Insider Threats – Security Review Magazine
https://securityreviewmag.com
We bring you the latest from the IT and physical security industry in the Middle East and Africa region.

How to Protect Against Insider Threats in Cybersecurity
https://securityreviewmag.com/?p=27613
Thu, 02 Jan 2025 18:35:47 +0000

Written by Harikrishna Kundariya, Co-Founder and Director, eSparkBiz Technologies

Cybersecurity has evolved towards not only preventing external attacks but also safeguarding private information from any potential risks. To put it bluntly, in my opinion, the most underappreciated yet most dangerous cybersecurity threat comes from within the organization: insider threats. Cybersecurity threats can be broadly classified into two categories: insider and outsider.

The primary category is insider threats, in which employees, business partners, and contractors with authorized access to sensitive company data cause harm or neglect to act. Saboteurs are the most active offenders, while unintentional threats arise from lack of training or user mistakes. Critical systems and sensitive information are often accessible to insiders, so their actions can have huge ramifications, such as loss of money, a damaged reputation, and legal issues, to say the least.

According to research and studies, insider threats alone account for up to 22% of total breaches, emphasizing the need for strategic action against this worrisome trend.

Establish a Robust Access Control Policy
Insider threats can be addressed effectively by implementing a strict access control policy. This ensures that only specific individuals can access sensitive data and critical systems. Access to sensitive data and systems should always be granted on the least privilege model. In the simplest terms, an employee should be given only the access necessary to perform their job. In most cases, this will involve limiting access to sensitive information such as customer data, financial records or intellectual property to only those who need it for their role.

Implement User Activity Monitoring
An organization should always stay on the defensive and monitor user activity on its network and systems for any signs of suspicious activity or abnormal behaviour. This could include looking for logins at abnormal times, as well as watching when files are transferred and sensitive data is accessed. Most of the time, an insider threat shows up subtly as a change in ordinary user behaviour, such as employees accessing files they don’t typically need, downloading massive amounts of data, or making requests to sensitive parts of the network. Many companies provide user activity monitoring tools that help track behaviour within an organization and raise alerts on abnormal activity in real time.
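The signals named above (logins at unusual hours, access to files a user does not normally touch, unusually large downloads) can be checked against a per-user baseline. The following is an added example, not part of the original article; the event format, user names, resource names and thresholds are all assumptions, and the log events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: (timestamp, user, action, resource, bytes).
BASELINE = [ev for d in range(2, 7) for ev in (  # five ordinary working days
    (f"2025-01-0{d}T08:5{d}:00", "alice", "login", "-", 0),
    (f"2025-01-0{d}T10:00:00", "alice", "download", "crm/reports", (20 + d) * 10**6),
    (f"2025-01-0{d}T09:05:00", "bob", "login", "-", 0),
    (f"2025-01-0{d}T11:00:00", "bob", "download", "wiki/handbook", 5 * 10**6),
)]
TODAY = [
    ("2025-01-07T02:14:00", "alice", "login", "-", 0),
    ("2025-01-07T02:20:00", "alice", "download", "finance/payroll", 900 * 10**6),
    ("2025-01-07T09:10:00", "bob", "login", "-", 0),
    ("2025-01-07T11:30:00", "bob", "download", "wiki/handbook", 6 * 10**6),
]

def build_profiles(events):  # baseline: login hours, resources, bytes per day
    profiles = defaultdict(lambda: {"hours": set(), "resources": set(), "daily": defaultdict(int)})
    for ts, user, action, resource, size in events:
        t, p = datetime.fromisoformat(ts), profiles[user]
        if action == "login":
            p["hours"].add(t.hour)
        else:
            p["resources"].add(resource)
            p["daily"][t.date()] += size
    return profiles

def detect(profiles, events, sigma=3.0):  # returns (user, kind, detail) alerts
    alerts, today = [], defaultdict(int)
    for ts, user, action, resource, size in events:
        t, p = datetime.fromisoformat(ts), profiles.get(user)
        if p is None:  # account with no history: surface it, skip other checks
            alerts.append((user, "no_baseline", ts))
        elif action == "login":
            gap = min((min((t.hour - h) % 24, (h - t.hour) % 24) for h in p["hours"]), default=24)
            if gap > 1:  # circular distance, so 23:00 and 00:00 are one hour apart
                alerts.append((user, "unusual_login_hour", ts))
        else:
            if resource not in p["resources"]:
                alerts.append((user, "new_resource", resource))
            today[(user, t.date())] += size
    for (user, day), total in today.items():
        hist = list(profiles[user]["daily"].values()) or [0]
        # Floor the spread at 10% of the mean so a flat history is not hair-trigger.
        limit = mean(hist) + sigma * max(pstdev(hist), 0.1 * mean(hist))
        if total > limit:
            alerts.append((user, "volume_spike", f"{day}: {total} > {limit:.0f}"))
    return alerts
```

Calling `detect(build_profiles(BASELINE), TODAY)` flags alice's 02:14 login, her first access to `finance/payroll` and her 900 MB day, while bob's slightly larger than usual download stays under his limit.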

Enforce Strong Authentication and Password Policies
Weak authentication can expose systems to insider threats. Organizations should impose policies such as requiring multi-factor authentication (MFA) before access is granted to critical systems and sensitive data. MFA is a procedure whereby users logging in are asked for their fingerprint scan or a time-specific single-use passcode sent to their mobile devices. Besides MFA, it is also important to enforce a consistent password policy throughout the organization. Passwords should be hard to guess, different from one another and rotated in a timely manner.

Employee Training and Awareness Programs
Not all insider threats are malevolent acts; in most cases, carelessness and lack of knowledge play a crucial role. Employees are a major vulnerability to the organization, especially if they haven’t been trained on how to operate safely online, meaning they could inadvertently expose the organization to risk by opening phishing emails, picking weak passwords, and mishandling sensitive information.

Organizations should tackle these issues by rolling out consistent cybersecurity training every month or quarter. Training should cover how to recognize phishing, how to secure sensitive information and how to properly deal with company property.

Data Encryption and Secure Communication
Whether sensitive data is being stored or is in the process of transfer, encryption keeps it unreadable without the requisite key. Even if an employee gains unauthorized access, the information will not be usable. Emails, files and databases that carry sensitive data, such as intellectual property and personal and financial records, need to be encrypted as well. All forms of communication, external and internal, should be encrypted to eliminate any chance of intellectual property theft.

Develop an Insider Threat Response Plan
Creating an insider threat strategy is crucial for an organization, as no security measure is enough to eliminate all insider threat risks. The organization must have predefined protocols for handling a case in which an insider breaches the company, since replacement of technology and mitigation of losses can be part of the process. An efficient response mechanism should have well-defined communication and reporting procedures for an incident, as well as working protocols with law enforcement.

Regular Audits and Security Assessments
It is also prudent to emphasize the necessity of regular audits and security assessments as measures for enhancing the security of the organization’s assets. Audits of this kind should also cover user access control reviews and other sources for triangulating insider threats, such as system logs and employee behavior patterns. Routine audits also help organizations identify opportunities to further improve their operational readiness and investigative processes.

Foster a Culture of Trust and Transparency
While it’s important to put technical safeguards in place, creating a culture of trust and transparency within the organization can also help mitigate insider threats. This is because employees who feel valued and respected will have less incentive to engage in malicious acts that threaten the organization. Establishing trust comes down to being accessible to employees, supporting their aspirations, and dealing with problems as they arise.

Conclusion
Insider threats are perhaps the most dreaded and critical challenge for any organization. However, they can be countered using a mix of robust access mechanisms, employee training, monitoring of users’ activities and an effective incident response plan. With the right risk mitigations in place, organizations will protect their greatest assets, including data, systems, and reputation, from deliberate and unintentional insider threats. Given the shifting nature of cybersecurity, protecting systems and information against insider threats and penetration is still a top priority for organizations.

Insider Threats Cost Organizations $15.4 Million Annually: Proofpoint
https://securityreviewmag.com/?p=23731
Tue, 25 Jan 2022 12:31:12 +0000

Proofpoint has released its 2022 Cost of Insider Threats Global Report to identify the costs and trends associated with negligent, compromised, and malicious insiders. Notably, on average, impacted organizations spent $15.4 million annually on overall insider threat remediation and took 85 days to contain each incident.

The Report, independently conducted by Ponemon Institute, is issued every 2 years and is now in its fourth edition. It surveyed over 1,000 IT and IT security practitioners across North America, Europe, the Middle East, Africa, and Asia-Pacific. Each organization included in the study experienced one or more material events caused by an insider. The report reveals that over the last two years, the frequency and costs associated with insider threats have increased dramatically across all three insider threat categories, including careless or negligent employees/contractors, criminal or malicious insiders, and cybercriminal credential theft.

“Months of sustained remote and hybrid working leading up to ‘The Great Resignation’ has resulted in an increased risk around insider threat incidents, as people leave organizations and take data with them,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. “In addition, organizational insiders, including employees, contractors, and third-party vendors, are an attractive attack vector for cybercriminals due to their far-reaching access to critical systems, data, and infrastructure. With people now the new perimeter, we recommend layered defenses, including a dedicated insider threat management solution and strong security awareness training, to provide the best protection against these types of risks.”

“This year’s report reveals that organizations in the Middle East and Africa have experienced the highest number of insider-related threats over the past 12 months, and are the most likely to experience credential theft,” said Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint. “It is therefore imperative that organizations in the region remain alert and foster a strong security culture among its employees through effective and ongoing security awareness training underpinned by a people-centric cybersecurity approach.”

Key findings of the 2022 Cost of Insider Threats Global Report include:

  • Organizations impacted by insider threats spent an average of $15.4 million annually—that’s up 34 percent from $11.45 million in 2020. The total average cost of activities to resolve insider threats in the Middle East and Africa over the 12 month period was $14.29 million – which is 22 percent higher than the cost incurred in 2020.
  • The overall number of incidents has increased by a staggering 44 percent in just two years. The frequency of incidents per company has also gone up with 67 percent of companies experiencing between 21 and more than 40 incidents per year, up from 60 percent in 2020.
  • The negligent insider is the root cause of most incidents. 56% of reported insider threat incidents were the result of a careless employee or contractor, costing on average $484,931 per incident. This could be the result of a variety of factors, including not ensuring their devices are secured, not following the company’s security policy, or forgetting to patch and upgrade.
  • Malicious or criminal insiders were behind 1 in 4 incidents (26%) at an average cost per incident of $648,062. Malicious insiders are employees or authorized individuals who use their data access for harmful, unethical, or illegal activities. Because employees are increasingly granted access to more information to enhance productivity in today’s work-from-anywhere workforce, malicious insiders are harder to detect than external attackers or hackers.
  • Credential theft incidents have almost doubled since the last study. At an average of $804,997 per incident, credential theft is the costliest to remediate. The intent of the credential thief is to steal users’ credentials that will grant them access to critical data and information. A total of 1,247 incidents (or 18%) involved cybercriminals stealing credentials.
  • The time to contain an insider incident increased from the last study. It takes an average of nearly three months (85 days) to contain an insider incident up from 77 days in the previous study. Incidents that took more than 90 days to contain cost organizations $17.19 million on an annualized basis, while incidents that lasted less than 30 days cost an average of $11.23 million.
  • Financial services and professional services have the highest average activity costs. The average activity cost for financial services is $21.25 million and professional services is $18.65 million. Service organizations represent a wide range of companies including accounting, consultancy, and professional service firms.
  • Organizational size affects the cost per incident. The cost of incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $22.68 million over the past year to resolve insider-related incidents. To deal with the consequences of an insider incident, smaller-sized organizations with a headcount below 500 spent an average of $8.13 million.
  • North American companies are spending more than the average cost on activities that deal with insider threats. The total average cost of activities to resolve insider threats over a 12-month period is $15.4 million. Companies in North America experienced the highest total cost at $17.53 million. European companies had the next highest cost at $15.44 million.

Five signs that your organization is at risk:

  • Employees are not trained to fully understand and apply laws, mandates, or regulatory requirements related to their work and that affect the organization’s security.
  • Employees are unaware of the steps they should take to ensure that the devices they use—both company-issued and BYOD—are secured at all times.
  • Employees are sending highly confidential data to an unsecured location in the cloud, exposing the organization to risk.
  • Employees break your organization’s security policies to simplify tasks.
  • Employees expose your organization to risk if they do not keep devices and services patched and upgraded to the latest versions.

Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute commented, “Insider threats continue to climb, both in frequency and remediation cost. That said, we are seeing the risk of malicious insider threats increase – with more users accessing business data from outside the confines of the office. This can blur the security team’s ability to identify and differentiate between well-meaning employees, and malicious insiders trying to siphon sensitive business data.”

The Report surveyed organizations in North America, Europe, Middle East, Africa, and Asia-Pacific with a global headcount of 500 to more than 75,000 over a two-month period concluding in September 2021. In this year’s study, we interviewed 1,004 IT and IT security practitioners in 278 organizations that experienced one or more material events caused by an insider. A total of 6,803 insider incidents are represented in this research.
