Insider threats are on the rise – again

by Mark Rowe

Protection from insider threats is discussed by Igor Baikalov, Semperis Chief Scientist and former SVP of global information security at Bank of America, with 20 years’ experience in insider threat and risk monitoring.

Insider threats—cyber incidents carried out by trusted actors—are increasing sharply. As with all cyber attacks, most breaches committed by inside threat actors involve access abuse, whether the compromise was the result of negligence or malicious intent. The global economic slowdown has resulted in layoffs and general uncertainty, creating conditions that raise the risk of insider threat attacks, whether they stem from decreased resources for training, from lack of security policy enforcement or from lower job satisfaction among employees—which can lead to retaliatory behaviour.

Insider threats are particularly dangerous because they involve access abuse by trusted actors who, to do their jobs, have access to critical assets and sensitive data across the organisation. But most security solutions focus on detecting illegitimate access. To adequately address insider threats, organisations need solutions that protect the core identity system itself by scanning for identity system vulnerabilities that insiders can abuse, detecting and automatically remediating risky changes, shining a light on attack paths into critical assets, and providing post-breach forensics to close backdoors left by malicious insiders. In particular, organisations in the midst of major transitions, such as consolidating business offices or reducing the overall workforce, need the ability to take action on suspicious activity from high-risk users—such as employees who are flagged as a flight risk or are slated for upcoming termination.

Although external malicious actors receive most of the media attention, insider threats—stemming both from negligence and from malicious intent—are on the rise. According to the Ponemon Institute’s 2022 Cost of Insider Threats Global Report, 67 per cent of companies experience 21 to 40 insider-related incidents per year—up from 60 per cent in 2020—with each incident incurring an average cost of $484,931. Insider threats are notoriously difficult to eradicate: It takes victim organisations an average of 85 days to contain an insider-related incident.

Access abuse

Anyone who has permission to access critical business assets can potentially abuse that privilege, either through negligence or malicious intent. Negligence can lead to system compromise in several ways, but the result is the same: Because of a mistake someone made—for example, an end user who left their laptop unlocked or an Active Directory admin who failed to follow defined employee off-boarding policies—privileged credentials are easy picking for malicious actors. An inside threat actor with malicious intent can use privileged access to compromise the organisation’s system for a variety of reasons, from monetary gain to revenge. Regardless of the intent, access abuse underlies insider threats. An identity-first security strategy that addresses every phase of the cyberattack lifecycle—including recovering from an insider attack if the worst happens—is critical to protecting organisations from insider threats.

Based on my experience addressing insider threat and risk monitoring at Bank of America, I can attest that the stark increase in inside threat incidents is a warning to organisations that haven’t yet implemented a comprehensive identity threat detection and response solution. Access abuse is the common element in insider attacks. Employees, contractors, vendors, and partners can inflict devastating damage on organisations, either out of carelessness or malice. Protecting against insider threats requires a concerted effort—a comprehensive strategy that addresses every phase of the attack lifecycle, including prevention, remediation, and recovery.

© 2024 Professional Security Magazine. All rights reserved.