Are insider threats the biggest cyber security danger?
1st February 2019
What are insider threats?
Cyber security breaches caused by malware, hacking, distributed denial of service (DDoS) and ransomware are reported daily. They often appear to be more frequent and damaging than breaches caused by the insider threat: the people who work for the organisation itself.
Many cyber security threats will come from the accidental or malicious involvement of members of staff or related stakeholders. The threat will also come from guests and third-party contractors who are given access to the IT system to complete their assignments. Outside of any criminal intent, employees are inadvertently causing corporate data breaches and leaks on a regular basis.
Credentials disclosed through phishing, direct theft, or even carelessness when using a BYOD (bring your own device) machine can all lead to malware infecting an IT system. Hackers work hard to use sophisticated social engineering techniques to trick unwary users.
How big is the problem?
The CA Insider Threat 2018 Report details the results of a survey designed to uncover the latest trends and challenges regarding insider threats. It also identifies solutions to prevent or mitigate insider attacks. One of the largest of its kind, the survey canvassed the views of 5,000 IT professionals working in organisations worldwide. Ninety per cent of respondents confirmed they were vulnerable to insider attacks. The key risk factors identified included too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the growing complexity of IT systems (35%). Just over half confirmed their organisation had experienced an insider attack in the previous 12 months.
While actual costs of a major security incident are not easy to determine, the most common estimate was in the range of $100,000 to $500,000 per successful insider attack. Twenty-four per cent of those surveyed expected damages to exceed $500,000.
Who are the risky insiders?
Security professionals have a unique responsibility to detect, counter and mitigate the impact of cyber attacks. The job becomes increasingly challenging when threats come from trusted and authorised users within the organisation. It is often difficult to determine whether users are simply performing their job function or doing something illegal or unethical.
The CA Insider Threat 2018 Report identified the following risky insiders:
- Regular employees
- Privileged IT users/admins
- Senior directors and executives
- Onsite contractors and temporary workers
- External service providers with internal access
- Customers and visiting guests
Phishing remains the number one attack
Cybersecurity experts agree that email phishing attempts are the biggest threat for accidental insider vulnerabilities. Phishing attacks trick employees into sharing sensitive company information by posing as a legitimate business or trusted contact. Email attacks often contain malware attachments or hyperlinks to compromised websites. Other insider threat attacks are related to weak or reused passwords, unlocked devices and unsecured WiFi networks.
Preventing and mitigating insider cyber attacks
Insider data threats present another layer of complexity for IT professionals to manage, requiring careful planning with regards to access controls, user permissions and monitoring user actions.
The most popular technologies used to counter insider threats are Data Loss Prevention (DLP), encryption, and identity and access management solutions. To detect active insider threats more effectively, companies are also deploying Intrusion Detection and Prevention systems (IDS/IPS), log management and SIEM platforms.
These technologies tend to focus on detection, deterrence and post-breach forensics. The CA Insider Threat 2018 Report confirms a growing trend toward continual behavioural monitoring of user activity and of their access to sensitive data sources. Many organisations employ endpoint detection and response (EDR) systems which are monitored by their internal IT team or an outsourced security operations centre (SOC).
Identification of high-risk insiders is a crucial part of a threat prevention strategy. One way to identify these individuals is to profile their behaviour and work patterns. Hostility toward other employees, late or missing assignments, work outside normal working hours, and declining performance are just some of the behavioural indicators. Insider threat management systems from vendors such as ObserveIT and Ekran provide fully integrated solutions that include threat detection, incident investigation, blocking policies, monitoring of privileged users and compliance with standards.
The increasing volume and complexity of insider threats have caused cybersecurity professionals to take more action and deploy User Behaviour Analytics (UBA) systems. UBA solutions establish patterns of normal human behaviour and then apply algorithms and statistical analysis to detect meaningful anomalies against those patterns. Big data platforms like Apache Hadoop extend UBA capability by allowing analysts to process petabytes of data to identify insider threats and advanced persistent threats.
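The UBA approach described above, as an added example written for this page (not code from the article or from any vendor product): a per-user behavioural baseline built from constructed access-log events, then checked for off-hours activity, a daily volume spike, and users with no history at all. The event format, the z-score threshold and the sample data are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real data): (ISO timestamp, user, sensitive resource).
# Baseline fortnight: alice opens two or three finance files each weekday between 09:00 and 17:00.
BASELINE = [
    (f"2019-01-{day:02d}T{hour:02d}:15:00", "alice", f"/finance/report-{i}.xlsx")
    for day in (7, 8, 9, 10, 11, 14, 15, 16, 17, 18)
    for i, hour in enumerate((9, 12, 17)[: 2 + day % 2])
]
# Observed week: an ordinary day, a contractor with no history, then a late-night bulk pull.
OBSERVED = [
    ("2019-01-21T10:05:00", "alice", "/finance/report-0.xlsx"),
    ("2019-01-21T15:40:00", "alice", "/finance/report-1.xlsx"),
    ("2019-01-21T11:20:00", "bob-contractor", "/finance/report-0.xlsx"),
] + [(f"2019-01-22T23:{m:02d}:00", "alice", f"/finance/report-{m}.xlsx") for m in range(30)]

def build_baseline(events):
    """Per user: usual active hour range plus mean/std-dev of daily access count."""
    hours, daily = defaultdict(list), Counter()
    for ts, user, _ in events:
        hours[user].append(datetime.fromisoformat(ts).hour)
        daily[(user, ts[:10])] += 1
    per_day = defaultdict(list)
    for (user, _), n in daily.items():
        per_day[user].append(n)
    return {u: {"hours": (min(h), max(h)), "mean": mean(per_day[u]), "std": pstdev(per_day[u])}
            for u, h in hours.items()}

def detect_anomalies(baseline, events, z_threshold=3.0):
    """Return (user, date, reason) for days that deviate from the user's own baseline."""
    per_day = defaultdict(list)  # (user, date) -> hour of each access that day
    for ts, user, _ in events:
        per_day[(user, ts[:10])].append(datetime.fromisoformat(ts).hour)
    findings = []
    for (user, day), hours in per_day.items():
        prof = baseline.get(user)
        if prof is None:  # e.g. a contractor with no history cannot be baselined
            findings.append((user, day, "no behavioural baseline for user"))
            continue
        lo, hi = prof["hours"]
        odd = sorted(h for h in hours if not lo <= h <= hi)  # rule 1: outside usual hours
        if odd:
            findings.append((user, day, f"access at {odd[0]:02d}:00 outside usual hours {lo:02d}-{hi:02d}"))
        z = (len(hours) - prof["mean"]) / max(prof["std"], 1.0)  # rule 2: volume spike (std floored at 1)
        if z > z_threshold:
            findings.append((user, day, f"{len(hours)} accesses, z-score {z:.1f} vs mean {prof['mean']:.1f}"))
    return findings
```

The ordinary day produces no finding, which is the point of baselining per user rather than applying one global threshold; a real deployment would also need to handle shift workers and weekends, which this toy baseline ignores.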
CYBERSHIELD MDR-INSIDER is our fully managed service that combines cutting-edge technology, experienced security analysts and the latest global threat intelligence needed to educate, deter, block and investigate suspicious insider threat activity.
Functioning as your company’s cyber security operations centre (SOC), our leading insider threat detection and prevention service includes:
- Real-time user monitoring and surveillance
- Automated alerts based on a violation of Insider Threat Rules
- Notification and blocking of unauthorised access
- Reporting to support incident investigation and compliance