Mitigating Insider Threats: Your Worst Cyber Threats Could be Coming from Inside
Some of the worst cyber incidents come from the inside. Use these tips to recognize and mitigate insider threats.
Insider threats, both inadvertent and malicious, have risen 44 percent over the last two years, with costs per incident up more than one-third to $15.5 million globally.
Common reasons insiders act out include political or personal beliefs, frustration or anger with the organization or its personnel, or a desire for recognition or financial gain.
Look for signs your business may be at risk and take steps to mitigate that risk before an incident emerges in your organization.
Ransomware attacks and major data breaches from external threat actors often grab the headlines, but organizations must continue to look inward for cyber incidents that can deliver some of the worst financial consequences. Consider that these incidents often arise through those entrusted with access to and within the organization itself.
Insider threats, both inadvertent and malicious, have risen 44 percent over the last two years, with costs per incident up more than one-third to $15.5 million globally. An average of $184,548 is spent to contain insider threats, with business interruption costs (23 percent of total) typically being the greatest expense.1
In a study of 6,803 insider incidents reported over a 12-month period:
- 56 percent arose out of negligence, with examples of conduct such as failures to secure devices, follow company security policy or to patch and upgrade devices.
- 26 percent were due to criminal insider activity – malicious insiders, including employees or authorized individuals who use their data access for harmful, unethical or illegal activities.
- And 18 percent of incidents involved credential theft granting access to critical data and software. While credential theft represents the lowest number of incidents, it is the costliest, amounting to an average of $804,997 per incident.
“Insiders” are any individuals – including employees, contractors and vendors, among others – with authorized access to business systems, data and assets, whether physical or electronic. They pose a threat because they can intentionally, negligently or unknowingly harm an organization as a result of their actions. These actions may include the exposure or theft of assets or proprietary or confidential information resulting in damage to the organization’s operational ability, integrity or reputation, and other financial, business or social consequences.
Our Uncertain Economy Is Not Helping the Situation
The number of companies experiencing insider incidents has risen in each of the past three years. In 2022, 67 percent of companies indicated they experienced between 21 and more than 40 incidents per year, according to a Ponemon study. And the situation is not predicted to improve in 2023.
The current increase in corporate layoffs, reduced compensation and benefits, and widespread economic uncertainty could raise the likelihood that otherwise well-meaning employees act negligently or maliciously in response to layoffs or other adverse changes to their jobs. Disgruntled or resentful workers may find their precarious work situation a rationalization for such activities as intellectual property theft or other criminal acts.
Nearly seven in 10 employees were more likely to take data right before they resigned from their company. Further, there is a 23 percent increase in unauthorized data transfers from employees the day before they were fired, and a 109 percent increase the day they lost their jobs.3
Insider Threat Motivations
Insiders who act contrary to an organization’s interests may do so with a wide range of motives, but common reasons include:
- Political or personal beliefs
- Frustration or anger with the organization or its personnel
- Desire for recognition or financial gain
Insiders who cause harm to an organization do not always act with the intent to do so. An insider may unknowingly aid an external actor who uses social engineering – through business email compromise – to create a false belief through a phishing message asking that funds be rerouted to a different account.
Insiders may also act negligently or recklessly when they fail to respect the organization’s security policies or controls, such as using a personal device or account to conduct business, or by allowing unidentified persons into restricted areas.
Additionally, insiders may act with malicious intent. An example of this is the departing employee who takes confidential information with the intent to use it at, or sell it to, a competitor organization.
Nation states may seek to place personnel within an organization, or compromise ones already there through greed, loyalty or extortion, to aid efforts at espionage, theft of trade secrets or other proprietary information, or to cause damage or other harm. They often target innovative intellectual property or critical infrastructure, including energy, manufacturing and water systems, or other industries. Nation states use more sophisticated methods to hide their activities and maintain and improve long-term access to the organization.
Companies that experienced between 21 and more than 40 insider incidents in 2022.
Source: 2022 Cost of Insider Threats Global Report | Ponemon
Recognizing Insider Threats — Signs Your Organization is at Risk
An organization may be at risk when insiders:
- Are not trained to fully understand and apply laws, mandates or regulatory requirements related to their work and how that impacts the organization’s security
- Lack training about the dangers and proper responses to social engineering, such as phishing emails
- Are unaware of the steps they should take to ensure that the devices they use — both company-issued and Bring Your Own Devices (BYOD) — are secured at all times
- Are sending highly confidential data to an unsecured location in the cloud
- Break the organization’s security policies to simplify tasks
- Do not keep devices and services patched and upgraded to the latest versions at all times
Three Steps to Mitigate Insider Threat Risk
1. Orient and Scope:
To appropriately counter the risk posed by insiders, businesses must first practice good information governance and understand their critical data – what it is, where it is stored, how it is managed, and who has access to it. They must also understand the roles and responsibilities of those who have authorized data access. Once businesses have achieved a sufficient level of clarity on where their insider risk exposures reside, they are better able to augment or introduce insider controls effectively.
2. Thwart and Deter:
Denying sophisticated insiders the opportunity to advance their objectives requires implementing layers of well-designed and tested security controls across multiple security disciplines.
For some businesses, enhanced due diligence is performed prior to employment. Deterrence controls can include legally binding agreements signed during onboarding and offboarding, or efforts that seek to make the workforce more aware of insider threats and means of reporting suspicious activity.
Most businesses also have existing security architectures that are extendible to insider threat controls. These controls are preventative and serve as an obstacle to insiders attempting to execute an attack and discourage or dissuade insiders from committing a compromising act.
Automated and interconnected monitoring systems are becoming increasingly sophisticated and continue to serve an important role in a business’s risk mitigation strategy. Just as importantly, businesses must understand that insider activity can be detected through other, non-technical means such as anonymous sources, threat intelligence consumption, or tracking indicative insider behaviors.
3. Advanced Countering:
Once businesses have a formalized policy, fully resourced insider program, established and enhanced insider controls, and implemented steady-state monitoring mechanisms, they can choose to introduce more advanced mitigation capabilities. Businesses faced with some of the most resourced and persistent insiders can benefit from advanced, proactive mitigation strategies and tactics such as: honeypots, misinformation campaigns and advanced behavioral profiling.
Conceptually, these tactics reflect businesses moving from a purely defensive posture to a more offensive one. For many businesses, these advanced countering strategies and tactics are not yet practical, or necessarily applicable, but for those businesses where they are, introducing them can have a significant positive impact on insider risk mitigation goals.
Increase in insider threats over last two years.
Source: 2022 Cost of Insider Threats Global Report | Ponemon
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.