Every IT and security leader loses sleep over insider threats. They’re notoriously difficult to detect, costly to mitigate and can lead to widespread loss and reputational damage. Despite efforts to mitigate insider threats, current global risks and economic pressure are fueling the flame. There’s no silver bullet for insider threat protection, however a greater focus on culture, engagement and empowerment can make a real difference.
The Path to a Mega Breach is Paved with Good Intentions
Edward Snowden, the man behind the biggest intelligence leak in history, largely shaped how the world views insider threats. Since that landmark case, insider threats are often depicted as shadowy malicious characters, stealthy corporate saboteurs or dogged whistleblowers.
In reality, most insider threats are caused by well-intentioned employees who make mistakes or take security shortcuts. For instance, a Stanford University study shows that one in four employees admit to clicking on a phishing link. Sixty-three percent of security professionals report increased risk due to workers using unapproved AI tools, according to our latest CyberArk Identity Security Threat Landscape Report.
Even legitimate AI use can create significant risk. Reports this month indicate that a well-intentioned Microsoft AI team accidentally leaked 38TB of company data while contributing open-source AI learning models to a public GitHub repository. Additionally, numerous studies show that employees regularly use unmanaged personal devices to access company resources, violating corporate policies. These are just a few of the many ways that employees become inadvertent insider threats.
But it’s not just employees that represent risk: the infamous Target breach was one of the first to push third-party insider threats into the spotlight. Third-party partners, consultants and service providers who access sensitive corporate resources for valid purposes can easily become unwitting or malicious insider threats, and set off a far-reaching ripple across large, tightly interconnected digital ecosystems. This may be why security professionals indicate that third parties represent today’s riskiest human identities.
Building a Strong Cybersecurity Culture Is Imperative
According to the 2023 Verizon DBIR, 74% of all breaches include the human element, with people involved via error, privilege misuse, use of stolen credentials or social engineering. This means that cybersecurity must focus heavily on people – not just technology (though both ingredients are necessary.)
In the words of the famous management consultant Peter Drucker, “Culture eats strategy for breakfast.” Fostering a strong cybersecurity culture requires effort from everyone.
Management is responsible for setting the right tone (and modeling secure practices), defining processes to help identify and address risky behaviors and driving cross-functional collaboration. At the same time, it must empower employees with ongoing education and positive reinforcement that builds trust, changes attitudes and habits and, ultimately, creates more resilient organizations. There’s room for growth in this area.
A recent Wall Street Journal report shows that managers routinely miss opportunities to strengthen cybersecurity culture, citing over-emphasis on technology, failure to test incident response procedures and annual check-the-box training as typical examples. According to IBM research, these shortcomings could be fatal to an organization, as the average data breach now costs $4.45 million. Maintaining a security-first culture and mindset across the organization is simply non-negotiable.
Employees and third-party users must also understand why cybersecurity hygiene is so important and make more concerted efforts to be part of the solution. This starts by taking a hard look at how their habits may contribute to organizational risk, such as using unauthorized web apps, allowing family members to use their corporate devices or failing to protect credentials (by using weak passwords, reusing passwords for various purposes, saving passwords in browsers, etc.)
Six Ways to Encourage Bystander Engagement to Mitigate Insider Threats
Insider threat mitigation can also mean speaking up. If a worker sees something that seems off, it’s their responsibility to report it. On the flip side, their employer is responsible for encouraging this bystander engagement and vigilance by:
- Developing safe reporting methods to ensure that personnel reporting insider threat concerns remain anonymous and protected from potential retaliation.
- Prioritizing continued cybersecurity education to help people understand the ever-changing attack landscape and common social engineering techniques to watch out for, such as phishing, vishing and smishing. Workers can respond to potential threats more effectively with regular training and engagement.
- Outlining specific signs and behaviors that could indicate potential internal threats, including unusual data movement, use of unapproved apps or hardware and privilege escalation to access information and systems that aren’t core to job function.
- Communicating transparent and narrowly defined rules to employees and third-party users that reinforce personal accountability and emphasize the importance of company policies, procedures and information security best practices.
- Establishing policies and best practices for compliance, including separating or segregating duties (SoD) and requiring more than one person to complete a critical task.
- Dedicating security operations center (SOC) resources to handling and analyzing insider threat information and activity.
Top-to-bottom efforts to identify and act on insider threat concerns mean organizations can more effectively engage workers who display potential risk indicators. The right technology can also help drive positive outcomes when systems are correctly configured to address security gaps. For example, machine learning tools with adaptive security capabilities enable organizations to baseline user behaviors and reduce false positives in detecting cyber anomalies.
When it comes to insider threats, employees and third-party users are the first and last line of defense for safeguarding your organization’s most critical assets. But it’s up to you to empower them with the critical knowledge, processes and underlying technology they need to succeed.
Omer Grossman is the global chief information officer at CyberArk.