Insider Threat: The Threat Within Your Organization
Not all cyber threats come from malicious outsiders. They can also come from within your organization.
The recent data breach at the US regional banking giant SunTrust is an example of an insider threat.
According to SunTrust, a former employee of the company obtained records on nearly 1.5 million of its clients, including names, addresses, phone numbers and, in some cases, account balances.
“Ensuring personal information security is fundamental to our purpose as a company of advancing financial well-being,” Bill Rogers, SunTrust chairman and CEO, said in a statement. “We apologize to clients who may have been affected by this. We have heightened our monitoring of accounts and increased other security measures. While we have not identified significant fraudulent activity, we will reinforce our promise to clients that they will not be held responsible for any loss on their accounts as a result.”
What is an Insider Threat?
An insider threat is a current or former employee, contractor or business partner who has or had authorized access to an organization's data, network or systems and who, whether inadvertently or maliciously, misuses that access in a way that harms the confidentiality, integrity or availability of the organization's data or IT systems.
A data breach caused by an insider, therefore, can be the result of either human error or malicious action.
According to Verizon's 2018 Data Breach Investigations Report, over a quarter (28%) of data breaches involved internal actors. The Verizon report covered 53,308 security incidents, 2,216 data breaches, 65 countries and 67 contributors.
Even as far back as 2016, Avivah Litan, a fraud analyst with Gartner Inc., told Krebs on Security that she had been inundated with calls from organizations asking what they could do to counter insider threats.
“I’m getting calls from lots of big companies, including manufacturers, banks, pharmaceutical firms and retailers,” Litan said. “A year ago, no one wanted to say whether they had or were seriously worried about insiders, but that’s changing.”
Cost of Insider Threats
Ponemon’s 2018 Cost of Insider Threats, which studied companies located in North America, Europe, the Middle East and the Asia-Pacific region, found that companies in different parts of the world share the risk of having a serious data breach caused by an insider.
According to Ponemon, incidents caused by malicious insiders cost far more than those caused by negligent employees or contractors.
The average cost of an incident arising from employee negligence is $283,281, while the cost more than doubles ($648,845) when the incident is caused by a malicious insider.
The costs taken into consideration by the Ponemon study are monitoring, surveillance, investigation, escalation, incident response, containment, ex-post analysis and remediation.
Examples of human error include failing to delete confidential information once it is no longer needed, sending an email to the wrong recipient, misconfiguring web servers or databases, and publishing errors.
Verizon said in its 2018 Data Breach Investigations Report that human error was behind 17% of data breaches, roughly one in six.
Errors of this kind weigh especially heavily in the information sector, where misconfigured databases and publishing errors are common causes of breaches.
In a report covering June to September 2017, RedLock found that 53% of organizations using cloud storage services such as Amazon Simple Storage Service (Amazon S3) had inadvertently exposed one or more of those services to the public.
Cloud storage of this kind is private by default: a bucket is exposed only when an administrator or an automated deployment changes its access control list or bucket policy to grant access to everyone. An inadvertent change of that kind turns supposedly private data into data that anyone on the internet can read.
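The check below is an added example and not code from the page, RedLock or AWS. It reads the two settings that make an S3 bucket public, the bucket policy (the JSON document returned by `aws s3api get-bucket-policy`) and the ACL grants list (returned by `aws s3api get-bucket-acl`), and reports any Allow statement for the wildcard principal `*` and any grant to the AllUsers or AuthenticatedUsers groups. The sample documents, bucket names, role ARN and VPC endpoint ID are constructed; the decision to treat any statement carrying a Condition as "restricted" is a deliberate simplification, noted in the code.

```python
"""Flag S3 buckets whose bucket policy or ACL grants access to everyone.

Added example (not the page's, RedLock's or AWS's code). Runs offline on the
JSON structures that `aws s3api get-bucket-policy` and `get-bucket-acl`
return, so it can be pointed at exported configuration. Samples are constructed.
"""

# Real ACL group URIs meaning "everyone" and "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(principal):
    """Normalise a Principal ("*", {"AWS": "*"}, {"AWS": [...]}) to a flat list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def public_policy_statements(policy):
    """Sid (or index) of each Allow statement granting a wildcard principal.

    Simplification (assumed): a statement with any Condition is treated as
    restricted and not reported. This is a first-pass check, not a full
    evaluation of IAM policy semantics.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


def public_acl_grants(grants):
    """'Group:Permission' for every ACL grant to one of the public groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{group}:{grant.get('Permission')}")
    return findings


def assess_bucket(name, policy, grants):
    """Combine both checks into a single verdict for one bucket."""
    issues = [f"policy statement '{sid}' allows Principal *" for sid in public_policy_statements(policy)]
    issues += [f"ACL grants {g}" for g in public_acl_grants(grants)]
    return {"bucket": name, "public": bool(issues), "issues": issues}


# Constructed sample documents (names, ARN and endpoint ID are made up).
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleReadWrite", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-reports/*"}],
}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow",
                   "Principal": "*",  # the misconfiguration: everyone may read
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-backups/*"}],
}
VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadFromOurEndpointOnly", "Effect": "Allow",
                   "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-internal/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
}
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd" * 8},
                   "Permission": "FULL_CONTROL"}]
WORLD_READ_ACL = OWNER_ONLY_ACL + [{"Grantee": {"Type": "Group",
                                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                    "Permission": "READ"}]

if __name__ == "__main__":
    for args in (("example-reports", PRIVATE_POLICY, OWNER_ONLY_ACL),
                 ("example-backups", PUBLIC_READ_POLICY, WORLD_READ_ACL),
                 ("example-internal", VPC_ONLY_POLICY, OWNER_ONLY_ACL)):
        print(assess_bucket(*args))
```

Two caveats for anyone running this against real accounts. First, the Condition shortcut produces false negatives: a statement conditioned only on `aws:SecureTransport` is still reachable by everyone over HTTPS, so statements with conditions deserve a manual look rather than a free pass. Second, AWS has since added the S3 Block Public Access settings, which override public ACLs and policies at the account or bucket level; a check like this one complements that control, it does not replace it.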
According to the Verizon report, 13% of the insiders in the healthcare sector who abused their access to systems or data were driven by curiosity or fun, for instance looking up the records of a celebrity who had recently been a patient.
Cisco's 2018 Annual Cybersecurity Report, meanwhile, showed that insiders are taking advantage of cloud services to move data out of their organizations.
From January to June 2017, Cisco's threat researchers examined cloud data exfiltration trends using a machine-learning algorithm that models the volume of documents each user downloads from the cloud, together with the time of day of the downloads and the IP addresses and locations they come from.
The algorithm profiled 150,000 users of cloud service providers in 34 countries.
After 6 months, it had flagged 0.5 percent of those users for suspicious downloads. That share sounds small, but it represents 3.9 million documents downloaded from corporate cloud accounts.
Of the 3.9 million suspiciously downloaded documents, 62% were downloaded outside normal working hours and 40% on weekends.
Cisco's researchers also ran a text-mining analysis over the 3.9 million documents and found that the most common keywords in them were "data", "employee" and "customer".
How to Prevent Insider Threats
Here are some ways to prevent insider threats:
- Use Machine-Learning-Based Monitoring
An algorithm that baselines how many documents each user downloads from the cloud, at what time of day and from which IP addresses and locations, surfaces suspicious downloads for investigation before a bulk pull turns into a confirmed breach.
- Keep your organization's data on a "need to know" basis. Only employees who need a piece of data to do their job should have access to it, and that access should be reviewed when their role changes.
- Encrypt sensitive data, so that it is next to useless to anyone who steals it. Keep the keys separate from the data, since an insider who can read both gains nothing from the encryption.
- Deactivate Data Access for Former Employees
Centralized user account management, for example with Microsoft's Active Directory (AD) service, lets IT disable a departing employee's account the moment HR records a resignation or termination, cutting off their access to corporate data and systems in one step. Credentials that are not tied to AD, such as shared passwords, cloud service API tokens and SSH keys, have to be revoked separately, so keep an inventory of them as part of the off-boarding checklist.
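The detector below is an added example of the kind of monitoring described in the Cisco study above and in the first prevention item. It is not Cisco's algorithm or code. Each event is a constructed tuple of (user, local timestamp, documents downloaded, country of the source IP). A baseline of ordinary weekday, working-hours activity is built per user, and later events are flagged when their volume is far above that user's norm, when they fall on a weekend or outside working hours, or when they come from a location the user has never downloaded from before. The working-hours window, the z-score threshold and the off-hours minimum are assumptions chosen for the example.

```python
"""Flag suspicious cloud-document downloads from a per-user activity log.

Added example, not Cisco's code. Events are (user, local ISO-8601 time,
documents downloaded, country of source IP). All sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WORK_HOURS = range(8, 18)   # assumed: 08:00-17:59 local time counts as "normal"
Z_THRESHOLD = 3.0           # assumed: flag volume more than 3 sigma above the user's mean
OFF_HOURS_MIN_DOCS = 25     # assumed: ignore trivial off-hours downloads

# Constructed baseline: two weeks of routine weekday activity (2017-03-06 is a Monday).
BASELINE_LOG = [
    ("alice", "2017-03-06T09:15:00", 8, "US"), ("alice", "2017-03-07T10:02:00", 12, "US"),
    ("alice", "2017-03-08T14:30:00", 10, "US"), ("alice", "2017-03-09T11:45:00", 9, "US"),
    ("alice", "2017-03-10T16:10:00", 11, "US"), ("alice", "2017-03-13T09:05:00", 10, "US"),
    ("alice", "2017-03-14T13:20:00", 13, "US"), ("alice", "2017-03-15T15:55:00", 7, "US"),
    ("bob", "2017-03-06T09:40:00", 20, "US"), ("bob", "2017-03-08T10:10:00", 25, "US"),
    ("bob", "2017-03-10T11:00:00", 22, "US"), ("bob", "2017-03-14T15:30:00", 18, "US"),
    ("carol", "2017-03-07T10:00:00", 5, "DE"), ("carol", "2017-03-09T10:00:00", 6, "DE"),
    ("carol", "2017-03-13T10:00:00", 5, "DE"),
]

# Constructed activity to score against that baseline.
ACTIVITY_LOG = [
    ("alice", "2017-03-18T02:10:00", 1200, "US"),  # Saturday 02:10, bulk pull
    ("bob", "2017-03-20T10:30:00", 21, "RO"),      # normal volume, never-seen country
    ("carol", "2017-03-20T11:00:00", 6, "DE"),     # unremarkable
    ("alice", "2017-03-21T10:00:00", 9, "US"),     # unremarkable
]


def build_baseline(events):
    """Per-user mean/stdev of volume and set of countries, from normal-hours events only."""
    per_user = defaultdict(lambda: {"volumes": [], "countries": set()})
    for user, ts, docs, country in events:
        when = datetime.fromisoformat(ts)
        if when.weekday() < 5 and when.hour in WORK_HOURS:
            per_user[user]["volumes"].append(docs)
            per_user[user]["countries"].add(country)
    return {
        user: {
            "mean": mean(d["volumes"]),
            "stdev": max(pstdev(d["volumes"]), 1.0),  # floor keeps flat users from dividing by zero
            "countries": d["countries"],
        }
        for user, d in per_user.items() if d["volumes"]
    }


def score_event(event, baseline):
    """Reasons an event looks suspicious; empty list means it looks normal."""
    user, ts, docs, country = event
    when = datetime.fromisoformat(ts)
    profile = baseline.get(user)
    if profile is None:
        return ["no_baseline"]          # first-seen user: cannot judge, so surface it
    reasons = []
    if (docs - profile["mean"]) / profile["stdev"] > Z_THRESHOLD:
        reasons.append("volume_spike")
    if docs >= OFF_HOURS_MIN_DOCS:
        if when.weekday() >= 5:
            reasons.append("weekend")
        if when.hour not in WORK_HOURS:
            reasons.append("off_hours")
    if country not in profile["countries"]:
        reasons.append("new_location")
    return reasons


def detect(events, baseline):
    """Run score_event over a log and return the flagged events with their reasons."""
    alerts = []
    for event in events:
        reasons = score_event(event, baseline)
        if reasons:
            alerts.append({"user": event[0], "time": event[1], "docs": event[2], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(ACTIVITY_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

On the constructed data this flags alice's Saturday pull of 1,200 documents for volume, weekend and off-hours all at once, and bob's otherwise ordinary download for coming from a country he has never used, while carol's routine activity passes. In production the baseline would be rebuilt on a rolling window so that slowly rising volume does not become the new normal, and the location check would key on ASN or IP range as well as country.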
At GenX, we offer IT services that will prevent cyber incidents arising from negligent and malicious insiders.