Dissecting Insider Threats in Cyber Security by Filip Cotfas, Channel Manager, CoSoSys

Insider threats are a major and increasing problem for organizations, as the human factor is often the most difficult to control and predict when it comes to data security and protection. With digitization, the amount of digital data is growing exponentially, and together with this, the number of systems and human interactions with the data is increasing too. More interaction involves exposing the data to more security vulnerabilities.

The potential risks of insider threats are numerous, including financial fraud, data corruption, theft of valuable information, and installing malware. These incidents can lead to data breaches that expose sensitive information such as Personally Identifiable Information (PII) or Intellectual Property (IP) and can result in high fines while detecting them is not an easy task for security teams.

What are insider threats in cybersecurity?

Insider threats are cybersecurity risks originating within the organization itself. They can be caused by users with legitimate access to the company’s assets ñ including current or former employees, contractors, business partners, third-party vendors, etc. Insiders can vary significantly in awareness, motivation, intent, and access level.

Traditional security measures such as firewalls or antivirus systems focus on external threats and are not always capable of identifying threats emanating from inside the organization. Besides being invisible to traditional security solutions, insider attacks can be harder to detect or prevent than outside attacks and go unnoticed for months or years.

Types of Insider Threats

Malicious insider or Turncloak: This is someone who uses their access privilege to exfiltrate or steal data and use it with the goal of personal or financial gain. Malicious insider threats include accessing and disclosing confidential information without authorization, carrying out fraudulent transactions, and sabotaging the organizationís systems, network, or data. Departing and disgruntled employees, as well as those with high-level access, can cause these types of incidents.

Negligent insider or Pawn: A negligent or careless insider has no malicious intent but mistakenly gives away sensitive data or inadvertently puts company data at risk. These threats include misusing assets, mishandling data, and installing unauthorized applications (shadow IT). Negligent insiders may be well-intentioned, but they can become victims of phishing attacks or social engineering.

Collusive insiders: This type will collaborate with malicious external threat actors to compromise the organization. These cases usually involve fraud, data theft, or a combination of the two. Although it is the rarest form of criminal insider risk, it can still come with high costs.

The most common type of insider threat is a negligent employee or contractor, while the most costly incidents threats were credential thefts.

Insider threat motivations

Motivations can vary and malicious insiders might act out of a grudge towards their employer, might simply want money, or it could be an act of corporate or nation-state espionage. Unintentional insider threats could happen due to a lack of knowledge, out of curiosity, or convenience as well as misplaced technology. By understanding the motivations, security teams can be more proactive in their approach to insider threat defense.

Insider threats in the era of work from home

The coronavirus pandemic has set the remote work revolution on a fast track, and many companies have been forced to shift to work from home policies and enabling remote staff overnight.

Remote work is opening up new insider security threats, and companies are scrambling to keep up with these unprecedented risks. The new norm of remote work means no face-to-face supervision and little to no training for handling new security risks. Employees can also face more distractions in their home settings, coupled with the overlying stress of the pandemic and regular work pressure. Accidental disclosures can easily happen, as the lines between work and home, professional and family are more blurred than ever.

Remote working can also offer many data theft opportunities, including the loss or unlawful appropriation of physical devices, the possibility of sharing passwords, encryption keys, and company laptops with unknown third parties.

Employees can accidentally share a customer database, intentionally disclose a trade secret or share Social Security numbers in the public cloud. The increased data portability is another threat factor, posing a high risk of data loss or theft. Employees working from home can easily transfer, share or remove data, and cause the organization to lose revenue, get a penalty for non-compliance or damage the reputation.

Thus, working remotely, especially for organizations with no solid remote work plans, means that their assets and confidential data are more vulnerable during the global pandemic. Implementing the right tools and technologies and paying closer attention to company data can decrease the risk of cyber incidents.

Common types of insider attacks

These are the most prevalent internal incidents and practices that represent a threat to a company’s data security.

Social engineering

Recognized as one of the biggest security threats facing companies, social engineering is a malicious threat that implies human interaction. Usually, it involves tricking someone inside the organization to make a security mistake or reveal sensitive information. Social engineering attacks have different forms, including phishing and baiting. Malicious actors who engage in social engineering manipulate human feelings, such as curiosity or fear, and compromise their targetsí information.

Data sharing outside the company

Employees sharing confidential data, either publicly or with unauthorized third parties, can cause serious problems. This type of incident usually happens out of carelessness: information is sent to the wrong email address, a reply all button is hit instead of a simple reply, confidential data is accidentally posted publically.

Shadow IT

The use of unauthorized devices, software, applications, and services in the workplace is often hard to trace by IT departments and this is where the term shadow IT comes from. While it can improve productivity and drive innovation, shadow IT also poses a serious threat to data security and can lead to data leaks, compliance violations, and more.

Use of unauthorized devices

With the rise of Bring-Your-Own-Device (BYOD) policies and the proliferation of mobile devices, organizations encounter many internal security problems, including the risk of losing data due to employee negligence or malicious intentions. Portable devices and USBs, in particular, although convenient to use, are easy to lose or steal. Thus negligence can easily lead to disastrous data breaches, such as the infamous Heathrow Airport security incident in which a careless employee lost a USB device with over 1,000 confidential files.

Physical theft of company devices

Nowadays, it is becoming increasingly common that employees take their work computers or portable devices out of the office. This can happen for several reasons, including remote work, attending an industry event, or visiting a client. By leaving the security of company networks, work devices become more vulnerable to physical theft and outside tampering.

Do check out: