Insider Threats: How Co-Workers Became a Bigger Security Headache

One of the biggest security threats to your team might be the person working right beside you.

Insider threats, which can take the form of either malicious or careless employees, are not only an ongoing problem for many security and IT teams; they are also a costly one, as well. In a study released earlier this month by the security firm Proofpoint, IBM and the Ponemon Institute, researchers found that companies shelled out an average of $11.45 million in 2019 to clean up these incidents—a 31 percent increase from the $8.76 million firms spent on the issue in 2018.

The study, based on interviews with 1,000 IT and security executives from companies in the North America, Europe, Middle East, Africa and Asia-Pacific regions, finds that the number of insider threat incidents increased 47 percent between 2018 and 2019. Yikes.

Those IT and security professionals surveyed for the report also told researchers that about 60 percent of all insider threat incidents were caused by careless employees, while a small but still significant number (23 percent) were traced back to workers with malicious intentions.

Also of note: Those surveyed reported that it took, on average, about 77 days to clean up an insider security incident; however, the longer the recovery time, the more expensive the recovery became. By the 90-day mark, costs spike to over $13 million annually (on average).

“The lack of preparedness and sufficient tooling to identify and contain insider threats is evidenced by how long they take to clean up,” Mike McKee, executive vice president and general manager for insider threat management at Proofpoint, told Dice.

Multiple Fingers to Point

This report from Proofpoint, IBM and Ponemon reinforces other studies—including one from Verizon—that arrive at similar conclusions.

For instance, the Verizon report points out that 57 percent of data breaches in 2019 could be traced back to a careless or malicious insider, while 20 percent of all security incidents (as well as 15 percent of data breaches) were caused by misuse of privileges by workers or contractors. And these security lapses weren’t caused by executives, but rather by lower-level employees, with Verizon finding that 61 percent of insiders who caused a security issue did not have high-level access.

Why do these insider threats keep happening, and why are they getting progressively worse?

The answer, not surprisingly, is multifaceted. There’s the changing nature of work, the increasing reliance on contractors and third parties for services, and attackers and cybercriminals becoming much better at stealing credentials and brute-forcing their way into corporate networks.

“While the study did not cover the drivers behind increased frequency, our broader perspective is that the growth in insider-led cyber security incidents is driven by a range of issues, including more sophisticated external threats leading to compromised user accounts (i.e. credential thieves), a more connected workforce and increasing number of data exfiltration vectors, and continued growth in third-party contractors and shorter job tenures across industries,” McKee said.

Where many companies fall down is focusing too much on the movement of data around the corporate network, instead of gaining better visibility into how people work and how files move among individuals, McKee added.

“This is the only way to gain context-specific insights into the ‘how’ and ‘why’ of a user’s behavior that helps establish intent, anticipate activity and, when required, streamline the investigation process,” McKee said. “On the people front, it’s important to understand that your most valuable assets—your people, employees, contractors and  partners—can also become your greatest vulnerability if you don’t put sufficient protections in place.”

Reduce Security Risk

Despite increases in insider threats, there are several tech strategies that enterprises can deploy to help mitigate some of these security incidents, suggested Steve Durbin, the managing director of the Information Security Forum, a London-based cybersecurity and risk management firm. 

Durbin’s checklist includes security best practices and tech deployments, including:

  • Identity and access management solutions. 
  • Desktop solutions that enforce data classification, for example by encrypting confidential documents before emailing, or by preventing highly confidential documents to be emailed to external addresses. 
  • Data loss prevention (DLP).
  • Event logging and monitoring.
  • Remote wiping of mobile devices.

The Information Security Forum also offers a checklist for companies that includes ways to evaluate employees before they are hired, inducting new workers into a firm’s security practices, evaluating people as they develop and how to change their behavior, and finally how to remove someone who is a threat and revoke his or her privileges.

“All these actions can be supported by awareness and training,” Durbin told Dice. “The trust organizations are placing in insiders has grown with advances in information technology, increasing information risk and changing work environments. This trend will continue as the volume of information insiders can access, store and transmit continues to soar—and mobile working for multiple employers becomes the status quo.”