Is it paranoia if it's real? Know these insider threat indicators
Do you know how to recognize common insider threat indicators? Protecting your organization's data depends on it. It's not paranoia, it's preparation.
Published January 31, 2022"Just because you’re paranoid doesn’t mean they’re not out to get you.” More than just a great Nirvana lyric, this also sounds like an apt mantra for modern-day cybersecurity.
Because if administrators are feeling paranoid these days, it’s for good reason. External attacks abound, and insider threats tend to fly under the radar until it’s too late. And even if your employees are honest and trustworthy, what if it could happen to you? Do you know what motivates an inside actor, and what insider threat indicators to watch out for?
Think your organization is immune? Insider threat awareness is the first step towards preventing an attack. Let’s look at a few statistics to illustrate how real a threat insiders are.
Over the past year, 94% of organizations experienced an insider breach. Predictably, most inside breaches (84%) stemmed from human error. But of the 26% that didn’t, 66% were the result of a malicious leak. And IT departments are largely unprepared against malicious insider threats — an overwhelming majority (72%) of IT administrators think that protecting against “intentionally malicious behavior” is a high priority. Perhaps most hair-raising of all, 23% of employees think it’s completely ok to take company data with them to a new job (like these two former GE employees).
Ready to consider that an insider threat could happen to you? Let’s turn to what you can do about it.
What drives an inside actor depends on your organization’s industry, company size and IT infrastructure. That said, a few common motivators are universal to all industries and company sizes.
Most inside actors have innocent motives. The vast majority of insider threats come from employees who are careless, or who don’t follow security protocols. Employees — especially those in non-technical roles — are often ignorant of how their actions impact data security.
It can be hard to get employees to take responsibility for data security. And, as many IT pros can attest, some users need more convincing than others. Yes, them, the ones who are too “focused on the big picture.” The C-suite is infamous for avoiding security protocols, believing IT procedures don’t apply to them. IT will have a hard time protecting against insider threats unless all — that means all — employees take responsibility for and ownership of data security.
Malicious insiders have one goal: to gain from exploiting or sharing company data. Maybe that’s financial gain from the data itself, or profit (in partnership with a third party) from reconfiguring security assets for remote access. A malicious insider might be a disgruntled employees who got fired, passed over for a promotion, or feels they’re not getting due recognition (ever had a manager take credit for your work?). Or maybe the employee just holds a grudge against the person responsible for IT security. Shockingly, not all IT personnel are universally loved and respected …
Specific threats can also face organizations in high-security industries like defense, intelligence or critical infrastructure. An employee might actually be a spy working for a rival organization, or they may be blackmailed by a rival into sharing sensitive information. And whistleblowers can leak confidential information to regulatory bodies or even to the press. Think of Snowden, who, although a whistleblower of conscience, did gather data as an insider. Can your company protect against your Snowden, whether he or she has network physical and/or remote access?
Once you know the types of insider threats, you can further prevent insider attacks by keeping an eye on a few key insider threat indicators.
Your IT administrators have the highest level of network credentials. Sometimes, an insider threat can come from the very person who’s supposed to prevent it. Imagine an IT administrator is feeling undervalued and plans to leave the company. But first, he or she purposefully installs several unlicensed copies of Microsoft Office. Then, a mysterious whistleblower informs an organization like the BSA | The Software Alliance. That same whistleblower receives a percentage of the hefty penalty levied at your organization for license infringement. And your organization pays the price — which could end in bankruptcy for smaller organizations.
As more employees go remote, insider threats increasingly originate from outside the network. Unless all devices on and off-premises have the same security software and protocols in place, it’s easier for hackers to gain access to devices off-site. And if your employees use their own device, it’s even harder to ensure security. Plus, what if the device gets lost or stolen? Can you remote wipe all devices? Also, how can you be sure that anyone who has access to a remote machine doesn’t manually copy or take pictures of sensitive information? Any picture of a text document is just as valuable to hackers as the file itself.
Members of your team are regulars at a few local spots. One day, as part of a promotion, memory sticks are given to all customers at a bar your staff is known to frequent. Congratulations, all who accept the promo are now proud owners of a malware variant that allows the hacker remote access to the system when inserted into the USB port. The memory sticks were donated by a friendly neighborhood hacker as part of a fake company promotion, a plan targeting your company, a large local employer. How many of your employees will use these memory sticks at work?
A red flag should go up when an employee logs in at unusual times or from unusual locations. Do you know why they’re logging into their laptop at 2 a.m.? Or are they logging in from an IP address that traces back to your competitor’s headquarters? Other common warning signs are employees who access applications or systems for the first time, or who start copying large amounts of information.
Ignorance of industry regulation can also be a risk factor. For example, a healthcare provider installs CCTV cameras that happen to face computer screens displaying patient’s medical records. That’s a significant HIPAA violation (in the U.S.) and violates other data privacy laws for healthcare records in other countries. Not only is it a possible insider threat, it also carries the usual high penalties (that compensate a government department and not, unfortunately, the victims). Knowledge of and full compliance with industry regulation can avoid prevent these types of insider threats.
Yes, not always easy to identify an insider threat. But the price of not doing so is great. Data loss, security breaches, service outages or even legislative penalties cost dearly. And reputational damage can take years to rebuild.
In a world where insider threats are increasingly prevalent, smart insider threat management can help you recognize potential insider threat indicators and prevent an attack before it happens. Whether it’s choosing the right type of multi-factor authentication or implementing contextual access management, focus on securing your network from risks and you’re already a step ahead towards preventing insider attacks.