On July 15th, 2020, some famous personalities started promoting a “Cryptocurrency scheme” through the Twitter platform. The offer was to deposit Bitcoins to the specified accounts and get paid back double. The scheme appealed to many before it was shut down by the security personnel at Twitter. Later, it was revealed that hackers had managed to take control of the Twitter accounts of some famous politicians and celebrities, including former US President Barack Obama, former Vice President Joe Biden and the CEOs of Amazon and Tesla. Although the hackers focused on stealing money through an impersonation strategy, it could have gone much worse if the agenda of the hack had been political rather than financial. While the authorities are still investigating the incident, the initial findings suggest that the Cyber-attack was not possible without insiders’ support. The breach has once again reminded us of the importance of insider Cyber-defense. Organizations usually focus on external Cyber-threats, as their policies and defense strategies are mainly aimed at Cyber-attacks that originate from outside. In reality, protecting the business from insider threats is equally important and just as challenging as defending against outsider Cyber-attacks.
There are a number of actors that can act as an insider threat to an enterprise. Examples include the organization’s current or former employees, contractors working on projects assigned by the organization, or business partners with whom sensitive organizational resources are shared.
Types of Insider Cyber Threats
The likelihood of becoming a victim of insider Cyber-attacks is always on the verge due to the following three types of insider Cyber-threats.
1) Malicious Insiders
2) Compromised Insiders
3) Negligent Insiders
Malicious insiders are inside threat actors who can harm an organization in many ways. They can be employees, contractors, or vendors with access to the systems, networks, or data of an organization. Malicious insiders can use that access to physically target the infrastructure, defame the organization, or harm the organization’s logical assets by compromising the confidentiality, integrity, or availability of data at rest or in transit. Malicious insiders are high-risk entities because their legitimate access to accounts and resources lets them cover their tracks before being caught in the act.
Compromised insiders are the most common type of insider cyber threat, mainly because of their careless attitude. Employees of different organizations often become victims of Cyber-attacks without even knowing it. The most common attacks targeting companies’ employees are phishing and social engineering attacks, in which the employees are tricked into either installing backdoors or sharing sensitive information that helps attackers gain unauthorized access. Compromised insider accounts can be part of persistent Cyber-attacks launched to steal information on a continuous basis until the accounts are traced after a major incident.
Though Cybersecurity awareness programs and the implementation of security policies are becoming normal practice, many organizations still face Cybersecurity challenges due to the negligence of their employees. Small acts of negligence by insiders can lead to bigger Cybersecurity problems. The recent data leak involving the Zoom video conferencing platform is a good example of insiders’ negligence: recorded videos of customers were stored on an open-access server without password protection.
Insider Cyber Attacks Statistics
A) According to the “2019 Insider Threat Report” by Cybersecurity Insiders, 71% of insider data breaches are due to compromised insiders. Negligent employees contribute 65% and malicious insiders 60% to the total number of insider breaches. The report suggests the following IT assets are most vulnerable to insider cyber-attacks.
B) According to the “2020 Cost of Insider Threats Global Report”, there is a 47% increase in insider Cybersecurity incidents since 2018.
C) In a Wall Street Journal research survey of 400 companies, 67% of organizations showed concerns about insider Cyber-threats.
D) According to the State of Cybercrime survey, 50% of organizations suffer from at least one malicious insider cyber-attack every year.
How to Manage Insider Cyber Threats
The aforementioned statistics indicate the need for well-defined Cybersecurity policies and strategies against insider threats. Although it is tough to distinguish between trustworthy and disgruntled employees, the following recommendations can greatly help organizations mitigate the risk of insider Cyber-attacks.
1) Protect the Assets
Protecting the physical and logical assets is the basic goal of any organization’s Cybersecurity policy. Protecting organizations from insider threats can be achieved by applying the following asset identification and evaluation strategies.
i) Identification of Assets
The first step in mitigating insider Cyber threats is to identify the critical assets that can be targeted by attackers. The critical assets can be any physical or logical assets that are necessary for an organization to carry out its operational and business activities. Examples include physical infrastructure, networks, systems, hardware, software, data, and even the employees working for the organization.
ii) Evaluation of Assets
Once all the assets have been identified, the next step is evaluating them. The evaluation process can include a number of checks, such as the following.
- List of identified assets
- The role of each asset in the organization
- The potential vulnerabilities of the assets
- Available resources for the security of the critical assets of the organization
- Prioritization of the assets according to their role and vulnerabilities
- Deploying the security measures according to the available resources and the asset’s priority
2) Monitor Employees at Different Levels
One important strategy for identifying and preventing insider Cyber-threats is monitoring employees at the network and host level. Actions that can be monitored at the network level include network fingerprinting, installation of prohibited programs on the network, sharing information outside the network, etc. Host-level monitoring can include actions like privilege escalation attempts, copying of data at suspicious volumes, use of unauthorized peripheral devices to transfer data to other locations, etc. Different types of software solutions can be implemented to monitor and protect the organization’s information assets. Data Loss Prevention (DLP) tools can be used to secure the organization’s critical data, while Security Information and Event Management (SIEM) solutions can be used to monitor the network, including the end devices, to detect and respond to abnormal activity at the network and host level.
3) Monitor Remote Network Access Mechanisms
Some organizations may allow their employees remote connectivity to access certain logical assets. There must be strict checks on employees’ remote access to make sure that there is no inside-outside nexus involving employees with abnormal behavior. Any suspicious connection from outside or inside should be suspended or terminated until a thorough investigation is done. The account access of retired or terminated employees must also be revoked to ensure there is no unauthorized remote access to the organization’s assets.
4) Third-Party Security Agreements
Scalability is a common issue for organizations with constrained physical infrastructure. With the evolution of managed solutions, many organizations opt for scalable third-party services like the Cloud to meet their storage and computing requirements. Although the idea is attractive at first glance, the security and privacy risk is on the higher side with such third-party services. Therefore, organizations should negotiate security and privacy agreements with such vendors to counter all forms of insider threats.
5) Pinpoint Suspicious Employees
One important strategy for discouraging insider Cyber-attacks is to identify rogue employees in the organization. The following indicators can help pinpoint potential insider threat actors.
- Acting outside the jurisdiction
- Trying to access unauthorized data
- Staying in working vicinities in off-hours
- Violating policies
- Bypassing security parameters
- Copying a huge volume of data
- Sharing data outside the network
- Retiring or resigning from the job
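The host- and network-level monitoring described in section 2, the revoked-account check in section 3 and the indicator list above can be turned into a small detection routine. The following is an added example, not code from the original article: it runs a set of indicator rules (off-hours activity, unauthorized data access, bulk copying, data leaving the network, remote login by a terminated account) over constructed, clearly fictitious host and VPN events, with the role-to-share mapping, thresholds and user names all assumed for illustration.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample host/network events (fictitious, for illustration only).
SAMPLE_EVENTS = """timestamp,user,action,target,bytes
2020-07-15T09:12:00,alice,file_read,/finance/q2_report.xlsx,120000
2020-07-15T02:40:00,bob,usb_copy,E:/dump,2147483648
2020-07-15T10:05:00,carol,file_read,/hr/salaries.csv,8000
2020-07-15T11:30:00,dave,vpn_login,corp-gw,0
2020-07-15T14:00:00,alice,upload,dropbox.com,900000000
"""
# Constructed authorization data: which share prefixes each role may read.
ROLE_OF = {"alice": "finance", "bob": "engineering", "carol": "engineering", "dave": "finance"}
ALLOWED_PATHS = {"finance": ("/finance/",), "engineering": ("/eng/",), "hr": ("/hr/",)}
TERMINATED_USERS = {"dave"}          # accounts that should already have been revoked
WORK_HOURS = range(7, 20)            # 07:00-19:59 counts as business hours (assumed)
BULK_BYTES = 500 * 1024 * 1024       # a single event moving >= 500 MiB is "huge volume"
EXTERNAL_ACTIONS = {"upload", "usb_copy"}  # actions that move data off the network

def is_authorized_path(user, path):
    """True if the user's role is allowed to read the given share path."""
    role = ROLE_OF.get(user)
    prefixes = ALLOWED_PATHS.get(role, ())
    return any(path.startswith(p) for p in prefixes)

def classify_event(ev):
    """Return the list of insider-threat indicators this one event matches."""
    hits = []
    ts = datetime.fromisoformat(ev["timestamp"])
    nbytes = int(ev["bytes"])
    if ts.hour not in WORK_HOURS:
        hits.append("off_hours_activity")
    if ev["action"] == "file_read" and not is_authorized_path(ev["user"], ev["target"]):
        hits.append("unauthorized_data_access")
    if nbytes >= BULK_BYTES:
        hits.append("bulk_data_copy")
    if ev["action"] in EXTERNAL_ACTIONS:
        hits.append("data_leaving_network")
    if ev["user"] in TERMINATED_USERS and ev["action"] == "vpn_login":
        hits.append("revoked_account_remote_login")
    return hits

def find_indicators(csv_text):
    """Map each user to the set of indicators seen across all of their events."""
    report = {}
    for ev in csv.DictReader(StringIO(csv_text)):
        for h in classify_event(ev):
            report.setdefault(ev["user"], set()).add(h)
    return report
```

Calling `find_indicators(SAMPLE_EVENTS)` flags each fictitious user with the indicators they trip; in practice the events would come from DLP, endpoint and VPN logs fed into a SIEM, and a hit is a trigger for investigation rather than proof of malice.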
6) Enforce Cybersecurity Policies
The risk of insider Cyber-attacks can be greatly reduced by developing and implementing Cybersecurity policies at the organizational level. A number of individual policies can be merged together into a master policy. Some important security policies include a network and data usage policy, an access control and account management policy, and an incident response policy. Although merging multiple policies can produce a great Cybersecurity policy document, the policy can only be effective if it is enforced by the organization.
Organizations can’t be 100% immune to insider threats. Even if there is no malicious insider, an unintentional act by a trustworthy employee can help hackers break into the organization’s security systems. Implementation of strong security policies, deployment of insider Cyber-defense systems, and regular training of employees can greatly reduce insider Cyber-threats.