The evolution of the cyber threat landscape is a constant reminder that organizations need a robust cybersecurity strategy. Organizations that handle highly sensitive data are at a disadvantage when it comes to identifying, detecting, and responding to attacks, especially if their current security infrastructure has gaps or their programs lack the latest foundational measures. According to a 2020 study, most organizations are only able to detect insider threats after the “act” occurs, such as the exposure of information or the exfiltration of data. How has the insider threat changed over time, what are the risk factors security teams need to look out for, and what can CISOs do to mitigate the risk and close this lingering security gap?
Threat Origins
The first known case of insider threat in business was documented in 1792, when William Duer was named the Assistant Secretary of the U.S. Treasury. Duer had access to trading information, which led to the first insider trading incident in the United States. Duer was a trusted employee with access to sensitive information, which he used in nefarious ways for great financial gain.
The types of insider threats have changed over time since that first incident, with many organizations focused purely on the malicious insider. Historically, organizations have characterized insider threats as one of three types:
- Malicious Insider: an insider who intentionally steals intellectual property or otherwise acts against the organization
- Negligent Insider: a user who commits unintentional or accidental acts that put the organization at risk
- Third Parties / Attackers: third parties, like contractors who have legitimate access, or external attackers who become insiders by compromising credentials
Prior to 1990, insider threats were primarily characterized by physical theft and misuse, especially in classified and government systems and offices. These are the types of incidents that became movie plots: espionage and theft of classified data throughout the 1980s by government employees and contractors, which in turn prompted one of the most significant government studies of espionage. In 1985, Project Slammer was created to better understand the behavior behind espionage carried out by American spies.
Examining Behaviors
Project Slammer found that individuals saw circumventing security safeguards and procedures as a “victimless” crime and a necessary part of their espionage activity. In cases of negligent insiders, data suggests that some individuals choose to circumvent security controls or policy because they see those controls as a hindrance to getting their job done.
The ability to perpetrate insider threat actions has become easier and more significant due to the Internet and the innate functionality of technology. The Internet has increased the outside attacker’s ability to gain credentials, whether by phishing users or through other web-based attacks. Relying on the Internet, websites, and the collaboration between services that is necessary to conduct business has also brought more negligent insider actions to light. For example, a user might misconfigure an API, and that programming misconfiguration then causes a security incident by leaking data to the wrong parties.
The Complexity of Insider Risk
As organizations face more incidents related to insider threats, the types of insider threat have been further examined, reviewed, and identified. The sheer size of the problem has grown exponentially, and both as an industry and as individual organizations we need to do our part to address it. A recent Ponemon study reports that insider threats have continued to rise over the last two years by 44 percent, with a single incident costing an average of more than $15 million.
The likelihood of risky behavior has increased with the complexity and scale of malicious attacks targeting individuals over the Internet, along with the ever-changing environments we work in. IT complexity, OT/manufacturing, cloud infrastructures, SaaS, the Internet of Things (IoT), and so on have made insider threat an evolving risk to organizations.
New Insider Threat Classifications
Over time, organizations have further broken down the specific types of insider threats, depending on the organization, the type of industry, and other risk factors. The newer types of insider threats include the following:
- Bad Leavers / Departing Employees – The largest reason organizations lose intellectual property is intentional or unintentional employee departures.
- Security Evaders – Normally categorized under negligent insiders, these employees utilize workarounds and other measures to evade security policy and controls.
- Inside Conspirators – This type is less common and includes employees who are pressured to act on behalf of an external organization (criminal, competitor, etc.) through blackmail or other threatening behavior.
- Third-Party – If someone is not on your payroll, it doesn’t mean they aren’t a threat. Many organizations utilize third-party services for some if not all of their organization’s needs and their employees often have access to confidential data.
A well-balanced insider threat program is essential, and it cannot rely solely on technology. The program must combine technology with the people and processes that address this growing issue for organizations. Users are still the first line of defense. Identify and understand the riskiest users. Take action, reduce insider risk, and stop the next incident.