The last few years have wrought a maelstrom of change in the modern workplace. Remote and hybrid work, a widespread embrace of the cloud, and increased employee turnover have made safeguarding data more challenging than ever. It’s no wonder that insider threats jumped 44% in 2022.
According to the 2022 Voice of the CISO report, many cybersecurity leaders consider a proactive stance toward insider threats to be essential. After all, no business is immune to insider risk. In fact, insider threats are the top security concern for chief information security officers (CISOs) globally. More than a third of the CISOs surveyed said addressing insider threats is a top priority for their IT department over the next two years.
About this series
Today’s cyber threats rely on human interaction, not just technical exploits. In fact, research for Verizon’s 2022 Data Breach Investigations Report found that 82% of data breaches involve the human element. As the report states, this reality “puts the person square in the center of the security estate.” Attackers use social engineering to trick people into clicking unsafe URLs, opening malicious attachments, entering their credentials, sending sensitive data, transferring funds and more.
This is the final post in our six-part blog series covering topics that all organizations should address in the security awareness training they provide to their users. The topics we have explored in this series are:
2. Phishing
3. Business email compromise (BEC)
4. Social media
5. Ransomware
6. Insider risk
We encourage you to check out the five previous installments in this series. While our coverage of these topics was inspired by Cybersecurity Awareness Month in October, the information presented in this series can be useful to your organization at any time of year.
What is insider risk?
An insider is a person who has some type of working relationship with an organization. Because of their role and privileges, they have (or once had) authorized access to critical data and systems. An insider might be a current or former employee, contractor or business partner who might meet all or some of these criteria:
- They have computer or network access supplied by the company.
- They develop products and services for the organization.
- They know about the organization’s future strategy.
- The have access to protected information.
In short, an insider is someone who is in a position of trust. Clearly, these users pose a threat when they act with malicious intent and knowingly use their trusted position for personal gain or benefit. What might not be as obvious is that users who accidently misuse or mishandle their access can cause just as much harm. The same goes for users whose insider access is compromised and exploited by an outside attacker.
The terms ‘insider risk’ and ‘insider threat’ are sometimes used interchangeably but they are not the same. Insider threats is a subset of insider risk: all insiders pose risk to an organization given their access to an organization’s data and systems. However, not all insiders will become an insider threat. This is an important distinction that requires a strategic and tactical approach to manage effectively.
Types of insider threats
Here’s a closer look at the three key types of insider threats:
- Careless. A careless insider is a well-intentioned user who makes poor decisions that can result in the exposure or theft of valuable data. Examples include downloading files to a USB storage device or inadvertently sharing sensitive data externally (such as a customer’s credit card information). Careless users account for 56% of insider incidents.
- Malicious. These insiders are motivated by personal gain and seek to harm to the organization. Examples include exfiltrating financial data or trade secrets or destroying sensitive information. Ponemon’s research on insider threats found that malicious insiders account for more than a quarter (26%) of all insider incidents.
- Compromised. Compromised users are often Very Attacked People™ (VAPs) with privileged access to information. In other words, they have credentials and access that could give threat actors access to a company’s critical systems and data. Attackers use social engineering techniques such as phishing to steal those credentials. About 18% of insider incidents this year have involved stolen credentials.
Insider threat activities
The threat from a careless user stems from:
- Human error. This can include anything from server misconfigurations to sharing a file more widely than necessary.
- Bad judgment. This can include taking shortcuts that unintentionally put the organization at risk, such as moving a file to a USB drive or personal file-storage account.
Threats stemming from malicious users might include:
- Sabotage: The malicious insider seeks to damage company systems or destroy data.
- Fraud: The insider with malicious intent steals or alters data to create deception with an aim to disrupt the company or benefit financially.
- Intellectual property (IP) theft: Any proprietary information that is valuable to an organization can be considered IP. Malicious insiders steal IP for their own financial gain or to cause long-term damage to the company, monetary or otherwise.
- Espionage: When a malicious insider steals sensitive trade secrets, files and data from an organization and then sells that information to the company’s competitors or even state-sponsored threat actors, they are engaging in espionage.
Finally, insider threats from compromised users typically stem from one or more of the following:
- Stolen credentials
- Phishing
- Malware
- Unintentional aiding and abetting through social engineering attacks
Tips for end users
Organizations should help employees avoid being part of the insider threat problem. This learning process starts with building their knowledge about careless behavior and the potential for malicious insider activity. And while security awareness won’t stop users with malicious intent, it can help others recognize and report suspicious behavior.
Here are key things your users should know about this critical topic:
- Think before you act. While taking the shortest path can sometimes make your job—or your colleagues’ jobs—easier, it can also create risk. (For example: Don’t share account credentials or transfer data to a USB device.)
- Stay up to date. Ensure you are aware of the organization’s policies for data and system access and use. (For example: Use only apps and tools provided or sanctioned by the organization’s IT department.)
- Report any suspicious behavior to the security team. If you see behavior by a colleague that doesn’t seem right—for example, the person asks to “borrow” credentials to access an app they aren’t authorized to use—they could be a malicious or compromised user.
Also, underscore to your users that they have a critical responsibility to help protect your organization’s data. Embrace their front-line role and incorporating the simple but effective measures outlined above into their everyday practices, can go a long way toward reducing and mitigating insider threats.
Resources to help improve your organization’s cybersecurity all year-round
We hope you have found this blog series on essential security awareness training topics helpful. For more security awareness information and resources, visit the Proofpoint Cybersecurity Awareness Hub.
Also, consider supporting your organization’s insider risk management efforts with the Proofpoint Insider Threat Management (ITM) solution. It protects against data loss and brand damage whether users are malicious, negligent or compromised. Proofpoint ITM takes a people-centric approach to protecting sensitive data from insider threats and data loss with rich context that integrates user activities, content and threats. Learn more about Proofpoint ITM here.