Businesses in every industry are affected by insider threats. Employees (past or current), contractors, or business partners can abuse their insider knowledge to cause financial, physical, or reputational harm to the company. Insider threats are one of the most common sources of damages businesses face.
Large corporations, classified as organizations with more than 75,000 employees, spent an average of $20 million in 2020 to resolve insider threat events; smaller businesses that were affected – those with a headcount below 500 employees – spent an average of $1.8 million. Credential risk is the most expensive type of insider attack – whether intentional or through negligence. On average, it costs a business nearly $650,000 per incident.
In a previous article, we outlined a few examples of insider threats and some ways to mitigate them. You can read that article by clicking here. Security Magazine, a leading editorial for professionals in the security industry, recently published an article highlighting the severity and increasing frequency of insider threats. The author, Maggie Shein, states:
A well-intentioned employee holding the door open for a stranger; a contractor getting his laptop with private company information stolen at the airport; a disgruntled cubemate posting company information on her social media platform of choice; a finance worker unwittingly giving password or computer access to a fake IT employee.
Insiders have always been potential risks to an organization, and yet with increased work-from-home situations and additional stressors heightened by the COVID-19 pandemic, security incidents from insiders continue to accelerate. According to the Ponemon Institute’s 2020 data, the number of reported insider incidents increased by 47% between 2018 and 2020.
The Cybersecurity and Infrastructure Security Agency (CISA) highlights ways to define, detect & identify, assess, and manage insider threats. All information contained below comes directly from CISA:
- Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors. This section provides an overview to help frame the discussion of insiders and the threats they pose; defining these threats is a critical step in understanding and establishing an insider threat mitigation program.
- Click here to see examples of insiders, what an insider threat is, different types of insider threats, how an insider threat occurs, and what resources are available to learn more about insider threats.
- Successful insider threat programs proactively use a mitigation approach of detect and identify, assess, and manage to protect their organization. The foundation of the program’s success is the detection and identification of observable, concerning behaviors or activities. Threat detection and identification is the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team.
- Click here to learn more about threat detection, threat indicators, and progressions of an insider toward a malicious incident.
- Threat assessment is the process of compiling and analyzing information about a person of concern who may have the interest, motive, intention, and capability of causing harm to an organization or persons. Threat assessment for insiders is a unique discipline requiring a team of individuals to assess a person of concern and determine the scope, intensity, and consequences of a potential threat. Threat assessments are based on behaviors, not profiles, and behaviors are variable in nature. The goal of a threat assessment is to prevent an insider incident, whether intentional or unintentional. No one-size-fits-all approach to a threat assessment exists. It should be holistic, respectful, and focused on helping the person of concern, recommending intervention strategies to prevent an insider incident, and mitigating the effects if a hostile act does occur.
- Click here to learn more about threat management teams, threat assessment processes, and assessment considerations.
- Proactively managing insider threats can stop the trajectory or change the course of events from a harmful outcome to an effective mitigation. Organizations manage insider threats through interventions intended to reduce the risk posed by a person of concern. The organization must keep in mind that the prevention of an insider threat incident and protection of the organization and its people are the ultimate goals. When an assessment suggests that the person of concern has the interest, motive, and ability to attempt a disruptive or destructive act, the threat management team should recommend and coordinate approved measures to continuously monitor, manage, and mitigate the risk of harmful actions.
- Click here to learn about management strategies, intervention and prevention considerations, and the use of law enforcement in threat management.
Help Net Security April 25, A. (2018, April 25). $8.76 million: The average yearly cost of insider threats. Retrieved from https://www.helpnetsecurity.com/2018/04/25/average-yearly-cost-insider-threats/
Insider Threat Mitigation. (n.d.). Retrieved from https://www.cisa.gov/insider-threat-mitigation
Insider Threat Statistics for 2020: Facts and Figures. (2021, March 18). Retrieved from https://www.ekransystem.com/en/blog/insider-threat-statistics-facts-and-figures
Shein, M. (2021, June 01). Walking the line: Navigating the insider threat. Retrieved from https://www.securitymagazine.com/articles/95322-walking-the-line-navigating-the-insider-threat