Insider cyber risk is a different and more nuanced problem than external threats. It’s hard to admit that someone inside the company could ‘not be who they say they are’, and it takes a group effort to get these types of programs off the ground.
However, over one-third of businesses are impacted by insider threats every year, and US businesses face roughly 2,500 internal security breaches per day in aggregate. These cases are real. No company with a zero-trust initiative can responsibly look the other way.
The question isn’t why to build out an insider threat prevention program: it’s how.
The origin and impact of insider risk
To understand how best to combat insider threats, it helps to know where they originate and why.
As cited by TechJury, more than two out of three insider incidents are caused by negligence, and nine in ten involve human error. Fraud, financial gain and intellectual property theft are the primary motivators behind the malicious cases, and ‘trusted business partners’ typically account for 15-25% of incidents across all industries.
What starts as a careless, disgruntled or simply uninformed employee action can result in credential theft, data loss and unforeseen damage. These aren’t insignificant events: credential theft can cost upwards of $850,000 per incident, and companies are now spending 60% more than they did three years ago combating the effects of insider risk. In most cases (85%), companies can’t even definitively determine the total cost of the damage caused by these incidents.
Fortunately, some great products are out there to help organizations get a handle on the insider threat problem and make inroads into securing their digital enterprise from the inside out.
The top insider threat software products of 2023
Data Detection and Response (DDR) company Cyberhaven offers a useful overview of some of the top security tools designed with insider threats in mind. For a quick rundown, they are:
Finding the right solution to integrate with your existing stack is paramount to implementing an insider-threat-resistant program that will last. It also helps to define your insider-specific security strategy before you invest, so you’ll understand which tool (or tools) you need. This all comes down to how you approach the development of your insider threat program.
Developing your insider threat program
When building out your insider threat approach, there are two complementary methodologies, and both must be attended to.
One is dealing with the aftermath. This is the SOC-side action: tracking down threats once your tools give you fair warning. While this is imperative, it leaves gaps when alert volumes are too high and teams are too busy. Sometimes, things fall through the cracks.
The other method, which should be used in tandem, is prevention. This means vetting alerts before they reach the SOC so that analysts know they are valuable and worth looking into when they get there. To do this, high-quality alerts need to be generated, which requires a multi-point approach that correlates user context (role, privilege level, normal behaviour) with data context (what was accessed and how it is classified). Keeping an eye on your internal data, not just your internal workforce, is key to validating alerts. Did an errant employee gain unauthorized access to last year’s financial data or to HR’s virtual Spirit Week flyer? The details matter, and tools that give you this multi-faceted data improve the quality of your alerts and of your program overall.
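To make the prevention-side idea concrete, here is a small alert-triage routine that scores each file-access event by combining who the user is (role, clearance, privilege) with what was touched (data classification, volume, time of day), so that only high-scoring events are escalated to the SOC. This is an added example written for this article, not code from Cyberhaven or any product it mentions; the user directory, classification rules, thresholds and audit-log lines are all constructed for illustration.

```python
"""Alert triage that correlates user context with data classification.

Added example (not from the article or any vendor product). The user
directory, classification rules, thresholds and log lines are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed data classification: longest matching path prefix wins.
CLASSIFICATION = {
    "/shares/finance/": ("CONFIDENTIAL", 3),
    "/shares/hr/personnel/": ("RESTRICTED", 4),
    "/shares/hr/": ("INTERNAL", 1),
    "/shares/hr/events/": ("PUBLIC", 0),
    "/shares/eng/": ("INTERNAL", 1),
}

# Constructed user directory: role, privilege flag, labels the role may read.
USERS = {
    "jdoe": {"role": "engineer", "privileged": False, "cleared": {"PUBLIC", "INTERNAL"}},
    "asmith": {"role": "fin_analyst", "privileged": False, "cleared": {"PUBLIC", "INTERNAL", "CONFIDENTIAL"}},
    "root_admin": {"role": "sysadmin", "privileged": True, "cleared": {"PUBLIC", "INTERNAL"}},
}

# Constructed audit-log sample (one JSON object per line), as a file share might emit.
SAMPLE_LOG = """
{"ts": "2023-05-02T14:03:11Z", "user": "jdoe", "action": "read", "path": "/shares/hr/events/spirit-week-flyer.pdf", "bytes": 310000}
{"ts": "2023-05-02T14:09:40Z", "user": "jdoe", "action": "read", "path": "/shares/finance/fy2022/ledger.xlsx", "bytes": 2400000}
{"ts": "2023-05-02T15:20:02Z", "user": "asmith", "action": "read", "path": "/shares/finance/fy2022/ledger.xlsx", "bytes": 2400000}
{"ts": "2023-05-03T02:41:55Z", "user": "root_admin", "action": "copy", "path": "/shares/hr/personnel/salaries.csv", "bytes": 58000000}
{"ts": "2023-05-02T10:15:00Z", "user": "jdoe", "action": "read", "path": "/shares/eng/design-notes.md", "bytes": 12000}
"""

ESCALATE_THRESHOLD = 5      # assumed tuning value
BULK_BYTES = 50_000_000     # assumed "bulk transfer" cut-off


@dataclass
class Alert:
    user: str
    path: str
    label: str
    score: int
    reasons: list[str]
    verdict: str


def classify(path: str) -> tuple[str, int]:
    """Return (label, sensitivity) for the longest matching prefix; unknown paths default to INTERNAL."""
    best, best_len = ("INTERNAL", 1), -1
    for prefix, meta in CLASSIFICATION.items():
        if path.startswith(prefix) and len(prefix) > best_len:
            best, best_len = meta, len(prefix)
    return best


def score_event(event: dict) -> Alert:
    """Combine user context and data context into a single triage score."""
    user = USERS.get(event["user"], {"role": "unknown", "privileged": False, "cleared": set()})
    label, sensitivity = classify(event["path"])
    score, reasons = 0, []
    if label not in user["cleared"]:
        # Core check: the user touched data their role is not entitled to; weight by sensitivity.
        score += 2 + sensitivity
        reasons.append(f"{user['role']} not cleared for {label}")
    if user["privileged"]:
        score += 1
        reasons.append("privileged account")
    hour = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).astimezone(timezone.utc).hour
    if hour < 6 or hour >= 22:
        score += 1
        reasons.append("off-hours")
    if event["bytes"] >= BULK_BYTES or event["action"] in {"copy", "download"}:
        score += sensitivity
        reasons.append("bulk or exfil-style action")
    verdict = "escalate" if score >= ESCALATE_THRESHOLD else "log_only"
    return Alert(event["user"], event["path"], label, score, reasons, verdict)


def triage(log_text: str) -> list[Alert]:
    """Parse the log, score every event and return alerts sorted highest-risk first."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    return sorted((score_event(e) for e in events), key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.verdict:9} score={a.score:2} user={a.user:10} {a.label:12} {a.path} {a.reasons}")
```

Run as-is, the engineer reading the public Spirit Week flyer scores zero and is logged only, while the same engineer opening last year’s ledger is escalated, and a privileged account bulk-copying personnel data at 02:41 lands at the top of the queue. The point is not the specific weights (they are assumptions to be tuned against your own data) but that the verdict depends on both halves of the context: without the classification lookup every read looks alike, and without the user directory a legitimate finance analyst would be flagged alongside the engineer.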
Combating insider threats comes down to more than fancy tools and well-thought-out strategies, although those are integral parts. A key component of creating a culture that vets and rejects risky internal behavior is having everyone involved, because everyone is an insider.
Those with access to more data can do more damage, technically speaking. Most organizations would agree: 55% identified privileged users as their greatest insider threat risk. While no particular group should be singled out for scrutiny per se, there are specific things each department can do as part of ongoing efforts.
Over half (55%) of companies use dedicated tools and activities to reduce insider threat, roughly the same number (54%) use DLP software, slightly fewer (50%) use user behavior analytics (UBA) software, and 47% use employee monitoring and surveillance (participants could select more than one answer).
Whatever system you use, the key thing to remember is that your strategy should pair user activity monitoring with an equal measure of data monitoring, so that remediation time is spent chasing real threats rather than ignoring ‘too many’ alerts.
About the author: Katrina Thompson
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
(SecurityAffairs – hacking, Insider Threats)