Insider risk: Employees are your biggest cyberthreat (and they may not even know it)
Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Today’s workforce is data-dependent and widely distributed. The use of cloud collaboration technology is sprawling. Data is highly portable, users are often remote and off the network, and file-sharing technology is widespread. It’s no wonder, then, that insider risk is of greater concern than ever.
“Insider risk is one of the fastest growing threats that businesses have to address today,” said Michelle Killian, senior director of information security at Code42, a software-as-a-service (SaaS) vendor specializing in insider-risk management.
Insider threats are often not malicious — in fact, a significant portion of the time, they’re inadvertent and simply the result of human nature — but even so, as Killian pointed out, “insiders can expose, leak or steal data at any moment.”
What is insider risk?
Simply put, an insider is anyone who has access to an organization’s data or systems: employees, contractors, partners, vendors.
Insider risk occurs when sensitive corporate data — IP, digital assets, client lists, trade secrets, and other company “crown jewels” — is moved to untrusted places, such as personal devices, email or cloud destinations.
“Such data movement presents considerable competitive, financial, privacy and compliance risk,” said Killian.
According to Joseph Blankenship, vice president, research director for security and risk at Forrester, insider risks are typically composed of:
- “Accidental” actors: Insiders who cause harm due to carelessness, mistakes, or by non-maliciously circumventing security policies. A 2021 Forrester survey indicated that 33% of data breaches attributed to insiders were accidental or inadvertent, according to Blankenship.
- Compromised accounts: External actors who gain access to legitimate user accounts and credentials and use them to steal data or harm systems.
- Malicious insiders: Those who intentionally steal data, commit fraud or sabotage assets. “These are the people we normally think about when we hear the term ‘insider threat,’” said Blankenship. He pointed to a 2021 Forrester survey that found that 35% of data breaches attributed to insiders were due to malicious intent or abuse.
Blankenship also noted instances where ransomware “mules” bring malware-like ransomware into corporate systems to circumvent external controls. Another trend is the recruitment of insiders by outside actors. This can be through willing participation or the result of social engineering, bribery or blackmail.
Ultimately, “insiders have knowledge of systems and data that external actors don’t have,” said Blankenship. “They may also be aware of the security measures organizations have in place to secure data or monitor activity, and can attempt to get around those.”
Furthermore — and perhaps most detrimentally — they are trusted. “We have to trust users to some extent so that they can get their jobs done without creating too much friction for them,” he pointed out. However, “insider threats occur when this trust is abused.”
Security blind spots
Data entitlements and ownership can be murky waters. Companies sometimes aren’t clear — or at least don’t enforce — data policies. So, when an employee quits or otherwise leaves, they often take files with them, said Killian.
According to Code42 research, about two-thirds of employees who have taken data to a new company have done it before: 60% admitted to taking data from their last job to aid in their current roles. Furthermore, 71% of organizations said they are unaware of how much sensitive data is being taken by departing employees.
Another “challenging data-security blind spot” is employee workarounds.
It can be repetitive to have to repeatedly input credentials, and security controls are often viewed as inconvenient or even a hindrance to productivity, said Killian. To get around this, sometimes employees will save files to a personal cloud drive or send them to personal email accounts — thus leaving files open to compromise.
“More times than not, employees are just trying to get their work done,” said Killian, “but they make mistakes or take shortcuts to move more quickly than company policies allow.”
Furthermore, there is significant overlap between cloud-based personal tools and enterprise collaboration tools — Google Drive, for instance — thus creating a “breeding ground for insider data leaks and theft,” said Killian.
Oftentimes, organizations rely on domain-based methods to identify whether source code or trade secrets are being uploaded to unsanctioned areas. But the lack of unique sub-domains for enterprise and personal environments makes it difficult to distinguish whether data is at risk, she said.
Then there’s pure negligence or carelessness; innocent mistakes, if you will. According to Aberdeen’s Risk Report, 78% of data exfiltration events were caused by non-malicious or unintentional behaviors.
Killian pointed to one example of a CFO who accidentally shared a document titled “Restructuring” with her entire company. Clearly, that’s not intentional but think of the risks: employee unrest, potential investor concerns, and a breach in compliance.
Are you an organization? You already have risky insiders
Organizations of all sizes must realize that they — and right now — have insider risk to one extent or another, said Blankenship. But because these insiders are “notoriously difficult to detect,” organizations must actively look to thwart them, and ideally cut them off from the start.
This process, he said, should involve:
- Enacting strong policies and processes.
- Actively communicating with and training employees.
- Building teams and coalitions of stakeholders.
- Implementing monitoring and detection technologies.
Killian also identifies three core components to mitigation:
- Adopting a transparent, security-centric culture.
- Providing proper security and awareness training.
- Implementing technology that provides visibility into data movement.
As she explained, potential indicators of risky behavior could include file movements made off-hours or altered file extensions. Organizations should also consider employees who have access to files of highly confidential projects, or those employees who are soon to leave the company.
“Without technology providing the right visibility, it’s nearly impossible for security to focus the appropriate protections and mitigate the overall data exposure risk,” said Killian.
Insider risk management (IRM) and insider threat management (ITM) tools can monitor, filter and prioritize risk events and detect when files are moving to non-corporate locations, including to personal devices, cloud storage and other networks. These are often integrated with identity and access management (IAM) software that pulls internal data.
Code42 is one of a growing number of companies specializing in IRM tools; other platforms include Proofpoint, InterGuard, Ekran System and Forcepoint.
Security without impeding collaboration
Still, technologies should identify risky file movements without inhibiting an organization’s collaborative culture and employee productivity, said Killian. The best way to address this is by wrapping a layer of security around collaboration tools so that employees can still work efficiently, she said. This is especially important with remote workforces.
“Now is the time to take steps to secure data in a way that allows employees to continue working, wherever that may be, without disruption,” said Killian.
And if — or, more likely, when — a risky insider is identified?
“Security analysts should ensure that interactions exercise tact, empathy and caution,” said Killian. “You wouldn’t treat a colleague the same way you would treat an external attacker.”
Also critical: Employee education — during onboarding, reiterated throughout employment, and underscored during offboarding. According to Code42, more than half (55%) of companies are concerned that employees’ cybersecurity practices are lax in new hybrid-remote work environments.
“To put employees in a better position, our current training models need an overhaul,” said Killian. “Training should be actionable, hyper-targeted and bite-sized to provide right-sized response lessons for end-users who show accidental or negligent user activity.”
But mitigating insider risk requires due diligence on the part of employees, too.
“While companies can certainly do a better job educating their workforce on what is considered IP and what they’re allowed to keep,” said Killian, “it’s important that employees understand the rules and guidance provided — or risk the repercussions.”
A growing problem
As Killian described it, the shift to remote work has created “the perfect storm” for insider risks and threats. Remote and hybrid work greatly decreases security visibility, and file-sharing technology makes it easier than ever to transfer sensitive information.
A 2022 cost of insider threat survey by Ponemon Institute found that insider-led cybersecurity incidents have increased by 44% over the last two years. The Institute also found that the average annual costs of known insider-led incidents rose more than a third to $15.38 million.
According to Code42, since the pandemic began, 61% of IT security leaders have identified their remote workforce as the cause of a data breach.
Reasons cited for this include:
- Networks being less secure (71%).
- Employees not following security protocols as closely as when in the office (62%).
- Employees being more likely to use a personal device (55%).
- Employees believing that organizations are not monitoring file movements (51%).
Furthermore, “as we enter a period of economic uncertainty and potential layoffs, insider risk will increase,” said Blankenship. “Fear of layoff and economic distress are two powerful motivators for insider threat.”
But a silver lining — if there is one — is increased awareness for organizations.
“Insider risk has always existed,” said Blankenship. However, “awareness of the threat vector has increased, the tools for finding insider threats have improved, and organizations are focusing efforts on detecting and stopping insider threats.”
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.