Insider threats are individuals with legitimate access to the company’s network who use that access, whether maliciously or unintentionally, in a way that causes harm to the organization. Insiders are usually employees, but they can also be former employees, contractors or business partners who still have access to company networks or data. The image below shows the types of insiders:
By some estimates, insider threats account for 60% of cyber attacks, and they are notoriously difficult to detect: most cases go unnoticed for months or even years.
It takes on average more than two months to contain an insider incident: the Ponemon Institute reports more than 77 days to contain each insider threat, and IBM Security reports that the average time to identify and contain a breach was 280 days. More than nine months!
97% of IT leaders acknowledge that insider breach risk is a concern for their organization, with 78% saying that employees have accidentally put data at risk (careless employees) and 75% saying that employees have done so intentionally (malicious employees). Whether it was intentional or not, one thing is sure: your data is at risk!
What are the causes and who are those insider threats?
Here is a diagram published by Egress which shows the typical causes of insider threats, with sharing data to personal systems and leaking data to a competitor making up the largest portions. Adding up the categories below, about 93% involve employees who are about to leave the company: taking data to a new role, selling it to a competitor, acting out of resentment after losing a job, being blackmailed by cyber criminals, and more.
The “departure risk”
“Departure risk” refers to an employee who is about to end their employment with a company, for whatever reason. Such employees typically show a recognizable pattern: their browsing and email behavior indicate that they are leaving. This matters for insider threats because over 80% of departure-risk employees take data with them, anywhere from two weeks to two months before their termination date.
The image below shows how data is exfiltrated and through which channels:
The most common channel, accounting for almost 44% of all exfiltrated data, is still forwarding email to a personal email account. Hard to believe, isn’t it?
Other common channels include:
- aggregating and staging data in specific folders,
- copying data to unencrypted USB devices,
- uploading data to external file-sharing sites (WeTransfer, Google Cloud, MegaUpload, etc.).
TIP: Make sure you have a system in place that alerts you on all of those activities and can block the specific transfer, or encrypt the company’s sensitive data so it cannot be used outside the company. That combination is Data Loss Prevention + User Behavior Analytics, and we’ve got you covered in one platform!
User Behavior Analytics (UBA)
UBA operates as an early warning system: it detects episodes of abnormal user activity inside or outside the corporate network, identifies a potential threat or a precondition for a policy violation, and alerts on the possible risk.
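The exfiltration channels listed above (forwarding mail to personal accounts, unencrypted USB copies, uploads to file-sharing sites) and the per-user early warning that UBA is meant to give can be illustrated with a small detector. The following Python is an added example written for this article, not code from the original page or from any product it mentions. The log format, the corporate domain `example.com`, the webmail domains and the file-sharing host list are all assumptions chosen for the example; the log lines are constructed. It classifies each event into a channel and then rates each user on how many distinct channels they touched and how many bytes they moved, which is the kind of correlation a single-channel rule cannot do:

```python
import re
from collections import defaultdict

# Assumptions for this example (not from the original page): the corporate
# mail domain, the personal webmail domains and the file-sharing hosts to watch.
CORPORATE_DOMAIN = "example.com"
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
FILE_SHARING_HOSTS = {"wetransfer.com", "drive.google.com", "mega.nz", "dropbox.com"}

# Constructed sample log lines in a hypothetical key=value format; each line is
# one event from a mail gateway (email), an endpoint agent (usb) or a web proxy (http).
SAMPLE_LOG = """\
2024-03-04T09:12:03Z user=jdoe channel=email to=jdoe.home@gmail.com bytes=2400000
2024-03-04T09:40:11Z user=jdoe channel=usb device=SanDisk encrypted=no bytes=512000000
2024-03-04T10:02:45Z user=jdoe channel=http host=wetransfer.com method=POST bytes=350000000
2024-03-04T10:30:00Z user=asmith channel=email to=partner@vendor.example bytes=12000
2024-03-04T11:00:00Z user=asmith channel=usb device=Kingston encrypted=yes bytes=20000000
2024-03-04T11:15:00Z user=asmith channel=http host=intranet.example.com method=POST bytes=3000000
2024-03-04T12:00:00Z user=bwong channel=email to=bwong@example.com bytes=8000
2024-03-04T12:30:00Z user=cpatel channel=email to=c.patel@outlook.com bytes=50000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        ev[key] = value
    ev["bytes"] = int(ev.get("bytes", "0"))
    return ev


def exfil_channel(ev):
    """Map an event to one of the exfiltration channels from the article, or None."""
    channel = ev.get("channel")
    if channel == "email":
        domain = ev.get("to", "").rpartition("@")[2].lower()
        if domain != CORPORATE_DOMAIN and domain in PERSONAL_MAIL_DOMAINS:
            return "email_to_personal"
    elif channel == "usb":
        if ev.get("encrypted", "no").lower() != "yes":
            return "unencrypted_usb"
    elif channel == "http":
        host = ev.get("host", "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            return "external_upload"
    return None


def analyze(log_text, byte_threshold=100_000_000, channel_threshold=2):
    """Aggregate flagged events per user and rate the result.

    A user who touches several channels, or moves more than byte_threshold
    bytes through flagged channels, is rated 'high'; a single small event is
    'low' and only worth correlating with other signals (e.g. a resignation).
    """
    per_user = defaultdict(lambda: {"channels": set(), "bytes": 0, "events": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rule = exfil_channel(ev)
        if rule is None:
            continue  # benign: corporate mail, encrypted USB, internal upload
        agg = per_user[ev["user"]]
        agg["channels"].add(rule)
        agg["bytes"] += ev["bytes"]
        agg["events"].append((ev["ts"], rule, ev["bytes"]))

    alerts = {}
    for user, agg in per_user.items():
        if len(agg["channels"]) >= channel_threshold or agg["bytes"] >= byte_threshold:
            severity = "high"
        else:
            severity = "low"
        alerts[user] = {
            "severity": severity,
            "channels": sorted(agg["channels"]),
            "bytes": agg["bytes"],
            "events": agg["events"],
        }
    return alerts


if __name__ == "__main__":
    for user, alert in analyze(SAMPLE_LOG).items():
        print(user, alert["severity"], alert["channels"], alert["bytes"])
```

On the constructed log, `jdoe` hits all three channels in one morning and is rated high, `cpatel` sends one small message to a webmail address and is rated low, and the encrypted USB copy and vendor email from `asmith` are not flagged at all. In a real deployment the thresholds would come from a per-user baseline rather than fixed constants, and a low rating would be combined with HR signals such as a notice period before anyone acts on it.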
Classification of sensitive data is a must!
Devising an effective data loss prevention strategy requires IT leaders to understand which types of data are most vulnerable to which type of internal breach. Top of the list for both accidental and intentional internal breach risk is employee data, including personal identifiers and salary information, closely followed by company intellectual property. Interestingly, given the current regulatory climate, customer data including personally identifiable information (PII) was ranked only third.
So, do you know which data is sensitive? Where it resides? Who has access to it? These are the major questions you need to answer.
TIP: Implement a DCAP (data-centric audit and protection) solution for automated file system auditing, detection of access violations and monitoring of changes to critical data.
What the FileAudit solution solves automatically:
- Classification of vulnerable data: finds files in the document flow that contain critical information and assigns a type to each file (personal data, trade secret, credit card numbers, etc.).
- Access rights audit: supports access control for confidential information by automatically monitoring open resources, files available to a specific user or group, and privileged accounts.
- Critical document archiving: makes shadow copies of critical files found on PCs, servers or network folders and keeps the history of their revisions. The confidential data archive helps in incident investigation and allows recovery of lost information.
- User activity monitoring: audits user operations in the file system, so that the specialists responsible for risk mitigation always have up-to-date information about changes made to a file (creation, editing, moving, deletion, etc.).
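The classification step above (finding files that contain personal data, trade secrets or credit card numbers and tagging them with a type) is the piece most people get wrong, because a naive digit pattern tags every order number as a card. The following Python is an added example written for this article, not FileAudit’s code or any other product’s. The trade-secret marker words, the email pattern and the sample "document flow" are constructed assumptions; the card-number check uses the Luhn checksum, which every real payment card number satisfies, so a 16-digit order number that fails it is left alone:

```python
import re

# Assumptions for this example (not from the original page): the markers that
# identify a trade secret document. A real policy would define its own.
TRADE_SECRET_MARKERS = ("trade secret", "confidential", "internal use only")

# 13-19 digits with optional single space/dash separators, not glued to other digits.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample "document flow": path -> file content.
# 4111 1111 1111 1111 is a well-known Luhn-valid test number; the "order"
# number has 16 digits too but fails the checksum.
SAMPLE_FILES = {
    "hr/payroll_2024.csv": "name,email,salary\nJane Doe,jane.doe@example.com,72000\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111, order 1234 5678 9012 3456\n",
    "rnd/formula.md": "CONFIDENTIAL - trade secret: catalyst ratio 3:1\n",
    "public/readme.txt": "Welcome to the intranet.\n",
}


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like PANs and pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify_text(text):
    """Assign the article's data types to a piece of text (sorted list of labels)."""
    labels = set()
    if find_card_numbers(text):
        labels.add("credit_card_number")
    if EMAIL_RE.search(text):
        labels.add("personal_data")
    lowered = text.lower()
    if any(marker in lowered for marker in TRADE_SECRET_MARKERS):
        labels.add("trade_secret")
    return sorted(labels)


def classify_files(files):
    """Classify every file in a path->content mapping; unlabeled files are omitted."""
    result = {}
    for path, content in files.items():
        labels = classify_text(content)
        if labels:
            result[path] = labels
    return result


if __name__ == "__main__":
    for path, labels in classify_files(SAMPLE_FILES).items():
        print(path, labels)
```

Running it over the sample files tags the payroll export as personal data, the refund note as containing a card number (the order number is correctly ignored), the formula as a trade secret, and leaves the readme untagged. Those labels are what the access-rights audit and shadow-copy steps later act on; for files on disk you would read each path with `open(path, errors="replace").read()` and feed it to `classify_text`.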