External cybersecurity threats get all the press, and they are certainly dangerous. Shadowy international gangsters, brilliant but evil hackers, mom-and-pop-shop criminals stealing from us one Target transaction at a time – as fictional as it sounds, it is all real, and very much deserves our attention and protection as individuals and a society.
But another type of attack is perhaps even more common, and certainly more insidious. Insider threats, as you would expect, are the result of user actions from inside an organization. While they are not as action-movie dramatic, they are just as harmful, and in my opinion, even more frightening than their external counterparts.
What are insider threats, and why are they so dangerous?
The numbers on insider threats are staggering. Vormetric reports that 89% of organizations feel they’re at risk of an insider attack. According to a study by Crowd Research Partners, 62% of security professionals saw a rise in insider attacks over the last 12 months. Verizon estimates that 70-90% of malware samples are unique to a single organization, so you can be sure that basic perimeter controls alone won’t keep you safe. Personal anecdotes from within organizations confirm this prevalence as well. Business Insider recently reported that hackers are offering Apple employees in Ireland up to 20,000 euros for their Apple ID login information.
Harvard Business Review cites at least 80 million insider attacks in the United States each year, with the caveat that “the number may be much higher, because they often go unreported.”
So how, specifically, do we define insider threats? In a nutshell, an insider threat comes from:
- Compromised, careless and/or malicious internal users
An important distinction of this definition is that an insider threat can be either deliberate or accidental; the careless users can be just as risky as the malicious ones. Data breaches occur when these users, no matter their intent, intersect with data. This occurs in many different ways; in fact, we’ve identified ten distinct types of insider threats, which we’ll break down in an upcoming post.
Because insiders have legitimate access to data, it can be very challenging for organizations to discern what is legitimate behavior and what is a threat. Insiders have the right credentials and vast opportunity to compromise data, with an attack surface far larger than the technical perimeter accessible to outsiders. This is a tremendous risk to organizations. But what is the alternative? You cannot simply distrust your employees. That trust is critical to each step of the value chain, from day-to-day operations to pie-in-the-sky innovation, not to mention company culture.
Why current controls can’t contain insider threats
You must trust your employees. But you must also verify that your trust is well-placed. This involves monitoring access to sensitive and valuable data, and putting systems and guard rails in place that protect both your employees and your data. Most companies have some form of this in place, but even then there are a lot of security alerts to sort through, and many times you don’t know what you’re looking for when it comes to suspicious data access. Unfortunately, it’s much easier said than done well.
The truth is that current controls are not working. JP Morgan Chase recently performed a test post-breach on phishing effectiveness. They found that 20% of their employees were tricked by the email. Despite our best efforts at education, prevention, and protection, breaches continue to occur for three main reasons:
- Organizations do not have the safeguards in place to identify risks and threats that involve insiders.
- Current solutions fail because they are designed to detect malware and tools that hackers use. They are absolutely not focused on the target of the attack: your data.
- You cannot address only the compromised insider, only the malicious insider or only the careless insider; you need a solution for the whole problem.
3 steps to better protection against insider threats
To thoroughly protect themselves and their data from insider threats, businesses must take a three-pronged approach based on these fundamental questions.
- Who is accessing my data? Gaining visibility into who is accessing your data repositories, including databases, file servers and cloud apps is the first step to detecting risky users. This means granularly monitoring all users in the organization, not just a subset of people – such as your privileged users. Since anyone can become compromised or do something careless, you need to have a grasp on the actions of everyone.
- Is the access okay? This is usually the hardest step for security teams to iron out, because what often looks like “normal” business activity can in reality be very concerning, and vice versa. In order to address this grey area, security teams require context and accuracy. This is where machine learning technology comes into play; it establishes a full, contextual behavioral baseline from which you can pinpoint critical anomalies that indicate a serious misuse of enterprise data.
- How do I respond quickly? With a deep understanding of user access patterns, you are better positioned to detect compromised, careless and malicious users that are putting your organization’s data at risk. But you still need the right tools. Your data security solution should go beyond “knowing” that a user logged in to or tried to log in to a database server. It must provide the details of what actual data records a given user accesses, how that access deviates from your baseline and the most actionable next steps to prevent a serious breach.
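As an added illustration of the three questions above (example code written for this post, not a vendor product or the author’s own tooling): a small Python scorer that builds a per-user baseline from constructed database audit records, then reports for each new access which table was touched, how far the row volume deviates from that user’s norm, and why it was flagged. The record format, the user names, the 3-standard-deviation threshold and the sample data are all assumptions made for the example.

```python
"""Toy per-user data-access baseline and anomaly reasons (constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, table, rows_returned).
# BASELINE_LOG is the learning window; NEW_LOG is the window to score.
BASELINE_LOG = [
    ("alice", "customers", 100), ("alice", "customers", 120),
    ("alice", "customers", 80),  ("alice", "customers", 110),
    ("bob", "orders", 10), ("bob", "orders", 20),
    ("bob", "orders", 15), ("bob", "orders", 25),
]
NEW_LOG = [
    ("bob", "orders", 20),           # in line with bob's history
    ("alice", "payroll", 50),        # table alice has never touched
    ("alice", "customers", 5000),    # bulk read, far above her norm
    ("mallory", "customers", 1),     # account with no history at all
]

def build_baseline(records):
    """Per user: tables seen so far and mean/stdev of rows returned per query."""
    tables, rows = defaultdict(set), defaultdict(list)
    for user, table, n in records:
        tables[user].add(table)
        rows[user].append(n)
    return {u: {"tables": tables[u], "mean": mean(rows[u]), "stdev": pstdev(rows[u])}
            for u in tables}

def score_access(baseline, record, z_threshold=3.0):
    """Return the list of reasons this access deviates from the user's baseline."""
    user, table, n = record
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]   # new or never-seen account: review it
    reasons = []
    if table not in b["tables"]:
        reasons.append(f"first access to table {table}")
    spread = b["stdev"] or 1.0            # constant history: avoid divide-by-zero
    z = (n - b["mean"]) / spread
    if z > z_threshold:                   # only unusually *large* reads matter here
        reasons.append(f"volume {n} rows is {z:.1f} sd above mean {b['mean']:.0f}")
    return reasons

def find_anomalies(baseline, records):
    """Pair each flagged record with its reasons, so a responder sees the why."""
    out = []
    for r in records:
        reasons = score_access(baseline, r)
        if reasons:
            out.append((r, reasons))
    return out
```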
Whether accidental or deliberate, insider threats are often missed, but always dangerous. To prevent breaches and attacks, companies need to focus on protecting exactly what matters most: the sensitive and valuable data assets within the organization.