The Different Types of Insider Threats and How to Stop Them


By Rama Krishna Murthy Gudipati, General Manager-India, Customer Success, Securonix

With the number of threats increasing, cybersecurity has never been more important for businesses and organisations. Most people think that cybersecurity is only needed to counter threats from external agents. However, recent trends reveal that close to 60% of cybersecurity attacks can be traced to company insiders who have access to confidential data. Based on Cyentia Institute’s Information Risk Insights Study, a data breach of 100M records has a median loss of about $1M, with a small (3%) chance that it could cost 1,000 times that amount.

This shows that conventional cybersecurity approaches, which are concerned largely with perimeter protections against external threats, are no longer enough. These perimeters are increasingly permeable in a world of cloud applications and remote work environments, and attacks are growing increasingly sophisticated. Modern cybersecurity tools need to focus just as much, if not more, on insider threats to protect company assets.

Types of insider threats

To counter insider threats, it is first necessary to understand how they manifest, and a good place to start is the three types of insider threats that organisations face: negligent insiders, complacent insiders, and malicious insiders. Negligent insiders are employees (or contract resources) who put the company’s privileged information at risk through poor security practices, such as misplacing documents and data drives or mishandling information in email. Complacent insiders are employees who ignore basic security protocols such as applying security patches. Both negligent and complacent insiders are vulnerable to being exploited through threats like email phishing. Phishing emails are frequently used to trick these employees into opening links and inadvertently launching malware that can compromise entire networks.

The remedies for negligent and complacent insiders are relatively straightforward: strict employee compliance and awareness programmes go a long way, and systems can also be designed around them. The situation is much more complicated with malicious insiders, employees who intentionally and deliberately undermine the security of company data. They typically do so for financial gain or because they hold a grudge against their employer. As many as 65% of employees may be approached or targeted to become part of an insider-led attack. There have also been instances where the insider has sourced the external agents with whom to orchestrate the attack.

A new kind of cybersecurity

A range of strategies can be employed to tackle the different types of insider threats outlined above. Training is an effective way to educate negligent insiders about different types of security threats and equip them with the tools to defend against such attacks. Launching mock cybersecurity attacks can give employees a working knowledge of how threats need to be countered. A test-based format can be implemented to strengthen cybersecurity knowledge and best practices, and to help organisations identify the weaker links in the ecosystem. In this way organisations can efficiently identify complacent insiders and devise graduated penalties for repeated failures to adhere to cybersecurity protocols.

These penalties should not be so severe that they turn disgruntled complacent insiders into malicious insiders. Experts recommend instead an approach built on proactive cybersecurity training, which strengthens organisational knowledge and best practices.

When it comes to malicious insiders, we need to think outside the box and turn to solutions like the zero trust approach (ZTA) — the most advanced methodology to counter insider-led attacks. Built on the understanding that security perimeters can be breached no matter how strong they are, ZTA operates on the constant authorisation, authentication and validation of individuals’ credentials before they access company data. This procedure applies to both employees and non-employees. Micro-perimeters are drawn around sensitive data sets so that only the limited number of people who need access to any given data set can have it, and even then they must validate their identity.

This constant need for verification leaves a trail in security information and event management (SIEM) tools that makes it harder for malicious insiders, especially those at higher levels, to operate with impunity. With a layer of rigorous machine learning (ML) models tracking each user’s normal behaviour, security teams can identify malicious insider activity faster and respond more quickly. This is why an effective and strong ZTA requires not just exhaustive mapping and construction of a company’s data landscape but also the implementation of monitoring and analytics frameworks, so as to radically reduce the occurrence of insider threats.
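To make the two controls above concrete, the following is an added example (not code from the article or from Securonix) that runs a micro-perimeter policy check and a per-user behavioural baseline over a constructed SIEM-style access trail; the policy, user names and record counts are all assumed for illustration.

```python
"""Toy insider-threat detection over a SIEM-style access trail (added example).

Implements the two controls the article describes: a micro-perimeter policy that
only lets entitled users with a validated identity read a data set, and a
per-user behavioural baseline that flags reads far above the user's norm.
Policy, users and records are all constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed micro-perimeter policy: data set -> users entitled to it.
POLICY = {"payroll": {"alice", "bob"}, "customer_pii": {"carol"}, "source_code": {"alice", "dave"}}

# Constructed SIEM trail: (day, user, data_set, identity_validated, records_read)
TRAIL = [
    (1, "alice", "payroll", True, 40), (2, "alice", "payroll", True, 45),
    (3, "alice", "payroll", True, 38), (4, "alice", "payroll", True, 42),
    (5, "alice", "payroll", True, 900),  # sudden bulk read by an entitled user
    (1, "carol", "customer_pii", True, 120), (2, "carol", "customer_pii", True, 110),
    (3, "carol", "customer_pii", True, 130), (4, "carol", "customer_pii", True, 115),
    (5, "dave", "customer_pii", True, 5),  # read outside dave's micro-perimeter
    (5, "bob", "payroll", False, 10),  # entitled, but identity not re-validated
]

def perimeter_alerts(trail, policy):
    """Flag reads by users outside the data set's micro-perimeter or with unvalidated identity."""
    alerts = []
    for day, user, dataset, validated, _ in trail:
        if user not in policy.get(dataset, set()):
            alerts.append((day, user, dataset, "not entitled"))
        elif not validated:
            alerts.append((day, user, dataset, "identity not validated"))
    return alerts

def baseline_alerts(trail, baseline_days=4, sigma=3.0):
    """Learn each (user, data set) read volume over the first baseline_days, then
    flag later reads above mean + sigma * std dev. A pair with no history is
    skipped here; the perimeter check is what catches first-time access."""
    history = defaultdict(list)
    for day, user, dataset, _, n in trail:
        if day <= baseline_days:
            history[(user, dataset)].append(n)
    alerts = []
    for day, user, dataset, _, n in trail:
        hist = history.get((user, dataset))
        if day <= baseline_days or not hist:
            continue
        threshold = mean(hist) + sigma * pstdev(hist)
        if n > threshold:
            alerts.append((day, user, dataset, f"{n} reads vs baseline {mean(hist):.0f}"))
    return alerts
```

On the constructed trail, the perimeter check flags dave's read of customer_pii and bob's unvalidated payroll read, while the baseline check flags alice's day-5 bulk read of payroll even though she is entitled to that data set.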

As threats become more complex and sophisticated, and continue to evolve with time, tailored solutions are the need of the hour. While it is not possible to eliminate insider threats entirely, solutions such as ZTA can help limit insiders’ access to sensitive information and curb the occurrence of attacks.