Attacks on organizations from external malicious actors seize headlines on a daily basis. These stories matter, because they’re an important reminder to both policymakers and businesses that threat actors are shrewd, smart, organized and sophisticated—so investing in cybersecurity efforts is critical.
What often gets less attention—both from the press and often from organizations as they design their security strategies—are insider threats. But insider threats remain a very real risk for most organizations, if for no other reason than they strike at the core of any company’s biggest strength and potential biggest weakness: its people.
Insider threats fall into two general categories: the malicious insider (an individual acting on their own behalf or at the behest of another party intending to deliberately cause harm) and the accidental insider (an individual who unknowingly makes an error that leaves the organization vulnerable to exploits). Insider threats are uniquely difficult to manage as well, given they can originate from current and former employees, business partners and vendors. Third-party applications and systems can also create significant financial and business risks for organizations.
Insider threats have increased by 47% from 2018 to 2020—and 40% of these incidents involved an employee with privileged access to company information, according to the 2021 IBM Security X-Force Insider Threat Report. The cost of these incidents has ballooned from $8.76 million to $11.45 million over the last two years. On average, organizations spent nearly $645,000 in 2020 to recover from an insider threat-related security event.
In the current threat environment, organizations can take several steps to prevent and better respond to insider threats, creating a comprehensive threat mitigation program that reduces their risks. Here’s how.
Confronting Insider Threats: What Are The Challenges Facing Organizations?
Many organizations aren’t fully prepared to handle insider threats because they don’t have full visibility into their technology ecosystem and lack the IT capabilities to detect these threats. Previous IBM research found that 47% of organizations said they didn’t have the ability to understand baseline activity inside their networks, while 35% said they weren’t well-equipped to detect misuse by company insiders.
“We don’t know our employees really well,” says Sidney Pearl, global threat management associate partner at IBM. “The bad guys know how to exploit multiple domains by which they can gain access, and if the bad guys know our employees better than we know them ourselves, you can see the dilemma we’re faced with.”
Insider threat incidents occur for several reasons. The X-Force Insider Threat Report found the underlying causes usually aren’t malicious but involve employee negligence, credential theft such as stolen passwords, and security gaps related to administrative access and privileged access management. In 100% of the incidents where an insider was confirmed or likely to have had administrative access, this elevated access played a role in the incident itself, the report found.
Addressing issues with privileged access management is one of the most effective ways organizations can begin to build a comprehensive threat mitigation program. Privileged users typically include executives as well as network and security administrators who have access to high-value systems or data within an organization. Some of these users, particularly within IT teams, often share credentials. All of these factors create heightened security risks for organizations and necessitate more stringent security controls and monitoring.
With remote work becoming the norm and more endpoints connecting to their networks, organizations need to refine their security strategy to prevent insider threats proactively. The business and financial risks are too great to ignore.
“It takes about 77 days, on average, to remediate insider threats. The faster you can thwart these events before they actually occur, it’s going to prevent all of the costs that go into those remediation actions,” says Jason Keenaghan, director of product management at IBM Security.
To thwart insider threats and reduce their operational and financial risks, organizations must bring people, processes and technology together.
Key Strategies For Combating Insider Threats: Insights, Enforcement, Detection And Response
A multi-tiered approach that combines strategies and tools, such as a defense-in-depth strategy, AI-driven user behavior analytics, privileged access management (PAM) solutions and a zero-trust model, can reduce organizations’ security vulnerabilities.
A defense-in-depth strategy encompasses multiple security controls, including intrusion prevention and detection systems that monitor suspicious network activity; advanced firewall protections to control and gain visibility into network traffic; endpoint detection and response systems that monitor devices and applications that connect to an organization’s network; and strong passwords and multi-factor authentication to prevent unauthorized access to systems. The principle of least privilege—which ensures specific users, applications and systems only have access to the data necessary to perform their assigned business function or role—is also a cornerstone of this strategy and can minimize some of the risks associated with privileged access.
Along with a defense-in-depth strategy, Keenaghan says the most effective security approach for organizations will center on three key pillars: insights, enforcement and detection/response.
- Insights
IBM’s report found that 40% of security incidents were detected through alerts generated via an internal monitoring tool, while only 20% of incidents involved a person actually detecting and reporting it.
Insights are crucial because they provide visibility into your environment, so you can understand where your data is, who your users are, what endpoints are connecting to your environment and what risks they pose. User behavior analytics, which provide information on user behavior such as which files an employee accessed and which applications they used, is just one example of insights that can enhance security.
- Enforcement
Next, leaders must implement proactive security protections and controls, such as a zero-trust architecture, to minimize security risks.
Keenaghan says adopting a zero-trust approach can help organizations better detect insider threats. Under this model, network and security administrators assume all traffic entering the network is potentially malicious, and users, applications and systems must be thoroughly verified and authenticated before they are granted access.
- Detection & Response
Threat detection and response is the ability to identify threats and respond to them in real time, before they spread into systems and applications.
“I look at this as the safety net,” Keenaghan says. “It’s along the lines of defense in depth—you’ve got all the protections and different layers on the front side, but with the detection and response, that’s where you can catch anything that falls through the cracks. This requires you to get insights from your entire environment, detect those anomalies and quickly respond.”
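As an added illustration (not code from IBM or from the article), here is a minimal baseline-then-detect pass of the kind the Insights and Detection & Response pillars describe: it learns each user's normal applications and directories from one window of constructed access logs, then flags later events that fall outside that baseline, raising severity for accounts assumed to be privileged. The log format, user names and the privileged-user list are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample access logs (not from the article): "timestamp user app path"
BASELINE_LOGS = """\
2021-03-01T09:02 alice excel /finance/q1.xlsx
2021-03-01T09:40 alice excel /finance/budget.xlsx
2021-03-02T10:15 alice outlook /mail/inbox
2021-03-01T08:30 bob ssh /srv/db01/config
2021-03-02T08:45 bob ssh /srv/db02/config
2021-03-02T11:00 bob vim /srv/db01/config
""".splitlines()

REVIEW_LOGS = """\
2021-03-10T09:05 alice excel /finance/q1.xlsx
2021-03-10T23:10 alice winscp /hr/salaries.csv
2021-03-10T03:20 bob mysqldump /srv/db01/customers.sql
2021-03-11T09:00 bob ssh /srv/db02/config
""".splitlines()

PRIVILEGED_USERS = {"bob"}  # assumed: accounts with administrative access

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse(line):
    """Return (timestamp, user, app, directory) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, app, path = m.groups()
    return ts, user, app, path.rsplit("/", 1)[0] or "/"

def build_baseline(lines):
    """Per-user sets of applications and directories seen in the learning window."""
    apps, dirs = defaultdict(set), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        _, user, app, d = rec
        apps[user].add(app)
        dirs[user].add(d)
    return apps, dirs

def detect(lines, apps, dirs, privileged=PRIVILEGED_USERS):
    """Flag events outside the user's baseline; privileged accounts rank higher."""
    alerts = []
    for ts, user, app, d in filter(None, map(parse, lines)):
        reasons = []
        if app not in apps[user]:
            reasons.append(f"new app {app}")
        if d not in dirs[user]:
            reasons.append(f"new dir {d}")
        if reasons:
            severity = "high" if user in privileged else "medium"
            alerts.append((ts, user, severity, "; ".join(reasons)))
    return alerts
```

A real deployment would learn the baseline over weeks and add signals such as time of day and volume, but the shape is the same: insights first, then detection against them.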
Protecting The Enterprise
In this ever-changing threat landscape, Pearl says it’s critical for organizations to be proactive because “the bad guys have more time, more money and more resources than most organizations ever will.”
He says a multi-tiered approach can be applied not only to insider threats but also holistically across your organization’s entire cybersecurity program. In doing so, your organization can powerfully combine a zero-trust model, robust privileged access management and solid threat intelligence to confront the bad actors targeting your environment.
“All of that combined will help a CISO [chief information security officer] and the organization be able to make better decisions and build a more constructive and mature operating environment that can thwart some of these activities,” Pearl says.
This article has been published from the source link without modifications to the text. Only the headline has been changed.