How the insider has become the no.1 threat

By Jon Fielding, Managing Director, EMEA at Apricorn.

  • 1 year ago Posted in

The insider threat is now twice as likely as phishing to be the cause of a breach. That’s according to a recent survey by Apricorn of over 200 IT security decision makers which found insider threats were the biggest threat with 40% citing these (22% unintentional and 20% intentional) as the main cause of a data breach within their organisation. For comparison, almost a quarter (24%) of breaches were found to result from ransomware attacks, a fifth phishing emails (21%) and lost/stolen devices (18%).

The results may seem surprising given that phishing attacks usually dominate the headlines until we look at the cause of this surge. Non-malicious insider threats can, to a large extent, be attributed to an increase in the remote workforce. The same survey revealed that 48% of mobile workers knowingly put corporate data at risk of a breach in 2023, revealing that hybrid or remote working is playing a role. But the increase in malicious attacks is also due, in part, to the economic pressures people are now under, allowing organised criminal gangs to brazenly recruit insiders.

Complicit recruits

It’s a combination of events that the ISC2 has also picked up upon in its Cyber Workforce Study 2023 which found that 52% had experienced an increase in the insider threat over the past year, with 71% attributing this to economic uncertainty. Moreover, of those who had contact with a malicious insider, 39% said they or someone they knew had been approached to become one, revealing just how widespread the practice is and that insiders may well be recruiting other insiders.

In fact, the problem of malicious leakage has doubled compared to last year, with a fifth of organisations reporting they had suffered a breach attributable to malicious employee during 2023, according to the Apricorn survey. There is a certain resignation to this with almost half (48%) admitting that their company’s mobile or remote workers have knowingly exposed data to a breach over the past year, a rise from 29% in 2022, while 46% stated that their remote workers “don’t care” about security, up from 17% the previous year.

For the organisation, this means the insider threat has not only become more pronounced but harder to counter. It requires effective management on two fronts in terms of managing the remote/mobile workforce and dissuading employees from swapping cash for credentials/data. For these reasons, businesses need to reinforce the security culture through staff awareness training and step up their policy enforcement, in addition to applying technical controls to ensure data is protected at all times.

That’s not what is happening today. The Apricorn survey found only 14% of businesses control access to systems and data when allowing employees to use their own equipment remotely, a huge drop from 41% in 2022. Nearly a quarter require employees to seek approval to use their own devices, but they do not then apply any controls once that approval has been granted. Even more concerning is that the number of organisations that don’t require approval or apply any controls has doubled over the past year (17% compared to 8% in 2022). This indicates a hands-off approach that assumes a level of implicit trust, directly contributing to the problem of the insider threat.

Bringing insiders back

So, what needs to happen for organisations to exercise control and to help mitigate the risk? Firstly, we need to see a more proactive approach, starting with staff awareness programs that must be relevant and meaningful. The processes they advocate should not impede workflow because overly prescriptive controls can create obstacles that frustrate users and encourage them to seek workarounds. A balance needs to be reached to make the controls workable.

Secondly, while employee devices are here to stay, it’s imperative that the organisation exercise some control over their use. There are now numerous ways to remotely manage the end user device and endpoint connectivity. Zero Trust initiatives, for example, are rapidly making the VPN obsolete in providing a secure means of access. The principle behind zero trust is never trust and always verify so that every access request is treated as potentially malicious until it is authenticated. It’s an approach which is much more suitable for distributed networks than the trust traditionally assumed within the perimeterised network. Zero Trust also exercises the concept of least privilege, where the individual user is only given access to the data required to do their job, thereby limiting the potential for a malicious user to infiltrate the network.

Encryption should also be more widely used to protect data at rest, in transit and in use, helping to prevent the interception or loss of data. However, the number of businesses encrypting physical devices has declined markedly over the past two years. Only 12% encrypt data on laptops today compared with 68% in 2022 and only 17% desktop computers, down from 65%. Similarly, only 13% encrypt mobile devices versus 55% in 2022, 17% USB sticks, down from 54%, and 4% portable hard drives, down from 57%. It’s a rapid decline that suggests the focus has shifted to other data protection methods, leaving these devices unnecessarily exposed.

Prioritise recovery

Finally, in the event that data is compromised or stolen, the business will need to ensure it can rapidly recover, which makes an effective backup strategy a must. Ideally there should be provision for physical local backups to be made as well as sending data to a centralised cloud-based repository. The 3-2-1 rule is well known in providing a belt and braces approach in this regard. It advocates that at least three copies of data should be held on at least two different media with at least one held offsite, preferably offline and encrypted.

Taking these steps can help ensure end users and their devices are effectively managed, reducing the opportunity for employees to compromise data whether that be intentionally or unintentionally. Going forward, the likelihood is that both instances will increase. Cutbacks are seeing staff workloads grow, increasing the potential for error. The cost of living crisis is beginning to bite deeper, making those same staff more susceptible to criminal recruitment. And, at the same time, organisations have taken their eye of the ball, failing to maintain best practice procedures such as the use of backup and encryption to protect data. It's therefore vital that we get ‘back to basics’ to stem the flow of data being liberated by insiders.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.