Cybersecurity: It’s Time to Eliminate the Weakness Within

Back in the days of kings, knights, and castles, defending your fortress and securing the perimeter also involved looking in your own courtyard for threats that may already lurk within. The same is true with protecting your organization’s crown jewels today. It’s important to keep an eye on employees with insider information about how critical operations are run, where vital data is stored, the manner in which systems are set up and operated, and the vehicles for exchanging sensitive material.

While these people and their responsibilities are valuable to the success of the business, any weakness poses a serious security threat. Even though insider threats can be very costly to the business, (read our blog on the Impact of Cybersecurity on Brand Trust) they aren’t always intentional, as we’ll see. In this blog we’ll start asking the questions — and examining the answers — required to build a solid security foundation of insider threat intelligence that will help defend your data.

Why are insider threats so dangerous?

Simply put, insider threats are one of the primary reasons that organizations suffer security breaches today. We’ve compiled a few stats from research by Cybersecurity Insiders to highlight the current landscape:

  • 90% of cybersecurity professionals feel vulnerable to insider threats
  • 53% of cybersecurity professionals confirmed they experienced insider attacks in the past 12 months
  • 27% of organizations stated that during the past 12 months, insider attacks have become more frequent, while 46% stated attack frequency has remained the same

These threats are leading to the loss or theft of massive amounts of data, as well as the disruption of internal systems that negatively impact business profits and operations. In fact, that same report noted that 27% of insider attacks were responsible for damages between $100,000 and $500,000, while 24% of attacks caused damages exceeding $500,000.

Where do the threats originate?

One of the main reasons insider threats are so destructive is because of where they originate — from within. Outside threats are more easily blocked from perimeter security, such as firewalls guarding the network. Since insiders bypass front line defenses with granted access, they have a significant head start, making them far more dangerous than the anticipated attack from outside the company walls.

The source of insider threats isn’t always current employees, but can also be a former employee, a contractor who works for a supplier, a business associate who is granted access to a company’s network, or even an adversary using stolen credentials to pose as an employee.

If insiders carry out a threat with intent and malice, it’s typically because they are motivated by revenge, financial gain, ideology, exploitation of personal information, espionage, thrill, or simply bragging rights. Examples of insider threats follow:

  • Theft: A disgruntled ex-employee steals valuable information and sells it to the highest bidder to get even for being wronged by the company
  • Sabotage: A contractor is bribed by a nation state, forcing him to abuse his authorized access to a power plant and cause it to malfunction
  • Fraud: A business associate steals an employee’s credentials and sends an email under false identity to the finance department requesting a money transfer to her personal account
  • Fear: An employee is threatened with physical harm via email or another form of electronic communication unless he hands over his key card for the perpetrator to gain access to an unauthorized area

On the flip side, if the cause of a successful insider attack is unintentional, it’s most likely because the people who are responsible for the data leak have no knowledge that their actions were the cause. This usually happens when employees are careless with regard to following company policy, or don’t have the proper security training. For example, one of the most common scenarios is when an employee takes sensitive company data and stores it in a personal email program or unsanctioned cloud platform to facilitate access and collaboration. They don’t realize that this unofficial practice is highly risky.

Which assets are in harm’s way?

For purposes of examining the assets that are typically targeted, and therefore in the most jeopardy, we’ll focus on the intentional insider attacks. Data leaks that are unintentional tend not to target specific assets, rather they inadvertently expose assets because best practices are not followed. Therefore, there is no credible pattern of targeted assets.

Attackers aim to expose any asset that can be used to weaken the position of an organization, or to simply make money. Such assets may be trade secrets that are manipulated for political gain, or sold to illegal buyers for a profit. Commonly targeted assets we see today include:

  • Financial data
  • Employee files
  • Software code
  • Customer account information
  • Health records
  • Critical control systems

Targeted assets can also take the form of emails or recorded conversations containing controversial material used to embarrass a high-ranking executive or damage a competitor’s brand. These types of breaches may result in a damage control campaign being launched, a victim being thrust into the public spotlight, or an employee being forced to resign – all of which can do serious damage to a company’s brand.

In yet another scenario, a film production company could have its video content targeted for financial gain or just because the insider wants his own 15 minutes of fame. If the unreleased content finds its way to the public, it could result in a major loss of revenue from movie theatre ticket sales, DVD purchases, and online video rentals. The content could also be held for a ransom, threatening the company to pay up or risk the early release of its soon-to-be box office smash.

How do insider attacks find the targeted asset?

Let’s get down to the art of how insiders get data out of an organization, and the channels they use to carry out the attack. The first channel is the ever-popular internet with myriad options to get the job done. Unlike restricting outside attacks using methods to block and deny access, it’s a greater challenge when an internal attacker has already been granted access. At that point, insiders can exfiltrate data through GitHub or Dropbox if the applications aren’t blocked internally, or they can email data to their personal accounts.

Insiders can also use a physical storage device, such as a USB drive to copy off sensitive information. Because these devices have increased in data capacity and decreased in size, they have become a tool of choice for attackers because they can discreetly carry data right out of the front door. The same can be accomplished using personal devices to store and record sensitive information, because a person using his own phone at work is certainly not suspicious behavior.

The insider who commits the unintentional attack causes the leak by losing a device like a phone, laptop, or tablet where valuable data resides. If the data isn’t encrypted or falls into the hands of a criminal who can bypass the encryptions, the data is at risk to be stolen or compromised – or both.

How can data be protected?

As part of any cybersecurity plan, it’s important to have an insider threat program to help mitigate risk and prevent breaches. This type of program can be designed by first asking the right questions to help identify priorities and set objectives. That way success can be measured periodically and improvements can be made as needed.

Sample questions include:

  • What data or systems, if lost or compromised, would be the most damaging to the company?
  • Where are the data and systems located? On-premises? In cyber space?
  • Who in the organization has the most access to the most sensitive data or systems?

By evaluating the information gathered from these types of questions, organizations can develop the framework for a comprehensive insider threat program. At that point, decisions about processes and technology solutions can be made that will support the program and the viability of the business.

We’ll share our approach for setting up an insider threat program that is both efficient and effective for defending your company’s valuable assets in an upcoming blog. In the meantime, please visit us for more information at