Identity & Access

On the Rise: The Enemy From Within

Under the Current Economic Conditions, Security Professionals Must Quickly Re-assess Their Approach to Defending Against Insider Threats. 

Many organizations are aware of the challenges related to external threat actors and therefore focus their efforts on creating deterrents to protect against these cyber-attacks. In doing so, they often overlook that the biggest threats can arise from within.

Over the last two years, insider-related incidents increased by 47% according to the 2020 Cost of Insider Threats Global Report by the Ponemon Institute. At the same time, the average global cost of insider threats rose by 31% to $11.45 million. These numbers are quite concerning, especially when bearing in mind that they came at a time of global prosperity and growth. The risk of company employees walking away with sensitive data or selling their access credentials has never been greater now that a record number of individuals have been laid off and face financial hardship due to the COVID-19 health crisis. So, what measures can organizations take to minimize their exposure to insider threats?

As we’re all painfully aware, external threat actors are taking full advantage of these uncertain times by launching a wave of new cyber-attacks, using phishing, ransomware, and credential stuffing tactics. In turn, organizations need to focus on improving cyber resilience while stretching their budgets further. However, employees and business partners can do just as much damage from the inside, whether due to malice or negligence.

Insider threats are carried out by current or former employees, contractors, or other trusted business associates who have, or had, access to the organization’s IT infrastructure and sensitive data. These attacks are often difficult to detect because the activity is performed with legitimate credentials through sanctioned access paths. According to the 2019 Verizon Data Breach Investigations Report, insider threats represent an often-overlooked threat vector that contributes significantly to data breaches in verticals such as healthcare (59%), educational services (45%), information technology (44%), financial services (36%), and government (30%).

Insider Threats Defined

The most common insider threats can be defined by the intent and motivation of the individuals involved. The 2019 Verizon Insider Threat Report defines five distinct insider threats based on data breach scenarios:

• The Careless Worker: Employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications, and use unapproved workarounds. Their actions are inappropriate rather than malicious, and many of them fall under shadow IT (i.e., technology used outside of IT’s knowledge and management).

• The Inside Agent: Insiders recruited, solicited, or bribed by external parties to exfiltrate data.

• The Disgruntled Employee: Insiders who seek to harm their organization via destruction of data or disruption of business activity.

• The Malicious Insider: Actors with access to corporate assets who use existing privileges to access information for personal gain.

• The Feckless Third-Party: Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

Today’s economic climate exacerbates these risks, as pending furloughs or pay cuts may tempt employees to exfiltrate data to secure a new job, make up for income losses, etc.

Indicators of Insider Threats

Insiders have a huge advantage, as they’re familiar with the company’s IT infrastructure and often know where the most valuable data resides. Furthermore, they may be familiar with how sensitive data is being protected and know how to sidestep any security measures. In addition, insider threats are harder to defend against than attacks from external adversaries, since the behavior of insiders often blends in with typical business activity.

Nonetheless, behavioral analysis can be used to establish early indicators for insider threats. These can include:

• Activity at unusual times (e.g., signing into systems in the middle of the night, outside the hours the user normally works)

• Unusual data volume (e.g., downloading terabytes of data sets, far above the user’s typical daily total)

• Unusual type of activity (e.g., accessing resources or systems the user has never touched before)

Tools such as User and Entity Behavior Analytics (UEBA) and Data Loss Prevention (DLP) systems are often deployed for these purposes. However, with employees currently mandated to work from home, the signal these tools provide is degraded: the behavioral baselines used to identify abnormal activity were learned from in-office patterns and have shifted dramatically, so they must be re-learned over a remote-work window before anomaly scores mean much. In addition, some employees might not be monitored at all in remote scenarios, for example when traffic bypasses corporate sensors through a split-tunnel VPN or when work is done from unmanaged devices, which reduces visibility into their actions.
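As an added illustration of how the three indicators above are scored against a per-user baseline, the following is example code written for this page; it is not the author’s code and not taken from any UEBA or DLP product. It assumes a simple whitespace-separated log line format and uses constructed sample lines. The drift check at the end shows the remote-work caveat: when nearly every user trips the unusual-time rule at the same time, the baseline is stale and needs rebuilding rather than every user being suspicious.

```python
"""
Added example: a minimal UEBA-style scorer for three insider-threat indicators
(unusual time, unusual volume, unusual resource), run over constructed log lines.
Assumed log format: "<ISO timestamp> <user> <action> <resource> <bytes>"
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed baseline window (pre-remote-work, in-office hours). Not real data.
BASELINE_LOG = """\
2020-03-02T09:12:00 alice read hr-share 12000
2020-03-02T10:40:00 alice read hr-share 8000
2020-03-03T14:05:00 alice read hr-share 15000
2020-03-02T08:55:00 bob read eng-repo 40000
2020-03-03T17:20:00 bob read eng-repo 35000
2020-03-04T11:00:00 bob read eng-repo 50000
"""

# Constructed detection window: alice pulls a large volume from a share she
# never used before, at 02:30. bob behaves as usual.
CURRENT_LOG = """\
2020-04-06T02:30:00 alice read hr-share 10000
2020-04-06T02:45:00 alice read finance-share 900000
2020-04-07T10:00:00 bob read eng-repo 42000
"""

# Constructed window after everyone moved to remote work: hours shift for all users.
WFH_LOG = """\
2020-04-13T06:10:00 alice read hr-share 9000
2020-04-13T22:05:00 bob read eng-repo 38000
"""


def parse(log_text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile: hours of day seen, resources touched, bytes per day."""
    profiles = defaultdict(lambda: {"hours": set(), "resources": set(),
                                    "daily_bytes": defaultdict(int)})
    for e in events:
        p = profiles[e["user"]]
        p["hours"].add(e["ts"].hour)
        p["resources"].add(e["resource"])
        p["daily_bytes"][e["ts"].date()] += e["bytes"]
    return profiles


def score_window(events, baseline, volume_factor=10):
    """Return (user, indicator, detail) findings for the three indicators."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        p = baseline.get(e["user"])
        if p is None:
            findings.append((e["user"], "no-baseline", e["resource"]))
            continue
        # Indicator 1: activity outside the hour range seen in the baseline.
        if not min(p["hours"]) <= e["ts"].hour <= max(p["hours"]):
            findings.append((e["user"], "unusual-time", e["ts"].isoformat()))
        # Indicator 3: a resource this user has never touched before.
        if e["resource"] not in p["resources"]:
            findings.append((e["user"], "unusual-resource", e["resource"]))
        daily[e["user"]][e["ts"].date()] += e["bytes"]
    # Indicator 2: daily volume far above the user's median baseline day.
    for user, days in daily.items():
        typical = median(baseline[user]["daily_bytes"].values())
        for day, total in days.items():
            if total > volume_factor * typical:
                findings.append((user, "unusual-volume",
                                 f"{day}: {total} bytes vs median {typical:.0f}"))
    return findings


def baseline_drift(findings, events):
    """Fraction of active users with an unusual-time finding. Near 1.0 means the
    baseline, not the users, has changed (e.g. a wholesale move to remote work),
    so the window should be used to re-baseline rather than to raise alerts."""
    users = {e["user"] for e in events}
    flagged = {u for u, ind, _ in findings if ind == "unusual-time"}
    return len(flagged) / len(users) if users else 0.0


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for name, log in (("current", CURRENT_LOG), ("wfh", WFH_LOG)):
        ev = parse(log)
        hits = score_window(ev, base)
        print(f"[{name}] drift={baseline_drift(hits, ev):.2f}")
        for user, ind, detail in hits:
            print(f"  {user:6} {ind:17} {detail}")
```

Run against the constructed windows, only alice is flagged in the first window (two off-hours events, one new share, one day of roughly fifty times her median volume), while in the remote-work window both users trip the time rule and the drift ratio reaches 1.0, which is the cue to rebuild the baseline instead of opening two investigations.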

Best Practices for Protecting Against Insider Attacks 

Besides relying on advanced detection technologies, organizations can take the following steps to help reduce the risk of insider threats:

• Enforce Segregation of Duties – Separate duties, especially for sensitive or shared processes and tasks, so that no single individual can complete a sensitive process end to end. In this context, organizations can, for example, leverage so-called “access zones” to tie the rights a user has to specific resources.

• Establish the Concept of Least Privilege – Only assign access privileges necessary to perform a regular task and require privilege elevation to gain access to sensitive resources. This approach limits unauthorized or unintended actions. 

• Implement Access Requests and Approval Workflows – Govern privilege elevation with self-service access requests and multi-level approvals, to capture who approved access and the context associated with the request.
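The three practices above can be enforced together by a just-in-time elevation broker: no standing privilege, every elevation requested with a justification, approved by distinct people other than the requester, and expiring automatically. The following is an added example written for this page, not the author’s or any vendor’s implementation; the ElevationBroker class, its approver-zone mapping, the resource and user names, and the request identifier are hypothetical.

```python
"""
Added example (not the author's or any vendor's code): a hypothetical
just-in-time elevation broker enforcing segregation of duties, least
privilege and an approval workflow with an audit trail.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    requester: str
    resource: str
    justification: str
    requested_at: datetime
    approvals: List[Tuple[str, datetime]] = field(default_factory=list)
    granted_until: Optional[datetime] = None


class ElevationBroker:
    """Standing access is never granted; every elevation is requested,
    approved by distinct people other than the requester, and expires."""

    def __init__(self, approver_zones: Dict[str, Set[str]],
                 required_approvals: int = 2, ttl: timedelta = timedelta(hours=1)):
        # Hypothetical "approver zone": which users may approve elevation to a resource.
        self.approver_zones = approver_zones
        self.required_approvals = required_approvals
        self.ttl = ttl
        self.requests: Dict[str, AccessRequest] = {}
        self.audit: List[str] = []  # who requested, who approved, with context

    def request(self, req_id: str, requester: str, resource: str,
                justification: str, now: datetime) -> None:
        if resource not in self.approver_zones:
            raise KeyError(f"no approval zone defined for {resource}")
        if not justification.strip():
            raise ValueError("a justification is required")
        self.requests[req_id] = AccessRequest(requester, resource, justification, now)
        self.audit.append(f"{now.isoformat()} REQUEST {req_id} {requester} -> {resource}: {justification}")

    def approve(self, req_id: str, approver: str, now: datetime) -> bool:
        """Record one approval; returns True once the grant is active."""
        req = self.requests[req_id]
        if approver == req.requester:
            raise PermissionError("segregation of duties: requester cannot approve own request")
        if approver not in self.approver_zones[req.resource]:
            raise PermissionError(f"{approver} is not an approver for {req.resource}")
        if approver in {a for a, _ in req.approvals}:
            raise PermissionError(f"{approver} has already approved {req_id}")
        req.approvals.append((approver, now))
        self.audit.append(f"{now.isoformat()} APPROVE {req_id} by {approver}")
        if req.granted_until is None and len(req.approvals) >= self.required_approvals:
            req.granted_until = now + self.ttl  # just-in-time, time-boxed grant
            self.audit.append(f"{now.isoformat()} GRANT {req_id} {req.requester} -> "
                              f"{req.resource} until {req.granted_until.isoformat()}")
        return req.granted_until is not None

    def is_granted(self, req_id: str, now: datetime) -> bool:
        """The check a privileged gateway or sudo-like hook would call at use time."""
        req = self.requests.get(req_id)
        return req is not None and req.granted_until is not None and now < req.granted_until


def run_scenario():
    """Walk one constructed request through the broker; returns the observable outcomes."""
    t0 = datetime(2020, 4, 6, 9, 0)
    broker = ElevationBroker({"prod-db": {"dba-lead", "sec-oncall"}})
    broker.request("REQ-1", "alice", "prod-db", "restore table after INC-42", t0)
    rejected = []
    # alice: self-approval; bob: outside the zone; second dba-lead: duplicate.
    for i, approver in enumerate(("alice", "bob", "dba-lead", "dba-lead", "sec-oncall")):
        try:
            broker.approve("REQ-1", approver, t0 + timedelta(minutes=i))
        except PermissionError as err:
            rejected.append(f"{approver}: {err}")
    return {
        "rejected": rejected,
        "granted_30m": broker.is_granted("REQ-1", t0 + timedelta(minutes=30)),
        "granted_2h": broker.is_granted("REQ-1", t0 + timedelta(hours=2)),
        "audit": broker.audit,
    }


if __name__ == "__main__":
    outcome = run_scenario()
    for line in outcome["rejected"]:
        print("rejected:", line)
    print("granted at +30m:", outcome["granted_30m"])
    print("granted at +2h: ", outcome["granted_2h"])
    print("\n".join(outcome["audit"]))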

Under the current economic conditions, IT security professionals need to quickly re-assess their approach to defending against insider threats. Since the near-term deployment of behavioral analytics tools for monitoring insider activities is not a viable option for most organizations, consider enhancing basic cyber hygiene practices by implementing segregation of duties and just-enough, just-in-time privileged access.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
