What is an insider threat?
Insider threats are cybersecurity risks that your employees can pose to your business. They can cover everything from planning and enacting malicious internal sabotage aimed at harming a company, to accidentally sending an email to the wrong recipient or inadvertently disabling a security control (the digital equivalent of forgetting to lock a door!).
These threats are almost unique as, no matter how much a company invests in security and how sophisticated their practices are, they will all carry a significant amount of insider threat. Any employee with access to sensitive data or intellectual property (IP) poses a potential threat, so it’s important to look at processes and procedures, and set about reducing this risk as much as possible while retaining the ability to function as a company.
What are the insider threat categories?
Because the range of potential insider threats is so broad, it helps to build categories to distinguish between the associated risks. These can be considered in terms of intent, which can in turn impact the resultant harm. At Egress, we break down insider threat actors into three categories depending on the intentions of the employee as well as their associated behavior.
Purely accidental or inadvertent
These cover where someone makes an honest mistake, such as sending an email to the wrong person because autocomplete suggests that person. This can expose valuable IP, personal information or market-sensitive data, and sometimes even have legal repercussions. Here there’s a certain amount of culpability on the part of the employee, but the blame should rest with the organization. People will always make mistakes, so organizations need to actively put in place safety nets to stop this from happening. Any company employees using email software to share data runs this risk of human error causing a data breach, so in the case of purely accidental insider threats we have to look at the support they receive from the organization to prevent mistakes far more than the individual themselves.
Here, the risk is associated with someone who is not looking to harm the company, but cuts corners or makes decisions that create risk all the same. If a client is likely to complain when they use email encryption, for example, they may choose to send data in plain text because “the customer is always right” or “it’ll make my life easier or help us work more efficiently than having to explain why encryption is being used, which will take time”. These cases can sometimes lead to internal tension, where advice from a sales team or relationship manager can contradict security best practice. When considering these cases, we assume that the employee was aware of best practice and made the conscious decision not to follow it (vs. an inadvertent error).
This can be the most damaging category of threat, where someone is setting out to hurt the company or to achieve personal gain by their actions. This could be an employee intentionally exfiltrating data to leak to a competitor, journalist or friend. It also covers employees who take data and IP with them to a new job, which is often the equivalent of leaking to a competitor. Employees who had their pay cut or were put on furlough during the pandemic represent elevated risk of this type of threat. Intentional malicious insider threats can vary greatly with the technical ability and patience of the employee in question, and represent a significant source of risk.
What are the consequences of insider threat?
The loss of data associated with insider threats can reduce competitiveness, harm a company’s brand and create legal liability that results in punitive action. Competitors gaining access to IP might considerably harm a company’s competitive advantage, wiping out benefits from design or product development and exposing strategically significant relations. To give just two examples, tech companies losing source code or medical companies losing patient records are likely to suffer considerable harm as a result. Data is a source of massive value for companies, which in turn makes it a source of potential risk in the hands of a rogue or careless employee.
If insider threats expose customers’ personal data, companies may be forced to disclose the breach under data privacy law such as the California Consumer Privacy Act (CCPA) or EU’s General Data Protection Regulation (GDPR). Under GDPR, fines for stolen data can be up to $24m (approximately) or 4% of the parent company’s global turnover, whichever is higher.
There is also a reputational hit associated with insider threats. Many people are wary of big companies and well-disposed to anyone who can be presented as a whistleblower, meaning insider threats can be a huge risk to a company’s brand. Reporting on breaches and leaks creates press headlines, which can hurt listed companies’ share prices and cause any company to lose customers. In the case of sensitive customer data, those whose data has been stolen or leaked may also decide to pursue a class action lawsuit, which can be another source of financial damage and keep the company’s name in the press for longer, causing a further reputational hit. Damage to reputation can also make it more difficult to attract and retain talent, which for many companies is an important source of competitive advantage.
How to detect insider threats in cyber security
As cybersecurity professionals know too well, there are often tradeoffs between functionality and security. It is not practical to impose full surveillance on employees or prevent them from accessing and moving company data around, and it is important to bear in mind that employees want to have autonomy and feel trusted. Security solutions should be minimally invasive while still reducing risk to an acceptable level.
To quote another security adage, when it comes to guarding against insider threats, companies should trust their employees but verify compliance. Well-structured policies and security controls go a long way to reducing accidental insider threats, and if implemented correctly should reduce reckless threats also. Data loss prevention tools help to identify data exfiltration that is suspicious or contrary to typical behavior, which also reduces this risk.
Egress research into insider threats found that 62% of CISOs rely on employees reporting email data breaches, and that 46% of employees were disciplined for such a breach, with 27% being fired as a result of their actions. This aligns particularly well with a previous Egress report finding that 24% of those surveyed believe ineffective systems are at the root of accidental breaches. When employees fear that they have made a mistake their first reaction is often to mitigate any consequences they might face, so many are incentivized to play down a breach or not to share it at all.
What to do if you’ve had a data breach
If an insider threat ever leads to a breach, it is important to have incident response policies and procedures at a technical-level as well as an organizational-level, and for these to be regularly updated and practiced in simulations. Identifying the source of the breach is a top priority; if it is a malicious insider then they should be remotely logged off, their access revoked and their devices wiped as urgently as possible. Even if the breach comes from recklessness or by an accident, scanning systems, temporarily revoking access and changing passwords of the related employee is best practice while determining the extent of the breach and identifying any remaining risk.
It is also important to look at what steps need to be taken by the company to reverse any of the potential damage resulting from the breach. Quickly locating invoices that may have been paid out due to the threat can allow a company to cancel them, and hand the details where necessary to law enforcement to assist with any investigation they may undertake. If a company uses message-level encryption, such as that provided by Egress Protect, then they will also be able to revoke access to sent items, and analyze open rates to help determine the company’s exposure resulting from the threat.
It may also be necessary to report the breach to regulators and data subjects, depending on the regulations your organization is subject to. For example, entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to notify data subjects who have had their data potentially or definitively breaches within 60 days of discovery of the incident, unless relevant law enforcement have sanctioned an extension of this. This involves sending a breach notification letter to the individuals by first class mail or by email where the individual has consented to be contacted electronically. The organization must also notify the Department of Health and Human Services (HHS) via the Office for Civil Rights breach reporting tool without undue delay and within 60 days of discovery if the incident involves more than 500 individuals. For incidents involving fewer than 500 individuals, the notification must be issues to HHS within 60 days of the end of the calendar year in which the breach was discovered.
Under GDPR if personal data belonging to an EU citizen is exposed during a breach, the timescales are much tighter. Here, the GDPR requires that a company report any personal data breach to the relevant regulator within 72 hours, and where a breach is likely to result in a high risk to the affected individuals, organizations must also inform those individuals without undue delay.
Finally, it will often be necessary for organizations that have experienced a breach to prepare a media strategy in response. Here, companies should aim to announce the incident quickly, rather than allow it to leak from an employee or customer, but should bear in mind that they may not know the full extent of the breach for days, weeks or even months. The announcement should be as assured and forthright as possible, without making specific assertions that could later be disproven. The announcement should come as part of a wider communication strategy that looks to provide affected individuals and other customers with all the relevant information they need.
How to prevent insider threats in cyber security
Much of defending against insider threats is getting the fundamentals of security right. Companies should segment their data according to the principle of least privilege, subjecting valuable IP and data protected by regulation to greater controls and restricted access. They should have an effective identity and access management program to support this, regularly reviewing implementation to prevent permissions creep. Effectively guarding against insider threats also means considering user behavior. Analytics-driven, intelligent security controls allow companies to set a baseline for employee behavior, which can in turn alert the security team to deviations from this behavior. This can be paired with data loss prevention software to automatically stop anomalous data exfiltration.
Egress uses contextual machine learning to mitigate insider risk on email. Our algorithms are able to deeply understand an individual user’s behavior and the ways they use email, including the relationships with recipients and the types of content they share with specific recipients. We then use this insight to stop email data breaches before they happen. This starts with Egress Prevent, which identifies abnormal behavior as people send emails – for example, selecting the wrong recipient via autocomplete or attaching the wrong files. Our software alerts users that they have made a mistake before the email leaves the inbox, so they have time to correct it. Our technology also alerts administrators to intentionally risky or harmful behaviors, and block data before it is exfiltrated.
Once we know an email is going to the correct recipients with the appropriate content, we also ensure the right level of protection is applied. This includes ensuring TLS is correctly enabled and appropriate to use, to automating message-level encryption via Egress Protect where more assurance and greater controls are required to keep sensitive data secure.
Advanced security like Egress Intelligent Email Security is a natural extension of broader training and awareness programs. While education is a key part of data security and helps to mitigate some behaviors, like taking “calculated risks” with sensitive data, it can’t stop all data breaches alone. This is particularly true for accidental breaches and malicious breaches. If it were possible to train away human error, people would no longer make any mistakes! Similarly, if someone sets out to harm an organization, education won’t be an effective tool in preventing that from happening. That’s why it critical for companies to address the technology they deploy to each individual employee as part of their risk mitigation strategy, helping them work effectively and efficiently, while assuring data is protected at all times from insider threats.