Critical digital and physical assets are becoming increasingly vulnerable due to accelerated connectivity, differing global regulatory requirements, joint ventures and business partnerships and security weaknesses within complex multinational supply chains. These factors have led to a rise in insider threats for enterprises across all industries.

An insider threat is an employee or third-party vendor that has access to a company’s network. While some insiders seek to compromise sensitive corporate data for monetary gain or out of spite, others do so accidentally due to negligence or lack of awareness.

According to the “2016 Insider Threat Report” by Crowd Research Partners, 75 percent of survey respondents estimated insider threats cost their companies at least $500,000 in 2016, while 25 percent reported costs could exceed that amount. The study also found that 74 percent of organizations are vulnerable to insider threats. Of that number, 7 percent reported that they were “extremely vulnerable.”

Get smart to shut down insider threats

Common Behavioral Indicators

The most common indicator of an insider threat is lack of awareness. For instance, employees with savvy IT skills often create workarounds to technology challenges. When employees use their own personal devices to access work emails, they often create new vulnerabilities within the organization’s physical security processes and IT systems.

The chief information security officer (CISO) must be aware of these patterns to detect suspicious motives, which requires a holistic and layered approach to user behavior analytics (UBA). The following are examples of behavioral indicators:

  1. Downloading substantial amounts of data to external drives;
  2. Accessing confidential data that is not relevant to a user’s role;
  3. Emailing sensitive information to a personal account;
  4. Attempts to bypass security controls;
  5. Requests for clearance or higher-level access without need;
  6. Frequently accessing the workspace outside of normal working hours;
  7. Irresponsible social media behaviors;
  8. Maintaining access to sensitive data after termination;
  9. Using unauthorized external storage devices;
  10. Visible disgruntlement toward employers or co-workers;
  11. Chronic violation of organization policies;
  12. Decline in work performance;
  13. Use of mobile devices to photograph or otherwise record computer screens, common work areas or data centers;
  14. Excessive use of printers and scanners;
  15. Electronic communications containing excessive use of negative language;
  16. Installing unapproved software;
  17. Communication with high-risk current or former employees;
  18. Traveling to countries known for intellectual properly (IP) theft or hosting competitors;
  19. Violation of corporate policies;
  20. Network crawling, data hoarding or copying from internal repositories;
  21. Anomalies in work hours;
  22. Attempts to access restricted areas;
  23. Indications of living beyond one’s means;
  24. Discussions of resigning or new business ventures; and
  25. Complaints of hostile, abnormal, unethical or illegal behaviors.

Remediation Pain Points

Insider threats are costly to remediate because they are very difficult to detect. A thorough investigation often requires companies to hire forensic specialists to determine the extent of a breach. It is also challenging to distinguish malicious activity from regular day-to-day work. For example, users who have elevated access privileges interact with sensitive data as part of their normal jobs, so it can be virtually impossible to determine whether their actions are malicious or benign.

Users who have elevated access privileges often cover their tracks by deleting or editing logs, impersonating another user or using a system, group or application account. Proving guilt is yet another pain point, since offending users may claim ignorance or human error.

Steps to Combat Insider Threats

Most organizations lack procedures to deal with internal threats. Moreover, security architecture models have no room for insider threats. Security infrastructures primarily prevent outside attackers from gaining entrance to the network undetected, operating under the false assumption that those who are granted internal access in the first place are trustworthy.

To properly account for and remediate insider threats, organizations must establish a comprehensive, risk-based security strategy that includes the following four elements:

1. Information Governance

It is of paramount importance to protect critical data assets from insider threats. Information governance provides business intelligence that drives security policies and controls. This improves risk management and coordination of information management activities. A solid information governance foundation enables organizations to adopt a risk-based approach to protecting their most valuable assets and installing sound data management procedures.

2. Advanced Forensic Data Analytics

User-based analytics are indispensable tools that provide detection and predictive measures to thwart insider threats. These solutions incorporate artificial intelligence and machine learning technologies that objectively analyze insider behaviors and generate risk rankings within the user population.

3. Incident Response and Recovery

External and insider breaches have their own nuances, but the impacts are similar and should leverage the same response program in anticipation of a major breach. Organizations must strive to build as strong an insider threat program as possible. It’s also important to develop an incident response program that considers both internal and external breaches.

4. Legal Considerations

An insider threat program cannot be successful without careful legal and regulatory considerations. For example, privacy laws pertaining to employee monitoring vary across national boundaries. In the U.S., the Electronic Communications Privacy Act (ECPA) allows employers, under certain provisions, to monitor their employees’ emails and other electronic communications. Meanwhile, the member states of the European Union (EU), in compliance with the European Convention on Human Rights, adhere to privacy laws under the Data Protection Directive, which regulates how organizations within the EU process personal information.

A Cross-Organizational Challenge

Combating insider threats is an organizational issue that crosses people, processes and technology and requires a detailed understanding of the organization’s assets and security posture. It also demands a clear separation of duties, continuous monitoring of employee behaviors and a formal insider threat program that includes IT, human resources, legal and all other business groups. With the proper resources in place, a CISO can gather the actionable intelligence needed to thwart internal attacks and gain visibility into the highest-risk users.

Read the IBM white paper: Get smart to shut down insider threats

More from CISO

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

6 Roles That Can Easily Transition to a Cybersecurity Team

With the shortage of qualified tech professionals in the cybersecurity industry and increasing demand for trained experts, it can take time to find the right candidate with the necessary skill set. However, while searching for specific technical skill sets, many professionals in other industries may be an excellent fit for transitioning into a cybersecurity team. In fact, considering their unique, specialized skill sets, some roles are a better match than what is traditionally expected of a cybersecurity professional. This article…