(This is an updated version of a blog that was originally published on 1/28/21.)
Most security teams focus on detecting and preventing external threats. But not all threats come from the outside.
The shift to hybrid work, accelerated cloud adoption and high rates of employee turnover have created a perfect storm for data loss and insider threats over the past several years. Today, insider threats rank amongst the top concerns for security leaders—30% of chief information security officers report that insider threats are their biggest cybersecurity threat over the next 12 months.
It’s easy to understand why. Insider threats have increased 44% since 2020 due to current market dynamics—and security teams are struggling to keep pace. According to the Verizon 2023 Data Breach Investigations Report, 74% of all breaches involve the human element. In short, data doesn’t lose itself. People lose it.
When the cybersecurity risk to your company’s vital systems and data comes from the inside, finding ways to mitigate it can be daunting. Unlike with tools that combat external threats, security controls for data loss and insider threats can impact users’ daily jobs. However, with the right approach and insider threat management tools, that doesn’t have to be the case.
In this blog post, we’ll share best practices for insider threat mitigation to help your business reduce risk and overcome common challenges you might face along the way.
What is an insider threat?
But first, let’s define what we mean by an insider threat. In the cybersecurity world, the term “insider” describes anyone with authorized access to a company’s network, systems or data. In other words, it is someone in a position of trust. Current employees, business partners and third-party contractors can all be defined as insiders.
As part of their day-to-day jobs, insiders have access to valuable data and systems like:
- Computers and networks
- Intellectual property (IP)
- Personal data
- Company strategy
- Financial information
- Customer and partner lists
All insiders pose a risk given their position of trust—but not all insiders are threats.
An insider threat occurs when someone with authorized access to critical data or systems misuses that access—either on purpose or by making a mistake. The fallout from an insider threat can be dire for a business, including IP loss, legal liability, financial consequences and reputational damage.
The challenge for security firms is to determine which insiders are threats, and what type of threats they are, so they know how to respond. There are three insider threat types:
- Careless. This type of risky insider is best described as a user with good intentions who makes bad decisions that can lead to data loss. The 2022 Cost of Insider Threats Global Report from Ponemon Institute notes that careless users account for more than half (56%) of all insider-led incidents.
- Malicious. Some employees—or third parties, like contractors or business partners—are motivated by personal gain. Or they might be intent on harming the business. In either case, these risky users might want to exfiltrate trade secrets or take IP when they leave the company. Industrial espionage and sabotage are examples of malicious insider activity. Ponemon research shows malicious insiders account for 26% of insiders.
- Compromised. Sometimes, external threat actors steal user login information or other credentials. They then use those credentials to access applications and systems. Ponemon reports that compromised users account for 18% of insiders.
Insider threat mitigation best practices
Companies can minimize brand and financial damage by detecting and stopping insider threats. How each security team approaches insider threats will vary depending on the industry, maturity and business culture. However, every organization can use the five best practices we’ve outlined below to improve their insider threat prevention.
1. Identify your risky users
Most insiders fall into the “careless” category. That’s good news in a way. It means the average user doesn’t intend to steal or misuse data or abuse their access to systems.
The trouble with careless users often starts when they want to take the path of least resistance. If there is an avenue that helps them perform their duties quickly, they will often take it, regardless of whether or not it is secure.
Based on Proofpoint deployments, roughly 10% of users are risky. The remaining 90% are low-risk users. Risky users typically include high-risk employees such as:
- New hires
- Very Attacked People™
- Departing employees
- Users with privileged access, like IT administrators and customer service reps
- Third parties, such as contractors and partners
Determining who at your company is risky is a critical step toward insider threat mitigation.
2. Communicate policies well and often
Promoting good communication is another vital step toward mitigating the risk of unintentional insider threats. If your cybersecurity policies are too technical, the average user won’t likely understand how to follow them. They may also fail to grasp the purpose of these measures.
Reach out to your users to find out if they are experiencing performance bottlenecks using your current data loss prevention tools or policies. If so, then see if there is a way to take a more balanced approach to safeguard systems or data from exfiltration while minimizing the impact on employee productivity.
You can enable better threat mitigation when you are upfront with your users about the need for security policies. Your communication should also be consistent. These efforts will help to foster a more positive atmosphere where users see security controls as an asset—not a burden.
3. Understand the context
Visibility is critical to successful threat prevention and mitigation. You need visibility into a user’s activities before, during and after a potential insider threat to have context. Context is the key to understanding a user’s intent and motivation. How a security team may respond to a careless user is very different from how they may respond to a malicious or compromised user.
Visibility into content, behavior and threats provides people-centric insights to help identify risky behavior. In instances where a user shows malicious intent, forensics evidence like screen capture and detailed metadata can help to augment investigations.
4. Educate and bring awareness to risky behavior
Over half of the insider threats that lead to insider threat mitigation are careless insiders. That is why it is so important to integrate your threat prevention and mitigation efforts tightly with your company’s security awareness program.
Effective security awareness programs provide training based on a user’s unique knowledge gaps and the threats they actively face in the real world. To that end:
- For careless users, you may need to reiterate guidelines for sharing sensitive data with external partners.
- For compromised users, it may be helpful to make them aware of the latest phishing or social engineering scams.
Delivering bite-sized training to users that they can take in regular intervals makes it easier for them to fit training into their daily lives. This approach also helps to reinforce concepts over time so that people don’t forget what they’ve learned.
5. Develop proactive response plans
When you face an insider threat incident, it is crucial to move fast to investigate it. You also need to determine the best response, depending on the threat type. And you may need to work across the security team and correlate and triage activities and alerts to get a holistic picture.
Given the widespread implications of an insider threat, insider threat mitigation can involve collaboration with cross-functional teams such as human resources (HR), legal and privacy that may be critical to your response. Meeting with and developing response processes and procedures with these groups proactively can save precious time later, when it matters most.
How Proofpoint can help
As a converged data loss prevention (DLP) and ITM solution, Proofpoint Insider Threat Management (ITM) helps businesses detect and prevent insider threats on the endpoint in real time. Proofpoint enables insider threat mitigation by providing:
Visibility and prevention
Proofpoint ITM provides real-time, contextualized insights into the “who, what, when and where,” with timeline views and screen captures to provide irrefutable evidence needed for investigations. Prevention capabilities block users from exfiltrating data across a number of channels—like USB, web uploads, cloud sync and print—helping to minimize damage.
When investigating incidents, security teams usually have to piece together alerts from disparate sources. That makes investigations cumbersome and time-consuming.
Proofpoint ITM, which is part of the Proofpoint Sigma information protection platform, helps security teams work more efficiently. It includes a centralized view to help teams correlate alerts and manage investigations across channels, including endpoint, web, cloud and email.
The solution includes workflows for better collaboration. It also features exportable PDF reports for any non-security users involved in an insider threat investigation, like HR, privacy and legal.
Rapid time to value
Proofpoint ITM is a scalable, API-driven, cloud native solution, so it can be up and running quickly. With a single, lightweight endpoint agent, you get the flexibility and benefits of monitoring both everyday and risky users without the need to collect arduous amounts of data. The solution meets privacy and compliance needs with attribute-based access controls and data that is stored geographically.
Ready to build your own insider threat program? A successful program and insider threat mitigation plan both require clearly articulated goals, executive support and cross-functional collaboration. Learn more about the process in our e-book, Getting Started with Data Loss Prevention and Insider Threat Management, and in this webinar.
The Insider Threat Management Starter Pack from Proofpoint can also help you to gain a deeper understanding of insider threats and how to deal with them proactively.