Crossbow Labs

The Real Deal About Insider Threats

Whenever a crime is committed against an individual, it is most likely to have been done by someone the victim knows.

We often hear about data breaches carried out across the globe by hacker groups. If a person in a remote part of the world can hack into a company server and steal sensitive or confidential information, disrupting the business temporarily, then imagine the level of damage that could be caused by someone who already has legitimate access to an organization’s digital systems and information.

We call them insider actors.

Insider actors could be employees, trusted partners, third-party vendors, service providers or physical asset suppliers who have access to the organization’s data or computer systems.

Insider threat is defined as any risk to an organization that comes from within the business itself.

There’s a common misconception that small to mid-range companies are not targets of hackers.

That’s definitely not true.

Let’s look at some statistics.

Data breaches can happen to organizations of any size and in any industry. Recent studies reveal that more than 50% of organizations experience one insider data leakage event each month.

Some key findings from Fortinet’s 2019 insider threat report:

  • 68% of companies report feeling moderately to highly vulnerable to insider attacks.
  • 68% of companies report more regular insider attacks.
  • Since migrating to the cloud, 56% of organizations believe that detecting insider attacks has become significantly harder.
  • 62% of organizations report that privileged IT users pose the greatest insider security risk to organizations.

So the real question here is: “Are insider threats the worst threat to an organization?”

Yes. The trusted nature of user access rights makes it difficult to detect breaches with standard cybersecurity measures. Insider-related incidents are more difficult to detect because the insider actors are aware of the cybersecurity approaches being implemented and know the exact location of sensitive data.

Waymo, the self-driving Google Car project, suffered a malicious insider attack. In this scenario, the insider was a leading project manager who stole trade secrets to launch a new venture, with the plan of being bought by Uber. The developer was dissatisfied with Google, which contributed to his theft of over 14,000 intellectual property files.

The property includes:

  • Light identification and range (LIDAR) diagrams and drawings, simulations and radar technologies
  • Fragments of source code
  • Recordings of test drives
  • Business intelligence and marketing

Some figures put the value of the intellectual property stolen from Waymo as high as $1.1 billion.

Fortunately for Waymo, the company proved that the insider shared the trade secrets illegally, and Waymo was able to gain compensation from Uber, which included Uber stock worth 245 million dollars and a clause prohibiting Uber from utilizing the stolen data in its hardware or software.

The major takeaway from this incident is that one cannot assume every insider incident involves an employee plotting against the company over a wrong done by the employer. Most often, the incident can be traced back to a very specific and very human error: carelessness or negligence.

Sometimes user negligence leads to the biggest insider threats.

At RSA (the security arm of EMC), advanced, recurrent targeted phishing attacks succeeded when staff clicked on them, and have affected 40 million employee records (the full extent of which is still not known).

The phishing attacks on RSA employees, carried out by two hacker groups associated with a foreign government, were made to appear to come from trustworthy colleagues and contacts. When the employees fell for the attacks, the hackers gained access and were able to compromise their SecurID authentication tokens.

One of the most shocking aspects of the attack was that RSA had been known for several years as a security provider. The attack showed that nobody is immune to insider-caused data breaches.

The Ponemon Institute states that a company needs on average 197 days to identify a breach and 69 days to contain it.

Some studies have shown that most insiders are identified within minutes or days. Other research shows that detecting such a breach takes from months to years.

When breaches by insider actors are exposed, they can damage a company's reputation. They reflect badly on the company's culture, suggest negligence, and thus erode trust in the organization. Even if a breach doesn’t come to public attention, if it included the theft of IP or other essential assets, the competitive advantage of the company may be adversely affected.

How Can Companies Reduce Insider Threats?

Our inference from working in this field is that insider breaches can happen for a wide range of reasons, from corporate espionage to negligence. Understanding why you might be a target for data theft is a good idea, because it will help you develop a robust plan and strategy for insider threats.

Knowing the types of threats is one part of the plan; understanding and recognizing how these breaches occur is the other important aspect. Watching for tell-tale user behaviours is the first trigger for foiling an attempt.

The more insight you have into user behaviour, the better the alerting system can recognise signs of an insider threat, boosting the ability to actively detect and stop it before it gets out of hand.

A good solution to deal with insider threats is to holistically manage risk. This can only happen by implementing intelligent solutions and good housekeeping, supported by a zero-trust policy.

Concluding notes: good housekeeping and staying employee-centric can never go out of fashion. While we speak about technology and cybersecurity, keeping the behavioural element in mind is the most critical factor in determining the effectiveness of a cybersecurity program.