Guest Authored by Mark Jones, Associate Managing Director in Kroll’s Cyber Risk practice, and Cem Ozturk, Managing Director in Kroll’s Business Intelligence and Investigations practice
While there’s no shortage of commentary around cyberattacks perpetrated by external actors, insider threats—that is, those committed by people within the business such as current or former employees—don’t make the headlines as often.
The number of insider threats has trended upwards over recent years and many experts predict the current risk landscape brought about by COVID-19 could spur a significant surge in insider threat incidents as remote workforces and decentralised environments compromise the security of corporate networks.
Compounding this, insider threats are also often overlooked in most organisations’ risk assessments given the propensity to inherently trust employees. But for businesses that suffer through one, the impact can be devastating and widespread—with a 2020 survey finding the average insider attack can cost a business nearly $3 million.
However, like all business risk, insider threats can be managed by ensuring there is a balance of the right controls in place around people, process and technology. Trust and empowerment must be attached to the ways and means to hold responsible employees accountable for their actions.
Unpacking an Insider Threat
When discussing insider threats, it’s important to understand the different forms they can take in order to avoid the assumption that they are only ever executed by disgruntled employees.
Intentional insider threats involve malicious insiders who take advantage of their access to an organisation’s network in order to inflict harm, while unintentional threats typically involve human error or a disregard for business policies which can result in a cyberattack.
As a form of forensic analysis, insider threat investigations involve the collection and analysis of extensive amounts of data.
Knowing which data is relevant to a case and where to find it is key. In the event of a breach, consider some fundamental questions:
- Which systems were accessed?
- Were employees supposed to have access to that system?
- Was any data exported?
- Can the system activity be linked to an individual?
According to Kroll’s 2019/2021 Global Fraud and Risk Report, incidents caused by insider threats—including fraud by internal parties and leaks of internal information—account for 66 per cent of those reported by organisations.
This risk is exacerbated by the rapid take-up of cloud-based collaboration tools and the move to remote working, which can threaten secure networks and expose a business’s intellectual property.
The risks associated with insider threats are growing while at the same time becoming harder for organisations to manage. So, what can businesses do to better protect themselves?
Knowing where to look
While cyber risk discussions often centre around cyber criminals, insights gathered over years of extensive global fieldwork by the team at Kroll indicate that trusted insiders can actually pose a greater cyber risk to businesses, whether by accidentally or negligently exposing data, or acting with malicious intent.
For example, many incidents can be traced back to employees falling prey to a phishing email, sending confidential data to a personal email account that then gets compromised, or exporting data to a flash drive that ends up lost—seemingly innocuous actions that can have devastating repercussions for the businesses they work for.
To reduce insider risk, it’s imperative that internal policies, procedures and controls are as strong as the defences deployed against external threats. Some best practices that organisations of all sizes should establish or strengthen include:
- Make employee education an ongoing priority and reinforce a “security-first” mindset. Topical, engaging training sessions help foster a security culture.
- Implement data classification labelling, handling and encryption standards for each of the data classifications defined in your environment.
- Enable audit logging, especially on confidential systems and network shares, and review the logs regularly for any abnormalities.
- Practise the principle of least privilege and assign users only the access they need to carry out their specific duties.
- Manage access to external sources: enable email/website domains and external devices only on computers where they are required for business-related duties.
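The four investigation questions above (which systems were accessed, was the access authorised, was data exported, can it be tied to a person) and the audit-log review practice in this list come down to the same work: attributing audit records to accounts and checking them against what each account is entitled to. The script below is an added example, not code from the article or from Kroll; it runs that triage over a handful of constructed audit-log lines. The user names, system names, the entitlement map and the 07:00-19:59 UTC business-hours window are all assumptions made for the example.

```python
"""Added example: triaging constructed audit-log lines for an insider-threat review.

Answers the article's four investigation questions against a small constructed
dataset and an assumed least-privilege entitlement map. Not Kroll's tooling.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit records (CSV: timestamp,user,system,action,object,bytes).
SAMPLE_LOG = """\
2021-03-02T08:59:10Z,alice,FIN-SHARE,read,q4_forecast.xlsx,20480
2021-03-02T09:03:45Z,alice,FIN-SHARE,read,payroll_2021.xlsx,512000
2021-03-02T09:05:12Z,bob,HR-DB,read,employee_records.csv,204800
2021-03-02T09:06:30Z,bob,HR-DB,export,employee_records.csv,204800
2021-03-02T09:07:02Z,bob,WORKSTATION-17,usb_write,employee_records.csv,204800
2021-03-02T09:10:55Z,carol,FIN-SHARE,read,q4_forecast.xlsx,20480
2021-03-02T23:41:18Z,carol,SOURCE-REPO,read,core_module.tar.gz,73400320
2021-03-02T23:42:00Z,carol,SOURCE-REPO,export,core_module.tar.gz,73400320
"""

# Assumed entitlement map: the systems each account is meant to use (least privilege).
ENTITLEMENTS = {
    "alice": {"FIN-SHARE"},
    "bob": {"HR-DB", "WORKSTATION-17"},
    "carol": {"FIN-SHARE", "WORKSTATION-22"},
}

EXPORT_ACTIONS = {"export", "usb_write", "email_attach"}  # actions that move data out
BUSINESS_HOURS = range(7, 20)                               # assumed 07:00-19:59 UTC


@dataclass(frozen=True)
class Record:
    ts: datetime
    user: str
    system: str
    action: str
    obj: str
    size: int


def parse_log(text: str) -> list:
    """Parse the CSV audit lines into Record objects; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, user, system, action, obj, size = parts
        records.append(Record(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                              user, system, action, obj, int(size)))
    return records


def systems_by_user(records) -> dict:
    """Q1/Q4: which systems were touched, attributed to the account that touched them."""
    out = defaultdict(set)
    for r in records:
        out[r.user].add(r.system)
    return {u: sorted(s) for u, s in out.items()}


def unentitled_access(records, entitlements) -> list:
    """Q2: activity on systems the account was never entitled to use."""
    return [r for r in records if r.system not in entitlements.get(r.user, set())]


def exports(records) -> list:
    """Q3: records whose action moves data out of the system of record."""
    return [r for r in records if r.action in EXPORT_ACTIONS]


def after_hours(records) -> list:
    """Activity outside the assumed business-hours window, a common abnormality to review."""
    return [r for r in records if r.ts.hour not in BUSINESS_HOURS]


def triage(text: str, entitlements: dict) -> dict:
    """Per-account summary that ties every finding back to an individual."""
    records = parse_log(text)
    summary = {}
    for user, systems in systems_by_user(records).items():
        mine = [r for r in records if r.user == user]
        summary[user] = {
            "systems": systems,
            "unentitled": sorted({r.system for r in unentitled_access(mine, entitlements)}),
            "exported": sorted({r.obj for r in exports(mine)}),
            "after_hours": len(after_hours(mine)),
            "bytes_out": sum(r.size for r in exports(mine)),
        }
    return summary


if __name__ == "__main__":
    for user, info in triage(SAMPLE_LOG, ENTITLEMENTS).items():
        print(user, info)
```

On the constructed data, bob's export is on a system he is entitled to, so it is a handling question rather than an access question; carol's export comes from a system outside her entitlements, after hours, which is the combination an investigator would preserve evidence for first. The entitlement map is the piece most organisations lack, which is why the least-privilege practice above matters for investigations as much as for prevention.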
When a breach is identified, an experienced breach incident response provider must be engaged to preserve the data in a forensically sound manner; the provider must then begin analysis before any critical evidence is lost.