How to Identify and Prevent Insider Threats in Your Organization

Insider threats are on the rise. Whether they come from accidental insiders who are prone to phishing attempts or malicious insiders who are seeking to expose sensitive data, insider attacks have significantly increased in recent years. According to the 2019 Insider Threat Report from Cybersecurity Insiders, sponsored by Fortra, 70 percent of cybersecurity professionals surveyed believe that the frequency of insider attacks has increased in the last year alone. And an incredible 62 percent of organizations have experienced at least one insider attack in the past 12 months. So why are insider threats increasing, who is responsible for them, and what can your organization do to prevent them?

What Explains the Rise of Insider Threats?

Companies today are highly vulnerable to insider threats—and for good reason. The Insider Threat Report found that 68 percent of security teams surveyed feel extremely to moderately vulnerable to insider attacks. External threat actors have become considerably more sophisticated in their malicious activities that target insiders—from deploying social engineering attacks like phishing emails to scanning through LinkedIn and other data stores on the Internet to gather details on corporate environments.

Internally, IT systems are becoming increasingly complex and overloaded. Security teams are having to do more with less and may not receive or provide adequate levels of training. Combined together, all of these different elements can serve as infection vectors into your environment, providing pathways for people to do things accidentally or intentionally malicious within your systems.

In fact, the same survey from Cybersecurity Insiders found that inadvertent insider threats—caused through accidental breaches from malicious activities like phishing emails—were of concern to more than 70 percent of security teams. Negligent insiders who willfully ignore security policies are a major concern to more than 66 percent of cybersecurity professionals. This includes developers, for example, who have access to production machines, and ignore company security policies, like working from home on an unsecured network, to cut corners or do something faster or cheaper. And finally, malicious insiders who are actively seeking to do harm or cause damage are a concern to 62 percent of security teams. These types of insiders can include disaffected employees or someone outside your organization trying to steal credentials to get in. Overall, more than half of all incidents today are due to inadvertent or accidental insider attacks, while the remaining half is split between malicious insiders and actual hacking, like credential theft, appearing as an insider coming from your system.

With inadvertent insiders representing the largest area of concern to cybersecurity professionals, understanding what contributes to these types of insider threats is essential. Again, according to the Insider Threat Report, the most feared inadvertent insider threat originates from phishing emails. This is followed by poor passwords, spear phishing, and orphaned accounts. Many security teams may not view orphaned accounts as a security risk, but they are great places for bad actors to gain access into your organization since no one is actively looking into them. Orphaned accounts occur typically in larger organizations with fairly high turnover. As people exit the company, there may not be a specific process for cleanup happening for either internal or external system access.

How Much Do Insider Attacks Cost Your Organization?

One of the most alarming findings from the Cybersecurity Insiders study is that many security teams may not recognize the financial impact insider attacks can have on an organization. More than half of those surveyed believe it would cost less than $100,000 to deal with or mediate an insider attack. But studies show these types of attacks are significantly higher in cost. In fact, some recent reports estimate that the average cost of a cyber incident today ranges from $270,000 to upwards of more than $20 million at large organizations.

In addition to monetary loss, there are forensic issues you have to deal with to discover how the incident happened. This requires significant time from your own internal security teams to remediate the incident—taking time away from more strategic activities. You must conduct additional training, potentially hire outside consultants, and even replace new equipment to close any loopholes. Combined together, all of these add up to an unexpected expense incurred by your organization.

What Roles Pose the Biggest Risk for Your Organization?

It’s no surprise that those who are privileged IT users or administrators pose the biggest security risks. According to the Cybersecurity Insiders report, 59 percent of security teams indicated these roles were the largest concern for the company since the accounts were highly privileged, and would have dangerous consequences if they ended up in the wrong hands. That’s why it’s best practice to implement a privileged access management (PAM) program, using solutions like Core Privileged Access Manager (BoKS), to secure your privileged systems and applications. Additionally, strong Identity Governance and Administration solutions from Core Security, can ensure that privileged access is assigned properly, appropriate approvals are established, and the proper checks and balances are in place.

Second to IT users, contractors, service providers, and temporary workers pose the greatest risk to organizations, with 52 percent of cybersecurity professionals responding. This category of user is often a target for bad actors because turnover is high for these roles and orphaned accounts can stack up if there is an undefined process for cleaning up those accounts. That’s why it’s essential not to overlook these types of workers or make them a lower priority for your organization. Even though they may not be highly privileged, if their access falls into the wrong hands, a bad actor could do real damage within your environment. 

How Can You More Effectively Manage User Privileges?

Many organizations have poor or very manual processes when it comes to management of user privileges. With a large number of systems and applications, lack of centralized management, highly manual processes, and no clear understanding of required access for various roles, it’s no wonder that more than 77 percent of cybersecurity professionals consider management of user privileges ineffective. One way to address this is to automate provisioning around the various stages of the user lifecycle. In fact, at least half of all survey respondents in the Insider Threat Report believe an integrated Identity and Access Management (IAM) solution is a key part of a solid IGA policy.

Another best practice is the implementation of role-based access controls (RBAC). This means having solid, well-defined roles in place and knowing specifically which access privileges each role needs. As organizations grow and evolve, the right IGA solution can allow for more efficient changes and decrease risk by focusing on role definitions and role assignments, rather than on individual accounts. 

Three Areas of Focus for Insider Threat Prevention

While considerable time and effort is spent concentrating on external threats and trying to address persistent, malicious threats from bad actors, too often, security teams may not be focused enough on what is happening inside their environment. However, with the right layered security model, you can ensure you have the right defenses and depth in your overall security strategy and approach. The Insider Threat Report indicated that 56 percent of cybersecurity professionals consider their monitoring, detecting, and response to insider threats only somewhat effective or worse. And more than half of respondents said that they either did not have the appropriate controls in place or were unsure of whether they had any controls to prevent an insider attack. So in response to this, below are three strategic areas of focus that can guide insider threat prevention in your organization: 

1) Deterrence: 62 percent of respondents from the Cybersecurity Insiders report said deterrence was an important strategy to help prevent insider attacks. Deterrence means ensuring you have good access controls, strong encryption on your data, and appropriate policies in place that deter and discourage insider threats.

2) Detection: Similar to deterrence, nearly two-thirds of respondents indicated that detecting what is happening in their environment was essential in preventing insider attacks. Detection means actively monitoring what users are doing and ensuring visibility into network threat-related activities with network traffic analysis solutions.

3) Analysis and Post Breach Forensics: Nearly half of all cybersecurity professionals responded that being able to do post breach forensics analysis was also an important part of responding to and preventing future insider attacks. If a breach does occur, you must be able to deal with it quickly and effectively. This means examining what has happened in the environment, and having a way to easily see and analyze what is occurring real-time.

Having a comprehensive Security Information and Event Management (SIEM) solution that provides real-time threat detection and prioritization is critical. Remember, it’s not always just users with a Windows PC that can cause damage to your systems. Sometimes it’s through an IoT device, a Wi-Fi access control, security camera, or maybe even a card system to get into your parking lot. All of these are interconnected elements now—and represent potential areas for breach where someone can misuse their access or maliciously try and take control of your environment.

Make Insider Threat Prevention a Priority in Your Organization

Whether they originate from a malicious source or from an accidental breach, insider attacks will likely continue to rise in the organizational environment. But your company can take an active role in trying to prevent them. By monitoring for threats, training and empowering users, and providing security teams with innovative cybersecurity solutions and tools, like those offered by Fortra and Core Security, you can leverage a layered security model that positions your organization for success. Remember, you can only change what you acknowledge. So start by adopting a strategy that emphasizes defense and depth, and empowers you to mitigate the growing risk of insider threats in your organization. 

Whether you’re looking to advance Identity Governance and Administration in your organization, enhance Privileged Access Management, improve your Penetration Testing, or more actively monitor Security Information and Event Management, we have the industry-leading solutions you need to reduce the risk of insider threats.