The Human Side of Cyber Risk

Understanding and addressing how your insiders work today

Insider threats can wreak untold havoc on an organisation. It’s critical that security leaders prepare strategies for the three main insider risks

A healthy dose of paranoia is understandable and often even necessary in cybersecurity, but in the case of insider threats – where the risk lies within the organisation like a Trojan horse – leaders must strive to avoid internalising a frenzied monomania that views every employee as a menace. After all, “it is more shameful to distrust our friends than to be deceived by them,” said Confucius. 

But the unfortunate truth is that improperly managed staff can cause an eye-watering amount of damage, whether through negligence, because they’ve been targeted, or out of malice. A Ponemon report conducted on behalf of Proofpoint reported that incidents involving compromised insiders have almost doubled since 2020, when much of the world was working remotely due to the pandemic, and that the average annual remediation cost for insider-led incidents caused by careless or negligent users was a staggering $6.6m. All of this is complicated by the emergence of a hybrid work world, where the traditional understanding of perimeter defence no longer applies and ‘bring your own device’ has been flipped on its head – with staff bringing their work into their homes, and therefore onto all the devices in them.

Reputational damage, sensitive data, downtime, ransomware, and worse – these are all potential outcomes from unchecked insider risk. But there are three core kinds of insider threat leaders need to address, because the strategies to manage them can drastically differ.

Careless users

Over half of all insider threats are due to negligence, and so are avoidable. While important, training can go only so far, and organisations can’t expect every employee to be a security expert on top of their ordinary workload. What’s needed is to shape the fundamental make-up of an organisation into one that’s security-aware.

“Tackling insider threat isn’t easy – these are, after all, people that were employed to be trusted and do a job,” explains Dr Jason R C Nurse, associate professor in cybersecurity, University of Kent, and author of Smart Insiders: Exploring the Threat from Insiders using the Internet-of-Things. “Promoting a healthy security culture first involves raising awareness of what ‘good’ security behaviour looks like, and making the security-related expectations from employers crystal clear.” 

That means everyone should know what is, and is not, acceptable. Businesses should endeavour to create a culture of reporting anything that appears to be strange – not paranoid, but vigilant. “Any reports should be treated in confidence, but also, those who receive reports should cautiously investigate without unwarranted accusations or actions,” Nurse says.

The perimeter “no longer exists,” says Lena Smart, chief information security officer at database provider MongoDB. If every employee is working from a different kitchen table or home office, with varying setups and network accessibility, there’s “no such thing as a one-way path for network traffic”. 

“All your entry points can just as easily become attack vectors, so everyone needs to be involved and accountable,” she says.

Achieving this accountability means eliminating blame culture and creating spaces for reporting where people are not afraid to flag potential issues. For example, Smart suggests, leaders could appoint ‘security champions’ who become ambassadors for cybersecurity in their own departments – someone empathetic who understands the day-to-day workloads of their colleagues, and can act as a conduit to the IT security team if issues arise.

Similarly, internal whistleblowing hotlines can be a lifeline for flagging urgent problems with security staff. But these must be created without any negative connotations, and employees should understand that it’s always in the best interests of the business that problems are reported – even if they think the worst-case scenario has just occurred.   

Malicious employees 

Whether for financial reasons or from feeling wronged, a committed employee can cause a lot of damage. For example, in 2020, a ConocoPhillips employee created fraudulent invoices to trick the oil giant into paying a friend’s business more than $3m. The actions were part of a larger embezzlement scheme that totalled nearly $7.3m. Businesses need monitoring capabilities to nip malicious insider threats in the bud wherever possible. However, it’s far from desirable if staff feel under surveillance at all times. A culture of fear and suspicion will not encourage people to come forward when there are genuine threats that need flagging, and employee wellbeing can suffer. What’s more, overstepping the mark regarding privacy could lead to workplace grievances, as well as legal or reputational damage for the company.

“As with all things, there’s a balance,” says Nurse. “Organisations want to protect themselves and their assets, while employees want to work without an employer infringing their privacy.” 


One potential way forward to achieve this balance is for employers to be completely transparent about what they record and why. They should be up-front with employees about how data is used – in aggregate or anonymised form unless otherwise necessary to keep the organisation secure, advises Nurse: “Anything else may breed distrust which may further harm the relationships between employer and employee.”

Compromised insiders

One of the most effective paths for attackers is to target employee credentials and then exfiltrate data by stealth. In 2021, the United Nations confirmed that it had suffered a data breach of sensitive information. The method: buying a UN employee’s username and password from the dark web.

Anyone can log onto dark web marketplaces and take their pick from as many as 15 billion passwords that are up for sale. Whatever the strength of a password, if it’s leaked once, it’s leaked forever, and all attackers need is for one set of keys to work to gain access to networks.

These kinds of insiders need protecting, and robust security policies and training are among the best methods of prevention.

“From a technical perspective, one of the simplest ways to protect company credentials is by ensuring staff do not reuse the same password, or not to use a password at all,” says Jake Rogers, CISO at digital assets manager, Copper.co. “Most people will only have two or three password combinations and rely on using the same password over and over, making an attacker’s job fairly straightforward and incredibly lucrative.”

Counter-measures might include biometric authentication and two-factor authentication via mobile devices, rather than relying on users to manage their own set of text-based passwords.

Supply chain attacks, where a partner or secondary organisation to the primary target is earmarked by hackers, heap on further complexity. Managing your own organisation can be enough of a handful, let alone worrying about the security protocols of partner businesses.

But worry about them you must: one solution could be that businesses set up strong security relationships with their supply chain partners, suggests Dr Nurse, putting in place robust controls, security-related service agreements, and continuous checks on partner access.

“Again, there is a balance to be maintained here,” Nurse adds. “Partners need to be aware this is occurring and why: the aim is not to express distrust to the extent it impacts the business relationship, but instead to raise the bar for security across the entire supply chain.”

When outsiders become insiders

The credentials market is booming and it only takes one stolen password to access your organisation. Here’s what you need to know

Now that almost everyone’s day-to-day existence is so bound up with their digital presence, passwords no longer guard an email account or two – they guard our entire lives. Disconcerting, then, that usernames and passwords can be bought for a dollar per million compromised accounts, as was the case in 2021 when 500 million LinkedIn user profiles were discovered for sale on the dark web.

Attackers often put credentials up for sale in what’s known as a ‘combo list’, comprising hundreds of thousands of stolen username and password combinations. In 2021, the ‘Compilation of Many Breaches’ signposted the future of the credentials black market, when 3.2 billion combinations – about 40% of the planet’s population, if each person were represented by a unique password – were put up for sale. 

That’s bad enough news for individuals but for businesses, all it takes is a single stolen credential to gain access to corporate devices and networks, unlocking a lucrative promised land for attackers who can use compromised accounts to plant malicious files, or as a springboard to launch further attacks. Outsider attackers can, in an instant, become insider threats. 

For example, a cyber criminal ring led by a Florida teenager coerced a Twitter employee to give up credentials for corporate administrative tools, leading to takeovers of verified accounts used in a Bitcoin-promotion scam. The result was $117k stolen from customers and demonstrated the impact a compromised account can have.

Clearly, the cost of succumbing can easily bring the worst nightmare of every CISO into reality: ransomware, losing corporate secrets, vast customer data dumps, financial repercussions and reputational damage. Now, with techniques like ‘credential stuffing’, where attackers purchase huge tranches of usernames and passwords and test whether they still work using automation, or even through dedicated search engines, stealing credentials is a low-risk, high-reward tactic, and it’s no wonder that it’s on the rise. In fact, for would-be attackers, it’s a no-brainer.

The landscape for credentials theft has “grown dramatically”, says Jake Rogers, CISO at crypto and digital assets company Copper.co, “and it now represents an entire industry for criminal enterprise”. 

This dramatic surge has occurred in tandem with the explosion in remote work: since home working became a necessity for much of the world due to the pandemic, credential thefts have almost doubled in volume. 

While full-time home working is unlikely to remain a permanent fixture for everybody, it’s almost certainly here to stay in some capacity, and this change in environment has introduced manifold new potential entry points in home networks and devices for organisations that operate without stringent remote work policies in place.

“It’s common for employees to mix personal computer use with work use,” says Dr Preethi Kesavan, head of the school of technology at the London School of Business and Finance Singapore (LSBF). “Unless employees are properly trained on bring your own device procedures, even the most comprehensive BYOD security policies will fail.”

Because of this, says Kesavan, LSBF now requires employees to use VPNs on all their devices, including computers and mobile phones, so that they can connect to the company network securely.

But even with technical measures like these, staff may unintentionally click on phishing links in emails – the most common form of credential theft. As effective as malware can be, social engineering can be even more useful because, provided it’s crafted well enough to bypass spam filters, phishing is a relatively simple process for the attacker. 

And because successful phishing attempts depend on user negligence, organisations “should foster a corporate culture in which employees are unlikely to misuse their privileges or exfiltrate sensitive data,” says Kesavan. By limiting unnecessary access for users, the benefits of stealing credentials are also limited. 

Successfully preventing breaches relies on a combination of running thorough technical security protocols as well as managing the human risks, adds Copper.co’s Rogers: “In our view, best practice incorporates a company-wide culture of education, collaboration and technical expertise.”

Testing employees’ security literacy could involve setting up simulated honeypot-style attacks within the organisation, or running table-top scenarios with various stakeholders throughout the company.

For database company MongoDB, experimenting with scenario planning to simulate what organisation-wide responses would be has proved helpful. Although it’s difficult to predict what the actual outcome of an attack will look like, these exercises can provide an idea of questions that need to be answered, or protocols to be followed, in the event the attacks actually occur. 

“Some of the scenarios we’ve tackled include ransomware attacks, insider threats, and phishing mishaps,” says MongoDB CISO Lena Smart, who made a point of speaking with executive assistants as well as leadership due to their likelihood of being targeted. “We have representatives from all major business units including legal, finance, IT, HR, and our C-suite.”

Although attacks on organisations are inevitable, with a careful, proactive security culture in place, many credential thefts are preventable. Leaders should take heed and understand just how vulnerable their organisations can be to insider threats. 

“You need support from the top down in these events,” adds MongoDB’s Smart, “so it’s satisfying to complete an exercise where everyone in the room is comfortable with the role they play in helping keep us secure.”

The rise of insider threats

How has the insider threat landscape developed? And how safe do organisations feel?

[Infographic; chart values are not reproduced in this text. Panel titles and captions:]

While credential thefts have doubled since 2020, negligent insiders make up the majority of incidents (percentage of incidents caused by each type of insider threat)

The frequency of companies experiencing insider incidents has increased significantly (percentage of companies that experienced over 21 incidents per year)

And the time taken to contain an insider incident has also increased (average time taken to contain an incident)

Insider incidents are getting more expensive to resolve (the average overall cost per insider incident in USD, for 2018, 2020 and 2022)

And organisations are struggling to spot and resolve them (how difficult is it to detect and prevent insider attacks compared to external cyber attacks? Answer options: more difficult than, about as difficult as, or less difficult than detecting and preventing external cyber attacks)

There is still a long way to go for organisations to feel protected from insider threats (how vulnerable is your organisation to insider threats?)

Commercial feature

Why you need to rethink insider risk and data loss prevention

Business has changed – so you need an insider threat management programme now more than ever

Insider risk and data loss are major concerns for any business. But the last two years – which have seen employees working remotely, at home, or away from corporate IT networks, increased digitalisation and cloud-first applications – have made the problem even more acute. Insider threats have increased in frequency and cost since 2020, according to research company the Ponemon Institute. The average annualised cost of such threats is $15.4m per organisation.

“We see this in the news all the time,” says Brian Reed, director of cybersecurity strategy at enterprise security company Proofpoint. “Not only the shift in working patterns but in addition we’ve heard the buzzwords: the ‘great resignation’ and the ‘great reshuffling’. Security teams are racing to protect their data, yet at the same time, users with legitimate access to sensitive data and IP are racing just to get the job done. So, when they leave, it’s too easy for people to take intellectual property out the door with them.”

Data loss is a “fundamental issue”, says Reed – and one that firms need to take action on now to prevent long-term damage. To do so, it’s important that businesses rethink their approach to insider risk and data loss prevention.


The old ways of thinking about security have changed. “People have become your perimeter,” says Reed. “All those legacy security hang-ups we had around infrastructure, location and geography have largely been neutralised in the wake of this ‘work from anywhere’ world we live in.” Cybercriminals aren’t attacking infrastructure anymore but are trying to leverage access through the people who interact with the infrastructure. “It's not just script kiddies sitting in grandma's basement like it was 20 years ago, launching DDoS (distributed denial of service) attacks: it's a different world we live in – and we need to adapt and understand that.”

While the types of attack and how they’re launched have altered, so too has the definition of what an insider risk is to companies. More than half (56%) of insider incidents tracked by the Ponemon Institute are caused by carelessness, rather than deliberate actions. Employees are simply trying to get their job done and meet their organisation’s goals; they’re not necessarily thinking about the security risks. “You don’t want to go after those people and harass them as they can be your best internal defence,” Reed says. “You want to help train those people, enable those people, and educate them.” In comparison, 26% of insider threats are from malicious insiders who need to be reprimanded, and 18% are from compromised users who need to be protected.

“Insiders aren't always your employees,” says Reed. They can be contractors, third parties or supply chain partners. “They're not always people inside of the four walls of your HQ sitting in your office.” This is why it’s more important than ever to set up an insider threat management programme.

Doing so isn’t easy, however. Establishing an insider threat management programme requires looking carefully at how your people and processes work before throwing cash and technology at the problem. Reed advises not limiting the scope of your programme to those in your information security and IT departments. Instead, you should consider how the entire company interacts including IT, HR, legal, compliance – and identify the weak links. “It's really about understanding the scope and boundaries of your programme, the people who are involved, your apps and your data,” he says.

Forrester’s Best Practices for Mitigating Insider Threats 2021 report details 10 steps to creating your insider threat management programme, only one of which involves implementing technology. Steps one to nine lay the groundwork that enables the smooth deployment of the programme. And that requires ensuring everyone within your company understands the risk of insider threats – and the potential consequences of data loss. “A lot of these insider threat incidents you’re invariably going to encounter are cases of good or careless people making bad decisions with good data,” warns Reed.

Proofpoint has helped thousands of customers worldwide develop and implement their insider threat management programme. “We're doing that in a single unified view, so that you can get visibility into the information users are creating and accessing, and the applications that they’re using, and establish both the context behind their risky behaviour and intent,” he says. This dovetails with the range of Proofpoint products that can protect business-critical data from cybersecurity incursions.


In addition, Proofpoint takes a holistic approach, bringing in experts to understand the way a business works and advising companies on best practices and tools to shore up their data in the most sensible, cost-efficient and effective manner.

One such client is a large global pharmaceutical firm that was involved in the early days of research for the Covid-19 vaccine. “Obviously, they have lots of sensitive information,” says Reed. The company called in Proofpoint after it noticed, deep within the legacy security tools in its stack, unauthorised data access and several attempts to steal protected data. It instigated an insider threat management programme that helped identify, contain and remediate these risks.

Five signs that your organisation is at risk

• Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work and that affect the organisation’s security.

• Employees are unaware of the steps they should take to ensure that the devices they use – both company-issued and BYOD – are secured at all times.

• Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organisation to risk.

• Employees break your organisation’s security policies to simplify tasks.

• Employees expose your organisation to risk if they do not keep devices and services patched and upgraded to the latest versions at all times.

Ponemon Cost of Insider Threats Report, 2022

Ensuring your data doesn’t leave with your talent

The ‘great resignation’ means many organisations are scrambling to replace lost talent, but are they fully aware of the risks to their data?

Two years on from the beginning of the pandemic, the great resignation shows little sign of slowing. Many people are looking for more flexible or meaningful roles, while others are seeking a less stressful take on the daily grind. It’s a serious issue for businesses – and not just in terms of replacing lost talent.

When people leave, they often take vital data with them too. “The kind of data that’s lost when employees leave an organisation is as varied as the different types of businesses in operation,” says Sarah Edwards, a senior employment law solicitor and GDPR expert at Howarths. “Some examples of data that is often lost include things such as source code, information about operational processes, intellectual property, sales contacts and pricing information, presentations created by the employee and company financial data.”

Employees may mistakenly feel they have the right to take this data with them when they move on. “People often see their work as very personal, rather than necessarily belonging to their employer, and that makes controlling and monitoring access to data very important,” says Andy Swift, technical director, offensive security, at Six Degrees. “However, that is very easy to say but very hard to actually implement properly.”

The high staff turnover businesses are currently experiencing could increase their exposure to data loss. Edwards also points out that: “The portability of data and the increase in home and remote working has also increased the risk factor; data is no longer secured securely on company networks and is often accessed from home and easily downloaded onto external media devices such as USB drives or uploaded to cloud platforms.”

Identifying risks

Although employees are bound to varying degrees of confidentiality, data increasingly resides on their personal devices – sometimes innocently and sometimes with the intention of exfiltration, says Ric Longenecker, CISO of Open Systems. “A common, and not-so-innocent, scenario is when departing employees plan to go into business for themselves, often using information or contacts developed while working for their prior employer.”

Disgruntled former employees also pose a serious risk to an organisation’s data. “Any access to infrastructure can be troubling, as a disgruntled employee can damage infrastructure or erase code repositories,” says Russ Ernst, EVP of products & technology at Blancco.

Not knowing who has access to what data can also lead to problems when people leave. “If data is held by one person, team or department, or is in any way inaccessible or hidden from the wider organisation, you are asking for trouble,” says Alistair Dent, chief strategy officer at Profusion. “It creates vulnerabilities where a sudden departure or disgruntled employee can cause a lot of problems. By de-siloing data, you can reduce any single point of failure.”

This is important, as data loss can have a severe impact across many different areas of the business. “The risks are operational, financial and reputational. There are also regulatory risks in some sectors where the data lost – such as credit card details and other financial data – could result in fines, but the more common risks lie with loss of information or knowledge about how areas of the business function,” says Ms Edwards. “This is data that could give others a competitive advantage or information that could result in a loss of work.”

Longenecker raises another issue that could cause an organisation serious harm. “There is always the possibility of former employees viewing themselves as ‘whistleblowers’ and publicly releasing internal email and other communications that can have varying impacts, from embarrassed executives, damaged corporate reputations, a share price drop and worse,” he says.

Data protection

Organisations need to proactively tackle these risks to avoid sensitive data following former employees out the door – starting with ensuring their leaving processes are up to scratch. “In many cases, organisations do not have great departure processes in place and often fail to close or suspend exiting employees’ IT accounts, allowing them to log in and see information beyond their tenure,” says Longenecker.

“Redacting system access, expiring certificates, removing VPN access… there is a long list, and one of the pitfalls is often not keeping said list up-to-date,” says Mr Swift. “New systems with their own unique access requirements get brought online all the time, and making sure this list is reviewed regularly and updated is important.” However, so is acting upon it. “All too often we see policies for leavers, yet the reality of following the leaving process is often far from ideal,” Swift adds.

Properly managing mobile devices is another important means of reducing the risk of data loss. Ernst suggests that: “Enterprises can use an industry-recognised mobile device data management system to provide some form of data containerisation, have policies and checklists in place to remove access to data and retrieve assets, complete a data erasure process, and then monitor to see if the employee tries to access data after their departure date.”
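The two leaver failures described above – exiting employees whose accounts are never suspended, and access after the departure date – can be checked automatically by reconciling the HR leavers list against the identity provider and the authentication log. The script below is an added illustration, not code from the article or from any company it quotes; the leavers list, account snapshot, log format and all names, dates and addresses in it are constructed sample data.

```python
"""Reconcile a leavers list against account state and authentication events.

Flags (1) leavers whose departure date has passed but whose account is still
enabled, and (2) successful logins by a leaver after their last working day.
All data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime
import re

# Constructed HR leavers export: username -> last working day.
LEAVERS = {
    "alice": date(2022, 3, 31),
    "bob": date(2022, 4, 15),
    "carol": date(2022, 5, 31),   # departure scheduled, not yet happened
}

# Constructed identity-provider snapshot: username -> account enabled?
ACCOUNTS = {
    "alice": False,   # correctly disabled on departure
    "bob": True,      # processed by HR, but IT never disabled the account
    "carol": True,    # still employed, so still expected to be enabled
    "dave": True,     # current employee, not on the leavers list
}

# Constructed auth log (syslog-like, one event per line).
AUTH_LOG = """\
2022-04-14T09:02:11Z auth=success user=bob src=10.1.4.22 app=vpn
2022-04-16T22:41:05Z auth=success user=bob src=198.51.100.7 app=vpn
2022-04-20T08:15:44Z auth=failure user=alice src=203.0.113.9 app=mail
2022-04-21T10:00:00Z auth=success user=dave src=10.1.4.30 app=mail
2022-05-02T07:30:12Z auth=success user=bob src=198.51.100.7 app=fileshare
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<outcome>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) app=(?P<app>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "account_still_enabled" or "post_departure_login"
    user: str
    detail: str


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def check_leavers(leavers, accounts, log_text, today):
    """Return findings for every leaver whose last working day is before today."""
    findings = []
    for user, last_day in leavers.items():
        if today <= last_day:
            continue  # still employed: nothing to check yet
        if accounts.get(user, False):
            findings.append(Finding("account_still_enabled", user,
                                    f"left {last_day}, account still enabled"))
    for ev in parse_log(log_text):
        last_day = leavers.get(ev["user"])
        # Only successful logins after the last working day are reportable.
        if last_day is None or ev["outcome"] != "success":
            continue
        if ev["ts"].date() > last_day:
            findings.append(Finding("post_departure_login", ev["user"],
                                    f"{ev['ts'].isoformat()} via {ev['app']} from {ev['src']}"))
    return findings


def demo_findings():
    """Run the check on the constructed data as of 2022-05-03."""
    return check_leavers(LEAVERS, ACCOUNTS, AUTH_LOG, date(2022, 5, 3))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.kind:22} {f.user:8} {f.detail}")
```

In a real deployment the three inputs would come from the HR system export, the directory or identity provider, and the SIEM, and the check would run on a schedule rather than once.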

Finally, Edwards advises employers to clearly communicate their expectations concerning the removal of data from company systems, who owns that data, and what it can and can’t be used for. “Investing in appropriate security systems, such as blocking downloads to external devices without specific permission or investing in specific data security software, is also a very sensible step to take,” she adds.