Earlier this year, the Acting Director of the National Counterintelligence and Security Center, Michael J. Orlando, released a letter for distribution marking September 2021 as “National Insider Threat Awareness Month.” In his letter, Orlando explained:
“The United States has suffered a rising number of incidents perpetuated by trusted insiders who have adversely affected public health and safety, national security, and the economic well-being of the United States. The last year and a half presented an increasingly challenging risk environment, with significant adjustments to work and home life, disrupted supply chains, financial insecurity, unreliable or overwhelmed technology capabilities, political and cultural fissures, and serious health concerns. The risk for espionage, violence, unauthorized disclosure, and even unwitting insider threat actions are higher than ever as our adversaries seek to take advantage of our vulnerabilities through increased targeting of insiders.”
While not every organization faces imminent threats to national security, the risk from insider threats and bad actors remains alarmingly high.
Here’s what you should know about insider threats and staying protected.
What Are Insider Threats?
Insider threats are threats that come from users inside your organization. They have legitimate, authorized access to your organization’s assets and abuse this access in some way. The Cybersecurity and Infrastructure Security Agency (CISA) defines an insider threat as: “A person with access to protected information, which, if compromised, could cause damage to national security and public safety.”
CISA continues that an insider threat has, “the potential for an insider to use their authorized access or special understanding of an organization to harm that organization,” which can include “malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, facilities, and associated resources.”
Organizations of all sizes are vulnerable to insider threats, from large corporations and healthcare networks to the small, mom-and-pop local store. It’s important to note that insider threats via access abuse are sometimes deliberate and intentional—but not always. Either way, they can harm your organization, your employees, and even your customers. According to one study conducted by IBM, insider threat incidents rose 200 percent between 2018 and 2019, yet, astonishingly, the primary cause behind these threats was accidental.
This is likely because insiders usually know where an organization stores its most sensitive data, and often have levels of access above what they need. These attacks can do serious damage to your organization. The Ponemon Institute released a study in 2020 stating that the average cost of an internal data breach was $11.45 million—and 63 percent of these incidents were attributed to negligence.
Whether the insider threat is a true accident or something more malicious, it can lead to the exposure of confidential information like customer data, intellectual property, funds, and more.
Types of Insider Threats
There are intentional and unintentional insider threats, as already discussed. But within the category of unintentional threats there are further, more nuanced distinctions as well.
Intentional Insider Threats
Intentional threats happen when insiders take actions to harm an organization for personal benefit or in retaliation for a personal grievance. Some are motivated by these perceived grievances or by ambition or financial pressures, while others are feeding a desire for attention by creating danger or releasing sensitive information. At other times, intentional actors may even believe they are acting for the good of the public.
Unintentional Negligent Threats
Unintentional negligent threats often come from those who understand security or IT policies but choose to ignore them, assuming nothing will happen. It could be allowing someone to “piggyback” through a security entrance point, or misplacing or losing a portable storage device. These are behaviours that can all be witnessed and corrected or prevented.
Unintentional Accidental Threats
Everyone makes mistakes from time to time, even the best employees, who may not realise that a mistake puts your organization at risk. This could be mistyping an email address and sending out sensitive organizational information, or clicking on a well-disguised phishing hyperlink in a message. These kinds of threats usually can’t be completely prevented, but they can be mitigated.
Other Types of Insider Threats
There are many ways that organizations can become vulnerable to internal threats, both purposeful and unintentional. In some cases, insider threats may also involve actors outside the organization:
- Collusive Threats: These threats refer to one or more insiders collaborating with external actors to compromise an organization.
- Third-Party Threats: These threats are associated with vendors or collaborators who exist outside the organization but have been granted access to complete their work.
Mitigating the Risk
What does a risk mitigation plan for insider threats look like? After all, employees need access to data to perform their jobs, and it’s hard to know who can’t be trusted with certain confidential data.
An insider threat mitigation program should span your entire organization from end to end, including access for those working from home on less secure networks. According to CISA, the program should be a “mechanism to help individuals, rather than an aggressive enforcement or a ‘gotcha’ program,” and it should incentivize proper behaviour with training and awareness, policy, procedures, and management practices, all aimed at encouraging employees to act on behalf of the organization, while also detecting and deterring wrongful acts like sabotage, theft, espionage, or harm.
Every kind of insider threat presents different kinds of symptoms for security teams to uncover and diagnose. But their approaches must be comprehensive and proactive. Options include:
- Software that maps accessible data
- Software that establishes trust mechanisms like multifactor authentication, access controls, and more
- Software that defines policies around devices and data storage
- Software that monitors and searches for potential threats and atypical and risky behaviour
- Software that acts when it’s called for
Additionally, organizations should have an Insider Threat Mitigation Program in place, which:
- Identifies and secures critical assets, data, and services
- Monitors the behaviour of outsiders and trusted insiders for actions that breach that trust
- Assesses threats to determine the risk posed by identified persons of concern
- Manages all kinds of insider threats with strategies to monitor persons of concern, potential victims, and vulnerable or targeted parts of the organization
- Engages with insiders who are potentially on the path to intentional or unintentional insider threat actions
One of the most important things that organizations can do is identify which data is sensitive and needs protection. From there, you can determine which sensitive information is exposed, what risks are associated with that data, and what needs to be done to protect it.
It’s also essential to know your users, know who has access to this sensitive data, and manage your access controls. Too often, people within an organization have access to sensitive information that they don’t need. While most employees will simply leave this information alone, it still leaves the organization vulnerable and exposed. Access controls can prevent this data from getting into the wrong hands.
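One way to carry out that review in practice, as an added example (not StorCentric’s or CISA’s code): given a data-classification inventory, an entitlement list and an access log, flag sensitive resources granted to everyone and sensitive grants that have gone unused, which are the candidates for removal under least privilege. The resource names, principals and log lines are constructed for illustration.

```python
# Added example (not StorCentric's or CISA's code): a least-privilege review
# that maps who holds access to sensitive data and flags grants that are too
# broad or unused. All data below is constructed for illustration.
from datetime import datetime, timedelta
CLASSIFICATION = {  # data inventory: resource -> classification
    "finance/payroll.xlsx": "sensitive",
    "hr/employee-records.db": "sensitive",
    "legal/contracts/": "sensitive",
    "marketing/brochure.pdf": "public",
}
ENTITLEMENTS = [  # (principal, resource); "everyone" is the all-staff group
    ("alice", "finance/payroll.xlsx"),
    ("bob", "finance/payroll.xlsx"),
    ("carol", "finance/payroll.xlsx"),
    ("dave", "hr/employee-records.db"),
    ("everyone", "legal/contracts/"),
    ("everyone", "marketing/brochure.pdf"),
]
ACCESS_LOG = """\
2021-09-01T09:12:00 alice finance/payroll.xlsx
2021-09-03T10:40:00 alice finance/payroll.xlsx
2021-09-07T14:02:00 dave hr/employee-records.db
2021-06-02T08:30:00 bob finance/payroll.xlsx
"""  # one "ISO-timestamp user resource" record per line

def last_use(log_text):
    """Map (user, resource) -> most recent access time seen in the log."""
    seen = {}
    for line in log_text.splitlines():
        ts, user, resource = line.split()
        t = datetime.fromisoformat(ts)
        seen[(user, resource)] = max(t, seen.get((user, resource), t))
    return seen

def review(entitlements, classification, log_text, as_of, window_days=60):
    """Return (exposed, stale): sensitive resources granted to everyone, and
    sensitive grants not exercised within window_days before as_of (ISO)."""
    used = last_use(log_text)
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=window_days)
    exposed, stale = [], []
    for principal, resource in entitlements:
        if classification.get(resource) != "sensitive":
            continue  # public data is out of scope for this review
        if principal == "everyone":
            exposed.append(resource)
        else:
            last = used.get((principal, resource))
            if last is None or last < cutoff:
                stale.append((principal, resource))
    return exposed, stale
```

Run against real data, the stale list feeds an access recertification rather than automatic revocation, since a grant unused for 60 days may still be required (e.g. a quarterly task).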
StorCentric: Your Threat Assessment Partner
While September is Insider Threat Awareness Month, organizations shouldn’t just be aware of the risk of insider threats—they need to take action all year round. StorCentric can help you build a secure enterprise from the inside out, with machine learning tools to identify potential risky behaviour, endpoint data protection, data security solutions, and more.