Over Half of Companies Get Hit by Insider Attacks

The post-pandemic era can aptly be described as a golden era for cybercriminals, with a monumental rise in the number of cybercrimes across the globe. Cybercrime gangs are firing on all cylinders, launching a barrage of sophisticated cyber threats that cause significant damage to organizations of every size across all sectors. But some threats are grown a little closer to home. In a recent survey by Cybersecurity Insiders, more than 60% of companies experienced an insider attack in 2022, and many of those attacks had expensive, damaging outcomes. Three-quarters of survey respondents said they feel moderate to highly vulnerable to insider threats, an increase of 8% over 2021. Every business needs to address the growing problem of insider risk immediately.

Malicious insider threats aren’t the most significant cyberattack vector for businesses. In the 2022 Unit 42 Incident Response Report by the Palo Alto Networks, insider attacks comprised only 5.4% of the reported incidents. However, even this tiny percentage made a more significant dent for organizations as insiders have a better understanding of sensitive data and have access to privileged information. That small percentage of reported incidents can lead to substantial damage fast. According to Verizon’s 2022 Data Breach Investigations Report, malicious employees are behind about 20% of data breaches. The attacks that insiders are involved in are, on average, ten times bigger than those conducted by external actors.

A recent example of how much damage a malicious insider can do quickly helps illustrate the danger. In November 2022, news broke out about a hacker group, WhiteInt, whose mastermind was an associate director at Deloitte’s cyber unit. The hacker group had operations across India and offered paid services of accessing emails, personal data and phone numbers of VIPs for private investigators globally. After being exposed in a sting operation conducted by The Sunday Times and the Bureau of Investigative Journalism, the mastermind Aditya Jain was terminated from Deloitte. But the damage had already been done to the company’s reputation.

• What are the motives behind insider attacks?

Malicious insider attacks can come from anyone with the proper access to a company’s computer systems and data, including current employees, former employees, contractors, business partners or business associates, suppliers and vendors. Over 90% of malicious insider incidents are preceded by employee termination or layoff, and if that employee still has a valid access credential, they can wreak havoc quickly. Like most other cyberattacks, a malicious insider’s prime motive is financial gain. However, malicious insider threats can also result from espionage, retaliation or a grudge toward the employer. Stealing data or proprietary information is the top malicious insider action, but disgruntled employees make other damaging moves too.

• Even non-malicious insider actions can lead to a data disaster

However, it’s important to remember that not all insider threats are malicious attacks. Some bad outcomes, like a data breach, can happen because of employee negligence or ineptitude. Many of those threats can be neutralized through security awareness training. For example, over 65% of accidental insider threats come from employees interacting with a phishing message. But with regular exercise using phishing simulation, companies can dramatically reduce the likelihood of an employee falling for a phishing trap. Insider threats come from various employee actions and behaviours, whether malicious or accidental. Does a Gartner study classify insider threats into four categories: pawn, goof, collaborator, and lone wolf:

1. The pawns: Pawns are those employees who fall for social engineering lures and give up their sensitive information to the hackers by downloading malware or disclosing credentials on a spoofed website.
2. The goofs: Goofs are ignorant or arrogant employees who do not follow an organization’s security protocols. In their ignorance, they bypass an organization’s security controls, leaving data and other sensitive information vulnerable and giving threat actors easy access to systems and data. These are generally non-malicious acts. Gartner report found out that the goofs cause 90% of insider incidents.
3. The collaborators: Collaborators, also known as turncloaks, collaborate with outsiders, such as the company’s competitors or nation-state actors, to steal privileged information. They misuse their access to steal intellectual property that could lead to business operations disruptions, financial losses and reputational damages.
4. The lone wolf: A lone wolf acts independently without any external influence or manipulation to harm their employers. Often, the lone wolf has elevated levels of privilege and access within the company, enabling them to steal information without getting caught. Lone wolves primarily work for financial gains.

• These tips can help you prevent and remediate insider threats

1. Perform risk assessments: organizations, at all times, should be aware of the location of their critical assets, vulnerabilities and threats that could affect them. The risk assessment should include all the risks caused by insider threats. After that, prioritize the risks and enhance your cyber defence according to risk priority.
2. Continuously update and enforce security policies: The threat landscape evolves continually; therefore, you must update your security policies regularly to thwart the threats. Additionally, work harder to implement these security policies for all employees interacting with your IT environment.
3. Employ a security operations center (SOC): An SOC monitors your critical attack vectors and alerts you upon finding any suspicious activities. SOC experts proactively detect and eliminate an attack before it could harm your organization.
4. Deploy intrusion detection and prevention systems: Intrusion detection and prevention systems help you monitor and control remote access from all endpoints. It can flag any unusual activities, allowing you to remediate the issue quickly. Also, ensure all remote access to ex-employees is terminated immediately when they leave the organization.
5. Enable surveillance: Not all insider attacks are conducted through digital means. Hence, you should have 24/7 management of your critical facilities to prevent theft of your essential resources.
6. Monitor the dark web: Most of the stolen data and sensitive information lands on the dark web forums for sale these days. If it falls into the wrong hands, your organization’s future might be in jeopardy. That’s why you should monitor the dark web for credentials and other information exposure through dark web monitoring. Finding the direction early can help you prepare for any eventualities.
7. Add a cybersecurity component to offboarding: Former employees are a security threat, even if they leave on good terms. Removing their access to systems and data is critical. A study showed that 83% of former employees surveyed said they continued to access accounts at their previous place of employment, and 89% could still access sensitive company data after leaving the company.

Source:ID Agent