Employee attrition is a natural part of operating any business, but with the Great Resignation leading millions of employees globally to head for the exit, it’s crucial to have an effective insider threat management program to ensure that staff don’t take company secrets with them, either intentionally (malicious) or by accident (negligent).
The risks of insider threats increased considerably during the pandemic. In fact, the cost of the average insider incident is now more than AU$20m (US$15.4m), according to the 2022 Cost of Insider Threats Global Report from Ponemon Institute.
The report also found that insider-led security incidents were occurring 44 per cent more frequently in 2022 than they were in 2020, as malicious, negligent (careless) and compromised insiders steal intellectual property, financial figures, and product and strategic information.
Companies with large amounts of commercially sensitive information reported larger-than-average cost increases for insider breaches, with financial-services companies experiencing a 47 per cent rise over the past year and retail firms reporting a 62 per cent increase in insider-related losses.
Educational institutions, with their massive repositories of research and commercial-in-confidence information, are also prime targets for insider threats. The Australian National University is currently undertaking a five-year information security program that includes significant information on how to manage all kinds of insider threats and foreign interference.
With insider threats just one of many access-related security issues facing businesses – others include third-party contractors, outsiders stealing access credentials, and more – companies already had their hands full shoring up their defences before the pandemic and the onset of the Great Resignation.
But with one recent Gartner employee survey noting that 38 per cent of workers are likely to look for a new job within the next 12 months, the threat of one of them damaging internal systems or taking proprietary data with them is greater than ever.
Changing labour market dynamics and chronic staff shortages, especially in the IT sector, have increased the likelihood of an employee already looking for another job with better pay and perks. Additionally, as the Great Resignation challenges businesses to get more proactive if they want to keep their employees, it is becoming increasingly important to protect and defend their data.
It also takes companies longer than ever to contain an insider threat incident when one occurs, rising from 77 days in 2020 to 85 in 2022, and this is a big deal. Incidents that took more than 90 days to contain had the highest average total cost per year of AU$23.93m (US$18m), while those that took less than 30 days to contain cost an average of AU$15.6m (US$11.2m). Yet regardless of how long an incident takes to contain, organisations can’t ignore the substantial costs these incidents impose on their operations.
So why has the time to contain an incident increased? Here are a few reasons:
- The insider threat incident often goes undetected, and the organisation is frequently notified after the fact
- Creating a clear timeline requires significant manual effort, involving log analysis to piece together what happened and when. This is even more challenging because it requires pulling together data from disparate tools, varying logs and forensic analysis, which are often outside of cybersecurity’s control
- Logs have to be requested from IT for the user’s endpoint and each application, which requires collaboration outside the security and HR teams for further investigations
- The legal process is methodical and often requires more collection of evidence
- Remediation requires data recovery and sometimes updating security controls and policies
Short tenures mean bigger threats
Increasingly short-lived tenures, particularly involving in-demand technical staff who want larger salaries elsewhere, have complicated insider threat management by diluting notions of employee loyalty.
One recent HackerLife analysis found that the median stay at Uber is just 1.3 years, for example, compared with 1.9 years at Apple, 2.2 years at Facebook and three years at Netflix, as employees often have little individual buy-in to the culture and security practices of the companies they work for.
This could predispose opportunistic employees to quietly vacuum up proprietary information before departing or, in worst-case scenarios, actively plant malware on the company network before their access is revoked.
Reports suggest that ransomware gangs are even actively recruiting employees within big tech and other company sectors this year, offering AU$1.33m (US$1m) or more in cryptocurrency for help in gaining access to their employer’s network.
Increasingly prolific ransomware gangs like Lapsus$ are, with some success, trying to buy credentials for company VPN access and often contact targeted individuals by private messaging on encrypted services like Telegram.
In one recent Hitachi ID study, some 65 per cent of respondents had been approached by cybercriminals for such assistance during December 2021 – well up from the 48 per cent saying the same a year earlier.
Plan to manage the threat
The prevalence and apparent success of such campaigns mean that an insider threat management program is now more vital than ever. With cyber fatigue and limited resources amongst the biggest challenges facing CIOs, cyber security teams are overwhelmed by the volume of alerts and by the tools they need to defend against internal threats, manually piecing together alerts from disparate systems.
To be most effective, such programs need to consider a range of potential risk vectors such as remote employees, contractors, third-party vendors, departing employees, and others.
Not all insider threats are malicious or intentional. Employees may just see it as their right to take their work projects home for future reference, but that doesn’t reduce the potential exposure of that data once it leaves the company.
Negligent or careless insiders are the most common cause of exposure, with Ponemon Institute finding they comprise 56 per cent of incidents, and their mistakes are usually less impactful.
Although the average cost per careless-insider incident is the lowest overall at AU$675,000 (US$485,000), the frequency of these events means they collectively cost organisations an average of AU$9 million (US$6.6 million) annually.
For the most part, such breaches happen when users forget or ignore corporate guidelines, continuing careless behaviour such as using popular passwords everywhere, sharing credentials between users, using unknown USBs, and leaving systems unprotected.
Technology isn’t helping, either, since easy access to cloud services outside the IT department’s control makes data exfiltration particularly difficult to monitor, although network visibility platforms can provide crucial insight into employee activity.
Mergers and acquisitions are another potentially problematic source of insider threat, with two company cultures combining and the threat of redundancies hanging in the air.
Implementing an effective insider threat management program ultimately comes down to this simple truth: data doesn’t move itself; people move data.
And their intentions and motivations are varied, which is why adopting a modern approach to data-loss prevention that uses a people-centric security model is now more essential than ever.