SoS Musings #73 - Insider Threats Are Still on the Rise

Security teams have traditionally prioritized external threats such as ransomware, hackers, and nation-state threat actors because those threats feel more urgent and serious. But what if the threat comes from within, in the form of a fellow employee or even the C-suite? The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) defines an insider threat as the potential for an authorized insider to use their access, intentionally or unintentionally, to harm an organization's mission, resources, personnel, facilities, information, equipment, networks, or systems. Findings from Gurucul's annual "2023 Insider Threat Report," based on responses from more than 325 cybersecurity professionals, suggest that insider threats are a leading concern for organizations of all types: only 3 percent of respondents said they were unconcerned about insider risk. Organizations have never felt more vulnerable, with three-quarters of respondents reporting that they feel moderately to severely vulnerable to insider threats, an 8 percent increase from the previous year. This rise in perceived vulnerability is accompanied by a considerable rise in actual insider attacks: 74 percent of organizations report that attacks have become more frequent, a 6 percent increase over the previous year. Sixty percent of organizations experienced at least one insider attack, and 25 percent experienced more than six. Although not every insider threat is deliberate or malicious, when an insider breach does occur, the damage is typically greater than for other types of incidents.

Studies have highlighted the rise in insider threats. The Ponemon Institute surveyed organizations in North America, Europe, the Middle East, Africa, and Asia-Pacific for its report on the cost of insider threats, interviewing 1,004 Information Technology (IT) and IT security professionals from 278 organizations that had experienced at least one insider-caused incident. The report put the total number of insider-led incidents at 6,803 in 2022, with an average annual cost of $15.4 million. The highest number of insider incidents reported by a single organization was 46, and 67 percent of businesses experienced between 21 and more than 40 incidents a year. According to research from the cybersecurity services company Bridewell, 77 percent of organizations within US Critical National Infrastructure (CNI) have seen an increase in insider-driven cyber threats over the past three years. Bridewell's "Cyber Security in CNI: 2023 Report" draws on a survey of 525 cybersecurity decision-makers in the US transportation and aviation, utilities, finance, government, and communications sectors. It highlights that insider threats range from criminal intent to individual negligence: on average, respondents reported an act of intentional destruction by an employee at least every other week during the past year. Insider threats are especially prevalent in the CNI finance sector, where financial organizations experienced an average of 41 security incidents caused by employee sabotage over the past year, along with 40 instances of data theft or misuse. According to Capterra's "2023 Insider Threats Survey," insider attacks such as fraud, sabotage, and data theft affect 71 percent of US businesses, costing companies hundreds of thousands of dollars, and most businesses (79 percent) report that insider threats are harder to detect than external ones.

Capterra's report also shows that businesses allowing excessive data access are significantly more likely to report insider attacks. Yet only 57 percent of companies limit data access appropriately, while 31 percent grant employees access to more data than their jobs require, and 12 percent grant employees access to all company data. One-third (34 percent) of companies that have experienced insider attacks report that the incident involved an employee with privileged access. The most prevalent form of insider attack, reported by 38 percent of businesses, is data theft, followed by misappropriation of assets (32 percent) and disclosure of trade secrets (30 percent).

Research and development efforts are under way to improve the detection and handling of insider threats. For example, Associate Professor Jingrui He at the University of Illinois Urbana-Champaign is addressing the problem through a project aimed at detecting and predicting such threats. The C3.ai Digital Transformation Institute awarded her a three-year, $200,000 grant for the project, "Multi-Facet Rare Event Modeling of Adaptive Insider Threats." Her team wants to determine how to detect and model uncommon, adaptive insider threats in large organizations using multimodal data such as computer logon and logoff activity, email exchanges, and web history. According to He, insider threats are typically infrequent and involve only a small percentage of employees, and adaptive insiders alter their attack strategies to evade current detection systems. The team will fuse information from the multimodal sources to detect both outlier and rare-category insider threats, then study insiders' adaptive behaviors and present dynamic update techniques for the models they develop. Researchers at the cybersecurity software company Code42 argue that today's security requires an empathy-first approach to insiders, citing a Gartner survey indicating that more than half of insider incidents are non-malicious: the person who caused the problem was only trying to perform a work task, made a mistake, or tried to cut corners. Treating such people as if their actions were motivated by malice is therefore a flawed strategy that can backfire. Code42 recommends that investigators demonstrate empathy and refrain from passing judgment; otherwise there is a substantial risk that the employee will repeat the same mistake or become disgruntled and disengaged.

According to the researchers, approaching insider investigations with empathy requires a psychological shift, and is the first step in establishing the trust needed to achieve the best possible outcome for the organization. The essential components of an empathic approach to insider investigations include connecting to understand, examining unconscious biases, educating, and more. Separately, researchers at MIT Lincoln Laboratory point to zero-trust architecture as a potential defense against insider threats. By treating every component, service, and user of a system as constantly exposed and potentially compromised by a malicious actor, zero-trust principles remove the implicit trust that an insider would otherwise exploit. Each time a user requests access to a new resource, their identity must be verified, and every access is mediated, recorded, and analyzed. This approach combats internal threats by rethinking the data security model so that all data and application assets are protected at all times and in every state.
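Taking two threads above together, the rare-event detection that He's team describes and the per-request mediation, recording, and analysis that zero trust prescribes, the following added Python example (written for this article, not code from CISA, Gurucul, Code42, C3.ai, or MIT Lincoln Laboratory) implements a toy policy enforcement point that re-verifies identity and token freshness on every request, enforces a least-privilege role policy so that no user has access to all data, logs every decision, and then runs a simple peer-baseline rarity score over that log to surface the one user whose off-hours reads of sensitive resources stand out. The roles, resources, users, timestamps, business-hours window, and 3.0 threshold are all constructed assumptions.

```python
"""Toy zero-trust policy enforcement point (PEP) with a rare-event detector over
its access log.  Added illustration for this article, not code from CISA, Gurucul,
Code42, C3.ai or MIT Lincoln Laboratory; every name, timestamp and threshold is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed least-privilege policy (role -> resource -> actions); nobody gets
# access to all company data, and admins may only read the ledger.
POLICY = {
    "analyst": {"reports": {"read"}, "tickets": {"read", "write"}},
    "finance": {"ledger": {"read", "write"}, "reports": {"read"}},
    "admin": {"ledger": {"read"}, "reports": {"read"},
              "tickets": {"read", "write"}, "users": {"read", "write"}},
}
SENSITIVE = {"ledger", "users"}  # resources whose reads are worth counting

@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool       # identity was verified for this session
    token_expires: datetime

@dataclass
class PEP:
    log: list = field(default_factory=list)

    def authorize(self, session, resource, action, now):
        """Mediate one request: re-check identity and freshness, apply policy, log it."""
        if not session.mfa_verified:
            decision, reason = "deny", "identity not verified"
        elif session.token_expires <= now:
            decision, reason = "deny", "session expired"
        elif action not in POLICY.get(session.role, {}).get(resource, set()):
            decision, reason = "deny", "not permitted by least-privilege policy"
        else:
            decision, reason = "allow", "policy match"
        self.log.append({"ts": now, "user": session.user, "resource": resource,
                         "action": action, "decision": decision, "reason": reason})
        return decision == "allow"

def off_hours(ts):  # constructed assumption: business hours are 08:00-18:00 Mon-Fri
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18

def user_features(log):
    """Per user: allowed off-hours accesses, denials, allowed sensitive accesses."""
    feats = defaultdict(lambda: {"off_hours": 0, "denied": 0, "sensitive": 0})
    for e in log:
        f = feats[e["user"]]
        if e["decision"] == "deny":
            f["denied"] += 1
        else:
            f["off_hours"] += off_hours(e["ts"])
            f["sensitive"] += e["resource"] in SENSITIVE
    return dict(feats)

def rare_users(log, threshold=3.0):
    """Sum, per feature, how far a user sits above the peer mean in units of
    (peer std dev + 1); insiders are rare, so the peers approximate normal."""
    feats = user_features(log)
    scores = {}
    for user, f in feats.items():
        peers = [g for u, g in feats.items() if u != user]
        score = 0.0
        for k, v in f.items():
            vals = [g[k] for g in peers]
            mu = mean(vals) if vals else 0.0
            sd = pstdev(vals) if len(vals) > 1 else 0.0
            score += max(0.0, (v - mu) / (sd + 1.0))
        scores[user] = round(score, 2)
    return {u: s for u, s in scores.items() if s >= threshold}

def build_sample_log():
    """Constructed week of activity; 'dave' is the insider reading sensitive data off-hours."""
    pep, exp = PEP(), datetime(2023, 6, 12)
    alice, bob = Session("alice", "analyst", True, exp), Session("bob", "finance", True, exp)
    carol, dave = Session("carol", "finance", True, exp), Session("dave", "admin", True, exp)
    events = [
        (alice, "reports", "read", datetime(2023, 6, 5, 10, 0)),
        (alice, "tickets", "write", datetime(2023, 6, 5, 11, 0)),
        (alice, "ledger", "write", datetime(2023, 6, 5, 11, 30)),  # denied by policy
        (bob, "ledger", "read", datetime(2023, 6, 5, 9, 0)),
        (bob, "ledger", "write", datetime(2023, 6, 5, 14, 0)),
        (carol, "ledger", "read", datetime(2023, 6, 6, 10, 0)),
        (carol, "reports", "read", datetime(2023, 6, 6, 15, 0)),
        (dave, "ledger", "read", datetime(2023, 6, 3, 2, 0)),     # Saturday 02:00
        (dave, "users", "read", datetime(2023, 6, 3, 2, 10)),
        (dave, "ledger", "read", datetime(2023, 6, 3, 2, 20)),
        (dave, "ledger", "write", datetime(2023, 6, 3, 2, 30)),   # denied: admins only read
        (dave, "users", "read", datetime(2023, 6, 4, 23, 0)),     # Sunday 23:00
    ]
    for session, resource, action, ts in events:
        pep.authorize(session, resource, action, ts)
    # A stale token is denied even though bob's role permits the read.
    pep.authorize(Session("bob", "finance", True, datetime(2023, 6, 5, 12)),
                  "ledger", "read", datetime(2023, 6, 5, 19))
    return pep.log
```

Calling rare_users(build_sample_log()) returns {'dave': 5.88}: dave's four weekend reads of the ledger and user directory push his off-hours and sensitive-access counts far above the three peers, while alice's single policy denial barely moves her score, and bob's expired-token denial is recorded without granting the read. In production the peer baseline would be drawn from far more users and more signals (email, web history, badge data, as He's project proposes), and a score like this should open an investigation rather than trigger a disciplinary action, in keeping with the empathy-first point above.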

Insider attacks can damage a company's reputation, finances, and competitiveness. Therefore, businesses are encouraged to take a more proactive approach to prevent these incidents, and the SoS community should continue to explore potential solutions to combat insider threats. 
