Although there might be numerous combinations of human circumstances and unfortunate contexts that can trigger an insider threat, the main drivers behind these kinds of threats are human greed, anger, curiosity and unawareness or carelessness.
An immigration officer tried to rid himself of his wife by adding her name to a list of terrorist suspects. According to MailOnline, he used his access to security databases to include his wife on a watch list of people banned from boarding flights into Britain because their presence in the country is “not conducive to the public good”.
As a result, the woman was unable to return from Pakistan for three years, after travelling to the county to visit family. The tampering went undetected until the immigration officer was selected for promotion and his wife name was found on the suspects’ list during a vetting inquiry.
Secret data about the Swedish missile system has been made available to the public after a leakage at the Military Archives of Sweden, the daily newspaper Aftonbladet reported after the data surfaced on a Russian web forum.
According to Aftonbladet, a large part of the data in question revolves around Robotsystem 15, developed in the 1980s by Saab Bofors Dynamics and still largely in use in a number of countries outside Sweden, including Algeria, Finland, Germany and Poland. The leaked data reveals, among other things, the speeds, the angles and the loads the missile can handle.
Neither the archive employee nor the man who published the secret data was aware of having committed any crimes.
An IT contractor was found guilty of planting a ticking ‘destructive’ logic bomb in the US military systems, reports The Register in late 2017. He was accused of knowingly transmitting malicious code with the intent of causing damage to an Army computer used in furtherance of national security. He deliberately introduced malware into the US Army Reserve payroll systems after his employers lost the contract to provide the technology. The malware was seemingly designed to delete files and knacker services. The military estimates the costs of USD 2.6 million to fix the damage.
A while back, the New York Times published a similar story about a programmer who worked for Omega Engineering. His relationships with his colleagues were strained, and for this, management fired him. The programmer then decided to take his revenge, so he installed a ‘logic bomb’ on their servers. An employee then accidentally triggered the ‘bomb’, which then deleted the company’s designs and software programmes. Total damages came in at around USD 10 million. This case is still considered as one of the most expensive in the computer sabotage history.
Insider attacks are costly
These are only some of the similar stories as, according to Veriato “Insiders Threat 2018” report, 90% of organisations feel vulnerable to insider attacks. The report further indicates that 53% of the researched organisations have confirmed insider attacks against their company in the previous 12 months, while 27% of organizations say insider attacks have become more frequent.
The news outlets are swamped with similar narratives, including the most known one of Edward Snowden. According to McAfee’s Grand Theft Data report, insiders are globally responsible for 43% of data breaches. The McAfee’s report also points out that the respondents who had mostly experienced insider breaches indicated that they were not as knowledgeable about email security, web security, and data loss protection (DLP).
The costs of insiders’ attacks are skyrocketing. The recent Ponemon Institute “2018 Cost of Insider Threats” study has revealed that ignoring the growing threat posed by insiders can be costly for businesses of all sizes and in all industries. It further states that confidential business information, which encompasses company financials along with customer and employee data, is a highly strategic asset and equally a high-value target. The confidential business information (57%) takes the top spot as most vulnerable to insider attacks, followed by the privileged account information (52%), and sensitive personal information (49%).
The average cost of an insider-related breach over last 12-month period has increased to over USD 8.7 million. This sum doubles that one of the ‘regular breach’ which, according to IBM, averages USD 3, 6 million. According to the Ponemon Institute, the credential risk (or imposter risk) is the costliest type of insider incident at an average of USD 648,846 per event. This type of incident is 2.5 times more costly than incidents involving an employee or contractor negligence that amounts to USD 283,281 per incident. Criminal and malicious insider incidents cost an average of USD 607,745 per incident.
Inside hazardous players
The Swedish man from our opening story, who is no longer employed by the Sweden Military Archives, came to be suspected of negligence. Judging from the interrogations, he did not realise the implications of his actions. The former archive employee has been charged with gross negligence. The visitor who published the data was also not suspected of having committed any crimes.
A disgruntled employee looking to punish his organisation, opportunists wanting to make money by selling a company’s data or intellectual property (IP), or unaware and untrained personnel that might unsuspectingly open the security doors to adversaries are some of insider threat actors that might put organisations at huge cybersecurity and, ultimately, business risk.
An employee that does not earn enough for the desired lifestyle might fall a prey to a competitor, who offers a generous reward if she or he “can forward some essential data” about a very important project that is about to be launch. That employee is an ideal candidate for a cyber corporate espionage.
Quitting employees, particularly those with considerable technical skills and high privilege access, can also pose a threat if he or she decides to “teach the lesson” the current employer and plant a malicious code with delayed execution (‘time bomb’) in the company’s vital information system.
Fraudsters are also potential insider threat agents. An unhappy employee can be tempted to, for example, sell personally identifiable information (PPI) on a dark web, hoping to be able to sustain more lavish lifestyle – and not to be caught.
And the list goes on as many situations can prompt people to do delinquent or negligent things.
However, previously mentioned Veriato report warns that too often, people associate the term ‘insider threat’ with malicious employees intending to directly harm the company through theft or sabotage. In truth, negligent employees or contractors unintentionally cause an equally high number of security breaches and data leaks – by accident. For example, an employee in a vital role can have too much on his or her plate and sometimes gets confused. No wonder, hence, that he or she cannot remember different passwords for all of the systems that needs to be accessed. Also, people forget to close the computers when the work is finished, thus creating a situation that can easily be (ab)used for unauthorised access to the valuable company’s data and project documentation.
The Ponemon Institute report shows that the negligent employees account for the majority of incidents (64%), followed by malicious insiders (23%). This report further points out that both regular employees (56%) and privileged IT users (55%) pose the biggest insider security risk to organisations, followed by contractors (42%).
Reducing possibilities of insider threat
A thorough understanding of the company’s internal and external situation, different types of threats that it might face and the adversaries’ motivations should be the base for the organisational insider threat strategy. For example, the Veriato report notes that the main enabling risk factors include too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%).
Preventing insider threats can be complex endeavour but it can also be as modest as enforcing employees to adhere to the cybersecurity policies and provide a training that enables them to distinguish the difference between normal and suspicious user activity. In this regard, with the right insider threat prevention strategy, policies, procedures and tools in place, organisations stand a far greater chance of averting these threats and keeping corporate information assets safe and secure.
Introducing strong access rules, policies for least privilege and the separation of duties are the essentials of an insider threat programme. The utilisation of user behaviour monitoring is indispensable for early detection of insider’s intentional or accidental threats.
Having these safeguards in place will help organisations, not to just detect insiders timely, but also to classify the threats, assess the damage and to launch an appropriate response.
Human links are still considered as the weakest in the cybersecurity chain. Hence, no wonder that the cybersecurity professionals are increasingly turning to the automated enforcement of security policies. However, there is a word of caution not to over-rely on policy and automated enforcement when it comes to protecting against insider threat. The Information Age brings an illustrative story on the risk of over-reliance on automation:
“Unlike Google’s approach that goes so far as to eliminate a steering wheel in their opening gambit at this technology, more traditional manufacturers are stopping short of declaring fully-automated, self-driving cars. Their approach is to augment safety, rather than permit drivers to occupy their time on something other than driving. Similar logic needs to apply in business. Fully removing the insider threat through automation is a risky venture”.
The story goes on by explaining of what happens when a situation arises that automation simply cannot compute. “Is that the time to hand control back to a distracted employee? Expecting that policies, coupled with incomplete automated enforcement, will sufficiently mitigate the insider risk is a dangerous gamble. However, we can support IT with tools which make their job easier. Today, one of the primary tools for enforcing policies related to least privilege and separation of duties is identity governance. It maps out who has access to what identifies whether that access is within policy, and enforces that policy through automated de-provisioning of accounts”.
As illustrated in this article, detecting and preventing insider threats are not trivial tasks. However, understanding that there is a possibility of such an attack, makes the first step in a successful defence. The Veriato report suggests that the current trends in the insider threat protection are shifting to the detection of insider threats (64%), followed by deterrence methods (58%), and analysis and post-breach forensics (49%). The utilisation of the user behaviour monitoring is accelerating as 94% of organisations deploy some method of monitoring users. About 93% of the surveyed organisations monitor access to sensitive data.
Finally, it is worthy of noting that the most popular technologies to deter insider threats are Data Loss Prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies deploy Intrusion Detection and Prevention Solutions (IDPS), log management and the Security Information and Event Management (SIEM) platforms.