What are Insider Threats and How Does Compliance Help You Stop Them?
When business professionals talk about security threats, they often talk about external threats: hackers, phishing attempts, DDoS attacks and so on. However, according to a 2020 survey, 66% of organizations consider the threat of an inside attack more likely than external ones. According to another survey by the Ponemon Institute, insider threats increased by 47% from 2018 to 2020. Additionally, the costs of these attacks increased 31% to $11.45M in 2020.
So, what is an insider threat? Insider threats are breaches, disclosures, or theft of private and protected data by someone inside an organization. These thieves will almost invariably have authorized access to the data in question, or a way to receive that authorization either legitimately or by stealing credentials from a colleague.
Insider threats don’t just originate from current employees, either. Many of these breaches occur when a former employee continues to have access to sensitive systems, or they communicate with an accomplice that has such access.
Why are Insider Threats So Dangerous?
Insider threats are dangerous precisely because they are unexpected, and they strike in the places where organizations are often least equipped to defend themselves.
Think about it this way: Business and technical system security are often predicated on monitoring unauthorized access, recognizing behaviors that are out of the norm and locking down vulnerabilities that would open up that system to attack.
Because of this, these security measures are all about prevention, and much of that is defining who is authorized to access a system and what kinds of actions they are authorized to take. For example, specific users will have access to a system, and these users might have additional security measures, like traditional Two-Factor Authentication (2FA) or advanced biometric Multi-Factor Authentication (MFA), to prove they are who they say they are. On top of that, these users will have specific roles and responsibilities that dictate what data they can access, when they can access it and what they can do with it.
With legitimate users and use cases defined, the security and compliance system can then block out unauthorized users and prevent unauthorized manipulation of data.
However, when it comes to insider threats, you are dealing with someone who is, for all intents and purposes, a legitimate user. They are trusted by the system because they are a part of your organization and have had their role (and the access privileges that come with it) approved by the people making those decisions.
These threats fly under the radar because they are hard to predict, and they strike in the most vulnerable space your IT system has.
Types of Insider Threats
With an increasingly complex IT infrastructure, and equally complex compliance and security frameworks, the vectors for insider attacks are numerous. There are broadly four types of insider threat to consider:
- Negligence: A breach could be considered an “inside job” simply because someone didn’t follow the right procedures and left a vulnerability open. While not malicious, it still opens you up to attack or theft. This is usually the most common form of unauthorized data disclosure.
- Attacker Collusion: This is when an insider is approached by external hackers to provide access, information or some other asset to help them access your systems. What’s really dangerous about this kind of threat is that if someone inside your organization colluded with someone outside, it could be happening for months or even years before you notice it. By that time, they could have been fired or resigned and moved on.
- Third-Party Vendors: You may be working with some sort of service provider, whether a cloud, SaaS, security or other managed service. You may even have a contractor that you’ve hired for a relatively small job that requires limited system access. In either case, employees for that vendor could, with the right access, steal data. Or, if they aren’t secure or compliant in their own right, they could facilitate an external attack.
- Theft for Money or Destabilization: An insider, given the right access, might simply work alone for their own ends. They might think they can steal data and sell it on a black market for big money. Or, they may have ideological commitments that drive them to leak data to competitors or foreign agents.
If your organization is of any significant size or works extensively with third-party providers, you could be exposed to any one or more of these threats.
How Can Compliance Help Prevent Insider Threats?
The truth is that many insider threats have been common for years, and security frameworks have implemented some requirements for their mitigation. Government contracting frameworks, including the usual federal and Department of Defense (DoD) compliance frameworks, have several requirements in place to prevent insider threats:
- The Cybersecurity Maturity Model Certification (CMMC) framework covers insider threats through several safeguards. As an approach for managing Controlled Unclassified Information (CUI), CMMC calls for DoD contractors to implement safeguards outlined in NIST SP 800-171, including the implementation of training programs for the recognition and prevention of insider threats.
- FedRAMP also sets several requirements for insider threat training and administration, including mitigation procedures and training programs for employees of Cloud Service Providers (CSPs) working with federal data.
Being compliant with any major framework will at least get you on the road to preventing insider threats. Most frameworks, including FedRAMP, CMMC, HIPAA, NIST 800-171 and NIST 800-53 (to name a few), call for some basic cyber hygiene practices, including:
- Controlling access to data: This can include zero-trust procedures to require authentication for any protected information.
- Maintaining authorized access records: If someone is fired or leaves your organization, you should be able to cancel their credentials and block access the moment they are no longer on the payroll.
- Recording access events through audit logs: There should be a record of all data access for all users, including what data is accessed, what’s been done with it, who accessed it and any associated security warnings.
- Training employees on insider threat recognition: Your staff should have a good eye for warning signs of suspicious behavior or instability that could suggest an insider threat.
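As an added example, not code from the article, here is a small Python check that ties the second and third practices above together: it correlates an access audit log with an HR offboarding roster, flags any access that happened on or after a user's departure date, and lists accounts that are still enabled after departure. The log format, roster, account names and dates are all constructed for illustration.

```python
from datetime import datetime

# Constructed HR offboarding roster: username -> last day (ISO date).
OFFBOARDED = {
    "jdoe": "2024-03-01",
    "vendor_acme": "2024-02-25",   # contractor engagement ended
}

# Constructed accounts still enabled in the identity system.
ENABLED_ACCOUNTS = {"jdoe", "asmith", "vendor_acme", "bwong"}

# Constructed audit log: "<timestamp> <user> <action> <resource>" per line.
AUDIT_LOG = """\
2024-02-28T09:12:00 jdoe READ /finance/q1-forecast.xlsx
2024-03-03T22:41:10 jdoe DOWNLOAD /hr/salary-export.csv
2024-03-04T08:00:00 asmith READ /finance/q1-forecast.xlsx
2024-02-20T13:05:00 vendor_acme WRITE /prod/config.yaml
2024-03-10T02:15:00 vendor_acme READ /customers/export.csv
"""


def parse_event(line):
    """Split one audit line into its fields; the timestamp becomes a datetime."""
    ts, user, action, resource = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "resource": resource}


def post_departure_access(log_text, offboarded):
    """Return events by offboarded users that occurred on/after their last day."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        last_day = offboarded.get(ev["user"])
        if last_day is None:
            continue  # current staff: not an offboarding finding
        if ev["ts"] >= datetime.fromisoformat(last_day):
            findings.append((ev["user"], ev["ts"].isoformat(),
                             ev["action"], ev["resource"]))
    return findings


def stale_accounts(enabled, offboarded):
    """Accounts that should have been disabled when the person left."""
    return set(enabled) & set(offboarded)


if __name__ == "__main__":
    for f in post_departure_access(AUDIT_LOG, OFFBOARDED):
        print("post-departure access:", f)
    print("still enabled:", sorted(stale_accounts(ENABLED_ACCOUNTS, OFFBOARDED)))
```

In practice the roster would come from the HR system and the log from your SIEM or file server; the comparison logic stays the same.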
Compliance will put you in the right security posture to at least consider insider threats from an IT and personnel perspective. Governmental frameworks often address this across a variety of safeguards (user access, audit logs and trails, etc.), but insider threats are also incredibly common in retail and financial services, and frameworks like PCI DSS focus on such threats as well.
Insider threats are a major problem that a compliance partner can help you solve. If you are committed to your security posture and want support against insider threats or data theft, call 1-888-896-7580 to discuss your organization’s cybersecurity needs.