Assess Insider Threats by Asking 6 Key Questions

May 1, 2023 Sam Flaster

The people closest to your business can sometimes cause the most damage. Yet while top-secret data leaks are headline news today, most insider threats are well-intentioned people who just screw up.

Humans: The Weakest Cybersecurity Link

The number of identities with access to sensitive data in your organization keeps growing, and increasingly, threat actors can count on two things. First, that someone with sensitive access will do something they shouldn’t, such as a business user who clicks a link in a phishing email, a third-party contractor who falls for an MFA fatigue attack, a developer who hard-codes credentials to save time or an IT admin who exposes troves of sensitive information after misconfiguring a cloud account. And second, that their victim’s organization isn’t equipped to stop or fix every snafu, every time.

Gartner®, Inc. estimates that lack of talent or human failure will be responsible for over half of significant cyber incidents by 2025. [1]

To Address Insider Identity Risks, Ask These Six Questions

As your organization looks inward, our CyberArk team recommends asking these six questions to help assess insider risks and ways to manage them better.

  • What assets matter most, and where do they live? As your IT infrastructure grows more extensive and complex, users work from everywhere, storing and accessing data in web applications, internal files, databases and services hosted on-premises and in the public cloud. You can’t effectively isolate and stop threats from reaching your company’s “crown jewels” without a clear understanding of what you need to protect and where these assets are stored.
  • Can we see how users are handling sensitive data? Based on CyberArk research, about 52% of the workforce identities in your company can access sensitive data. Yet like 48% of organizations today, you may have limited resources, visibility and control over how users are handling valuable and confidential assets. A consistent way to record, audit and protect end-user activity – particularly in web app and privileged sessions – is critical to quickly uncovering and mitigating insider threats.
  • Are we analyzing behavior to make more intelligent access decisions? According to Gartner, “A focused insider risk management program should proactively and predictively identify behaviors that may result in the potential exfiltration of corporate assets or other damaging actions and provide corrective guidance, not punishment.” [2] Many security and compliance teams use AI to help contextualize user behavior data (for example, login date/time, device, location and privileged account use) and establish baselines for users across their access to web apps, resources and privileged accounts. Comparing new activity against those baselines makes it easier to detect risky behavior and gauge the likelihood of identity compromise, while letting workers operate without unnecessary disruption.
  • Are there ways we can improve the insider experience? University College London research suggests that the amount of effort required to do something influences what we think we see. In other words, people are likely to perceive challenging tasks – like repeated authentication prompts to access resources they regularly use – as less appealing. And when the going gets tough, people take shortcuts and drive up insider risk. For some, this means storing files in Dropbox, sending information via personal email, sharing passwords or installing rogue applications – actions that may seem harmless but can unintentionally put data and systems at risk. A 2022 Gartner survey found that 69% of employees had bypassed their organization’s cybersecurity guidance in the past 12 months, while 74% said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective. [3]

    In CyberArk’s view, effective Identity Security anticipates and removes barriers, making it easy for people to do the right thing.

  • How do we bridge the cybersecurity expectation-reality gap? Overall awareness is up, and most people recognize that cybersecurity is everyone’s job, which is true and welcome. But awareness alone is not a defense. Even if just 2.9% of employees click on phishing links (as the latest Verizon DBIR found), attackers still have plenty of opportunities to steal credentials and compromise identities. A Zero Trust philosophy assumes that humans will make mistakes. Instead of expecting that to change, it accounts for errors and limits the damage they can do by promoting continuous authentication and authorization for all identities – human and machine – along with secure, least privilege access that’s granted just in time.
  • Are we tackling identity-based threats holistically? Organizations often use separate products to manage access for workforce and privileged identities, which require separate user and resource management and identity-related risk assessment. But without unified threat detection, a centralized source of data and standardized risk analysis and remediation policies, teams are more likely to miss, mishandle or respond too slowly to threats from both inside and outside.
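The behavior-baselining idea in the third question above is easy to state and harder to make concrete, so here is an added example of it that is not CyberArk code and not from the original post. It builds a per-user baseline (devices, countries, login hours, prior privileged-account use) from a constructed set of authentication events, then scores new events by how far they deviate; usernames, hostnames, countries and the weights are all hypothetical, and a real program would feed the score into step-up authentication or a review queue rather than a hard block.

```python
"""Per-user behavioral baselines over constructed authentication events.

Added example, not CyberArk's product logic. Each new event is scored
against the user's history: unseen device, unseen country, login outside
the user's usual hours, and privileged access by a user with no prior
privileged use. Weights and threshold are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample history: (user, timestamp, device, country, app, privileged).
HISTORY = [
    ("alice", "2023-04-03T09:05:00", "alice-laptop", "US", "crm", False),
    ("alice", "2023-04-04T08:55:00", "alice-laptop", "US", "crm", False),
    ("alice", "2023-04-05T09:12:00", "alice-laptop", "US", "wiki", False),
    ("alice", "2023-04-06T17:40:00", "alice-laptop", "US", "crm", False),
    ("bob", "2023-04-03T22:10:00", "bob-desktop", "DE", "jumphost", True),
    ("bob", "2023-04-04T23:02:00", "bob-desktop", "DE", "jumphost", True),
    ("bob", "2023-04-05T21:45:00", "bob-laptop", "DE", "jumphost", True),
]

# Constructed new events to score against the baselines above.
NEW_EVENTS = [
    ("alice", "2023-04-10T09:01:00", "alice-laptop", "US", "crm", False),      # normal
    ("alice", "2023-04-10T03:14:00", "unknown-host", "RO", "jumphost", True),  # everything new
    ("bob", "2023-04-10T22:30:00", "bob-laptop", "DE", "jumphost", True),      # normal
    ("bob", "2023-04-10T10:00:00", "bob-phone", "DE", "jumphost", True),       # new device + off-hours
]

HOUR_WINDOW = 2       # hours of slack around the observed login-hour range (assumption)
ALERT_THRESHOLD = 2   # score at which an event is flagged for review (assumption)


def build_baselines(events):
    """Aggregate what each user has been observed doing in the history."""
    base = defaultdict(lambda: {"devices": set(), "countries": set(),
                                "hours": [], "privileged": False})
    for user, ts, device, country, _app, priv in events:
        b = base[user]
        b["devices"].add(device)
        b["countries"].add(country)
        b["hours"].append(datetime.fromisoformat(ts).hour)
        b["privileged"] = b["privileged"] or priv
    return base


def score_event(baseline, event):
    """Return (score, reasons) for one event; each deviation adds its weight."""
    user, ts, device, country, _app, priv = event
    b = baseline.get(user)
    if b is None:
        # A user with no history at all cannot be baselined: always review.
        return ALERT_THRESHOLD + 1, ["no history for user"]
    score, reasons = 0, []
    if device not in b["devices"]:
        score += 1
        reasons.append(f"new device {device}")
    if country not in b["countries"]:
        score += 2
        reasons.append(f"new country {country}")
    hour = datetime.fromisoformat(ts).hour
    lo = max(0, min(b["hours"]) - HOUR_WINDOW)
    hi = min(23, max(b["hours"]) + HOUR_WINDOW)
    if not lo <= hour <= hi:
        score += 1
        reasons.append(f"hour {hour:02d} outside usual {lo:02d}-{hi:02d}")
    if priv and not b["privileged"]:
        score += 2
        reasons.append("first privileged access")
    return score, reasons


def flag_events(history, new_events, threshold=ALERT_THRESHOLD):
    """Score every new event and return those at or above the threshold."""
    baseline = build_baselines(history)
    flagged = []
    for ev in new_events:
        score, reasons = score_event(baseline, ev)
        if score >= threshold:
            flagged.append((ev[0], ev[1], score, reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, score, reasons in flag_events(HISTORY, NEW_EVENTS):
        print(f"{ts} {user} score={score}: {', '.join(reasons)}")
```

Two things the weights are meant to show: a single weak signal (bob on an unfamiliar device) does not by itself reach the threshold, but two weak signals together do, and a user who has never used a privileged account is scored harder for doing so than a user whose job is privileged work. That asymmetry is what lets the same rule set stay quiet for an admin's routine evening sessions while surfacing the same action from a business user.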

You’ll need to gain stakeholder support to formalize insider threat protection as part of a broader Identity Security program. Convincing IT admins and other highly privileged users – who may initially resist scrutiny or change – is crucial. Another critical group to win over is leadership. Referencing current insider threat headlines can help frame the issue and drive a sense of urgency, while meaningful metrics are a must.

Because insider threats could be you, me or anyone else linked to an organization, intelligent privilege controls that were once designed for the most privileged user must now extend to every identity – enhancing visibility, detection and response, while maintaining the critical balance between security and usability.

[1], [2], [3] – Gartner Press Release, “Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025,” February 22, 2023. https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
