Insider threats are a hot topic in the cybersecurity world due to the unique threats they pose due to their internal access to an organization.
While insider threat detection software is becoming increasingly more sophisticated thanks to behavioral analysis from artificial intelligence until these systems are absolutely perfect the human element is going to remain a challenge for organizational cybersecurity.
Even once insider threats are detected, the effort to contain the damage they cause requires immense time and resources. The 2020 Cost of Insider Threats Global Report from the Ponemon Institute indicates that it takes a staggering average of 77 days to contain an insider incident.
Insider threats take two major forms – malicious and negligent.
Malicious insider threats knowingly engage in the damage they cause, and negligent insider threats inadvertently cause harm through bad habits or by becoming victims of attempts from bad actors attempting to gain access to the organization’s data and systems. The Ponemon Institute report mentioned above also reveals that negligent insider threats cause 62% of security incidents – they will be the main focus for today’s article.
Are Insider Threats The Weakest Link In Cybersecurity?
Wherever a vulnerability exists and the motive to gain access to a given organization’s data and systems is strong enough, it can and will be exploited. A report from IBM found that in 2015 60% of all attacks against an organization were carried out by insiders, making employees considerable targets for nefarious persons to use as a method of gaining unauthorized access. As time goes on and technology becomes more sophisticated, so to will the methods of attack used against organizations.
What Makes Employees Vulnerable
The exact methods of turning employees into unwitting insider threats can vary, though they tend to exploit many of the same root causes – bad habits caused by their trusting nature or a lack of cybersecurity awareness.
Employees Are Humans, and Humans Are Far Too Trusting
Software is far more predictable and consistent than humans will ever be. While security policies are a necessary fundamental component of an organization’s cybersecurity plan, humans can’t exactly be programmed to follow them perfectly every time.
Anyone who has spent enough time in a building with keycard access doors can see the vulnerability of human trust play out first hand: Two people approach a keycard-enforced access door at the same time, Person A dis-engages the door lock with their keycard – what happens next?
In an entirely unrealistic security-centric utopia:
- Person A will pass through the door and wait for it to close completely, ensuring Person B remains on the opposite side of the door throughout the entire process.
- Person B respects their responsibility to patiently wait on the outside of the door until it fully closes and re-engages the lock.
- With the door now closed and lock securely, Person B now dis-engages the lock with their keycard and passes through, only continuing on after the door is verified to be closed with the lock re-engaged.
While the above scenario is technically the most secure process, it’s far from realistic.
Here’s what usually happens in the real world:
- Person A unlocks the door and continues on their merry way, maybe paying a half-hearted degree of attention to what Person B decides to do, maybe not; or
- Person A unlocks the door and proceeds to hold the door open for Person B with a minimal pause.
That’s not to say that the needs of organizational cybersecurity merit a dystopian reprogramming of mankind to eradicate pro-social behavior such as holding doors open for other people. Effective mitigation of negligent insider threats simply requires a realistic understanding that policies alone aren’t enough for cybersecurity – organizations also need to account for human behavior.
Social Engineering & Phishing
Cybersecurity is often heavily focused on external threats such as hackers attempting to remotely access an organization’s valuable data and systems from the outside, but with the power of social engineering, an organization’s greatest threat can actually be coming from the inside.
Social engineering is a form of deception used by bad actors to exploit the trust an organization’s employees have in their colleagues and other people. While external threats certainly need to be addressed, it’s not the only threat to an organization’s cybersecurity. Employees on the inside can inadvertently become vulnerabilities by being a little too helpful when a seemingly trustworthy coworker or familiar vendor begins asking for resources, information, or favors that fall outside of their usual scope of work.
The reason that social engineering is so effective against employees is that while humans aren’t as predictable as the technology they are responsible to protect, they do have known psychological quirks that make them easier to bypass than is ideal.
This can be seen in the case of Kevin Mitnick, who managed to gain access to a development server owned by Digital Equipment Corporation by simply calling them and pretending to be a lead developer in need of a password change. While Kevin’s social engineering stunt was made in 1979 and surely organizations have become more aware of these sorts of practices, something as simple as acting as if they belong can cause a stranger to go unnoticed by employees if they aren’t diligent.
Social engineering can take many other forms as well, including spoofing or compromising the accounts of trusted persons as a way of tricking employees into downloading malicious files or visiting dangerous links in a phishing attack.
Aside from direct exploitation, employees can cause vulnerabilities by engaging in bad habits. The source of their bad habits can come from genuine ignorance caused by a lack of consistent ongoing training, organizations not prioritizing cybersecurity in the culture of their workplace, or negligent disregard for the role their behaviors have for keeping the organization secure.
- Bad habits of employees include:
- Not locking down their workstations when not in use, giving passersby an opportunity to use their credentials undetected.
- Falling for phishing emails (clicking links to malicious websites, downloading malware from seemingly innocent files).
- Leaving sensitive information inappropriately accessible (leaving notes at their workstations, leaving printed documents unattended in the printer tray, etc).
How to Work With Employees to Mitigate Cybersecurity Threats
Employees are a significant vector for cyber threats but given the proper combination of empowerment, training, and resources they can be leveraged along with the organization’s existing cybersecurity infrastructure to become a critical asset for threat mitigation.
An organization that empowers employees to be advocates for cybersecurity in their workplace will have a valuable asset for proactively mitigating cybersecurity threats. Organizations can empower their employees through frequent ongoing cybersecurity training, providing employees with a clear path for reporting security concerns to their managers, and by openly acknowledging the critical role that their employees have in maintaining the security of the organization.
Are employees the weakest link in an organization’s fight against cybersecurity threats? Not necessarily – in fact, with the proper mix of policies, processes, products, and procedures the people of an organization can very well be its greatest asset.