Who hasn’t heard about disinformation or fake news? And for those responsible for security, who hasn’t heard about the risk of insider threats? Both issues are well known, but how disinformation can affect cyber risk management might not be so obvious.

This article won’t tell you who’s right or wrong in a political debate. Instead, our goal is to bring to light how disinformation campaigns affect the threat landscape.

Whether due to mistakes or planned attacks, insider threats cost organizations millions. A Ponemon Institute survey found that insider threats grew by 47% from 2018 to 2020. The cost of insider threat events also increased by 31%, from $8.76 million to $11.45 million, during the same period. The institute also estimates that organizations spend on average $644,852 to recover from an insider threat incident, regardless of the source.

The Disinformation Challenge

One of the biggest challenges today is knowing which information sources you can rely on. If someone claims something about a political, social or health issue, how do you know if it’s true? For security decision-makers, what happens if you aren’t even aware of what your employees share? And even if you do know, how do you handle these issues?

If that’s not enough, you might not even know who your employees are. With all the freelancing and online business going on, well-defined employee identities frequently blur. For example, it’s not uncommon for employers to issue freelancers a company email.

How Narratives Create Insider Threats

The world is facing a growing problem with false narratives. From a security standpoint, however, any compelling narrative, true or false, can increase risk. Problems occur when people become overly passionate about an issue or a cause. When this happens, they may let their guard down when they get a message that reinforces their belief.

For example, let’s say someone is very invested in a specific cultural, social, political or health issue. We’ll call it Cause-X. For that person, any correspondence received about Cause-X generates excitement. This means there’s less of a barrier when responding to phishing emails, links, text messages and downloads. And all of these activities can open the door to attacks such as credential theft and malware.

Social Engineering and Grooming

Sophisticated threat actors are sometimes true actors. That is, they pose as someone who shares a passion for Cause-X. From there, they build themselves up to be a trusted voice, friend or authority. They might even reach out with direct contact to generate a spirit of camaraderie (grooming), all with the intent to build trust.

Then when the actor tells their contacts to visit a website or download a document, the followers do so willingly. In this way, a company insider becomes a threat without even knowing it.

Fight Disinformation, Avoid Confrontation

One of the challenges you face as a leader is how to reduce the threat that disinformation brings to your company. First of all, it’s important you don’t engage as if it’s a political debate. Whether or not you agree with one side or another isn’t the point.

Instead, you should educate your teams about cybersecurity best practices. Continuously remind and teach them about email, social media and messaging attack risks — especially with devices connected to your company networks. You can even share informative videos about social engineering that can lead to a data breach.

True Insider Threats

Then there is the insider that has truly malicious goals. An employee could be a cyber criminal working as a double agent seeking to steal information. Or maybe they simply want to sell exfiltrated data on the darknet.

Disgruntled employees may also wreak havoc in acts of revenge against a company. Be wary of this especially during company mergers or reorganizations. During the transition, some workers may feel abandoned, left out or offended. At that moment, a former loyal employee may suddenly become a security risk.

HR, Privileged Access and Zero Trust

Given the digital nature of today’s business, the boundaries of a company are more fluid than ever. Employees come and go and also move within an organization all the time. That’s why it’s important for security to work closely with human resources to keep tabs on headcounts and access privileges.

For example, during the Great Resignation of 2021, millions of workers quit their jobs. How many of them left with company access privileges still active?

One of the best methods for preventing access-level-related insider incidents is to apply least privilege principles to all users. This means all users have the lowest level of access needed to carry out their duties. For instance, a privileged access management (PAM) solution can be built around a zero-trust model.

In this model, the goal is to grant everyone with a user account the least amount of privilege possible. This reduces the chances that an insider will gain unauthorized access to data or assets. This approach becomes even more critical in the cloud where both human and digital requestors ask for access.
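
One way to run the HR-to-access reconciliation described above, as an added example that is not part of the original article: it compares an HR roster export with an account listing and flags enabled accounts of departed staff, enabled accounts with no HR record (such as freelancers issued a company email), and group memberships beyond a role baseline. The CSV layouts, sample rows, `ROLE_GROUPS` policy and function names are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not real data): an HR roster and an account listing.
HR_CSV = """employee_id,email,status,end_date,role
1001,ana@example.com,active,,engineer
1002,bob@example.com,terminated,2021-11-30,engineer
1003,cy@example.com,active,,analyst
"""
ACCOUNTS_CSV = """email,enabled,groups
ana@example.com,true,dev
bob@example.com,true,dev;domain-admins
cy@example.com,true,finance;domain-admins
freelancer@example.com,true,dev
old@example.com,false,dev
"""
# Hypothetical least-privilege baseline: the groups each role actually needs.
ROLE_GROUPS = {"engineer": {"dev"}, "analyst": {"finance"}}

def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_rows, account_rows, role_groups):
    """Return (email, issue) pairs for enabled accounts that need review."""
    hr = {row["email"].lower(): row for row in hr_rows}
    findings = []
    for acct in account_rows:
        if acct["enabled"].lower() != "true":
            continue  # disabled accounts grant no access
        email = acct["email"].lower()
        person = hr.get(email)
        if person is None:
            # No HR owner: contractor, shared or forgotten account.
            findings.append((email, "no_hr_record"))
        elif person["status"] != "active":
            # Person has left but the account still works.
            findings.append((email, "departed_still_enabled"))
        else:
            groups = set(filter(None, acct["groups"].split(";")))
            extra = groups - role_groups.get(person["role"], set())
            if extra:
                findings.append((email, "excess_groups:" + ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for email, issue in reconcile(load(HR_CSV), load(ACCOUNTS_CSV), ROLE_GROUPS):
        print(f"{email}: {issue}")
```
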

Identity and Access Management and Insider Threats

Effective access control can never be ‘set it and forget it’. People’s behavior and roles can change. And someone you once trusted might go rogue or have their credentials compromised. That’s why one of the most important cybersecurity trends now is Identity and Access Management (IAM). A key feature of IAM is adaptive access.

Adaptive access leverages machine learning and AI to analyze a host of parameters, such as user, device, activity, environment and behavior. This way, you can monitor access trends and be alerted to any aberrant behavior.

By taking the full context into account, authentication is more intelligent. This also means less disruption to normal business flow. The cybersecurity landscape is constantly changing. But adaptive technologies, such as IAM, help you stay ahead of nefarious actors.

Insider Threat Hunting

In addition to the preventative measures described above, threat-hunting tools and strategies are also important. The 2021 IBM Security X-Force Insider Threat Report revealed that 40% of insider attacks were discovered by an internal monitoring tool.

Tools like user behavior analytics, privileged access management (PAM), SIEM, threat intelligence sharing and user training and awareness were estimated to save organizations an average of $3 million by reducing or eliminating insider risks. Consider how they could protect you from an insider threat.
