The Cost of Insider Threats is Exploding: Here’s How to Manage Them

There’s a growing problem at the heart of enterprise cybersecurity posture. It’s not shadowy cyber-criminals or state-backed hacktivists. It’s not the unfathomable complexity of the modern IT environment. It’s the resource no organisation can do without: its people.

According to one study, from DTEX, breaches caused by insiders now cost $16.2m on average – up 40% on the figure from four years ago. Yet the same organisations are spending only $3.2m annually to address the problem. Something has to change.

How Serious Is the Insider Threat?

Insider risk can take many forms. That DTEX study places them into three categories:

  • Malicious insiders such as disgruntled employees looking to harm the company they work for. For larger or strategically important firms this may even include corporate spies or state actors
  • Individuals who are outsmarted by phishing scams or other tactics, enabling hackers to hijack their accounts and more
  • Negligent insiders who ignore security warnings and may misconfigure systems

It is the third risk type that’s likely to cost organisations most, according to the report. But in general, insider threats are often harder to spot than those perpetrated from outside the organisation – especially if malicious intent is involved. And that can mean extra time, effort and cost remediating them. According to IBM, malicious insider breaches took an average of 308 days to identify and contain last year. And they cost $4.9 million on average – 9.6% higher than the global cost of all breaches.

Cases seem to appear in the news with growing frequency. In February it emerged that a former council worker in the UK stole 79,000 residents’ email addresses with the aim of promoting a new business. On the other side of the Atlantic, Verizon was forced to notify affected individuals after an insider “inappropriately handled” a file containing information on over 63,000 employees. And the government has charged a former Google employee with theft of trade secrets.

Are Insider Threats More Likely?

There are a couple of reasons why CISOs should be concerned. The first is home working. Since the pandemic, it has become a regular feature of many organisations. Some say the UK is now the work-from-home capital of Europe. Yet being away from the office can also raise the risk of intentional wrongdoing or negligence. On the one hand, it may provide opportunities to make off with sensitive data. On the other, home workers sometimes say they are more likely to take risks or contravene security policy than they would be in the office.

The second risk factor is the cost-of-living crisis. As financial pressures build on employees, they may be more willing to take risks for personal profit. A February poll from fraud prevention non-profit Cifas reveals that 54% of UK businesses are concerned about staff being targeted by cyber-criminals: for example, to disclose sensitive information in exchange for cash. Over two-fifths (42%) specifically call out the insider threat.

Similar research from Bridewell Consulting last year reveals that over a third (35%) of critical national infrastructure (CNI) security leaders believe the economic downturn is forcing employees into data theft and sabotage. It claims that the number of employee sabotage incidents at CNI firms increased by 62% year-on-year.

Threat groups like Lapsus$ have openly admitted they look to bypass security defences with the help of insiders at targeted organisations.

Managing the Insider Threat

Jamie Akhtar, CEO of CyberSmart, tells ISMS.online that whether mitigating malicious or negligent insider risk, organisations should take a similar approach – blending practical steps and HR-focused strategies.

“You need to control access within your organisation. What we mean by this is that you need to be strict about which user accounts have admin privileges and access to sensitive data,” he explains.

“Apply the rule of thumb that no one should have access to anything they don’t need to do their job. This also means having a clear process for offboarding and removing access from leaving staff. Too often breaches stem from staff who shouldn’t have access to sensitive information having it.”

This should come alongside enhanced cybersecurity training to help staff spot and avoid common threats, he adds.
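One way to turn the access-control points above into a repeatable check, as an added example that is not the article's or CyberSmart's own code: reconcile the HR roster against an identity-directory export and flag leavers whose accounts are still enabled, accounts with no HR owner, and privileged accounts nobody has used recently. The roster, directory entries, group names and dates below are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Person:           # one row of a constructed HR roster
    user: str
    status: str         # "active" or "left"
    leave_date: Optional[date]

@dataclass
class Account:          # one row of a constructed directory export
    user: str
    enabled: bool
    groups: set
    last_login: date

# Constructed sample data: a leaver still enabled and an unowned admin account.
HR = [
    Person("amy", "active", None),
    Person("bob", "left", date(2024, 1, 31)),
    Person("cat", "active", None),
]
DIRECTORY = [
    Account("amy", True, {"staff", "domain-admins"}, date(2024, 3, 1)),
    Account("bob", True, {"staff", "finance-share"}, date(2024, 2, 20)),
    Account("cat", True, {"staff"}, date(2024, 3, 2)),
    Account("svc-backup", True, {"domain-admins"}, date(2023, 6, 1)),
]
PRIVILEGED = {"domain-admins", "finance-share"}   # groups that grant admin or sensitive-data access

def review(hr, directory, today, stale_days=90):
    """Return (user, finding) pairs for an access review, in directory order."""
    people = {p.user: p for p in hr}
    findings = []
    for acct in directory:
        person = people.get(acct.user)
        if person is None:
            findings.append((acct.user, "no HR owner"))
        elif person.status == "left" and acct.enabled:
            findings.append((acct.user, "leaver still enabled"))
            if acct.last_login > person.leave_date:
                findings.append((acct.user, "login after leave date"))
        if acct.groups & PRIVILEGED and (today - acct.last_login).days > stale_days:
            findings.append((acct.user, "stale privileged account"))
    return findings

def sample_findings():
    """Run the review against the constructed data as of a fixed date."""
    return review(HR, DIRECTORY, date(2024, 3, 5))
```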

“However, all of this is for nought if employees feel under-appreciated enough to want to take action or are simply snowed under. After all, it only takes one disgruntled or overworked member of staff to make a decision that could put the entire business at risk,” Akhtar argues.

“Businesses do need to put in place practical safeguards, but they also need to show empathy and support for employees.”

Tracey Carpenter, insider threat manager at Cifas, describes five steps to preventing insider risk, applicable across cybersecurity and fraud scenarios. First, have a robust pre-employment screening policy in place. Then, review and close any gaps in controls.

“If an employee has the motivation to commit fraudulent conduct or can rationalise their dishonest behaviour, they could target and exploit these gaps in controls,” she tells ISMS.online.

Organisations should also remember to be proactive, not reactive, she says. That means not relying on staff or customers to flag instances of potential dishonest conduct by employees. Remember also to conduct checks throughout the employee lifecycle, during which time an employee’s risk profile may change. And finally, work collaboratively by sharing threat intelligence where possible, she says.

How ISO 27001 Can Help

Best practice standards like ISO 27001 can also help. ISO 27001 mandates cybersecurity training programmes for staff, which would help improve awareness about the need for a security-first culture. It also requires regular reviews of policy and procedure.

“ISO27001 includes a requirement for continual assessment to ensure that the risks (including insider threats) to an organisation are continually monitored and that mitigating controls are implemented and incrementally improved,” explains CyberSmart’s Akhtar.

“This helps deal with insider threats because it helps businesses put in place the processes and practical steps to counter them. What’s more, it encourages organisations to think about the threats posed by insiders and how to continually improve their security measures.”

However, cybersecurity standards and schemes like Cyber Essentials can only get organisations so far. They also need to consider the underlying causes of insider risk. That may require a fundamental reassessment of corporate working culture.

“Fraud is everyone’s business,” Cifas’s Carpenter concludes. “An organisation that embraces fraud prevention training and commits to building and developing an anti-fraud culture is better equipped to not only tackle the growing insider threat but also protect its staff, customers, and wider stakeholders.”