Insider Threats: Why These Cybersecurity Incidents Continue to Grow

With the rising threat of ransomware and other attacks that originate from outside organizations’ networks, it’s easy to forget the damage that an insider threat—whether it’s employee carelessness or something more malicious—can cause in both money and resources.

Two recent reports on insider threats detail how these incidents have changed over the past two years, especially in the wake of COVID-19, and how other issues such as work-from-home, greater reliance on cloud-based applications, and the Great Resignation have added to these concerns.

Earlier this month, MITRE, the U.S. government-backed research agency, and security firm DTEX released an extensive study about insider threats, which examined about 4,500 of these incidents across a wide variety of global enterprises over the past year.

The results showed a 72 percent increase in actionable insider threat incidents between 2020 and 2021, with most of these (42 percent) involving IP or data theft. The industries that most frequently succumb to insider threats include technology, critical infrastructure and government agencies, according to the report.

MITRE and DTEX also found that while 100 percent of employees or users constitute an “insider risk,” only about 1 percent of these make up an “insider threat” with malicious intent. The study also warns about the rise of the so-called “super malicious threat,” which the researchers define as “a malicious insider threat with superior technical skills and in-depth knowledge of common insider threat detection techniques.”

Another study, this one conducted by security firm Proofpoint and the Ponemon Institute, concluded that organizations that sustained an insider threat incident spent $15.4 million on average to help remediate these incidents. It also took 85 days to resolve most of these threats. The results are based on questions sent to more than 1,000 IT and security practitioners across North America, Europe, the Middle East, Africa and the Asia-Pacific region.

Overall, the number of insider threat incidents increased 44 percent over the past two years, and while some of this is related to the global pandemic and the shift to remote work, researchers found other factors that have contributed to these numbers, said Ryan Kalember, executive vice president for cybersecurity strategy at Proofpoint.

“While we can’t attribute the overall rise in insider threats to a single factor, the shift to work-from-anywhere and the Great Resignation have both exacerbated these risks,” Kalember told Dice. “There’s no doubt that a dispersed workforce creates a greater reliance on the cloud, a significantly larger attack surface, and a weakening in the visibility and effectiveness of legacy data loss controls. Plus, it’s easier than ever to share and expose large amounts of sensitive information—both carelessly and maliciously.”

An Ongoing Concern

While insider threats continue to grow, damaging organizations’ infrastructure and reputation, several observers noted that many of the sea changes over the past two years are likely to further accelerate these incidents in the months and years ahead.

The permanent move to remote and hybrid work, without attempting to address many of the underlying security issues that come with this shift, is likely to lead to greater damage from insider threats, whether malicious or accidental, said Hank Schless, senior manager for security solutions at Lookout.

“Remote work only adds to the difficulties that organizations face when they’re trying to gain visibility into how their users access, handle and manage corporate data,” Schless told Dice. “The forced introduction of unmanaged smartphones, tablets, laptops and PCs meant that many organizations lost control of data and couldn’t ensure that those devices were free of any malware when handling sensitive data. In addition, without the right tools in place, there was no way to ensure that data was being secured or handled properly once it got to the unmanaged device.”

Archie Agarwal, founder and CEO at security firm ThreatModeler, agreed that many of the security challenges that come with remote work are still not fully addressed—leaving the door open to insider threats as well as other attacks.

“When an organization’s business practices change—such as sending workers home from the office—the hard-fought security controls implemented may no longer be in play. Put simply: the threat model changes,” Agarwal told Dice. “When this occurs, organizations should re-evaluate who can access their systems, from where that access occurs, and what possible opportunities for misuse or abuse have opened up. The key is for organizations to detect that business practices have changed and have an easy way to triage their impact.”

And while the Great Resignation could affect the number of insider threats that organizations sustain, not everyone is convinced this is a long-term security trend.

“I would caution against leaping to conclude that the Great Resignation materially increases insider threats,” said Rick Holland, CISO and vice president for strategy at Digital Shadows. “Employees are certainly exhausted and burned out, but that doesn’t mean they are going to ‘break bad.’ A recent example that counters the increased insider threat narrative is the failed 2020 Tesla ransomware plot where an ethical employee turned down a payout and reported the solicitation to leadership.”

Changing Tactics and Skills

And while insider threats are on the increase for many reasons, there are ways that organizations can reorder their security and IT plans to help mitigate these incidents. Holland noted that countering insider threats should be part of any organization’s overall cybersecurity plan, one that focuses on investing in and developing resilient systems.

“Defenders need to have accidental and malicious insiders built into their threat models,” Holland told Dice. “Enterprises need resilient security programs that are effective against all threats, including external actors, accidental insider threats, and malicious insider threats. Many of the security controls you deploy to protect against external threats also protect against internal threats. For example, actors compromise internal and privileged accounts, so robust security monitoring that detects malicious identity activity protects against all threats.”

Lookout’s Schless added that, while the cloud has enabled remote work, security programs need to focus on protecting the systems that support these apps, as well as ways to monitor who has access to the data that SaaS applications store.

“Insiders often have access to far more resources than they need to get their job done, which is why attackers have focused so much on phishing employee credentials to kick off their attacks. Broad access to the infrastructure also means that a disgruntled employee can cause major issues for their organization if they decide to go rogue,” Schless said. “Modern data-loss prevention solutions can monitor data usage regardless of where it is in the infrastructure or whether it’s at rest or in motion. Combining that with user and entity behavior analytics—UEBA—as part of a greater cloud access security broker—CASB—solution is the best way to prevent insider threats from compromising your data.”

Another way for organizations to counter the tide of insider threats is to build up a skilled workforce within the security operations center (SOC) to better detect and deter suspicious behavior, said Jasmine Henry, field security director at JupiterOne.

“Organizations may need to augment their SOC talent with hiring to add new individuals with skill and knowledge of insider threat detection,” Henry told Dice. “However, organizations also need to consider how they can enhance existing skills and create cross-functional efforts to mitigate insider risk. Ideally, security specialists would work closely with HR, legal and executives to be more proactive about insider threats with numerous initiatives to reduce risk, from employee engagement efforts to better privileged access management capabilities.”