Insider breaches — those caused by employees and leaders within an organization — are among the costliest and hardest to detect of all data breaches. Two-thirds of total data records compromised in 2017 were the result of inadvertent insiders, according to the “2018 IBM X-Force Threat Intelligence Index,” and insider threats are the cause of 60 percent of cyberattacks. Meanwhile, misconfigured cloud servers and networked backup incidents caused by employee negligence collectively exposed over 2 billion records last year.

While organizations focus significant resources on the mitigation of external threat actors, insider risks are likely to pose an even greater financial threat to the enterprise. According to the Ponemon Institute’s “2018 Cost of Insider Threats” report, the average cost of insider-caused incidents was $8.76 million in 2017 — more than twice the $3.86 million global average cost of all breaches during the same year.

Traditional approaches to managing insider threats have focused extensively on the use of awareness training and access governance to reduce risks. While these activities are critically important, they’re likely not enough to mitigate all types of employee risk. Humans are enormously variable, and failing to account for all types of insiders could result in costly security incidents.


The Five Types of Insider Threats

The inadvertent insider, the most common form of insider threat, is responsible for 64 percent of total incidents, according to Ponemon, while criminal behavior comprises 23 percent of incidents. Human risks are more complex than simple negligence and malicious intent, however.

Inadvertent insiders include both employees who don’t respond to training and those who create error through mistakes such as misconfigured cloud networks. Within the criminal category, there are instances of collusion, long-term malicious behavior and sabotage. A thorough understanding of the following five distinct categories of insider risk is essential for security teams to develop comprehensive safeguards.

1. Nonresponders

A small but significant percentage of the employee population is made up of nonresponders to awareness training exercises. While these users may not intend to behave negligently, they’re among the riskiest members of the population since their behaviors can fit consistent patterns. In 2017, Verizon found that an average 4.2 percent of people targeted in any given phishing campaign will click the malicious link. Individuals with a strong history of falling prey to phishing campaigns are most likely to be phished again.

While employees who consistently behave in insecure ways are generally a minority of the populace, the total impact of employee mistakes is staggering. Ponemon research found that 63 percent of incidents recorded last year were caused by all categories of negligence.

2. Inadvertent Insiders

Simple negligence is the most common form of insider threat, and also the single most expensive category of employee risk. Insiders who fit this category generally exhibit secure behavior and comply with policy, but cause breaches through isolated errors. Basic misjudgment — such as storing intellectual property on insecure personal devices or falling for phishing schemes — caused two-thirds of breached records in 2017, according to the X-Force report.

Threat actors are increasingly savvy to the vulnerabilities caused by inadvertent insiders. X-Force analysis of the most common criminal tactics used to exploit employee error in the last year revealed several patterns:

  • Thirty-eight percent of external actors attempted to trick users into clicking a malicious link or attachment.
  • Thirty-five percent of external risks were attempts at man-in-the-middle (MitM) attacks.
  • Twenty-seven percent of external threats attempted to exploit misconfigured servers.

3. Insider Collusion

Insider collaboration with malicious external threat actors is likely the rarest form of criminal insider risk, but it’s still a significant threat due to the increased frequency of attempts by professional cybercriminals to recruit employees via the dark web.

One study by Community Emergency Response Team (CERT) placed the frequency of collusion, including insider-insider collusion, at 48.32 percent of all insider-caused incidents. Insider-outsider collusion, meanwhile, comprised 16.75 percent. These incidents took several forms:

  • About 37 percent of incidents involved fraud.
  • About 24 percent of incidents involved intellectual property theft.
  • About 6 percent of incidents involved combined fraud and theft.

According to the same source, insider incidents involving collusion are among the costliest categories of breach and may take four times longer to detect than incidents caused by insiders acting alone.

4. Persistent Malicious Insiders

Most commonly, criminal insiders exfiltrate data or commit other malicious acts with the goal of financial rewards or other personal gain. A Gartner study on criminal insider threats found that 62 percent of insiders with malicious intent are categorized as “second streamers,” or people seeking a supplemental income. Seniority had little correlation with this category of behavior. Just 14 percent of persistently malicious insiders were in a leadership role and approximately one-third had sensitive data access.

So-called “second streamers” may be sophisticated about remaining undetected in order to maximize the personal benefit of data theft. Individuals in this group may exfiltrate data slowly to personal accounts to avoid detection, rather than completing large data exports, which could raise flags in traditional network monitoring tools.

5. Disgruntled Employees

As a final category of criminal insiders, disgruntled employees who commit deliberate sabotage or intellectual property theft are also among the costliest risks to an organization. The Gartner analysis of criminal insiders found 29 percent of employees stole information after quitting or being fired for future gains, while 9 percent were motivated by simple sabotage.

Disgruntled employees can fit many behavioral sub-patterns. Some frustrated employees may start digging for information access without specific goals. Others may have very specific data in mind from the moment they give two weeks’ notice, and set out to sell trade secrets to competitors.

Detecting and Responding to Patterns of Risk in Human Behavior

Human endpoints are likely among the greatest security risks in the enterprise, but insider threats are variable. There is no single approach that can mitigate every category of employee risk. Awareness training, for instance, does not account for individuals who are nonresponders to education or who are searching for a second income stream.

There’s no complete patch for human endpoints. Increased awareness of human threats and tools for behavioral analytics are likely the best way to safeguard against the significant range of insider threats within the enterprise.

Start With Data Protection

The most valuable data and systems in the enterprise are the most vulnerable to any category of insider threat, including risks created by both negligence and criminal intent. To create transparency, organizations should discover and classify at-risk assets. Ongoing monitoring and cognitive analytics can safeguard intellectual property and sensitive data records against all categories of cybersecurity threat.

Adopt Behavioral Analytics

While each employee on a network behaves in deeply individual ways, changes in an individual’s patterns can predict risk. Artificial intelligence and behavioral analytics are exceptional tools for detecting risks in subtle patterns of workplace habits and information consumption. User behavioral analytics can mitigate all categories of insider threat with deep analytics to predict risk propensity.

Assign Risk Scores

Cognitive applications for behavioral analytics can assign risk scores to proactively identify potential insider risks before a breach has occurred. When an employee is identified as being at heightened risk of error or criminal behavior, organizations can respond with mitigating controls, heightened access management or, in extreme cases, account quarantine to prevent data loss.
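The three ideas above (a per-user baseline, deviation from it as a risk signal, and a score that maps to a graduated response) and the slow-exfiltration pattern described under “Persistent Malicious Insiders” fit together in a small detection pass. The following is an added example, not code from the article or from any IBM product; the roll-up format, the thresholds (`BASELINE_DAYS`, `BURST_Z`, `SLOW_EXCESS_BYTES`, `REPEAT_CLICK_MIN`), the score weights and the tier names are all assumptions chosen for illustration, and the activity data is constructed. It scores each user against their own history, so a sustained small elevation in data sent to non-corporate destinations is caught even when no single day would trip a per-event threshold, and repeat phishing-simulation clicks feed in as the nonresponder signal.

```python
"""Behavioral risk scoring over a constructed daily activity roll-up.

Added example, not from the original article. A toy user-behavior
analytics pass that baselines each user's daily volume of data sent to
non-corporate destinations, flags both bursty and slow, sustained
deviations, folds in phishing-simulation history, and maps the resulting
risk score to a response tier. All thresholds and names are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed daily roll-up of the kind a SIEM would produce; not real data.
# Per line: <user> <daily bytes to external destinations, oldest first> <phish clicks>
SAMPLE_ROLLUP = """\
# user daily_bytes_to_external phish_clicks
alice 9000,11000,10000,9000,11000,10000,10000,12000,12000,12000,12000,12000,12000,12000,12000,12000,12000 0
bob 9000,11000,10000,9000,11000,10000,10000,10000,10000,60000,10000,10000,10000,10000,10000,10000,10000 3
carol 9000,11000,10000,9000,11000,10000,10000,10000,9000,11000,10000,10000,9000,11000,10000,10000,10000 1
"""

BASELINE_DAYS = 7          # days used to learn each user's normal volume (assumed)
BURST_Z = 3.0              # single-day z-score treated as a large export (assumed)
SLOW_EXCESS_BYTES = 15000  # cumulative bytes above baseline over the window (assumed)
REPEAT_CLICK_MIN = 2       # clicks at which a user counts as a nonresponder (assumed)


@dataclass
class RiskAssessment:
    user: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_rollup(text):
    """Parse roll-up lines into {user: (daily_bytes list, phish_clicks)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, volumes, clicks = line.split()
        users[user] = ([int(v) for v in volumes.split(",")], int(clicks))
    return users


def zscore(value, mu, sd):
    """Standard score; any rise above a perfectly flat baseline counts as extreme."""
    if sd > 0:
        return (value - mu) / sd
    return float("inf") if value > mu else 0.0


def assess_user(user, daily_bytes, phish_clicks):
    """Score one user's recent days against that user's own baseline."""
    baseline, recent = daily_bytes[:BASELINE_DAYS], daily_bytes[BASELINE_DAYS:]
    mu, sd = mean(baseline), pstdev(baseline)
    result = RiskAssessment(user)

    zs = [zscore(v, mu, sd) for v in recent]
    if zs and max(zs) > BURST_Z:
        # One large export: the pattern traditional per-event monitoring catches.
        result.score += 40
        result.reasons.append("burst_export")
    elif sum(v - mu for v in recent) > SLOW_EXCESS_BYTES:
        # No single day stands out, but volume is persistently elevated:
        # the slow-exfiltration pattern that per-event thresholds miss.
        result.score += 50
        result.reasons.append("slow_exfiltration")

    if phish_clicks >= REPEAT_CLICK_MIN:
        # Repeat clickers in simulations are the nonresponder population.
        result.score += min(30, 10 * phish_clicks)
        result.reasons.append("repeat_phish_clicker")
    return result


def response_tier(score):
    """Map a risk score to the graduated responses the article lists."""
    if score >= 60:
        return "quarantine"
    if score >= 30:
        return "heightened_access_management"
    return "monitor"


def assess_all(text=SAMPLE_ROLLUP):
    """Return {user: (score, reasons, tier)} for every user in the roll-up."""
    out = {}
    for user, (daily, clicks) in parse_rollup(text).items():
        a = assess_user(user, daily, clicks)
        out[user] = (a.score, a.reasons, response_tier(a.score))
    return out


if __name__ == "__main__":
    for user, (score, reasons, tier) in assess_all().items():
        print(f"{user:6} score={score:3} tier={tier:28} reasons={reasons}")
```

On the constructed data, alice never exceeds the burst threshold on any single day but accumulates 20,000 bytes over her baseline across the window and lands in the heightened-access tier; bob’s one 60,000-byte day plus three simulation clicks push him to quarantine; carol’s single click and unchanged volume leave her at monitor. The point of scoring against each user’s own baseline rather than a fleet-wide constant is that a heavy-upload role and a light-upload role are each judged against what is normal for them.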

Reduce Vulnerabilities

One of the greatest safeguards against both insider and external actor threats is strong security hygiene to address basic vulnerabilities in enterprise security. Maintaining continual compliance can facilitate transparency and data protection around critical assets. Patching and network monitoring can reveal compromised systems or employee threats from the moment they occur, not months after the incident.

Mitigating Internal Threats

While ransomware, cryptojacking and other external threats are among the most widely discussed enterprise security risks, insiders are the cause of the statistical majority of data breaches. Negligence, criminal insiders and stolen credentials were linked to the majority of lost records last year. X-Force research reports a 5 percent year-over-year increase in the frequency of insider threats.

Understanding the enormous variation in human behavior is important in creating adequate safeguards against insider risks. With tools for compliance, data protection and user behavioral analytics, it’s possible to proactively protect against both inadvertent error and criminal intent within the network.
