Insider Risk: What Hybrid Companies Need to Know — and Do
Data and IT infrastructure threats have changed significantly in the past few years. In the past, the threats primarily came from outside hackers and bad actors. Today, with the rise of remote work and the proliferation of data, insider threats have become far more common.
A recent Microsoft survey of 300 security and compliance professionals in the U.S. has found that the average company will experience approximately 20 insider-risk incidents per year. That's more than one a month. And according to Microsoft, 40% of the participants said they expect these events to increase in the future.
Ekran reports that 98% of business leaders feel vulnerable to insider attacks. That is not surprising, considering the statistics and the fact that even the best protection can't prevent human error.
The Cost of Insider Threats
A Ponemon Institute study conducted earlier this year found that in 2021, the cost of insider threats to the U.S. economy was over $15 million. That figure is up from $11.5 million just two years prior.
And it gets worse: The report also found that the longer companies take to contain incidents, the higher the cost, potentially going beyond the $17 million mark.
There have been numerous examples of insider incidents in the past. Twitter, for instance, fell victim to spear phishing in July 2020, when hackers gained access to 130 private and corporate accounts with more than a million followers to promote a Bitcoin scam.
How they gained access is a big part of the cautionary tale because it shows that no company is immune to the risk. In this case, the hackers simply used the phone, calling some of Twitter's remote workers, posing as Twitter IT engineers and requesting information about certain high-profile accounts. By collecting this information, they were able to access the accounts to promote the Bitcoin scam — and receive more than $180,000 from Twitter users who believed the information was legitimate because of the source.
Twitter was unaware of the scam until after the press noticed public accounts publishing the scam messages. The share price of Twitter fell by 4% as a result, and the company was forced to update security protocols and delay the release of its new API.
The financial cost of these inadvertent attacks is massive. But there's more. According to Deloitte, there are seven "hidden" costs to a successful cyberattack, including operational disruption, customer relations, brand reputation and loss of IP.
The Types of Risky Insiders
The challenge for companies is educating employees to recognize and report a threat. IBM has identified four types of potential insider threats:
- The Pawn: An employee who performs malicious activities without being aware of it. This includes downloading malware or disclosing credentials to fraudsters.
- The Goof: Ignorant or arrogant users who believe the rules do not apply to them. Due to incompetence or convenience, the user will actively bypass security controls.
- The Collaborator: Users who willingly cooperate with outsiders such as competitors, nation states or criminals.
- The Lone Wolf: A user who acts with malicious intent, often in exchange for financial gain.
According to Ron Gula, president of Gula Tech Adventures, an investment company with a cyber focus, any of the above insiders can have serious implications for the business because of the opportunities even the slightest entry point can provide.
"Attackers can leapfrog the compromised employees' computer and set up the company for blackmail, theft of intellectual property and critical damage to the company's reputation," Gula said.
So, whether the incident is inadvertent, as was the case at Twitter, or malicious, the damage will be the same. Companies must therefore train their employees to not only recognize the threat but understand the extent of the risk, including prosecution in some cases.
5 Ways to Minimize Insider Risks
While there's still some debate as to whether or not remote work increases the risk of cyber incidents, the fact remains that in today's digital workplace, there are many ways bad actors can gain access to a company's assets, regardless of where workers are located. From lack of training and misused resources, to distractions and unsecured networks, to unauthorized disclosure and corporate espionage, there are countless ways to get inside a corporation.
In its report, Microsoft says it's therefore best for companies to approach this risk from a holistic perspective. In other words, risk mitigation and awareness programs mustn't be limited to in-office or remote employees but should include the entire workforce.
Here are five ways to approach this:
1. Deterring: The first step, of course, is to deter potential threats. A cybersecurity research report said this includes having strong access controls, data encryption and usage or access policies that will discourage and deter insider threats.
2. Screening: This means blocking malicious threats from entering the business. Screening new hires is one of the best ways to handle this leg of the journey.
3. Multi-Authentication: Multi-authentication can prevent a great many cyberattacks, including those that stem from flawed user behavior such as poor password choices. According to Cecily Wong, operations manager at cloud security company Styra, multi-authentication adds a layer of security that gives companies more control over access to organizational data and infrastructure.
4. Training: Whether they work in the office, from home or from an internet cafe in Sao Paulo, employees should receive proper training on the risks they, themselves, can create inadvertently. Training is still one of the best ways to protect the company from insider threats.
5. Creating backups: Regularly backing up the company's infrastructure is key to ensuring that data can be recovered and retained. Hackers are very adept at causing significant data losses or using ransomware — and they're getting better. Being prepared is a great step toward mitigating the extent of the losses in the event of an incident.
About the Author
Kaya Ismail is a business software journalist and commentator with years of experience in the CMS industry.