We all know the name, Edward Snowden. Variously described as a whistleblower, hero, or even a traitor, in the security community, he is what is known as an ‘insider threat.’ With Snowden and his wife recently seeking dual citizenship in Russia and the U.S., his story has been brought back into the spotlight, offering an opportunity to reflect on what his actions taught the world, and particularly cybersecurity professionals, about the danger of both malicious and unintentional insider risks.
By Trevor Daughney, VP, Product Marketing, Exabeam
A former contractor to the CIA, in 2013 Snowden copied and released thousands of classified documents to journalists, many relating to secret and controversial government surveillance activities in the U.S. and abroad. As details were gradually released in the media during subsequent months, the scandal surrounding Snowden grew, and having fled to Moscow, he has been living in Russia since, the subject of ongoing criminal charges from the U.S. government.
The Complex Nature of Insider Threats
Snowden’s story is just one example of the potential risk posed by insider threats. But his activities, while being the highest-profile, are by no means typical of the scenarios faced by most organizations, particularly in the commercial context.
In most cases, insider threats will take three key forms. The “compromised” insider is considered by many to be the most problematic because this person has generally done nothing but innocently click on a link or input a password. This is often the result of phishing campaigns, which present users with a link to an authentic-looking website to convince them to input login credentials or other sensitive data.
As the name suggests, the “malicious” insider is typically an employee or contractor who steals information for financial gain or seeks to disrupt or damage an organization to hurt, punish, or embarrass it. The various Apple engineers who were charged with data theft for stealing driverless car secrets for a China-based company are just one of many examples.
A third form, no less dangerous, is the “accidental” or “negligent” insider. This can be particularly challenging, because irrespective of how much care organizations and employees take over cybersecurity, mistakes happen. Something as simple as an employee leaving a workstation unlocked in a shared area could result in a data breach. Accidental incidents can even happen to executives — for example, a CEO might not think twice about sending sensitive information to a personal account to work on over the weekend. The point is, no one is immune from the risks associated with insider threats, so the way organizations approach these various challenges is central to their safety.
These are far from isolated risks. According to the Information Risk Research Team at Gartner, for example, insider threats account for 50-70% of all security incidents, and for security breaches specifically, insiders are responsible for three-quarters of them. The consequences can be severe, with the Ponemon Institute estimating that insider threats cost $8.76 million per year per affected company. This is not least because it takes an average of 280 days to identify and contain each breach — a frightening scenario for any organization to face. Unfortunately, the cost is only increasing with each passing year. From 2018 to 2019, the cost of a single malicious insider attack increased by 15%, from $1.4 million in 2018 to $1.6 million in 2019.
Protection and Mitigation
One of the biggest issues when it comes to insider threats is that they can be very hard to predict, let alone mitigate. If an outsider is trying to get around a firewall, for example, software and security protocols can be employed to prevent it. However, most traditional cybersecurity solutions don’t turn that focus inwards to reveal what happens within the organization.
While increasing awareness about insider threats has helped organizations address some of the core risks, there remains a series of steps that many still don’t apply as rigorously as they should. The first is simple: invest in training. Without a doubt, some accidental and compromised insider attacks can be prevented by training end-users to spot and avoid phishing attempts.
Next, focus on user behaviors. Most security programs can benefit from user and entity behavior analytics (UEBA): by establishing what typical behavior looks like for each user and device, security teams can more easily detect when activity deviates from that baseline. Third, organizations should arm themselves with the technology infrastructure and tools to see the whole picture and address the layered challenge of insider threats. Systems powered by artificial intelligence and machine learning are now used by organizations around the world as the foundation for effective, proactive protection, with security information and event management (SIEM) systems one example of how these technologies are being applied to the risks posed by human error, negligence, and malicious insiders.
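To make the UEBA idea concrete, here is a small added illustration of baseline-and-deviation scoring. It is not Exabeam’s code or any product’s algorithm; it is a toy written for this article. It assumes a constructed activity log with four fields per event (user, hour of day, bytes sent out, host accessed), learns each user’s normal working hours, outbound volume, and set of hosts from a baseline window, and then flags new events that fall outside that baseline. All user names, hosts, and numbers are made up.

```python
"""
Toy UEBA-style baseline check (added illustration, not a product's algorithm).

Events are (user, hour_of_day, bytes_out, host). A per-user baseline is built
from a window of known-good activity; later events are scored against it.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: two hypothetical users with ordinary activity.
BASELINE_EVENTS = (
    [("alice", h, b, "fileshare-01") for h, b in zip(
        [8, 9, 10, 11, 13, 14, 15, 16, 17, 9],
        [2000, 2500, 3000, 3500, 4000, 4500, 5000, 3000, 2500, 3500])]
    + [("bob", h, b, "crm-db") for h, b in zip(
        [9, 10, 11, 12, 13, 14, 15, 16, 17, 18],
        [1000, 1200, 1500, 1100, 1300, 1400, 1000, 1250, 1150, 1350])]
)

# Constructed events to score: one ordinary, two suspicious, one unknown user.
NEW_EVENTS = [
    ("alice", 10, 3000, "fileshare-01"),   # looks like a normal workday event
    ("alice", 2, 50_000_000, "hr-db"),     # 2 a.m., huge transfer, new host
    ("bob", 12, 2000, "crm-db"),           # usual hours/host, but volume jumps
    ("mallory", 11, 500, "crm-db"),        # no baseline exists for this user
]


def build_baseline(events):
    """Summarize each user's normal hours, outbound volume, and hosts."""
    per_user = defaultdict(lambda: {"hours": [], "bytes": [], "hosts": set()})
    for user, hour, bytes_out, host in events:
        per_user[user]["hours"].append(hour)
        per_user[user]["bytes"].append(bytes_out)
        per_user[user]["hosts"].add(host)

    baseline = {}
    for user, d in per_user.items():
        baseline[user] = {
            "hour_min": min(d["hours"]),
            "hour_max": max(d["hours"]),
            "bytes_mean": mean(d["bytes"]),
            # Guard against a zero std-dev when every sample is identical.
            "bytes_std": pstdev(d["bytes"]) or 1.0,
            "hosts": set(d["hosts"]),
        }
    return baseline


def score_event(baseline, event, z_threshold=3.0):
    """Return a list of human-readable reasons an event deviates (empty = normal)."""
    user, hour, bytes_out, host = event
    if user not in baseline:
        # An identity with no history cannot be judged normal; route to review.
        return [f"no baseline for user {user}"]

    bl = baseline[user]
    reasons = []
    if hour < bl["hour_min"] or hour > bl["hour_max"]:
        reasons.append(f"off-hours activity at {hour:02d}:00")
    z = (bytes_out - bl["bytes_mean"]) / bl["bytes_std"]
    if z > z_threshold:
        reasons.append(f"outbound volume z-score {z:.1f} exceeds {z_threshold}")
    if host not in bl["hosts"]:
        reasons.append(f"first observed access to host {host}")
    return reasons


def find_anomalies(baseline, events):
    """Pair each flagged event with its reasons, dropping events that scored clean."""
    flagged = []
    for event in events:
        reasons = score_event(baseline, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    bl = build_baseline(BASELINE_EVENTS)
    for event, reasons in find_anomalies(bl, NEW_EVENTS):
        print(event, "->", "; ".join(reasons))
```

The point of the toy is the shape of the approach rather than the specific thresholds: each signal (time of day, volume, new resource) is weak on its own, and Bob’s event shows why volume alone can be worth a look even when the hour and host are familiar. A real deployment would compare against peer groups as well as the individual, weight and age the baseline over time, and feed the scores into a SIEM alongside other telemetry instead of printing them.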
In the current climate of uncertainty and risk, organizations that can double down on their approach to insider threats will be better placed to protect their employees, systems, and data in the long term. A proactive strategy that blends technology and training can eliminate the insider threat blindspots that still pose a major risk across millions of organizations today.
About the Author
Trevor Daughney is Vice President of Product Marketing at Exabeam. Trevor is a marketing executive with a track record of building high performing teams to take enterprise cybersecurity SaaS and software technology and turn them into successful global businesses. Prior to Exabeam, he led enterprise product marketing at McAfee, Ping Identity, and Symantec. Trevor approaches marketing with a global mindset and builds on his experiences living and working in the US, Canada, and Asia. He has an MBA from the University of California, Berkeley.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.