Tackling the Top 5 Internal Data Security Threats Facing Businesses Today

Cybersecurity has never been what you might call easy. But it is safe to say that doing it well over the past few years has gotten objectively harder. 

The reasons are many.

Ransomware-as-a-Service, the rapid shift to remote and then to hybrid work, and the massive adoption of the cloud, which greatly improves productivity but opens a whole can of worms in terms of exposure that can harm an organization. The list goes on.

But while ransomware, APTs, and other criminal elements are keeping defenders at the parapets, the blue team continues to face risks from inside their walls.

According to Verizon’s Data Breach Investigations Report for 2022, nearly 20% of all data breaches were caused by internal threats. Although less common than external threats, insiders can be far more damaging in the quantity and quality of data impacted, as seen in the billion records reportedly impacted by insider threats during 2021, in contrast to the 250 million plus records that outsiders got their hands on.

Organizations of all sizes and industries, from healthcare to finance to government, have faced considerable challenges from insiders, as a steady stream of stories continues to hit the headlines week after week.

In light of these challenges, organizations are doing more to protect themselves from internal cybersecurity threats. 

In this review, we will take a look at who the modern internal security threats are and why they are so impactful on their victims, and offer a couple of valuable tips that defenders can use to reduce the risk of an internal threat leading to a painful data loss incident.

And hopefully avoid seeing themselves in a Google alert for all the wrong reasons.

Defining the Internal Data Security Threat

In order to understand a problem, you have to first define it. 

Unsurprisingly, opinions on what defines an insider threat are varied. 

Hoping to find neutral ground, we used the Cybersecurity and Infrastructure Security Agency’s (CISA) straightforward definition of the insider threat, which they lay out as:

“Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization.”

While this explanation is beautiful in its simplicity and brevity, the full answer is a bit more expansive, covering the different varieties of insider threats to data.

So what is an example of an internal security threat?

In their 2019 “Insider Threat Report”, Verizon’s research team defines five kinds of insider threat scenarios:

  • The Careless Worker (misusing assets) – Employees or partners who misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications and use unapproved workarounds; their actions are inappropriate as opposed to malicious, and many of them fall within the world of Shadow IT.
  • The Inside Agent (stealing information on behalf of outsiders) – Insiders recruited, solicited or bribed by external parties to exfiltrate data.
  • The Disgruntled Employee (destroying property) – Insiders who seek to harm their organization via destruction of data or disruption of business activity.
  • The Malicious Insider (stealing information for personal gain) – Actors with access to corporate assets who use existing privileges to access information for personal gain.
  • The Feckless Third-Party (compromising security) – Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

Let me add another character to the mix: The Unknowing Insider. 

This person is similar to the Careless Worker in that they may be partially responsible for clicking on a phishing link that leads to their account being taken over, but labeling them careless treads too far into victim blaming.

We need to be a little more understanding when it comes to having our creds popped. This is especially true since phishing is becoming harder to detect as the quality of the emails goes up and more professional hacking crews figure out ways to defeat spam filters.

A common line that we often hear after a successful phishing attack is something like, “Why did they open the email?” What we need to remember is that many workers, like accounts payable staff in hospitals, are tasked with opening emails with files from unknown senders as part of their duties. We should have a little more empathy for those folks who find themselves phished and their credentials compromised.

Compromised credentials were responsible for 50% of breaches according to the most recent Verizon Data Breach Investigations Report (DBIR). The damage from those creds being compromised is also on the rise, with the Ponemon Institute’s “Cost of Insider Threats Global Report” finding that the cost of credential compromise jumped 65%, from $2.79 million in 2020 to $4.6 million this year.

Adding insult to injury, in many cases the victim did not take any active part in their own compromise, such as clicking on a phishing link.

The same report found that credentials are consistently among the most targeted bits of data that hackers go after. This is because the more credentials they can steal, the more opportunities they will have to keep carrying out crimes. 

Think about it like this. Give a man creds from a dark web data breach and he will break in for a day. Teach a man to phish and he will hack for a lifetime.    

Despite the apparent ease with which an attacker can use compromised creds to wreak havoc by pretending to be an insider, it is still important to explain the differences between internal and external actors, and what they mean for your organization’s security.

Explaining the Difference: External vs Internal Data Security Threats

When it comes to the challenges of dealing with external and internal threat actors, we find ourselves with a bit of a good news/bad news situation in both cases. 

They are just, well, different challenges. One way to frame it is along the lines of quantity vs quality.

On the one hand, the vast majority of bad actors are still outside your organization, though the ratios depend heavily on which field you are in. According to the DBIR, healthcare has one of the highest proportions of insider actors, who make up 39% of its incidents.

Insiders, on the other hand, are less common than most organizations believe them to be, but they can cause far more harm if they so choose, for a number of reasons.

Why are Internal Data Security Threats So Damaging?

They are already inside your perimeter

As members of your organization, insiders have already been granted some level of access to resources. This may include access to sensitive information or systems.

It is generally normal for them to be accessing information, be in the office where data is stored, or to ask for access to information that they do not have standing access to — within reason.

This means that the basic action of the insider accessing some data is not enough to set off alarm bells on its own. At least not without the proper context.

Furthermore, it now takes organizations an average of 85 days to contain a malicious insider threat, according to the Ponemon Institute’s researchers. This time and access allow them to exfiltrate much larger amounts of data, as seen in the DBIR’s figure of a billion compromised records.

They know where sensitive information is stored

An external threat actor needs to go through the process of gaining access to your systems and then moving laterally until they find something interesting. This means gaining enough persistence and mapping out your environment to know where the good stuff is.

This process takes time, and it often ends with the malicious actors walking away with whatever they could grab.

Insiders, by contrast, already know where to find what they are looking for, and often the scope of the resources as well. If they do not have the necessary access to reach their target data or system on their own, they can figure out who to talk to in order to get it.

Insider threats are bad for business

In straight numbers, the Ponemon Institute found that the average cost of an insider incident was $15.4 million. For financial institutions, the number gets even higher to $25.2 million.

There are long-term effects as well, in terms of opportunity costs, lost revenue, and other income lost to a drop in confidence in your organization after a breach.

Revelations of an insider threat can make for bad PR because customers/partners may lose trust in you to operate securely with their data. 

While most organizations are able to move past the bad press of a breach, even from an insider, it still deals them a pretty serious blow as they have to explain to customers, and regulators, what steps they are taking to ensure that this kind of incident will not happen again any time soon.

Unfortunately, we have plenty of evidence from well known cases of insider threats to understand how they can play out.


An Overview of Impactful Internal Security Threat Cases

As the DBIR points out, insider threats are less common than organizations may expect. But they do happen regularly enough that we have a body of knowledge on which to base our research.

The Snowden Leaks

Probably the most famous case in recent years is that of former National Security Agency contractor Edward Snowden. His leak in 2013 of a trove of government secrets to Wikileaks was a major embarrassment for the agency when he revealed numerous surveillance programs. 

While many applauded him for exposing many of these programs, Snowden is believed to have caused significant damage to U.S. intelligence operations and diplomatic relations. Many US tech firms cooled on working with the American government, uncomfortable with the details of surveillance coming to light. The fallout internationally was also significant as fears of US snooping on communications led to a massive loss in revenues for American cloud companies. By some estimates, cloud service providers lost somewhere in the range of $25-30 billion in business from the revelations.

Vault 7

While Snowden’s leaks were significant, the Vault 7 leaks by former Central Intelligence Agency engineer Joshua Schulte may have been more damaging. Schulte was recently convicted of sending Wikileaks a range of CIA hacking tools, burning operations and potentially putting field agents at risk of real physical harm.

Hospital Insiders

With too many cases to count, one recent example of an insider improperly accessing electronic medical records (EMR) is the Phoenixville Hospital case, reported in July.

According to the report, the employee accessed records that included massive amounts of personally identifiable information (PII), including social security numbers, dates of birth, addresses, and plenty of other bits that can be used by fraudsters for illicit purposes.

SIM Swappers

An often underreported phenomenon is how external threat actors will work with insiders to exploit their employer and hurt customers.

One common tactic for defeating Multi-Factor Authentication (MFA) is to have an employee at the mobile service provider illicitly port the victim’s phone number over to the criminals, allowing them to receive the SMS MFA code.

Europol has warned of this threat after this tactic was used for targeting the social media accounts of celebrities. 

GigaFactory’s Employee of the Decade 

Sticking to the theme of outsiders trying to turn insiders to the dark side, the news is not all bad. 

In 2020, a Russian hacker attempted to bribe an employee at Tesla’s GigaFactory to help them infect the factory’s systems with ransomware through a bit of intentional negligence. 

Thankfully for Elon Musk and his shareholders, the employee rebuffed the $1 million bribe and alerted the authorities.

Ubiquiti – The fox watching the hen house

In a bizarre case, an IT employee at game maker Ubiquiti stole source code from the company in a sizable breach. 

It got weirder though later when he was brought in on the investigation team and used his role in a security capacity to delete logs that pointed to his being responsible for the breach. 

He later attempted to further muddy the waters by claiming that the company was involved in a cover up before being found out by an outside forensics team. 

Nuclear crisis averted

In a reminder that most illicit cyber activities are more get-rich-quick schemes than Bond villain plots, a story from 2019 reported that the unauthorized use of computers discovered at a Ukrainian nuclear power plant was not the work of Russian hackers or terrorists.

Instead, the employees at the plant were using the free computing power to mine cryptocurrencies. 

The employees used their access to hook up all sorts of unauthorized hard drives and systems to the plant’s machines before being caught by authorities, leaving everyone shaking their heads in disbelief and just general relief at how much worse it could have been.

These are just a few of the stories that pop up regularly of insiders acting stupidly and/or maliciously. 

Given the ongoing risk of an insider threat situation joining this long list, organizations are taking steps to better understand their risks and are looking for ways to mitigate them.

Top 5 Internal Data Threats and How to Mitigate Your Risk

In talking about the risk, we first need to discuss, at a high level, the common types of data security threats facing every organization.

Going back to basics for a minute, let’s think about the CIA triad, which lays out the ways that data can be harmed.

  • Confidentiality – This is when the data is no longer private. Examples include leaks, ransomware crews threatening to release data, or a politically motivated actor exposing it.
  • Integrity – This asks whether or not the data has been tampered with. If there is a breach of a bank or of company records, can we trust that our data is still correct?
  • Availability – The classic ransomware and DDoS question: can we access our data or systems? Are we able to provide services? Given our modern reliance on digital systems for everything from managing medication distribution in hospitals to keeping traffic lights working, we need these systems to work as intended at all times.

What are the practical risks associated with insider threats?

With their access, insiders can impact all of these areas of security with minimal effort if they so choose.

This means that they can:

  • Sell data for criminal or espionage purposes
  • Destroy it to harm the victim organization
  • Lock it down like a ransomware crew might
  • In the case of governments or strategic sectors like defense, technology and energy, transfer it to a foreign power

Below are some more concrete examples of how these insider data security threats could play out and what organizations can do to prevent data loss.

An insider accesses files that they should not have access to because it is outside their role. 

The risk: 

This could be a healthcare worker looking at EMRs, or one of a million other examples where an insider is accessing data that they have no need to access in connection with their role.

Impact on the organization:

Every bit of access equals exposure. In highly regulated industries like finance or healthcare, the mere fact that an unauthorized person gained access to resources they should not have is enough to bring penalties down on the organization.

How does the attack work:

All our insider has to do is use their access to view and/or impact resources outside the scope of their role. This could be a person from R&D viewing payroll information or some other combination of inappropriate use. Customer or patient data are very common examples of these kinds of targets for abuse. 

How to mitigate the risk:

  • Access limitations and micro-segmentation protect data by siloing what each user is able to access.
  • All activity should be monitored using User Behavior Analytics (UBA) tools that track usage and behavior, create logs for forensic investigation of what is being accessed, and alert on risky behavior that falls outside the baseline of what is normally accessed.

Insider exfiltrates data via email, uploading it to a web app, or downloading it to a device

The risk: 

An insider decides to steal data from the organization.

Impact on the organization:

The organization’s IP, secrets, customer data, and other valuable information could be compromised, violating confidentiality and compliance regulations and potentially leading the data to reach unfriendly hands.

How does the attack work:

Once the insider has accessed the data, they download it to an external drive, send it out over an internet connection, or use some other form of transmission.

How to mitigate the risk:

  • Monitoring all channels of communication and data transfer can help detect when this malicious activity is occurring.
  • There is also a potential for deterring such action if employees understand that they are being monitored and that activities like these will set off alerts and be flagged for investigation.

Insider attempts to skirt detection or rules for safe and normal handling of sensitive data

The risk:

While possibly not malicious, such activities can lead to data being leaked or otherwise exposed.

Impact on the organization:

Beyond the regulatory penalties, the organization can be harmed if its IP or other valuable data is not securely managed. Poor work habits can lead to putting customers and future business at risk.

How does the attack work:

Less an attack and more failure to comply with best practices, the employee does not follow guidelines for how to handle sensitive information. One example might be granting access to sensitive information without clearing it through the proper channels in the name of efficiency.

How to mitigate the risk:

Detecting risky behavior before an incident occurs can save an organization money and headaches. By using UBA solutions to flag bad behavior, the organization can work with the employee to correct behavior and remediate as necessary.

Insider has their account taken over by an external actor who then abuses their creds

The risk:

An external actor can use the compromised account to access sensitive data or systems.

Impact on the organization:

The organization’s data can be at risk from all the CIA triad risk types, leading to breach.

How does the attack work:

Once an external attacker has possession of the compromised creds and defeats MFA if it is present, perhaps by using a phishing page to intercept the OTP, then they can move laterally within the organization to find their desired data, virtually undetectable because they are using legitimate credentials.

How to mitigate the risk:

  • Monitoring behavior here is essential to pick up on suspicious actions.
  • Use tools to detect changes in behavior that may be indicative of an intrusion.
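As an added illustration of the monitoring described for out-of-role access, exfiltration over email, web upload or removable media, and account takeover above (example code written for this page, not Teramind’s product or the page’s own material): a small Python detector run over constructed access-log lines. The log format, the role-to-data policy and the per-user baselines are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed role policy: the data classes each role has a business need to touch.
ROLE_POLICY = {"rnd": {"source_code"}, "payroll": {"payroll", "hr_records"}, "clinician": {"emr"}}
# Channels over which data leaves the organization (email, web upload, removable media).
EXFIL_CHANNELS = {"email_attach", "web_upload", "usb_copy"}

# Assumed log format; a real UBA/DLP product has its own schema.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) data=(?P<data>\S+) bytes=(?P<bytes>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec

def analyze(lines, baseline, exfil_factor=5.0):
    """baseline: user -> {"bytes": typical daily exfil-channel volume, "src": known networks}.
    Returns (kind, user, detail) tuples for the three behaviours described in the text."""
    alerts, exfil_totals, flagged_src = [], Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["user"]
        # 1. Access outside the role's scope (e.g. R&D reading payroll).
        if rec["data"] not in ROLE_POLICY.get(rec["role"], set()):
            alerts.append(("out_of_role", user, rec["data"]))
        # 2. Accumulate volume moved over exfiltration-capable channels.
        if rec["action"] in EXFIL_CHANNELS:
            exfil_totals[user] += rec["bytes"]
        # 3. Valid credentials used from a network the user has never used before:
        #    the kind of behaviour change that can indicate account takeover.
        known = baseline.get(user, {}).get("src", set())
        if rec["src"] not in known and (user, rec["src"]) not in flagged_src:
            flagged_src.add((user, rec["src"]))
            alerts.append(("new_source", user, rec["src"]))
    for user, total in exfil_totals.items():
        if total > baseline.get(user, {}).get("bytes", 0) * exfil_factor:
            alerts.append(("exfil_volume", user, total))
    return alerts
# Constructed sample: one day of access events for three users.
SAMPLE_LOG = """\
2024-05-01T09:02:11 user=alice role=rnd src=10.1.0.0/16 action=read data=source_code bytes=2048
2024-05-01T09:15:40 user=alice role=rnd src=10.1.0.0/16 action=read data=payroll bytes=4096
2024-05-01T10:30:22 user=bob role=payroll src=10.2.0.0/16 action=email_attach data=payroll bytes=512000
2024-05-01T11:12:09 user=bob role=payroll src=10.2.0.0/16 action=usb_copy data=hr_records bytes=2400000
2024-05-01T12:00:00 user=carol role=clinician src=10.3.0.0/16 action=read data=emr bytes=800
2024-05-01T23:41:17 user=carol role=clinician src=203.0.113.0/24 action=read data=emr bytes=800
"""
BASELINE = {
    "alice": {"bytes": 50000, "src": {"10.1.0.0/16"}},
    "bob": {"bytes": 40000, "src": {"10.2.0.0/16"}},
    "carol": {"bytes": 20000, "src": {"10.3.0.0/16"}},
}
def run_sample():
    return analyze(SAMPLE_LOG.splitlines(), BASELINE)
```

On the sample, alice’s payroll read is flagged as out of role, bob’s email plus USB volume is flagged as far above his baseline, and carol’s late-night access from an unfamiliar network is flagged as a possible takeover.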

Insider unintentionally sends sensitive information to the wrong person or exposes it publicly

The risk:

Sensitive data could leak out or become exposed.

Impact on the organization:

Similar to the results of a malicious actor stealing information, this non-malicious and common human mistake can open the organization to liability and financial risk.

How does the attack work:

Again, this is less of an attack and more of a human mistake. Maybe the wrong email address was entered, for instance because someone has a name similar to the intended recipient’s. Another possibility is that the resource was shared with a wider group of people than intended.

How to mitigate the risk:

  • Activity monitoring is not just for catching malicious actors. If your UBA tool picks up on an irregular activity and shows what the mistake was, it gives the security team the opportunity to approach the person who made the error and help remedy the situation as quickly as possible.
  • Use rules as guardrails to reduce the probability of such mistakes happening.

Preparing for the not so Remote Future of Remote Work 

The future of work is only going to continue to become more dispersed as more workers embrace the shift to remote, and the transition to the cloud brings even more challenges for defenders looking to secure their data on someone else’s machines. 

By embracing the right sets of tools, organizations can give their employees the tools and trust they need to work more effectively and efficiently, all without sacrificing their security along the way. 

Automating the collection of user behavior data with powerful analytics at scale is essential for organizations, enabling them to centralize their visibility over employee activities and flag risky behavior before it becomes a breach.