“External hackers are the only threat to corporate assets”—McKinsey rightly called out that assertion as a myth back in 2017. Fast-forward to today, and it appears that more businesses are starting to understand that internal threats are just as concerning as what’s out in the external threat landscape.
For far too long, the cybersecurity community has over-focused (and overspent) on the external threat actor. Yet, time and time again, we see cases where the insider risk becomes an insider threat and results in undesirable outcomes. But we keep spending time, money and effort to secure applications, assets and data without considering the risks that the people who access these things can present.
When you think about the path an insider threat takes across the attack chain, it’s clear there should be some means to prevent insider risks from evolving into insider threats. These measures may include:
- Adding more layers of access
- Requiring more levels of authentication
- Asking for more approvals in the data-sharing process
- Using other deterrents, whether digital or policy-related
And when an insider threat evades detection and isn’t blocked, we must lean on technology for identity threat detection and response. Solutions with these capabilities can look for persistence, information gathering, lateral movement, privilege escalation and other signs that an insider threat is actively trying to subvert security processes and controls.
We still have opportunities to stop an insider threat event when data is staged and exfiltrated, or when some other impact is imminent. But we also need to do what it takes to provide the most comprehensive view into what people are doing within the company’s digital ecosystem. That will help to prevent insider risks from turning into active insider threats.
A changing landscape with new trends in insider threats
Economic uncertainty is creating new scenarios for insider threats. It’s also amplifying some preexisting ones. Major change events for businesses such as mergers and acquisitions, divestitures, new partnerships, and layoffs provide avenues for insider risks to become insider threats. There are plenty of examples of disgruntled employees causing damage after they have left a company (or before). And employees tempted by “better” opportunities can present ongoing risk for data exfiltration.
A new trend is insider threats that don’t need an insider to stage data for exfiltration: external parties, including purveyors of corporate espionage, pay for access instead. We have seen cases, like the AT&T “unlocking” scheme, where employees recruited by bad actors then recruit others in the company to engage in nefarious activity. And we’ve seen instances—such as the Cisco insider threat case—where employees destroy a company’s infrastructure for malicious reasons.
The emergence of generative AI further highlights the need to change the traditional “outside-in” approach to security. Blocking the use of tools like ChatGPT, Google’s Bard AI, Microsoft Copilot and others is not realistic, as many businesses will depend on generative AI for productivity gains. Insiders who are careless about protecting internal data when using these hosted platforms are a risk. Mitigating that risk will require implementing a spectrum of controls. (There are already ways to safeguard your data in generative AI like ChatGPT and other AI and chatbot platforms.)
Finally, when focusing on securing sensitive data like intellectual property, be sure to factor in the context of the people who have access to that information. Otherwise, you could end up creating risk. The security team will be inundated with alerts, and they could miss true threats amid all the “noise.”
In short, take care to design your insider threat program to be a business enabler, not a productivity inhibitor.
During Insider Threat Awareness Month, Forrester analysts will share their insights and advice on emerging trends during a fireside chat hosted by Proofpoint on approaches to insider threat management (ITM). Don’t miss this special event—register now.
Find out more about getting started with data loss prevention (DLP) and ITM.