Insider threats are on the rise and continue to affect organisations. These threats result in data loss, monetary damage, reputational issues, and more. According to a recent study from The Ponemon Institute, insider threat trends show the number of incidents has increased by a whopping 47 percent since 2018. These incidents cost organisations an average of $11.45 million a year.
Beyond cost alone, here are five reasons why newly emerging insider threats trends should be on every CISO’s radar.
1. Opportunities for insider attacks have increased
Insider threat incidents have risen for three primary reasons: increased opportunity, dedicated focus, and improved detection. Old-school data exfiltration methods such as the use of personal email on corporate systems and physical media (think USB drives, CDs, and DVDs) still prevail. But, cloud sharing platforms have transformed insider data theft. They give malicious insiders nearly limitless cloud storage to move data outside of protected environments.
The good news is that while opportunities for insider attacks have increased, so have measures to mitigate them. More organisations are recognising insider threat risks and have built dedicated insider threat programs for incident detection and response. In addition, new, dedicated insider threat management tools have arisen in response to these people-centric threats.
2. The attack surface for insider threats is wider
Insiders are people who have access to sensitive data and systems. This can include employees, contractors, suppliers and vendors. Insider incidents typically occur in three forms: careless or accidental insiders, compromised accounts or malicious insiders. The more people with access to sensitive information, the less an organisation can control. As a result, the attack surface for insider threats increases (whether they’re accidental or malicious).
Each of these types of insiders is difficult to detect because they are using seemingly legitimate user credentials. Detecting these threats requires focused effort and technology that can detect unusual or malicious user activity.
3. Malicious insiders have many motives
While there are many motives for insider threats, financial gain is the primary reason.[1] Insiders can monetise their access to sensitive data like PII, PHI, PCI, or intellectual property. Beyond financial gain alone, other motives include:
- Personal gain: For example, taking intellectual property or customer data to a new employer. Some insiders act because they feel entitled to information related to work they’ve done for their employer.
- External influences: Influences like nation-states (think corporate espionage) or personal beliefs (political or religious) may motivate insiders to act.
- Emotions: Angry or disgruntled insiders may sabotage systems or data to get revenge on an employer, manager, or coworkers. Or, some insiders may snoop on executives, coworkers, or customers in order to leak or “dox” that information externally.
4. COVID-19 has changed the threat landscape
The pandemic has impacted workers globally in different ways. Many people are under stress due to the fear of getting sick, the potential impact to employment, and their financial futures. These stressors are reasons why insiders may act maliciously.
As a result, COVID-19 has changed the threat landscape for organisations. The rapid move to work-from-home for many workers has challenged organisations to employ the same security controls they use when employees are attached to corporate networks. Some behavioural monitoring tools became virtually useless because employee behaviour changed drastically, throwing their models off. Users may not be as careful with data when working remotely and can be distracted, leading them to make poor security decisions.
What’s more, many external attackers are using COVID-19 as a lure to sending phishing emails to users to steal credentials. Distracted users are more vulnerable to these types of social engineering attacks.
5. Context is needed, but not easy to get
Insider threat is a people problem. Most security programs are geared towards stopping external actors using a variety of technical controls and detection tools. Insider threat trends show that insiders are different because they look mostly like normal users and have different motivations.
The most important thing for CISOs to consider with insiders is the context in which the insider is acting. A people-centric security solution that monitors a combination of user activity, data activity, and threat context is most effective in detecting and responding to unusual or malicious activity. Insider threat management platforms can also be used to gather evidence during an investigation. This evidence may be used to support corrective action against an employee or in litigation.
Want to learn more about insider threats from Joseph Blankenship Vice President and Research Director at Forrester?
Listen to the Forrester Webinar on The New Realities of Insider Threats and Work from Home today