Verizon’s 2022 Data Breach Investigations Report found that 18% of security incidents that resulted in data compromise involved insiders. The Ponemon Institute 2022 Cost Of Insider Threats Global Report found that the average cost to remediate an incident caused by an insider was $184,548.
What this means for businesses is that insider threats need to be taken as seriously as external attacks, and processes need to be put in place to contain them as rapidly as possible.
Current and past employees, business partners, contractors, suppliers or vendors with access to a company’s technology infrastructure all pose a potential threat.
“Insiders can be negligent or the victim of a compromise – usually credential theft – or, in extreme cases, malicious,” says Port443 co-founder and director ML Conradie.
Malicious insiders intentionally abuse the access they have to company resources. They may do this because they hold a grudge, because they’ve been influenced, or for financial gain, she says. Ponemon estimates malicious insiders caused 26% of the incidents studied in its 2022 report, at an average cost per incident of $648,062.
Negligent insiders cause the majority of incidents, often by failing to upgrade software or patch devices, ignoring company security policies, or taking other non-malicious but ultimately destructive actions.
Credential theft involves attackers using methods like phishing or social engineering to get valid usernames and passwords. Ponemon comments that this is the most expensive type of incident to mitigate at an average cost of $804,997 per incident. Once thieves have valid user credentials, they have the keys to the kingdom in terms of getting access to critical company data.
Conradie says businesses need to take decisive action to mitigate insider threats in a number of ways.
Education – Cybersecurity awareness is a critical and ongoing element of keeping your business protected, particularly given the speed at which new threats emerge. As Verizon puts it, ‘most data thieves are professional criminals deliberately trying to steal information they can turn into cash’, which makes them highly motivated and highly skilled. Employees have to be trained on the company’s security policies and understand what steps they need to take to keep data safe, and why. This includes not emailing sensitive data to anyone, including their personal accounts, as a way to get around the company’s security measures.
Accessibility – A safe bet is to adopt a principle of granting the least possible access to company networks and resources, says Conradie. “In other words, give people access only to resources and networks they absolutely need to be able to use to do their jobs.” This access should be reviewed regularly and updated as needed, including ensuring that access is revoked when people leave or a relationship with another business is terminated.
Policy – Education, training and access should all be determined by a cybersecurity policy that outlines how data is protected by the organisation, what data is considered public, internal, confidential or restricted, who has rights to access the different categories, and how third parties (such as suppliers) will be handled. This should be overseen by a cybersecurity committee (or an information security officer, depending on the size of the business) that takes responsibility for the policy and for ensuring it is kept current.
Protection – Businesses have a legal and ethical obligation to protect their information technology infrastructures and must have security controls in place so that the security team is alerted to malicious activity. This includes email security, data loss prevention, identity and access management controls and an operational capability to monitor and respond to alerts.
“It’s tempting to think only about external threats, but good business leaders know that they have to start with what they can control: themselves and their people,” Conradie concludes.