SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Insider threats cannot be eliminated but zero-trust can limit the damage
Thu, 10th Nov 2022

No organisation can prevent insider threats from causing damage. 

It is highly unlikely that any organisation operating today has not suffered some form of insider attack, whether caused by carelessness, malicious intent or a compromised user. It is probable that numerous insider threats remain completely undetected in your organisation. Alarmingly, both the frequency and the impact of insider threats are growing rapidly.

The accelerated adoption of hybrid working, combined with digital transformation initiatives, is increasing the probability that accidental or malicious insider activity will lead to serious costs and brand damage. The only viable approach is one that assumes breaches caused by insiders will occur and seeks to minimise the damage quickly, using multiple controls. These controls should include an insider threat program.

According to a Ponemon Institute study, insider threats have increased in both frequency and cost over the past two years. The study reveals that credential thefts have almost doubled since 2020, confirming that attackers have become far more sophisticated and are targeting people rather than systems.

The research also shows that the number of incidents caused by negligent insiders has tripled since 2016. As people move from one employer to another and as digital transformation initiatives continue to embrace hybrid working, mobile and cloud technology, this trend is set to continue.  

Collusion between insiders and external threat actors is particularly difficult, if not impossible, to defend against. Detecting this and other types of insider threat, and gaining visibility into user and device behaviour, is increasingly challenging.

A people-centric, zero-trust approach is necessary to mitigate insider risk

To date, organisations have usually taken a defensive ‘castle-and-moat’ approach to cybersecurity, seeking to secure network perimeters and prevent threat actors from gaining access. Implicitly, this approach assumes that users with the right credentials are trustworthy and do not need to be authenticated and authorised every time they seek access to corporate resources. This approach has always had its faults, but its vulnerabilities are being amplified as data is increasingly stored in the cloud and employees connect to the network remotely, on a massive scale.

Managing insider attack risk requires organisations to adopt a people-centric zero-trust approach to cybersecurity, which assumes breaches will occur and seeks to limit the damage caused by all attackers, internal and external. All network traffic must be viewed as suspicious, and the principle of ‘never trust, and continuously verify’ must be applied to all users: employees, partners and customers. This approach requires every user to prove their identity each time they access a network, an application or data.

A zero-trust approach is complex to implement. Organisations often have disparate legacy systems that hold critical data. These systems are typically difficult to integrate, and achieving visibility across them is a major challenge and a resource-intensive effort. A comprehensive approach is required to avoid creating new security vulnerabilities. Mitigating insider threats requires greater emphasis on basic cyber hygiene, such as training and awareness, together with other aspects of a zero-trust approach, including:

  • Developing a program which identifies potential insiders based on context, user activity, data interaction and user risk profiles. 
  • Dynamically controlling access based on risk and context. 
  • Accelerating incident response times by detecting unusual activity more rapidly. 
  • Gaining visibility across all data movement in systems and networks, so that anomalous behaviour is detected sooner and response is swifter. Greater visibility reduces the average number of days it takes to contain an insider threat incident.
  • Developing consistent and repeatable processes to detect and respond to insider threats based on context.
  • Creating transparency that drives continuous improvement and enables cybersecurity postures to adapt to changing risk environments. 
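The list above describes risk-profiling, context-based access control and anomaly detection in the abstract. The following is an added example, not code from the article or from any vendor it describes, showing how those three ideas fit together in one small policy engine: each access request is scored against the user's historical baseline (hours, locations, daily data volume) and its context (device state, resource sensitivity), the score drives an allow / step-up / deny decision, and a triage pass surfaces only the events an analyst should look at. The baselines, thresholds, user names and events are constructed values assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed per-user baselines (assumed values for illustration only): the
# hours, countries and daily outbound volume each user has historically shown.
BASELINES: Dict[str, dict] = {
    "alice": {"hours": range(8, 19), "locations": {"SG"}, "daily_bytes": 50_000_000},
    "bob":   {"hours": range(9, 18), "locations": {"SG", "MY"}, "daily_bytes": 20_000_000},
}

# Assumed thresholds: sensitive resources trigger step-up or denial at lower scores.
THRESHOLDS = {
    "high": {"step_up": 2, "deny": 5},
    "low":  {"step_up": 4, "deny": 7},
}


@dataclass
class AccessEvent:
    user: str
    hour: int                 # local hour of the request, 0-23
    location: str             # country code the request arrived from
    managed_device: bool      # device enrolled and compliant with corporate policy
    sensitivity: str          # "high" or "low": classification of the resource
    bytes_out: int            # data volume the user has moved out so far today


@dataclass
class RiskAssessment:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decision: str = "allow"   # "allow", "step_up" (re-verify the user) or "deny"


def assess(ev: AccessEvent, baselines=BASELINES) -> RiskAssessment:
    """Score one access request against the user's baseline and the request context."""
    risk = RiskAssessment()
    base = baselines.get(ev.user)
    if base is None:
        # No history at all: treat as high risk rather than silently trusting the credential.
        risk.score += 5
        risk.reasons.append("no baseline for user")
    else:
        if ev.hour not in base["hours"]:
            risk.score += 2
            risk.reasons.append("outside usual working hours")
        if ev.location not in base["locations"]:
            risk.score += 2
            risk.reasons.append("unusual location")
        if ev.bytes_out > 5 * base["daily_bytes"]:
            risk.score += 4
            risk.reasons.append("bulk data movement")
    if not ev.managed_device:
        risk.score += 2
        risk.reasons.append("unmanaged device")

    # The same score means different things for a public wiki and for the IP repository.
    limits = THRESHOLDS[ev.sensitivity]
    if risk.score >= limits["deny"]:
        risk.decision = "deny"
    elif risk.score >= limits["step_up"]:
        risk.decision = "step_up"
    return risk


def triage(events: List[AccessEvent]) -> List[dict]:
    """Return only the events that were not plainly allowed, highest risk first."""
    flagged = []
    for ev in events:
        risk = assess(ev)
        if risk.decision != "allow":
            flagged.append({"user": ev.user, "decision": risk.decision,
                            "score": risk.score, "reasons": risk.reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    AccessEvent("alice", 10, "SG", True, "high", 1_000_000),     # normal, allow
    AccessEvent("alice", 10, "SG", False, "high", 1_000_000),    # unmanaged device, step up
    AccessEvent("bob", 23, "US", True, "high", 300_000_000),     # off-hours bulk export, deny
    AccessEvent("bob", 10, "MY", False, "low", 100_000),         # low-value resource, allow
    AccessEvent("mallory", 12, "SG", True, "high", 0),           # no baseline, deny
]

if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print(item)
```

The design choice worth noting is that the decision is a function of both the user's risk and the resource's sensitivity, which is what "calibrating controls according to user risk profiles" means in practice: the same unmanaged device that is tolerated for a low-value resource forces re-verification for a sensitive one. In a production deployment the baselines would be learned from identity and data-movement telemetry rather than hard-coded, and the `reasons` list is what an analyst needs to shorten response time.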

Insiders can cause long-term damage by, for example, using their access to share data with competitors or taking company IP with them when they leave to join a new employer. Organisations must treat all network traffic as suspicious and adopt a zero-trust, continuous-verification approach to ensure that the damage caused by even the most privileged insider is limited.

For this reason, an insider threat program that identifies user risk profiles and calibrates controls accordingly is necessary. The program also needs to focus on real-time detection of anomalous insider behaviour and rapid response. Ongoing awareness programs will further mitigate the risk of user error.

Innovation in technology and changes in working trends are inevitable. A people-centric, zero-trust approach to insider threat management mitigates the risk of intellectual property and critical data leaving your organisation as they do.