There's no debate: internal threats are a major security concern. Writes Tara Seals for Infosecurity, "Among companies experiencing data breaches (and that is to say, a majority), internal actors were responsible for 43% of data loss, half of which was intentional, and half accidental." The Intel report revealing this information also noted that security professionals have experienced an average of six significant security breaches each.
Breaches are a major risk to your business health, and insider threats, as a major cause of breaches, are too. Your employees are a liability, but one you can't eliminate. So, how do you address the threat?
Your employees aren't bad people. But there are many actions that can move them from insider threat to internal threat actor, and most of those actions are unintentional rather than deliberate.
Imagine an employee receives an email from an adversary. If she clicks on it, she has moved from insider threat to internal threat actor. If you accidentally delete a document that has no backup, you yourself have acted on your permanent standing as an insider threat.
In the all-too-common case of social engineering, where an external threat actor gains access to your data by manipulating an individual, that individual is the insider threat who becomes the internal threat actor by providing the access.
"However, there do also exist the intentional insider threat actors," says Devi Momot, CEO of Twinstate. "They're disgruntled, upset with their employer, and want to cause sabotage or harm, potentially by destroying information or tarnishing the reputation of the company."
Intentional threat actors may steal customer lists, financial information and employee or customer birthdates, social security numbers and other identifying information. Perhaps they might physically destroy hardware or delete data that has no backup.
And finally, there's the unintentional threat actor who damages your reputation through inappropriate communications. Many people don't realize this kind of action represents a threat, so they don't consider it a danger. But noticing it can help in identifying insider threats.
"If they're doing this in public, what are they doing inside of your systems?" asks Momot. "If they're expressing general unhappiness, what else are they likely to do?"
Knowing there are countless ways for internal threat actors to arise, how can you possibly detect and combat threats without trying to monitor everyone constantly?
Healthy suspicion is really the only way. "Assume that everyone inside of your organization is a threat to your organization," says Momot. "It's not a personal judgment. But we all make mistakes."
Things like fatigue and mental workload can sometimes cause employees to move too quickly. One might respond to a wire transfer request from an external threat actor posing as your boss, for example. If actions like wire transfers are common practice in your business, there's very little chance they would see an issue with honoring that request, especially if they're moving quickly.
There is a balance to strike between constant paranoia, which turns you into Big Brother, and a total lack of healthy fear; that is why all of your employees should maintain a healthy level of awareness. Consider how you would have treated a lone backpack left in an airport 30 years ago, and how you would treat that same sight today. In the current era, with so much of our information being digital and the internet fueling rapid sharing, the stakes are too high and irreparable damage can occur too quickly for us to ignore the threat.
"How we trust and don't trust our coworkers has changed, and that's a good thing," says Momot. "It should be a little different. We should be just a little suspicious."
Encouraging your employees' paranoia sounds a bit scary itself, but continued awareness training is truly one of the most effective ways to combat insider threats. Not only will it help employees speak up when they see something suspicious, but it will allow them to examine their own behavior, as well, perhaps mitigating those accidental infractions.
All employees should understand the threat environment everyone faces today. Creating a healthy level of distrust through carefully designed awareness training provided by an external company can make your employees more accepting of the culture change that needs to take place at the corporate level, and help you stay far away from "being the bad guy." A partner will look at what needs to happen and at the individuals who must make the changes, encouraging community conversations around the awareness training. That's ideal.
Though awareness training is incredibly beneficial, there's another important effort you should take to protect your business from internal threat actors: instituting rules of least privilege.
The best practices for accounting apply. Rotation of duties, separation of duties and rules of least privilege are infinitely valuable to your ultimate goal. The goal is not to fully eliminate all possible disruptions to your business, as that may be impossible to achieve. The goal is to survive whatever the disruption may be. Instituting these policies can help you do that.
However, where a business isn't large enough to rotate duties on an effective schedule, a security partner can act as a safety net. To avoid collusion, it can be helpful to have different people focused on day-to-day management of IT infrastructure than on infosec at large. That's where a partner comes into play.
Whatever your current security posture, insider threats do exist at your business. Through encouraging healthy suspicion, teaching your employees about the new and evolving threat environment, and instituting common best practices like rotation of duties and rules of least privilege, you can combat them and protect your business's assets and reputation.