Insider Threat Statistics for 2022 The seriousness of insider threat - SearchInform


11.08.2022


Insider Threat Statistics

What is an insider threat and who is an insider?

The term insider threat describes a security risk that originates inside an organization's security perimeter. The insider need not be an employee or executive of the organization: a consultant, a former employee, a business partner or a board member can be an insider as well. According to SearchInform statistics, up to 80% of information security experts believe that internal incidents are more dangerous than external ones, and 14% of respondents have faced situations in which hackers used an insider as a cat's-paw.
Thus, anyone with knowledge of, or access to, confidential and sensitive information or the organization's IT and network resources is a potential insider.

 

Common types of insider threats

To cope with the threat and mitigate the corresponding risks, you need to understand what kind of person an insider is. An insider may be a malicious actor, a so-called turncloak, or an unwilling participant, a so-called pawn.

Turncloaks

A turncloak is a malicious insider who steals data, usually sensitive information. Credential theft, for instance, is a very common crime involving an insider. In most cases the insider is an employee or a contractor, someone who is supposed to be on the network and has legitimate credentials but misuses that access for fun or personal gain. Motives vary from working for foreign governments to taking sensitive data to a new employer.

Pawns

A pawn is a regular employee who means to act properly but makes a mistake that is exploited by a miscreant or otherwise leads to data loss or compromise. Whether it is a lost laptop, a sensitive document accidentally emailed to the wrong person, or a malicious Word macro that gets run, the pawn is an unwitting participant in a security incident who becomes an insider against his or her will.

 

Insider Threat Detection

There are certain common types of behavior, digital or in person, indicating that a person may turn out to be an insider. Information security officers, security architects and their teams should monitor these indicators in order to detect a potential insider threat and prevent cybersecurity incidents.

Below are the most common digital and behavioral signs that can help to identify an insider.

Digital warning signs of an insider:
    Downloading or accessing significant troves of data
    Accessing sensitive data that is not part of the job description
    Accessing data that does not correspond with the person's usual behavioral profile
    Attempts to obtain data accessible to privileged users only
    Use of unauthorized storage devices (e.g., USB drives)
    Crawling the network and searching for sensitive data
    Data hoarding, copying files from sensitive folders
    Emailing sensitive data outside the organization

Behavioral warning signals of an insider:
    Attempts to bypass security controls
    Frequent presence in the office outside of business hours
    Expressing dissatisfaction to colleagues
    Violating company policies
    Discussions about resignation or new career opportunities

Behavioral warning signs may indicate potential problems, but digital forensics and analytics are the most effective methods of uncovering an insider threat. User behavior analytics (UBA) and security analytics help to identify a potential insider and raise an alert when a user behaves suspiciously.

 

Combating insider threat
A data leak of 10 million records costs a company about $3 million, so, as the saying goes, "forewarned is forearmed." Because an insider is already on the inside, you cannot rely on traditional perimeter-level security measures to protect your business. And since it is an insider, who is primarily responsible for such situations? Is it IT, HR, or is it a legal issue? Perhaps dealing with an insider involves all three and the CISO's team as well. The right approach is the key to spotting and remediating insider-related risks, and advanced protective software is necessary to identify insider risks and protect against them.

Measures required to defend against an insider's activities and respond to the threat:
•   Monitor files, emails, and activities in your key data sources
•   Identify and recognize where your sensitive data resides
•   Determine who actually has access to this data and who really should have access to it
•   Implement and manage a least privilege model across your infrastructure
•   Remove global access groups from sensitive data
•   Hold data owners accountable for managing permissions to their data, and revoke temporary access promptly
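The three access-related measures above (find out who actually has access, enforce least privilege, remove global groups and stale temporary grants) can be checked from an ACL export. The following is an added example, not SearchInform code or the output of any product: it expands nested group membership, flags global access groups and expired temporary grants, and lists every user whose effective access exceeds what the data owner intended. The share paths, group names, directory contents, ACL entries and "intended access" lists are constructed assumptions for the example.

```python
"""Access review for a least privilege model: expand group membership, find global
access groups, expired temporary grants and users whose effective access exceeds what
the data owner intended. Added example, not SearchInform code; the ACL export format,
group names and intended-access lists below are constructed assumptions."""
from datetime import date

# Groups that effectively mean "everyone in the directory" (assumption: typical Windows names).
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed directory: group -> members (users or nested groups). Note the cycle
# Finance -> FinanceLeads -> Finance, which real directories do contain.
GROUPS = {
    "Finance": {"alice", "FinanceLeads"},
    "FinanceLeads": {"dave", "Finance"},
    "HR": {"erin"},
}
ALL_USERS = {"alice", "bob", "carol", "dave", "erin"}

FINANCE = r"\\fs01\finance"
HR = r"\\fs01\hr"

# Constructed ACL export: (share path, principal, rights, expiry date or None for permanent).
ACL = [
    (FINANCE, "Finance", "Modify", None),
    (FINANCE, "Domain Users", "Read", None),        # global group on sensitive data
    (FINANCE, "bob", "Read", "2022-06-30"),         # temporary grant that was never revoked
    (HR, "HR", "Modify", None),
    (HR, "carol", "Read", "2022-12-31"),            # temporary grant still within its window
]

# What the data owners say the access should be (constructed).
INTENDED = {FINANCE: {"alice", "dave"}, HR: {"erin", "carol"}}


def expand(principal, groups=GROUPS, all_users=ALL_USERS, seen=None):
    """Return the set of users a principal resolves to, following nested groups safely."""
    if principal in GLOBAL_GROUPS:
        return set(all_users)
    if principal not in groups:          # not a known group, so a user
        return {principal}
    seen = set() if seen is None else seen
    if principal in seen:                # cycle guard
        return set()
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, all_users, seen)
    return users


def effective_access(acl):
    """Map each path to the users who can actually reach it (who *has* access)."""
    access = {}
    for path, principal, _rights, _expires in acl:
        access.setdefault(path, set()).update(expand(principal))
    return access


def audit(acl, intended, today):
    """Return (rule, path, principal) findings for the three least-privilege checks."""
    today = date.fromisoformat(today)
    findings = []
    for path, principal, _rights, expires in acl:
        if principal in GLOBAL_GROUPS:
            findings.append(("global_group", path, principal))
        if expires is not None and date.fromisoformat(expires) < today:
            findings.append(("expired_grant", path, principal))
    # Expired grants still work until someone removes them, so they stay in effective access.
    for path, users in effective_access(acl).items():
        for user in sorted(users - intended.get(path, set())):
            findings.append(("excess_access", path, user))
    return findings


if __name__ == "__main__":
    for rule, path, principal in audit(ACL, INTENDED, "2022-08-11"):
        print(f"{rule:15} {path:15} {principal}")
```

On the constructed data the finance share gets three kinds of finding: the "Domain Users" entry, bob's grant that expired in June, and excess access for bob, carol and erin, all of whom reach the share only through the global group or the stale grant. The HR share produces nothing, because carol's temporary access is still inside its window and matches the owner's list.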

Apply security analytics to alert on abnormal behavior, including:
•   Attempts to access sensitive data that is not part of normal activity
•   Increased file activity in sensitive folders
•   Attempts to modify system logs or delete large amounts of data
•   Sending large amounts of data outside the company's perimeter via email or other transmission channels
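The digital warning signs listed under Insider Threat Detection and the analytics alerts listed just above are the same rules seen from two sides, so one added example serves both. It is not SearchInform code or any UBA product's logic: a small set of rules runs over constructed user-activity events (out-of-role access, off-hours activity, removable-drive copies, probing for privileged data, large external emails, log tampering and a daily volume spike against a per-user baseline) and rolls the hits into a per-user risk score. The users, roles, folder names, baselines, thresholds and rule weights are all assumptions chosen for the example.

```python
"""Security analytics over constructed user-activity events: the digital warning signs
listed above turned into rules, with a per-user risk score. Added example, not SearchInform
or any UBA product's code; event format, roles, baselines and thresholds are assumptions."""
from collections import Counter, defaultdict

# --- Constructed reference data ---
USER_ROLE = {"alice": "finance", "bob": "engineering", "carol": "sales"}
# Top-level folders each role is entitled to read; anything else is outside the job description.
ROLE_FOLDERS = {
    "finance": {"finance", "public"},
    "engineering": {"source", "public"},
    "sales": {"crm", "public"},
}
# Typical file reads per day per user, standing in for a baseline a UBA tool would learn.
BASELINE_READS = {"alice": 40, "bob": 1, "carol": 10}
INTERNAL_DOMAINS = {"example.com"}
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59
VOLUME_FACTOR = 3                   # flag when daily reads exceed 3x baseline
EMAIL_LIMIT = 10 * 1024 * 1024      # external email attachments above 10 MiB
RULE_WEIGHT = {
    "out_of_role": 3, "off_hours": 1, "usb_write": 4, "volume_spike": 2,
    "external_email": 3, "log_tampering": 5, "privilege_probe": 2,
}

# Constructed sample events for one day: (user, "HH:MM", action, target, size_bytes)
EVENTS = [
    ("alice", "09:15", "read", "finance/q3_forecast.xlsx", 0),
    ("alice", "09:20", "read", "finance/payroll.csv", 0),
    ("bob", "10:02", "read", "source/build.py", 0),
    ("bob", "22:40", "read", "finance/payroll.csv", 0),          # outside role, outside hours
    ("bob", "22:41", "read", "finance/q3_forecast.xlsx", 0),
    ("bob", "22:42", "read", "finance/board_minutes.docx", 0),
    ("bob", "22:43", "read", "finance/vendor_contracts.pdf", 0),
    ("bob", "22:45", "usb_write", "E:/dump.zip", 734_003_200),   # copy to removable drive
    ("carol", "11:20", "denied", "admin/domain_admins.txt", 0),  # data for privileged users only
    ("carol", "11:30", "email", "me@gmail.com", 52_428_800),      # 50 MiB to a personal mailbox
    ("carol", "11:35", "log_delete", "Security.evtx", 0),        # covering tracks
]


def _folder(target):
    return target.split("/", 1)[0]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def detect(events):
    """Return (user, rule, detail) findings for the warning signs listed above."""
    findings = []
    reads = Counter()
    for user, ts, action, target, size in events:
        hour = int(ts.split(":")[0])
        role = USER_ROLE.get(user)
        if action == "read":
            reads[user] += 1
            if role and _folder(target) not in ROLE_FOLDERS[role]:
                findings.append((user, "out_of_role", target))
        if action in ("read", "usb_write") and hour not in BUSINESS_HOURS:
            findings.append((user, "off_hours", f"{ts} {target}"))
        if action == "usb_write":
            findings.append((user, "usb_write", f"{target} ({size} bytes)"))
        if action == "denied":
            findings.append((user, "privilege_probe", target))
        if action == "email" and _domain(target) not in INTERNAL_DOMAINS and size > EMAIL_LIMIT:
            findings.append((user, "external_email", f"{size} bytes to {target}"))
        if action in ("log_delete", "log_modify"):
            findings.append((user, "log_tampering", target))
    # The volume check needs the whole day, so it runs after the loop.
    for user, count in reads.items():
        baseline = BASELINE_READS.get(user, 0)
        if count > VOLUME_FACTOR * baseline:
            findings.append((user, "volume_spike", f"{count} reads vs baseline {baseline}"))
    return findings


def summarize(findings):
    """Distinct rules triggered per user, sorted, for a quick triage view."""
    rules = defaultdict(set)
    for user, rule, _ in findings:
        rules[user].add(rule)
    return {user: sorted(r) for user, r in rules.items()}


def risk_scores(findings):
    """Weighted score per user; several weak signals on one account add up."""
    scores = Counter()
    for user, rule, _ in findings:
        scores[user] += RULE_WEIGHT[rule]
    return dict(scores)


if __name__ == "__main__":
    found = detect(EVENTS)
    for user, score in sorted(risk_scores(found).items(), key=lambda kv: -kv[1]):
        print(f"{user}: score {score}, rules {summarize(found)[user]}")
```

Alice, a finance user reading finance files during the day, triggers nothing; that is the point of comparing against a role and a baseline rather than alerting on "sensitive file read". Bob's late-night finance reads followed by a USB copy stack four rules, and carol's denied access, large external email and deleted event log stack three, so both surface well ahead of ordinary users even though each single event could be explained away.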

It is equally important to have a response plan in place for a potential data leak:
•   Identify risks and take action
•   Disable and/or log off users when suspicious activity or behavior occurs
•   Determine which users and files are affected
•   Identify how dangerous the threat is and alert appropriate teams (legal, HR, IT, CISO)

Countermeasures:
•   Recover deleted data 
•   Scan and remove all malware used during the attack
•   Re-enable all bypassed security measures
•   Conduct a detailed investigation of the incident and how it unfolded
•   Alert compliance and regulatory authorities when necessary
The key to protection against the threat is to monitor your data, gather information and trigger alerts when abnormal behavior occurs.

 

FAQs

Q: What are the motives behind an insider threat? 
A: The basic motive for an insider is money. 34% of data leaks in 2021 were caused by insider actions; 71% of data leaks were motivated by money, and 25% by espionage or attempts to gain a strategic advantage. Most insider actors want to make a quick buck with the data they stole.

Q: How do you recognize an insider who has legitimate access to sensitive data?
A: On the one hand, it is normal for employees to have access to sensitive data, because such access is often required to do their jobs well. On the other hand, access to sensitive data is always a serious information security risk. In a fast document workflow, where troves of documents containing confidential data are processed and transmitted, the most efficient solution is automated protective software that reads all data and, both automatically and with the help of users and InfoSec officers, labels it according to its type and confidentiality level. DCAP class solutions handle this task, for instance SearchInform FileAuditor.

Q: How useful are watch lists?
A: We believe that a watch list can be a useful option. Its main purpose is to help keep an eye on a likely insider and prevent incidents, but it may also mislead InfoSec officers. To mitigate the risks arising from typical watch list flaws, SearchInform has developed ProfileCenter, which helps to manage personnel, increase productivity and find out whether there is a human-related threat undermining colleagues' or the company's wellbeing. Our software tracks all relevant indicators over time. Note that the system is unbiased and cannot be gamed. Thus, a ProfileCenter watch list is a reliable option that helps to block malicious actions conceived by an insider.


 



