How to Prevent Insider Attacks

Many organizations focus on cyber threats with external origins. These types of threats and mitigations include anti-malware, external firewalls, DDoS attacks, external data loss prevention, etc. The internet and unauthorized physical access to your facilities will always be risks, and they need to be monitored and managed effectively. However, it's easy to lose sight of an often overlooked cyber attack surface: the one on the inside. Insider attacks often catch organizations by surprise because they can be difficult to spot. Understanding what exactly contributes to the increasing number of insider threats and addressing these factors is the only way to secure your business against such attacks.

Impact of Insider Attacks

Insider threats to your network will typically involve those who work as employees or contractors for your company. They belong in your facilities and often have user accounts on the network. They know things about your organization that outside threats usually don't know, such as the name of your network administrator, the specific applications you use, what sort of network configuration you have, and which vendors you work with. External cyber attackers usually need to fingerprint your network, research information about your organization, socially engineer sensitive data from your employees, and gain access to a user account. Internal attackers have several advantages that external attackers lack.

Insider threats aren't always malicious in nature. Some insider threats are purely accidental. Perhaps an employee accidentally leaves a flash drive with company information on it in a public coffee shop, or an employee accidentally clicks on a malicious link that introduces malware onto the network. According to the 2020 Ponemon Institute Cost of Insider Threats report, the average global cost of insider threats rose by 31% in two years to $11.45 million, and the frequency of incidents spiked by 47% in the same time period. The study also found that insider threat incidents cost the 159 organizations surveyed an average of $8.76 million in a year. Malicious insider threats are more expensive than accidental ones: incidents caused by negligent employees or contractors cost an average of $283,281 each, whereas malicious insider credential theft costs an average of $648,845 per incident. The bottom line is that all of these incidents are very expensive and they must be prevented.

Insider vs Outsider Attacks

Insider threats can be much more threatening to your business than an external attack. Insiders already have authorized access to your buildings and user accounts. An outside attacker would need to work to find an external attack vector into your networks and physical facilities. Those are steps inside attackers don't typically need to take. It's a lot easier to escalate privileges from a user account you already have than to break into any user account in the first place. A security guard will scrutinize an unfamiliar individual, whereas they will wave hello to a known employee. The same applies to accidental incidents. I don't know any sensitive information about companies that I've never worked for. A current or former employee often will, and it can be socially engineered out of them.

The privileged access that insiders already have makes them a lot more difficult to detect and stop than outsider threats. When an employee is working with sensitive data, it's very difficult to know whether they are doing something malicious or not. If an insider behaves maliciously within your network, they can claim it was an honest mistake, and therefore it can be challenging to prove guilt. Insider threats can also be a lot more difficult to contain than outsider threats. According to the 2018 Cost of Insider Threats study by Ponemon Institute, it took an average of 73 days to contain insider incidents. Only 16% of insider incidents were contained in less than 30 days. Even if a threat to your network lasted 20 days, imagine how much harm could be done in that time, and the cost of recovery and the damage to your reputation.

What to Look Out For

Insider threats are much more difficult to detect and contain than external threats. Since insider threats are more problematic, it is crucial to understand what you should be looking for to mitigate such attacks.

Disgruntled employees can become malicious insider threats. Some of the most dangerous can be those employees who receive termination notices in advance. They may decide that, since they are already being fired, they no longer have anything left to lose. Depending on the type of business and the types of data that employees are dealing with, it may be beneficial to have the employee stop working for the company the moment they are terminated, and to suspend any accounts they use.

Malcontented employees who are not being terminated also pose a risk. Signs of disgruntled employees who may become malicious insiders include frequent conflicts with supervisors and coworkers, declining performance, and general tardiness. Frequent visits to websites with job listings are another clear indication of a disgruntled employee. Frequent trips to other cities or countries can be a sign of industrial espionage: the employee could be sharing sensitive and proprietary information with another company.

Another thing to watch for is employees who disregard cybersecurity best practices, such as locking screens, not using USB sticks or external drives, and not sharing passwords and user accounts, or who do not take cyber threats seriously. Also watch for employees who request network or data access to resources not required for their job, who search for and try to access confidential data, or who download large amounts of data they do not require.
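The indicators above, together with the earlier advice to suspend accounts the moment someone is terminated, can be turned into routine checks over an access audit log. The following is an added example, not code from the original article: it flags activity on accounts that should already be suspended, access to shares outside an account's role, and days on which an account moved far more data than its own baseline. The log format, the role map, the termination list and the thresholds are all constructed for illustration and would be replaced by your own audit source, IAM data and HR feed.

```python
"""Detection checks for three insider indicators: activity on accounts that
should have been suspended at termination, access to shares outside a user's
role, and unusually large data pulls. Added example, not from the original
article; log format, role map, termination list and thresholds are constructed."""
from collections import defaultdict
from statistics import median

# Constructed audit log, one event per line: "timestamp user action resource bytes"
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice read finance/q1_report.xlsx 20480
2024-03-01T10:05:00 alice read finance/budget.xlsx 31000
2024-03-02T09:30:00 alice read finance/q1_report.xlsx 20480
2024-03-03T11:00:00 alice read finance/payroll.csv 450000000
2024-03-01T08:40:00 bob read eng/design.md 5120
2024-03-02T08:45:00 bob read eng/design.md 5120
2024-03-02T16:10:00 bob read hr/salaries.csv 8000
2024-03-03T09:00:00 carol read eng/build.log 70000
2024-03-03T09:30:00 carol read eng/build.log 71000
2024-03-03T12:00:00 dave read finance/budget.xlsx 31000
"""

# Constructed role map: the top-level shares each account is expected to use.
ROLE_ACCESS = {"alice": {"finance"}, "bob": {"eng"}, "carol": {"eng"}}

# Constructed HR feed: accounts whose owners were terminated, with the date.
TERMINATED = {"dave": "2024-03-02"}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append({"day": ts[:10], "user": user, "action": action,
                       "resource": resource, "bytes": int(nbytes)})
    return events


def post_termination_activity(events, terminated):
    """Events from an account on or after its owner's termination date.
    The account should have been suspended, so any use is worth a ticket."""
    return [(e["user"], e["day"], e["resource"]) for e in events
            if e["user"] in terminated and e["day"] >= terminated[e["user"]]]


def out_of_role_access(events, role_access):
    """Accesses to a share the account's role does not include. Accounts
    missing from the role map are flagged too: an unmapped account is a
    provisioning gap, not an implicit allow."""
    hits = []
    for e in events:
        share = e["resource"].split("/", 1)[0]
        if share not in role_access.get(e["user"], set()):
            hits.append((e["user"], e["resource"]))
    return hits


def bulk_download_alerts(events, factor=10, min_bytes=1_000_000):
    """Days on which an account moved more than `factor` times the median of
    its other days, and more than an absolute floor so accounts with a
    near-zero baseline do not alert on noise. The leave-one-out median keeps
    the suspicious day itself from inflating the baseline."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        daily[e["user"]][e["day"]] += e["bytes"]
    alerts = []
    for user, days in daily.items():
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if not others:  # only one day of history: no baseline yet
                continue
            if total >= min_bytes and total > factor * median(others):
                alerts.append((user, day, total))
    return alerts


def run_checks(log_text=SAMPLE_LOG):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "post_termination": post_termination_activity(events, TERMINATED),
        "out_of_role": out_of_role_access(events, ROLE_ACCESS),
        "bulk_download": bulk_download_alerts(events),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(f"{check}: {findings if findings else 'none'}")
```

On the constructed log this reports dave's read the day after termination, bob's visit to the hr share and dave's unmapped access, and alice's 450 MB pull on 3 March against a baseline of a few tens of kilobytes. The per-account baseline matters more than any fixed threshold: a data analyst legitimately moves more than a receptionist, so comparing each account to its own history avoids both drowning in false positives and missing a quiet account that suddenly exports a whole share.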
How to Mitigate Insider Threats

There are many ways to stay proactive and prevent insider threats to your organization. Several CISA products are available on the Insider Threat Mitigation Resources site. The primary resource, the Insider Threat Mitigation Guide, provides comprehensive information on how to establish or enhance an insider threat prevention and mitigation program. Federal, state, local, and non-governmental organizations, as well as the private sector, are encouraged to use these resources freely to enhance their own security.

At Vigilant, we understand the risks that both inside and outside threats can pose to a business, both small and large. We offer a variety of cybersecurity services and have vast experience assisting organizations with network, cloud, and cybersecurity. Our goal is to proactively identify security risks and vulnerabilities that could allow someone to access confidential areas of a network or obtain unauthorized access to the organization. Our experts will work with you to deliver a remediation strategy to best protect your data. We offer social engineering tests as well as penetration testing, network forensics, and other strategies and technologies to best serve you. Stay Vigilant and get in contact with us today to ensure you aren't vulnerable to insider threats. See our quick and free Infrastructure Assessment form if you are concerned about your infrastructure security, and our engineers will get back to you with suggested areas of improvement for your IT infrastructure.

Topics: Data security, malware, data privacy, cybersecurity