67% of CNI organisations have seen an increased cyber security risk from insiders - whether malicious or negligent - over the last three years (according to Bridewell research).
Insider threats aren’t a new risk for organisations; most businesses are well aware of the risk they pose and just how hard they are to detect. However, with a significant number of organisations citing insider threats as their biggest security concern of 2023, it is worth reviewing how this type of threat affects organisations and what can be done to address it.
For more insights into how and why insider threats are such a concern for organisations in 2023, see our Cyber Security in CNI: 2023 report or register for our upcoming CNI Research: Key Threats and Defence Strategies for 2023 webinar.
What is an Insider Threat?
The CISA defines an insider threat as:
“the potential for an insider to use their authorized access or understanding of an organization to harm that organization.”
While the different types of insider threat can be categorised in a number of ways, they all hinge on an individual leveraging their privileged access or knowledge within an organisation. This could be done by an employee with malicious intent: they may be looking to sell confidential information for profit, share intellectual property with a competing organisation, or support the objectives of a malicious actor targeting that organisation. Just last month, an Apple engineer was charged with stealing thousands of files relating to Apple's self-driving car technology and sharing them with a Chinese company.
Far more common, however, is the risk of the ‘accidental insider threat’. This is a scenario in which an employee unintentionally creates an insider threat through negligence. Employees that are unfamiliar with basic cyber hygiene or haven’t received phishing awareness training may accidentally allow themselves to be manipulated by a malicious actor into achieving a specific goal – such as sharing company credentials.
Are Insider Threats on the Rise?
The increased relevance of accidental insider threats was highlighted in Bridewell’s 2023 CNI research, which found that “accidental loss or disclosure of data” was the top risk facing CNI organisations’ IT environments, with 23% of respondents citing it as their top concern. When compared with Bridewell’s 2022 CNI research, where “accidental loss or disclosure of data” ranked only 12th, this could indicate that insider threats are increasing.
Such a trend may stem from the wider adoption of hybrid and remote working practices, which create more opportunities for employees to make honest mistakes that harm the organisation they work for. For instance, employees working remotely are more likely to use personal devices for work purposes, use public WiFi, or use personal cloud storage on their work devices. Practices such as these can easily be exploited by malicious actors to become an insider threat.
The risk of accidental insider threats is particularly high for organisations that haven’t matured their security capabilities beyond traditional ‘ring of fire’ perimeter defences. These are infrequently optimised for securing remote working and can be bypassed by malicious actors through social engineering and phishing campaigns.
CNI organisations appear to be acutely aware of this risk, with 25% of respondents citing social engineering and phishing as the top two risks to OT environments (according to Bridewell’s research). Still more, 36% of respondents within the same research, stated that the prevalence of social engineering and phishing attacks is likely to grow further due to the economic downturn.
How to Prevent Insider Threats
To avoid the heavy financial, reputational, and legal consequences of an accidental breach, firms must take steps to address the risk of insider threats.
For accidental insider threats, the best approach is to consistently educate employees on cyber security best practice and have procedures in place to identify potentially dangerous activity. For instance, prevent employees from using weak passwords on their accounts, provide them with phishing awareness training, and restrict their access to potentially malicious sites. It is also good policy to ensure employees only have the privileges necessary to perform their role; periodically reviewing and restricting employee access reduces risk in the event of a compromise.
For malicious or intentional insider threats, organisations should implement clear written policies and procedures related to data security standards, and conduct vetting and monitoring of staff exhibiting suspicious behaviour. Examples of such behaviour include an employee downloading a large number of files at unusual hours, or accessing sensitive information that is outside the usual scope of their work.
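One way to operationalise the monitoring described above, as an added example rather than Bridewell's own tooling: a small Python detector run over constructed file-access audit records that flags off-hours bulk downloads and reads outside a user's role scope. The log format, the per-user role baseline, the working-hours window and the threshold are all assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit records (not real data): timestamp user action path
SAMPLE_LOG = """\
2023-05-10T02:14:05 jdoe download /engineering/build-notes.md
2023-05-10T02:15:11 jdoe download /engineering/roadmap.pptx
2023-05-10T02:15:40 jdoe download /engineering/design-spec.pdf
2023-05-10T02:16:02 jdoe download /engineering/source-archive.zip
2023-05-10T09:30:00 asmith read /finance/q1-forecast.xlsx
2023-05-10T11:05:17 asmith read /hr/salary-bands.xlsx
2023-05-10T14:20:33 jdoe read /engineering/build-notes.md
"""

# Hypothetical per-role baseline: directory prefixes each user normally works in
ROLE_SCOPE = {"jdoe": ("/engineering/",), "asmith": ("/finance/",)}
WORK_HOURS = range(8, 19)  # 08:00-18:59 is treated as normal working hours (assumed)
BULK_THRESHOLD = 3         # more off-hours downloads than this per user per day is flagged

def parse_log(text):
    """Parse 'timestamp user action path' audit lines into dicts with a datetime."""
    records = []
    for ts, user, action, path in (ln.split() for ln in text.splitlines() if ln.strip()):
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action, "path": path})
    return records

def detect(records, scope, threshold=BULK_THRESHOLD):
    """Return (user, alert_type, detail) tuples for out-of-scope access and off-hours bulk downloads."""
    alerts = []
    off_hours = Counter()
    for r in records:
        # Out of scope: path not under any directory the user's role normally touches (unknown users are flagged)
        if not r["path"].startswith(scope.get(r["user"], ())):
            alerts.append((r["user"], "out_of_scope", r["path"]))
        # Off-hours bulk download: count downloads outside working hours, per user and day
        if r["action"] == "download" and r["ts"].hour not in WORK_HOURS:
            off_hours[(r["user"], r["ts"].date())] += 1
    for (user, day), count in off_hours.items():
        if count > threshold:
            alerts.append((user, "off_hours_bulk_download", f"{count} files on {day}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), ROLE_SCOPE):
        print(alert)
```

The role baseline is the part that needs care in practice: it should be derived from periodic access reviews rather than hand-maintained, so that the out-of-scope check tracks the least-privilege state the page recommends.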