By David Barroso, Founder & CEO, CounterCraft
Whether it’s the purported 36% of employees who can still access systems or data of a former employer after leaving a job, or the 49% who have shared their login details for some reason, insider actors are definitely one of the most concerning threats to your cybersecurity.
Oftentimes, CISOs can overlook insider threat as an issue belonging to another department, such as IT or HR. However, statistics show it is one of the biggest security issues in any organization. The 2022 Cost of Insider Threats: Global Report reveals that insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third to $15.38 million.
Insider threat is not limited to employees stealing data from your organization. The definition needs to include your supply chain, former employees and any individual who has inside information about your security processes and practices.
Here are the top reasons why detecting and preventing insider threat should be a priority on your to-do list:
1) An insider with trusted access can have high impact with a relatively low execution cost, meaning they can affect organizations of all sizes and industries.
This is inevitable: organizations need to trust their employees to be able to carry out various tasks. This trust spreads over a number of roles, from temporary workers and contract staff to IT administrators, individual contributors, lawyers, auditors, third-party contractors, and employees both current and past. All of them can turn into a malicious insider.
2) We are even more vulnerable to insider threat as we shift to the cloud.
According to the 2021 Insider Threat Report by Cybersecurity Insiders, 53% of cybersecurity professionals believe that detecting insider attacks has become harder since shifting towards the cloud. If insider threat was an issue before, as businesses and organizations move to the cloud, it has become even more pressing. Insiders with temporary or permanent access to the cloud environment (IaaS, SaaS, PaaS) can wreak havoc.
3) Sensitive data is particularly vulnerable.
Sensitive data is the major target by insider threat actors. Once they access this data, they can sell it, make it public, or use it for blackmail.
4) Breaches often occur over an extended period of time.
Time to detection is a real struggle when it comes to insider threats. The majority (some studies show over 70%) of insider breaches are discovered only after months or years. The loss of data and intellectual property grows exponentially over that time. Organizations need a plan that provides for real-time detection of potential insider threats early in the threat cycle.
5) Internal systems’ safety is at risk.
The access an insider threat has is often wide and deep. They have the potential and the capability to exert wide-ranging sabotage, damaging internal systems, data, and even critical services.
Recognizing Insider Threats
The first step in preventing insider threat is to notice risk factors. Insider threat has some widely accepted indicators, including employees:
- whose jobs are in danger
- who disagree with a company policy or have exhibited activist behavior
- under financial distress
- leaving the company
- who work at odd hours
- who seem to be experiencing unexplained financial gain
- with suspicious travel patterns
Staying aware of these general indicators of insider threat can help organizations take a big step towards mitigating the effect these insiders can have on your business’s security. Knowledge is power, and in this case simply paying attention to the actions of employees can be enough to raise a red flag.
So, How To Deal With Insider Threats?
Technically speaking, insider threats are a challenge that many security programs aren’t able to take on. A user with legitimate access and knowledge of an internal network is all but invisible to traditional security software. Insider threat actors often do not exhibit the malicious patterns and signatures of known external threat actors. So, is there a tool to help find them?
In this case, deception technology is one of the best ways to detect threatening internal behavior. Being able to generate high-fidelity alerts is a critical capability when you are swamped in millions of security events per day. Decoy servers and files that act as breadcrumbs are created and deployed within the internal network. These decoys and breadcrumbs are designed to look like documents and systems that no legitimate user has any business accessing. Therefore, by definition, anyone interacting with a decoy is, at minimum, snooping around where they shouldn’t be and is potentially out to do damage to the company. This means the alerts raised by deception technology within an internal network are high fidelity, preserving teams’ resources and helping analysts do their job well.
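As an added illustration (not CounterCraft’s code and not part of the original article), here is the core of the detection rule described above in Python: an inventory of planted decoy paths, a file-access log in a constructed format, and the rule that any touch of a decoy by anyone other than the account that deployed it is an alert. The decoy paths, account names, hostnames and log format are all assumptions.

```python
import re
from collections import namedtuple

# Constructed decoy inventory: paths planted as breadcrumbs that no legitimate
# business process reads. Names are hypothetical.
DECOYS = {
    r"\\fs01\finance\2023_bonus_plan.xlsx": "finance-share-decoy",
    r"\\fs01\hr\layoff_list_draft.docx": "hr-share-decoy",
    "/srv/backup/prod-db-credentials.txt": "linux-creds-decoy",
}

# The account that plants and refreshes the decoys touches them legitimately;
# excluding it is what keeps the alert stream high fidelity.
DEPLOYMENT_ACCOUNTS = {"svc-decoy-deploy"}

# Constructed, simplified file-access audit format (hypothetical):
#   <timestamp> user=<user> host=<host> op=<op> path="<path>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) path="(?P<path>[^"]+)"$'
)

Alert = namedtuple("Alert", "ts user host op path decoy")

def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def decoy_alerts(lines):
    """One high-fidelity alert per access to a planted decoy by a non-deployment account."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue  # malformed lines are skipped, never guessed at
        decoy = DECOYS.get(ev["path"])
        if decoy is None or ev["user"] in DEPLOYMENT_ACCOUNTS:
            continue
        alerts.append(Alert(ev["ts"], ev["user"], ev["host"], ev["op"], ev["path"], decoy))
    return alerts

def decoys_touched_per_user(alerts):
    """Distinct decoys per user: several different decoys is a stronger signal than one."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.user, set()).add(a.decoy)
    return {user: len(names) for user, names in seen.items()}

# Constructed sample log: a deployment write, one ordinary file read, a malformed line,
# and three decoy touches by two users.
SAMPLE_LOG = [
    r'2024-05-02T08:00:00Z user=svc-decoy-deploy host=DEPLOY-01 op=write path="\\fs01\hr\layoff_list_draft.docx"',
    r'2024-05-02T09:14:03Z user=jdoe host=WS-1182 op=read path="\\fs01\finance\2023_bonus_plan.xlsx"',
    r'2024-05-02T09:15:40Z user=asmith host=WS-0417 op=read path="\\fs01\finance\q2_forecast.xlsx"',
    "this line is not in the expected format",
    r'2024-05-02T09:31:12Z user=jdoe host=WS-1182 op=read path="\\fs01\hr\layoff_list_draft.docx"',
    r'2024-05-02T23:02:55Z user=root host=lin-bk-02 op=read path="/srv/backup/prod-db-credentials.txt"',
]

if __name__ == "__main__":
    for a in decoy_alerts(SAMPLE_LOG):
        print(f"ALERT {a.ts} {a.user}@{a.host} {a.op} {a.decoy} ({a.path})")
    print(decoys_touched_per_user(decoy_alerts(SAMPLE_LOG)))
```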
When it comes to creating the type of decoys and deception “campaigns” that will attract insiders and attackers, the most important factor is that they be realistic. It’s always a good idea when evaluating deception technologies to ask about the technology behind the decoys. Are they deployable across multiple endpoints? Can you deploy them externally, on internet-based platforms? Are they high-interaction? Can the activity on them be collected and analyzed in real time? The answers to these questions will reveal how effective the deception technology can be.
Shaping a defense against insider threats is possible, and a well-designed deception technology campaign is one of the only ways to achieve it.
About the Author
Entrepreneur, serial tech inventor, and visionary David Barroso is the CEO and founder of CounterCraft. Prior to founding the business and developing the Cyber Deception Platform, he was instrumental in the set-up of ElevenPaths, Telefónica’s flagship cybersecurity business, and led the cybercrime division at a leading pure-play European cybersecurity company. Barroso is recognised globally for his contribution to the industry as a captivating speaker, lecturer and thought leader, regularly found leading the debate about emerging threats at Black Hat and RSA conferences, among many others.
After 15 years in the cybersecurity arena, quantifying cyber risk remains central to Barroso’s inclination for research and development. His knack for innovation in response to emerging threats and his exceptional ability to guide stakeholders towards delivering advanced cybercrime, threat intelligence, and active defense solutions underpin his position as founder at CounterCraft.
David Barroso can be reached online by email (firstname.lastname@example.org), on Twitter (https://twitter.com/lostinsecurity) and on LinkedIn (https://www.linkedin.com/in/davidbarroso/). CounterCraft can be found at https://www.countercraftsec.com/ and on social media: Twitter (https://twitter.com/countercraftsec), LinkedIn (https://www.linkedin.com/company/countercraft/) and YouTube (https://www.youtube.com/c/CounterCraftSec).