With remote and hybrid work models showing signs of permanence, the need for a strong insider threat management (ITM) program is increasing. Yet, many organizations continue to focus on defending against external threats rather than threats that come from within—a choice that can potentially hurt their bottom line. According to research from Ponemon Institute, the average cost of insider threats is $11.45 million, an increase of 31% in two years.
Remote work and a focus on the perimeter together leave weaknesses at the level of individual employees and of the organization as a whole, and that combination can create the perfect storm. But it's not all doom and gloom: these weaknesses can be minimized by avoiding a few common mistakes in how insider threat risk is handled.
Here are the top four security missteps that often make employees (and companies) more vulnerable to insider threats, and what you can do to mitigate the insider threat risk for your organization:
1. Minimal employee cybersecurity training
Not all insider threats are the result of malicious employee activity; sometimes, employees make honest mistakes. In fact, negligent or careless insiders account for 62% of insider incidents, according to Ponemon. This could come from actions as seemingly innocuous as copying sensitive documents to a thumb drive or emailing company documents to a personal account to finish work at home.
With the rise of remote and hybrid work arrangements, this kind of behavior has become even more common. Companies increasingly rely on collaboration tools, yet many have no established protocols for employees who work in dispersed teams, and the same gap extends to external vendors who use the same tools for everyday communication. Without guidance on what constitutes safe and proper behavior, employees might not even realize when they're putting the company at risk.
Preventing careless insider threats
Cybersecurity training is often an afterthought, delivered rarely and without any regularity. To mitigate insider threat risk, tailor employee cybersecurity training to the risky behaviors you actually observe. Better still, build alerts into the tools you already have so that a user is notified at the moment a careless action happens (for example, when a file is copied to a thumb drive): the user sees exactly which action triggered the alert and why, and you can correct the behavior immediately instead of weeks later in a training session.
For other risks seen repeatedly within business units, increased (or more frequent) cybersecurity and compliance training around email and cloud-based collaboration best practices or general security reminders will help prevent careless insider threats.
2. Not accounting for external stressors
Changes to the way we work today certainly make it more challenging to spot the warning signs of potentially malicious activity. It was once considered highly suspicious if an employee was accessing data at odd hours or from a different location, but now it’s the norm.
Also, with a work-from-anywhere workforce, it’s become easier for many companies to overlook various external stressors that could inspire malicious insider behavior. These stressors include:
- Money emergencies: An employee could be convinced to act maliciously when experiencing financial distress.
- Revenge: A disgruntled employee could leak data to retaliate against the company. This could happen as a result of mistreatment within a team, a work conflict, or a furlough, layoff or firing.
- Privilege: An employee might think they deserve to own and control data, especially if they played a major role in obtaining or creating the data.
- Opposing values: An employee with religious or political beliefs that are counter to the company’s values could feel justified in leaking data.
- Third-party recruitment: Criminal organizations or foreign espionage agencies may recruit insiders, with the aim of system misuse, fraud or financial gain.
Detecting malicious insiders
With a dispersed workforce, it can be harder for cybersecurity teams to learn about disgruntled employees, poor performance reviews, or personal circumstances that might lead an employee to act maliciously. Neglecting the human component of data loss leaves your team reacting to incidents instead of anticipating them.
To mitigate the potential risks, ensure there’s greater collaboration and consistent communication between team leaders (including human resources, legal, privacy and compliance) and cybersecurity personnel, especially if an employee expresses strong disagreement or disregard for company policies. The more educated your business unit leaders are about the signs that typically precede data theft and insider threats, the more they can help to inform your security team.
To that point, your security team should also be continuously correlating what users do with the data they touch. Combined with knowledge of possible trigger points (a resignation, a layoff, a dispute), that correlation lets the team prioritize the data movement that matters and proactively uncover privilege abuse and potential data loss before it becomes an incident.
3. Incomplete or ineffective processes
As mentioned earlier, the average cost of insider threats is a staggering $11.45 million. But this figure rises sharply when an organization lacks an effective process for addressing insider threats in a timely fashion. While the average time to contain an incident is 77 days, according to Ponemon, 35% of organizations took more than 90 days, and for those organizations the average cost rose to $13.71 million.
Without a streamlined process in place, your team could spend hours trying to determine whether a potential threat even requires follow-up. That was the case for Certified Collateral Corporation (CCC), whose security team took six to seven hours to assess each potential threat.
Improve your mean response time
When insider threats occur, it's essential to reduce your mean time to respond (MTTR). CCC, from the example above, cut the time spent on initial investigations from six to seven hours to between 10 and 15 minutes using the Proofpoint Insider Threat Management (ITM) solution.
The most effective ITM programs include cross-departmental engagement, which means not everyone will have the experience to understand the IT team’s jargon or analysis. Using a platform that can highlight relevant evidence in easy-to-understand reports makes sharing evidence easier for decision-making purposes.
4. Lack of a modern approach to DLP
There are more ways organizations can suffer a data loss incident now than ever before, especially when you consider the burgeoning gig economy that requires more company outsiders to have access to more sensitive company information.
Data loss prevention (DLP) programs that companies originally deployed to satisfy compliance requirements typically create too much friction for digitally native employees. Employees then find workarounds (emailing files home, copying them to a thumb drive) that unintentionally widen the attack surface, defeating the purpose of deploying DLP in the first place.
Update your DLP approach
Push your team to move away from the traditional approach to DLP. After all, data doesn't move itself; people move data. A modern approach to endpoint DLP is people-centric: it decides how to detect, prevent and respond to an insider threat incident from two factors taken together, how risky the user is and how sensitive the data is.
Gaining real-time visibility into the context around data movement can help security teams more effectively identify risky data movement. It enables more effective prevention and resolution efforts to stop data loss incidents before they can cause significant financial or brand damage to an organization.
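The decision the last three sections describe (a just-in-time alert when a careless action happens, correlation of user activity and data interaction with known trigger points, and a people-centric DLP verdict that weighs user risk together with data sensitivity) can be made concrete with a small scoring routine. The following Python is an added example written for this page; it is not Proofpoint's code and not the logic of the ITM product. The event schema, the HR signal labels, the classification table, the destination weights and the action thresholds are all assumptions, and the events are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# --- Constructed inputs: hypothetical schema and sample data, not real telemetry ---

# Trigger points that HR or team leaders share with the security team (hypothetical labels).
HR_SIGNALS: dict[str, set[str]] = {
    "jdoe": {"resignation_notice"},
    "asmith": {"poor_review"},
}

# Data classification by path prefix; higher is more sensitive (hypothetical scheme).
SENSITIVITY: dict[str, int] = {
    "/shares/finance/": 3,
    "/shares/hr/": 3,
    "/shares/eng/src/": 2,
    "/shares/marketing/": 1,
}

# How much control the organization loses when data goes to each destination.
DESTINATION_RISK: dict[str, int] = {
    "corp_share": 0,
    "corp_email": 0,
    "usb_removable": 2,
    "personal_webmail": 3,
    "personal_cloud": 3,
}

@dataclass(frozen=True)
class Event:
    ts: str           # local time, ISO 8601
    user: str
    action: str       # "copy" | "email" | "upload"
    path: str
    destination: str  # key into DESTINATION_RISK
    size_bytes: int

# Constructed endpoint events.
EVENTS = [
    Event("2023-03-14T22:10:00", "jdoe", "copy", "/shares/finance/q1-forecast.xlsx", "usb_removable", 4_200_000),
    Event("2023-03-14T09:15:00", "bchen", "copy", "/shares/marketing/brand-deck.pptx", "usb_removable", 18_000_000),
    Event("2023-03-14T18:40:00", "asmith", "email", "/shares/hr/payroll-2023.csv", "personal_webmail", 900_000),
    Event("2023-03-14T11:00:00", "bchen", "email", "/shares/eng/src/release-notes.md", "corp_email", 20_000),
    Event("2023-03-14T14:05:00", "bchen", "copy", "/shares/eng/src/auth/token.py", "usb_removable", 15_000),
]

def data_sensitivity(path: str) -> int:
    """Longest matching classification prefix wins; unclassified paths score 0."""
    match = max((p for p in SENSITIVITY if path.startswith(p)), key=len, default=None)
    return SENSITIVITY[match] if match else 0

def user_risk(user: str, ts: str) -> tuple[int, list[str]]:
    """The people-centric half: who is moving the data, and does a known trigger point apply?"""
    score, reasons = 0, []
    signals = HR_SIGNALS.get(user, set())
    if "resignation_notice" in signals:
        score += 3
        reasons.append("user has given notice")
    if "poor_review" in signals:
        score += 2
        reasons.append("recent poor performance review")
    hour = datetime.fromisoformat(ts).hour
    if hour < 6 or hour >= 21:
        # Weighted low on purpose: with remote work, off-hours access is no longer unusual by itself.
        score += 1
        reasons.append("off-hours activity")
    return score, reasons

def score_event(ev: Event) -> dict:
    """Combine data sensitivity, destination and user context into one verdict."""
    sens = data_sensitivity(ev.path)
    dest = DESTINATION_RISK[ev.destination]
    u_score, reasons = user_risk(ev.user, ev.ts)
    # Sensitive data leaving the organization's control dominates (the product term);
    # user context then raises the priority of an otherwise borderline movement.
    score = sens * dest + u_score
    if sens:
        reasons.append(f"data sensitivity {sens}")
    if dest:
        reasons.append(f"destination {ev.destination} (risk {dest})")
    if score >= 8:
        action = "block_and_escalate"   # hand to the investigation workflow
    elif score >= 4:
        action = "notify_user"          # just-in-time coaching at the moment of the action
    else:
        action = "log"
    return {"user": ev.user, "path": ev.path, "score": score, "action": action, "reasons": reasons}

def triage(events: list[Event]) -> list[dict]:
    """Highest-risk events first, so an analyst sees what needs a decision now."""
    return sorted((score_event(e) for e in events), key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for r in triage(EVENTS):
        print(f'{r["score"]:>2} {r["action"]:<18} {r["user"]:<7} {r["path"]}  <- {"; ".join(r["reasons"])}')
```

Two things the scores show that the prose alone does not. First, the same careless action, copying engineering source to a thumb drive, earns a just-in-time notice for any user, while the finance file copied at night by the employee who has given notice lands in the investigation queue: user context is what separates coaching from escalation. Second, the HR signals are exactly the cross-department communication section 2 asks for; without them the payroll export to personal webmail would still be caught by the data and destination terms, but the departing employee's activity would look like any other. The weights and thresholds are illustrative and must be tuned against your own false-positive rate, because noisy notifications erode user trust in the same way heavy-handed DLP does.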
By better understanding where your vulnerabilities are among your employees and within your internal company processes, you can take steps to prevent data loss and insider threat risk. Giving yourself greater visibility into early indicators that may trigger an insider threat incident will allow you to address vulnerabilities and mitigate the risks associated with insider threats more effectively.
Do you recognize the value of an ITM program but wonder how it could impact your bottom line? Learn more about the business case to implement an ITM program.