The last few years have wrought a maelstrom of change in the modern workplace. Remote and hybrid work, a widespread embrace of the cloud, and increased employee turnover have made safeguarding data more challenging than ever. It’s no wonder that insider threats jumped 44% in 2022.
According to the 2022 Voice of the CISO report, many cybersecurity leaders consider a proactive stance toward insider threats to be essential. After all, no business is immune to insider risk. In fact, insider threats are the top security concern for chief information security officers (CISOs) globally. More than a third of the CISOs surveyed said addressing insider threats is a top priority for their IT department over the next two years.
About this series
Today’s cyber threats rely on human interaction, not just technical exploits. In fact, research for Verizon’s 2022 Data Breach Investigations Report found that 82% of data breaches involve the human element. As the report states, this reality “puts the person square in the centre of the security estate”. Attackers use social engineering to trick people into clicking unsafe URLs, opening malicious attachments, entering their credentials, sending sensitive data, transferring funds and more.
This is the final post in our six-part blog series covering topics that all organisations should address in the security awareness training they provide to their users. The topics we have explored in this series are:
4. Social media
6. Insider risk
We encourage you to check out the five previous instalments in this series. While our coverage of these topics was inspired by Cybersecurity Awareness Month in October, the information presented in this series can be useful to your organisation at any time of year.
What is insider risk?
An insider is a person who has some type of working relationship with an organisation. Because of their role and privileges, they have (or once had) authorised access to critical data and systems. An insider might be a current or former employee, contractor or business partner who might meet all or some of these criteria:
- They have computer or network access supplied by the company.
- They develop products and services for the organisation.
- They know about the organisation’s future strategy.
- They have access to protected information.
In short, an insider is someone who is in a position of trust. Clearly, these users pose a threat when they act with malicious intent and knowingly use their trusted position for personal gain or benefit. What might not be as obvious is that users who accidentally misuse or mishandle their access can cause just as much harm. The same goes for users whose insider access is compromised and exploited by an outside attacker.
The terms ‘insider risk’ and ‘insider threat’ are sometimes used interchangeably, but they are not the same. Insider threats are a subset of insider risk: all insiders pose risk to an organisation given their access to its data and systems. However, not all insiders will become an insider threat. This is an important distinction that requires a strategic and tactical approach to manage effectively.
Types of insider threats
Here’s a closer look at the three key types of insider threats:
- Careless. A careless insider is a well-intentioned user who makes poor decisions that can result in the exposure or theft of valuable data. Examples include downloading files to a USB storage device or inadvertently sharing sensitive data externally (such as a customer’s credit card information). Careless users account for 56% of insider incidents.
- Malicious. These insiders are motivated by personal gain and seek to harm the organisation. Examples include exfiltrating financial data or trade secrets or destroying sensitive information. Ponemon’s research on insider threats found that malicious insiders account for more than a quarter (26%) of all insider incidents.
- Compromised. Compromised users are often Very Attacked People™ (VAPs) with privileged access to information. In other words, they have credentials and access that could give threat actors access to a company’s critical systems and data. Attackers use social engineering techniques such as phishing to steal those credentials. About 18% of insider incidents this year have involved stolen credentials.
Insider threat activities
The threat from a careless user stems from:
- Human error. This can include anything from server misconfigurations to sharing a file more widely than necessary.
- Bad judgement. This can include taking shortcuts that unintentionally put the organisation at risk, such as moving a file to a USB drive or personal file-storage account.
Threats stemming from malicious users might include:
- Sabotage: The malicious insider seeks to damage company systems or destroy data.
- Fraud: The insider with malicious intent steals or alters data to deceive, with the aim of disrupting the company or benefiting financially.
- Intellectual property (IP) theft: Any proprietary information that is valuable to an organisation can be considered IP. Malicious insiders steal IP for their own financial gain or to cause long-term damage to the company, monetary or otherwise.
- Espionage: When a malicious insider steals sensitive trade secrets, files and data from an organisation and then sells that information to the company’s competitors or even state-sponsored threat actors, they are engaging in espionage.
Finally, insider threats from compromised users typically stem from one or more of the following:
- Stolen credentials
- Unintentional aiding and abetting through social engineering attacks
Tips for end users
Organisations should help employees avoid being part of the insider threat problem. This learning process starts with building their knowledge about careless behaviour and the potential for malicious insider activity. And while security awareness won’t stop users with malicious intent, it can help others recognise and report suspicious behaviour.
Here are key things your users should know about this critical topic:
- Think before you act. While taking the shortest path can sometimes make your job—or your colleagues’ jobs—easier, it can also create risk. (For example: Don’t share account credentials or transfer data to a USB device.)
- Stay up to date. Ensure you are aware of the organisation’s policies for data and system access and use. (For example: Use only apps and tools provided or sanctioned by the organisation’s IT department.)
- Report any suspicious behaviour to the security team. If you see behaviour by a colleague that doesn’t seem right—for example, the person asks to “borrow” credentials to access an app they aren’t authorised to use—they could be a malicious or compromised user.
Also, underscore to your users that they have a critical responsibility to help protect your organisation’s data. Embracing their front-line role and incorporating the simple but effective measures outlined above into their everyday practices can go a long way toward reducing and mitigating insider threats.
Resources to help improve your organisation’s cybersecurity all year round
We hope you have found this blog series on essential security awareness training topics helpful. For more security awareness information and resources, visit the Proofpoint Cybersecurity Awareness Hub.
Also, consider supporting your organisation’s insider risk management efforts with the Proofpoint Insider Threat Management (ITM) solution. It protects against data loss and brand damage whether users are malicious, negligent or compromised. Proofpoint ITM takes a people-centric approach to protecting sensitive data from insider threats and data loss with rich context that integrates user activities, content and threats. Learn more about Proofpoint ITM here.