Data breaches are a major threat to every firm. But while the popular image is often of shadowy hackers hunched over a laptop somewhere trying to break into systems, the truth is that the majority of incidents - up to 60% - originate from within the business. Despite this, just 10% of security budgets go towards developing insider threat programs.
Whether the threats are intentional or not, tackling them needs to be a top priority for any security team. One essential part of this is training your employees on how to spot and report such incidents, and what to do to avoid becoming the next victim.
What are insider threats?
Insider threats come in a wide variety of forms, but essentially, they all refer to breaches that originate within the organization rather than from external sources. This doesn't necessarily mean outside parties aren't involved at all - many insider breaches are the result of successful phishing scams, for example - but what they have in common is that the incident could not have occurred without the actions of an internal employee.
The majority of these are unintentional. This can range from mistakes made by an IT worker while configuring a piece of software to an end-user falling for a social engineering attempt, reusing weak passwords or losing sensitive materials. Indeed, according to the Ponemon Institute's 2020 Cost of Insider Threats survey, negligence by employees or contractors is behind 62% of insider data breaches.
When they are intentional, these threats can be even more damaging. Disgruntled employees who feel they've been badly treated, or who are about to leave their job, are a particular risk, as they know exactly what your most valuable assets are and what they can do to cause harm.
The dangers insider threats pose
Accidental insider threats can have huge consequences, both financially and in terms of a firm's reputation. The Ponemon Institute estimated that in 2020, incidents caused by negligence cost an average of $307,111 each. However, because they're so frequent, this adds up to a total cost of $4.58 million a year.
When it comes to deliberate actions rather than errors or negligence, there are a range of incidents that can fall under the umbrella of insider threats, all of which have the potential to cause serious damage to your business. Although malicious threats only account for 14% of incidents, they cost an average of $756,000 each, so ensuring everyone is aware of what such incidents look like is vital.
These threats include:
- IP theft: Your intellectual property (IP) is often among your most valuable assets, and employees know this. It can therefore be tempting to steal this data to sell on the open market, or to take it with them when they leave. In 2020, for instance, it was revealed that one General Electric employee had downloaded thousands of proprietary files to try to start his own company.
- Fraud: Theft or disruption of data for financial gain is another risk you need to be on the lookout for, such as users accessing and misusing financial details, changing account routing information or approving false payments. As much as 40% of fraud-related losses stem from insider threats, so it's vital you have processes in place to spot this activity.
- Sabotage: Disgruntled employees using their privileged access to destroy data or disrupt systems can be hugely harmful. For example, one case involving a Cisco employee deliberately deleting hundreds of virtual machines cut services to thousands of WebEx customers and cost the firm $1.4 million in damages.
- Espionage: This is sometimes similar to theft, but with the difference that the perpetrator is taking information with the express purpose of handing it to another organization, such as a competitor or even a government. These inside agents could be working for someone else from the start, or may be the target of bribery or blackmail.
3 steps to boost awareness of insider threats
Putting in place a training program to tackle these risks is paramount, and it should have two elements. The first is training employees on best practices to reduce the risk of accidental breaches; the second is ensuring users have the knowledge and confidence to report any suspicious activity they encounter. Within this, there are a few factors to take into account.
1. Understand the different options for training
Developing a comprehensive training program is no small task. Different people learn in different ways, so you need resources that work for everyone, not just a single lecture where employees get talked at. Some people prefer a session with an instructor, while others would rather read material on their own time. Consider multimedia training, quizzes and articles to give people the best range of options.
2. Encourage openness
Developing an environment where people can feel comfortable reporting any issues they encounter is vital. This ensures people aren't worried about potential punishments for genuine mistakes, or getting something wrong during training. Giving people a clear point of contact if they spot something suspicious can also help encourage them to report incidents and be confident it will be investigated fully.
3. Run simulations
Simulations are among the most effective parts of any cyber defense strategy, as they can show employees exactly what to look for and alert security teams to anyone who isn't following policies. These often involve phishing attempts, but other simulated insider attacks can also let you know if your defenses aren't spotting unauthorized access to databases or data exfiltration efforts, for example.