The proactive approach to insider threats

How to identify the risks and prepare

Insider threats were already on the rise, even before the COVID-19 outbreak placed a greater strain on corporate security.

Factors that motivate employees and other insiders to compromise an organization’s computer network – including fear, anxiety, anger, depression and financial troubles – have been exacerbated by the pandemic. The shift to working remotely created even more opportunities for security breaches due to malicious insider behavior and employee negligence, often resulting in unauthorized access or sharing of information from laptops, mobile phones, cloud storage and other technologies.

Organizations must be diligent in reducing insider threats during these challenging times by applying a proactive approach that considers the balance between security and privacy.

Increasing insider threats

Organizations need a more comprehensive effort to combat insider threats because of the dramatic increase in incidents. There has been a 47% jump in insider threats over the past two years, according to a study conducted by The Ponemon Institute, a leading security research organization.

The reasons for the steep rise range from increasingly emboldened insiders who are intent on committing theft, fraud and espionage, to negligent employees who enable accidental disclosures through weak passwords, phishing scams or compromised devices.

“Due to the COVID-19 situation, with many people working from home, the possibility rises relating to data leakage,” said Grant Thornton Cybersecurity and Privacy Principal Derek Han.

While hackers garner the most attention for cyberattacks, most insider threats are the result of employees, contractors and third parties letting their guard down. They fall into three categories:

  • Negligent
    62% of insider threat incidents are caused by negligent, hasty or unaware employees.
  • Compromised
    23% of insider threat incidents are the result of compromise, with stolen and sold insider credentials leading to identity theft and sabotage.
  • Malicious
    14% of all insider threat incidents are linked to insiders with criminal intent, whose motives stemmed from theft, fraud or espionage.

The exploitation of insider threats has been aided by a variety of tools, including encryption (which allows for anonymity), cryptocurrencies (which enable transactions to take place without being traced) and dark web trading sites. Remote workers can unwittingly add to the problem.

“There are quite a few vehicles for people to conceal their identity and either steal the information, sell the information or trade for information,” Han said. “Also, the information resides in the cloud. It’s information accessible from anywhere, and when the boundaries become blurry it’s easier for people to access the information.”

Understanding the indicators that could lead to insider threats can help organizations detect potential issues and prevent incidents before they occur.

Digital transformations are ubiquitous today, and the internet has allowed cyber attackers to steal valuable data from organizations more easily. Dark websites and the onion router (Tor) provide a platform to connect buyers and sellers online and to trade data. In addition to looking for ways to infiltrate systems, cyber criminals are increasingly looking for vulnerable insiders who will willingly give them what they need.

The human factor

While human behavior is the impetus for insider threats, most organizations rely on technology to detect and prevent attacks. The problem with that approach is that organizations typically react to an attack after it has occurred.

A fully developed insider threat program must be human-centric from the beginning. It must engage employees through training, transparency and communication. It must also leverage human behavior and analytics tools to identify possible human vulnerabilities and prevent a possible breach before it happens. It involves employees in the process.

“It’s a culture shift. It’s making people feel they’re involved in the organization,” Grant Thornton Risk Advisory Services Senior Manager Rohan Singla said. “It’s transforming employees from the weakest link to the strongest link in an organization.”

Establishing an insider threat program framework requires the involvement of the entire organization, beginning with the endorsement from the CEO. It includes input from IT, human resources, legal, and employee training and awareness.

By engaging employees to identify and help prevent insider threats, the organization develops a powerful ally. By also using technology and analytics to identify and predict potential human vulnerabilities, the organization has a more complete insider threat program.

Of course, an organization needs to strike a careful balance between encouraging employee participation and monitoring employee behavior. This is why training, awareness and communication, as well as assessing privacy risks, are so important.

Insider threat program implementation

Insider threats are a key cybersecurity risk that has resulted in significant cyberattacks with financial and reputational damages. To truly ensure consistency and compliance, organizations should implement an insider threat program that is designed for sustainability. Effective program implementation typically involves three key pillars:

  1. Assess
    In the Assess pillar, organizations evaluate the regulatory requirements, industry standards and best practices that apply to their high-value data. Then, they evaluate their data protection tools, solutions, risks and employee preparedness.
  2. Build
    In the Build pillar, organizations implement the changes identified during Assess, including policies, procedures, governance, teams, training and tools. They also implement and integrate technology to produce and track insider threat indicators.
  3. Run
    In the Run pillar, organizations manage and monitor their programs, including employee sentiment, awareness, compliance and training, reporting on performance and risk metrics. Organizations also adjust programs based on feedback and regular independent audits.

“To monitor insider threats, organizations need to look for behaviors and trends over months. They need substantial data and the evidence to show what, where and when employees might have done something wrong,” Singla said. Violations might not be intentional, so organizations need to talk with employees and help them understand the issues and risks.

Remote workplace challenges

Executing a proactive insider threat program will encounter challenges in today’s pandemic environment, where many employees are working from home. It’s hard enough to foster a work culture among employees on a video call, much less try to roll out a new or enhanced insider threat program.

But, with employees working from remote locations with laptops, mobile devices and internet connections, the chances for serious security breaches increase.

As the traditional security perimeters defined by firewalls disappear, it becomes essential for organizations to proactively address insider threats as the boundary of trust and human behaviors continue to change.

Derek Han
Principal and Leader, Cybersecurity and Privacy
T +1 312 602 8940

Rohan Singla
Senior Manager, Risk Advisory Services
T +1 415 354 4747