If you’re outside the security industry, you probably think of a cybercriminal as they are portrayed on TV and movies: a shadowy figure in a hoodie, hunched over a computer in a darkened room. The reality is, they could look like the person you just talked to in the break room in your office. That’s because insider threats, which are cyber threats coming from an employee, contractor or trusted partner, either by malicious intent or negligence, are on the rise among businesses.
Recently, electric car manufacturer Tesla was the alleged intended victim of an elaborate scheme by a Russian ransomware group. The story made headlines after an FBI sting resulted in an arrest of one of the ransomware operators. The ransomware group targeted an employee of the organization and attempted to groom him to launch the attack against his employer. They wanted this employee to install malware on the company network which would allow the ransomware group to steal data. The employee would have been paid $1 million USD for his efforts to sabotage his own company. When the target realized that criminal activity was afoot, he contacted the FBI, and became part of a sting operation to take down the ransomware operators. Notably, the person who attempted to recruit the Tesla employee said that he had successfully recruited employees at other companies in a similar scheme and they had never been caught.
Not all insider threats are intentional
Insider breaches account for about one third of all cyberattacks on businesses, with about 2,500 breaches per day occurring in the US. That number is climbing year over year. Since 2018, insider attacks have increased by nearly 50 percent.
However, not all insider attacks unfold like the one described above. Around two thirds of insider threats are from employees clicking on phishing emails. Negligent employee behavior, such as poor password hygiene, or downloading unauthorized apps and software, can also lead to breaches.
Even though the actions of the employees seem insignificant and can happen in mere seconds, these actions can have long-term and devastating consequences on their employers. With an average of nearly 200 days for a company to detect that a breach has occurred, cybercriminals have ample time to steal data and intellectual property once they are on a company’s network. The financial impact can be huge. Costs to recover from an attack average $3.92 million, and losses of intellectual property can be irreparable. If business operations are halted temporarily from a ransomware attack, that can translate into lost revenue. If customer data is stolen, trust can be lost, which is difficult to put a price tag on.
Malicious insider attacks motivated by revenge, financial gain
Some insider attacks are done purposely, with malicious intent. These individuals are looking for a pay day. Or, they feel wronged by the company/individual employees within the company and want to do damage. They could be looking for notoriety. Regardless of the motive, these types of threats are particularly dangerous because the attacker already has access to the network. The higher levels of access the individual has, the more the potential for damage.
Indicators of an internal attack in progress
Abnormal activity by a user is a strong sign that something is amiss. For instance, accessing the network at odd times, such as the middle of the night or on weekends when this person usually would not be working. Another tipoff could be that the employee is accessing documents and data for a department they don’t work in, or that have restricted permissions. Finally, large data transmissions could be an indicator of foul play. Endpoint detection and response software, particularly the type that is monitored by a Security Operations Center, would notice abnormal behavior and a trained expert would investigate the activity to see whether it merited follow-up.
Is an insider attack preventable?
While organizations certainly cannot predict who might constitute an insider threat, or when an attack will happen, they can follow a few best practices to guard against insider threats:
- Monitor your endpoints.
A reliable managed endpoint detection & response solution can help catch abnormal behavior on your network beyond what would be caught by an antivirus software.
- Security awareness training
Providing your employees with security awareness training can help them identify the types of threats to look out for. Phishing tests can identify individuals in the organization that may need additional training.
- Restrict access to the network
Is your data stored on a common drive that the entire company can access? Make sure that privileged information is restricted to only those individuals who need it. For instance, a sales employee should not have access to payroll data.
- Treat employees well
This seems like fairly basic advice, and should hopefully be a best practice in any organization already, but if your employees are treated well, they will have a sense of belonging, and be loyal to the organization. Individuals who feel isolated are those who tend to commit malicious insider attacks.
Concerned about insider threats at your organization? Turn to a managed security services provider that can help keep threats of all types at bay.