If you were asked what every company or organization has in common, what would you say? Well, there are many potential answers, but one thing is for certain: all companies and organizations are at risk from insider threats in cyber security. There is a lot of attention in the media about companies being hacked by external parties (e.g., individuals, criminal organizations, or nation-states), but the greater risk to organizations comes from those already within the “walls of the castle.”
What is Insider Threat?
On the surface, defining insider threat seems self-explanatory: a source of potential danger or harm to an organization stemming from someone who is within or part of that organization. There are, however, varied sources and motivations of insider threat.
Insider Threat Report: Ponemon Institute
In April 2018, the Ponemon Institute issued an insider threat report with statistics on the costs of insider threats to organizations around the globe across 13 different industries. For the purposes of the report, insider threats comprised the following:
- Careless or negligent employees or contractors
- Criminal or malicious insider threat
- A credential thief
There are, of course, more fine-grained categorizations of insider threats, but the Ponemon report kept it simple.
Insider Threat Statistics
As part of the Ponemon report, 717 security practitioners working in 159 organizations across the world were interviewed regarding the impact of insider threats on their organization. Each of the 159 organizations had at least one material event caused by an insider, but there was a total of 3,269 insider incidents evaluated as part of the report. Of the 3,269 insider incidents evaluated, 64% were related to negligence, 23% resulted from a criminal or malicious insider, and 13% resulted from credential theft.
Examples of Insider Threats & Attacks
Examples of insider threats are wide and varied, but some of the more prevalent examples are outlined below:
- Theft of sensitive data. For many organizations, their trade secrets are their crown jewels that potentially represent decades of development and financial investment. This data is a target for the criminal or malicious insider who will attempt to exfiltrate and sell the data to competitors (potentially as a part of a new employment offer) or foreign governments.
- Induce Downtime. You’ve heard the phrase “time is money.” This saying is especially true in today’s age of digital commerce. For companies that make millions by the minute, any downtime can be quite expensive, but downtime can also be detrimental to companies that have Service Level Agreements (SLA) with their clients. Violating an SLA due to downtime caused by an insider may put the company in jeopardy of losing a significant client or paying fees related to violation of the SLA.
- Destruction of property. While the destruction of physical property is less common than other insider attacks such as exfiltration of sensitive data, depending on the extent of the destruction, this specific risk may result in significant downtime and financial expenditures to replace damaged assets.
- Damage to Reputation. Companies expend significant resources (i.e., time and money) to build and protect their brand. Within minutes (or less) a malicious insider attack can cause investors and clients to lose confidence in an organization’s ability to protect personal information, trade secrets, or other critical data. A loss of confidence often results in a loss of market share which results in a loss of revenue.
What are the Financial Impacts of Insider Threats?
Ultimately, though, each of the above risks impacts an organization financially. In their study, the Ponemon Institute also evaluated the financial impacts resulting from the insider incidents.
In their research, the Ponemon Institute found that, on a per-incident basis, the costliest incidents were those involving credential theft, at more than double the cost per incident of those involving employee or contractor negligence, even though negligence is the most prevalent cause of insider incidents.
In terms of annualized cost, though, employee and contractor negligence is the most costly to organizations by a significant margin.
How Can Insider Threats Be Mitigated?
A good place to start when determining how to mitigate the risks of insider threats is to do an insider threat risk assessment. As part of the risk assessment, focus on the behaviors that indicate an insider attack. Once these behaviors are identified, then develop controls to support insider threat detection and prevention. Below are several suggestions regarding controls for detection and prevention:
Insider Threat Detection
- Implement a Data Loss Prevention solution. DLP solutions detect potential cases of unauthorized access to data or attempts to exfiltrate or destroy sensitive data and alert staff to address attacks against sensitive corporate data.
- Configure auditing across the entire environment. Auditing is a critical capability that is often overlooked entirely or only marginally implemented, which inhibits an organization’s efforts to detect malicious or negligent insider activity. Once auditing is configured, though, there must be mechanisms in place (e.g., a SIEM) to assist with the analysis, correlation, and alerting on events of interest. The data must also be secured from tampering or deletion. Having volumes of audit data without a means of analysis and alerting minimizes the value of that data: breaches or insider incidents may occur and be recorded, yet the organization remains blind to the malicious activity.
- Implement a privileged access management (PAM) solution. While there are a lot of prevention capabilities within PAM solutions, they also offer detection capabilities such as session recording and auditing. This capability will record all activities (e.g. issued commands) performed by privileged users.
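The kind of correlation a SIEM rule performs on audit data, as an added example that is not part of the original article: it joins file-access audit records with web-proxy records and alerts when a user reads data labelled sensitive and then uploads a large volume to a cloud storage host shortly afterwards. The log formats, hostnames, domain list, time window, and size threshold are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): file-access audit and proxy records.
FILE_AUDIT = """\
2024-03-04T09:12:10 alice READ /finance/q1-forecast.xlsx sensitive
2024-03-04T09:13:02 bob READ /wiki/onboarding.md public
2024-03-04T14:40:31 carol READ /rnd/formula-v7.pdf sensitive
2024-03-04T16:05:00 alice READ /rnd/formula-v7.pdf sensitive
"""
PROXY = """\
2024-03-04T09:20:45 alice POST uploads.dropbox.com 48211934
2024-03-04T10:02:11 bob POST uploads.dropbox.com 1200
2024-03-04T18:30:00 carol POST api.box.com 9000000
2024-03-04T16:06:10 alice GET www.dropbox.com 0
"""
# Assumed tuning values; a real deployment would derive these from its own baseline.
CLOUD_STORAGE = ("dropbox.com", "box.com", "icloud.com")
WINDOW = timedelta(minutes=30)
MIN_BYTES = 1_000_000

def is_cloud_storage(host):
    # Match the domain itself or a subdomain, so "notdropbox.com" does not match.
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)

def parse(text, fields):
    for line in text.strip().splitlines():
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec

def correlate(file_audit, proxy):
    """Alert on a large upload to cloud storage that follows a sensitive read."""
    reads = [r for r in parse(file_audit, ("ts", "user", "op", "path", "label"))
             if r["label"] == "sensitive"]
    alerts = []
    for p in parse(proxy, ("ts", "user", "method", "host", "bytes")):
        size = int(p["bytes"])
        if p["method"] != "POST" or size < MIN_BYTES or not is_cloud_storage(p["host"]):
            continue
        files = [r["path"] for r in reads if r["user"] == p["user"]
                 and timedelta(0) <= p["ts"] - r["ts"] <= WINDOW]
        if files:
            alerts.append({"user": p["user"], "host": p["host"], "bytes": size,
                           "files": files, "time": p["ts"].isoformat()})
    return alerts
```

Neither log source raises the alert on its own; the signal only appears once the two are joined on user and time, which is why audit data without correlation leaves the activity unseen.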
Insider Threat Prevention
- Segregate duties. This is especially difficult in smaller organizations where individuals wear many hats. That said, there must be controls in place to safeguard the organization from insider threats. Where possible, split administrative duties between competent staff members (remember negligence is a big factor in insider threats). We’ve seen small organizations rotate privileged access to production to individuals for a week at a time while they rotate into DevOps roles for the week and then back to their primary responsibilities in development.
- Limit privileged access. If at all possible, avoid giving all privileged access across your organization to a single individual. Insider incidents from privileged users are especially nasty, so separate privileged responsibilities across multiple privileged users. Implement technical controls to limit privileges to only that which is necessary for the individual’s privileged role. For example, strictly limit who has access to the root user’s password and implement capabilities like “sudo” (in Linux) to define specific privileged commands that can be executed and limit who can modify the sudoers file. Another option, as mentioned previously, is to implement PAM, which enables very fine-grained administrative privileges.
- Block access to cloud storage sites. Dropbox, Box, iCloud, OneDrive, Sync, and other cloud storage sites are a potential vector to easily exfiltrate corporate data. If these sites aren’t used by your organization, then block access to them.
- Implement Multi-factor Authentication (MFA). Implement MFA to mitigate the risk of credential theft. From my perspective, MFA should be implemented everywhere possible within an organization, but especially for privileged users.
- Limit access to sensitive data. All data within an organization should be categorized and protected in accordance with the associated categorization. It is important to know where sensitive data resides, who accesses it, and how it is accessed. Restrict access to corporate data to only those that require it to perform their job functions. In addition to limiting the access to data, use a DLP solution to tag and track data to determine who is accessing or downloading sensitive corporate data.
- Encrypt sensitive data. Encrypting sensitive data will provide protection if the data is successfully exfiltrated. Ensure that access to the keys used to decrypt the data is protected appropriately.
- Back up your data. Ensure that critical data is frequently backed up to multiple locations and can be retrieved and restored. Having backups of critical data will come in handy when a malicious insider attempts to delete it in retaliation for being terminated or because they are angry. Access to the backups, as well as to the critical data itself, should be controlled to prevent deletion. In addition, develop procedures that outline how to restore data from backup.
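One way to review the sudo control described under “Limit privileged access,” as an added example that is not part of the original article: a small audit that reads sudoers rules and reports grants that are not limited to specific commands, or that in effect let the user change the sudoers file. The sample rules are constructed, the list of root-equivalent programs is illustrative rather than exhaustive, and the parser assumes simple one-line rules without aliases or line continuations.

```python
import re

# Constructed sample sudoers content (not from a real system).
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
dba     ALL=(root) /usr/bin/vim /etc/postgresql/pg_hba.conf
ops     ALL=(root) /usr/sbin/visudo
"""

# user  host = (runas) commands
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)*")  # e.g. "NOPASSWD: " before a command
# Illustrative set: shells, interactive editors and visudo run as root are not
# confined to one task, so the holder can also rewrite the sudoers file.
ROOT_EQUIV = {"sh", "bash", "zsh", "su", "vi", "vim", "nano", "visudo"}
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_sudoers(text):
    """Return (principal, finding) pairs for overly broad sudo grants."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        match = RULE.match(line)
        if not line or line.startswith(SKIP) or not match:
            continue
        who, cmds = match.groups()
        if who == "root":  # root's own entry is expected to be unrestricted
            continue
        for cmd in cmds.split(","):
            words = TAGS.sub("", cmd.strip()).split()
            binary = words[0] if words else ""
            if binary == "ALL":
                findings.append((who, "unrestricted: may run any command"))
            elif binary.rsplit("/", 1)[-1] in ROOT_EQUIV:
                findings.append((who, f"root-equivalent command: {binary}"))
        if "NOPASSWD:" in cmds:
            findings.append((who, "NOPASSWD: no re-authentication required"))
    return findings
```

In the constructed sample only `deploy` passes, because its rule names specific commands with fixed arguments.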
Insider threats are a significant risk to organizations, and according to the Ponemon Institute, incidents of insider threat have increased since 2016, especially for incidents involving negligence and credential theft.
In addition, responding to, containing, and remediating insider incidents are extremely costly, averaging well over $200k per individual incident for negligence and over $600k per incident for credential theft.
We have provided several insider threat examples along with insights on how to reduce or mitigate them. Evaluating the risks tied to insider threats should also be part of every organization’s risk management process.
Linford & Company has extensive experience in assisting organizations of all sizes to manage their compliance requirements. Please contact us if you are in need of compliance or advisory services for SOC 1, SOC 2, FedRAMP, HITRUST, and HIPAA audits and assessments.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.