Cybersecurity professionals across all industries are focused on keeping threats out of an organisation. And with good reason. From business email compromise attacks (BEC) to malware, and ransomware, there are a host of threats that, once inside an organisation’s defence, can do significant damage.
The public sector has always been a popular target with cybercriminals, with education in particular bearing the brunt of much of that activity. In recent years, however, the frequency, sophistication level, and cost of cyber-attacks against the sector has increased. Education saw the largest year-on-year increase of email fraud attacks of any industry in 2019, with 192% growth, averaging 40 attacks per institution.
Additionally, in the midst of the global Covid-19 pandemic, cyber threats targeting the healthcare sector have also seemingly heightened, in particular ransomware attacks. And the worst is yet to come. In October 2020, the FBI warned US hospitals and healthcare providers to expect an “increased and imminent cybercrime threat… leading to ransomware attacks, data theft, and the disruption of healthcare services.”
Both of the aforementioned industries are a strong target for cybercriminals, mainly due to the masses of highly sensitive information they hold. While this confidential data is a treasure trove for cybercriminals trying to infiltrate an organisation’s infrastructure from the outside in, organisations must also consider the threats they may face from within the business, especially if this data falls into the wrong hands.
Insider threats increasing
Insider threats are on the rise, increasing by 47% over the past two years. Today, almost a third of all cyber-attacks are insider driven.
Just like outside threats, those that stem from within have the potential to cause significant damage, costing businesses an average of $11.45 million last year.
Not all insider threats are malicious, however. When we consider unintentional threats – such as the installation of unauthorised applications or the use of weak or reused passwords – this figure is likely much higher.
Whether due to human error or malicious intent, threats from within are notoriously difficult to defend against. Not only is the ‘attacker’ already within your defences, using systems and applications you provided them, but in the case of malicious insiders, they may be able to use privileged access and information to actively avoid detection.
Understanding insider threats
When constructing a defence against insider threats, it’s easy to make the case for the old cybersecurity adage: trust no one.
However, this approach is not practical nor conducive to the flow of information required to run a modern-day business.
Fortunately, there are several less drastic steps that can be taken to detect insider threats – or better still, to stop them before they take root.
The first step is to understand exactly what drives an insider to pose a threat to your organisation. Motivating factors can generally be grouped into three categories:
- Unintentional: From careless data handling to installing unauthorised applications or misplacing equipment or reusing passwords, careless employees can pose a serious threat to your organisation.
- Emotionally motivated: Threats of this nature are posed by employees with a personal vendetta against your organisation. Emotionally motivated malicious insiders may seek to cause damage to your reputation by leaking privileged information or disrupt internal systems for maximum inconvenience.
- Financially motivated: There are many ways to profit from privileged access, be it through the leaking of sensitive data, selling access to internal networks or disrupting internal systems in an attempt to affect company share price.
Whatever the intent behind them, insider threats can occur at any level of your organisation. With that said, actions that take place lower down the business hierarchy may be harder to detect.
Pandemic psychology driving insider threats
The global pandemic has driven a global shift to remote working. This in itself presents a number of cybersecurity implications for security teams working to keep threats out of the organisation, but also leads us to believe that working outside of the usual perimeters of the office provides the perfect conditions for an increase in insider threats.
For many global organisations, employees are working outside of the norms and formalities of an office environment – and many are not used to this yet. They may be unsettled, distracted by chores and home life, and more prone to making basic mistakes.
The more relaxed home environment may also lend itself to potential bending and breaking of the security best practices expected in the office. This could mean using personal machines for convenience, using corporate machines for personal activity, writing down passwords, or failing to properly log in and out of corporate systems.
If we take a look at this through the lens of the healthcare industry, we come up against more potential drivers to the increase of insider threats. The pandemic has undoubtedly overwhelmed hospitals and health institutions globally. Healthcare professionals and nurses are rushed off their feet, often leaving them with less thinking time than they typical may have and potentially less diligence due to this. When we take into account the sheer volume of sensitive data these employees have access to, an unintentional leak could be catastrophic.
In addition, since the start of the pandemic, we’ve seen hundreds of COVID-19 related phishing attacks, imploring victims to click links, download attachments and share credentials. It only takes one absent-minded employee to jeopardise the security of your entire organisation.
Defence in depth
The only effective defence against insider threats is a flexible, robust, multi-layered strategy that combines people, process, and technology.
Insiders are unique because they already have legitimate, trusted access to your organisation’s systems and data in order to do their job – whether employees, contractors or third parties, this unique attack vector requires a unique defence. Though it is not possible to block access to those who need to work within your networks, you can ensure that access is strictly controlled, and only afforded on a need-to-know basis.
Start by implementing a comprehensive privileged access management (PAM) solution to monitor network activity, limit access to sensitive data, and prohibit the transfer of this data outside of company systems.
There should be zero trust between your technology and your people. There may be a good reason for an access request or out of hours log in, but this cannot be assumed. Controls must be watertight, flagging and analysing every log for signs of negligence or foul play.
Supplement this with clear and comprehensive processes governing system and network access, user privileges, unauthorised applications, external storage, data protection, and more.
Finally, defending against insider threats is not solely a technical discipline. As the biggest risk factor for insider incidents is your people, they must be at the heart of your defence strategy. Monitoring and reporting on not just the risk, but the activity leading to risk…stop the security event when you see the activity that introduces it.
You must aim to create a security culture through ongoing insider threat awareness training. Everyone in your organisation must know how to spot and contain a potential threat, and, whether intentional or not, how their behaviour can put your organisation at risk.
This training must be thorough and adaptive to the current climate. While today’s working environment may feel more relaxed, security best practice still applies – perhaps now more than ever.
Rob Bolton is Senior Director, Insider Threat Management, International at Proofpoint