You know the legend: an innocent babysitter is bombarded with menacing nighttime phone calls while on a job. Eventually, she reports the calls to the police, who tell her that the calls are coming from inside the house.
This, in a nutshell, is the threat of insider risks. Most people are aware that there are bad actors in the world of cyber security: hackers, operating either on their own or sometimes on behalf of nation states, who try to break into systems from the outside to steal data or otherwise cause damage. But the paranoia-inducing thing about insider risks is that the biggest challenge organizations face isn’t so much bad actors on the outside as insider threats operating from within.
Without the proper insider threat management measures, the results can be devastating. It’s why organizations need to ramp up their security focus to help ward off these threats before they strike.
The three types of insider threats
Broadly speaking, there are three types of insider threats. The first is the malicious insider who intentionally and knowingly abuses their insider status to steal valuable data or cause harm. This could be for any number of reasons an employee or trusted insider could turn on their employer – perhaps because they bear a grudge over being passed over for a promotion, they’ve been fired (but not yet stripped of their access), or they see the opportunity to make money by selling out secrets.
For example, in 2017 a Bupa employee used the healthcare company’s in-house CRM system to access customer information, copy it, and then attempt to sell it online via the Dark Web. Almost 550,000 customers were affected by the breach, which resulted in Bupa being fined more than $230,000.
The second type of insider threat is the negligent insider. Scarily enough, these aren’t bad actors who have somehow snuck into a company and are operating maliciously from behind the scenes; they’re just ordinary employees who have made a terrible mistake. That could be accidentally attaching proprietary information to an email which is then sent to the wrong person, or being tricked by a phishing attempt. For instance, they might be sent an email purporting to be from their boss asking them to forward information for an urgent meeting, or a message from HR asking them to log into a web portal to rectify a pay issue – but which, in both cases, is actually an attacker faking the messages.
The third and final type of insider threat is a blend of the inside and outside threat: the external cybercriminal who manages to bypass whatever perimeter controls are in place and then operates through a compromised, but otherwise valid, account.
Zero trust
Insider risks are only going to become more of a challenge. With a globally distributed workforce, largely due to the repercussions of the coronavirus pandemic, there is more reliance than ever on cloud-based systems in which information can be accessed from anywhere.
Companies must step up when it comes to managing insider risks with identity-based security. Identity-based security methodologies use strong user authentication and access control to manage access to corporate assets.
This approach entails what is known as “zero trust” methodology, in which it is assumed that any device or user, whether inside or outside the perimeter of a network, is a potential threat. It means constant identity verification, and granting users access to assets based on strict access controls in which no one has access to more than they need to perform their job. (Meaning that a person who makes backups as part of their role may not also need to be able to install new software packages.)
A security-focused company culture
Developing an identity-focused security policy can mean rethinking internal security practices. Multifactor authentication (MFA), privileged access reviews, smart analytics tools that monitor the characteristics of individual users, device identification, and more, are all measures that organizations must put in place. In some instances, you may be able to implement these changes yourself. In others, it may be necessary to bring on board cyber security experts to help.
As noted, the risks associated with these attacks and threats are becoming more pronounced all the time. Establishing a company culture that’s focused on security is a great way of getting ahead of potential looming threats – while also imbuing these concerns in your employees, which can result in positive behavioral changes on their part.
Be proactive about making these changes, and your organization will reap the rewards. Do the opposite and, well, frankly that’s an option too potentially disastrous to think about.