In the midst of a rising cybersecurity crisis, it’s worth keeping one thing in mind: the best way to infiltrate an organization is from the inside. With experts estimating that two out of every three data breaches are caused by insiders, insider threats remain a major concern for cleared organizations, demanding constant vigilance and alertness from facility security officers (FSOs).
According to a recent report from Ponemon Institute, the average cost of insider threat events has climbed 34% since 2020, reaching a new height of $15.38 million in 2022. Simultaneously, the time to resolve an insider threat incident has reached an average of 85 days – up from 77. While many factors can help to explain these alarming changes, one stands above the rest: insider threats are evolving.
Today – thanks to trends in the cyber landscape and a shifting global workforce – insider threats are not only rising across the board, but malicious insiders are becoming more dangerous and motivated than ever before. In this article, we’ll help you to understand why this is happening, and what cleared organizations can do to defend themselves.
The Evolution of Insider Threats
Insider threats have been a primary concern for government agencies and regulators since at least 2017, when the Office of the Director of National Intelligence (ODNI) issued Security Executive Agent Directive 3 (SEAD 3), which has since passed into federal law.
But many organizations have been primarily concerned with insider threat events caused by accidental misuse of data or negligence, as these are the most common. Examples include:
- Opening a phishing email
- Leaving a highly sensitive laptop unattended
- Forgetting to log out before leaving work
- Using a weak or default password
According to Ponemon, “careless insiders” cost organizations $6.6 million every year, accounting for about three out of every four insider threat events. However, malicious insiders cost more per incident, and their activity is rising, which can partly be explained by the rise of Insider Threats as-a-Service.
Explaining Insider Threats as-a-Service
While malicious insiders – ranging from regular employees to privileged business users and executives – will occasionally go rogue for a variety of reasons, they are increasingly being recruited by outside actors to compromise their organization in exchange for payment or some other incentive.
Some of these recruited insiders are lashing out or pursuing a political objective, but many more are simply opportunists seeking to profit from their privileged access.
The rise in malicious and sophisticated insiders is reflected in the growing sophistication of the techniques associated with insider threats: for instance, one study finds a 43% increase in the use of burner email accounts among compromised insiders, who also deliberately avoid the attack techniques catalogued in the MITRE ATT&CK framework.
The Lapsus$ Group
Recently, the Lapsus$ ransomware gang – responsible for hacking Samsung, and then dumping 190 GB of its internal data onto the web – has been openly recruiting insiders from major tech companies like Microsoft via its public communication channels.
This level of open recruitment for trusted insiders is unprecedented, suggesting that the practice is becoming more common and effective with time. But why are cyber actors depending on this technique in the first place?
The Perfect Storm
In 2022, a host of compounding factors are contributing to increased recruitment of insiders for malicious purposes. Among them:
- Resistance to traditional attacks – as organizations increase their cybersecurity budgets, some malicious actors are struggling to mount traditional cyberattacks. Recruiting insiders is comparatively easy – if a cyber actor can get one person in your organization to go along with them, they can gain access to protected systems that would take months or years to compromise from the outside.
- Dark web markets – today, the dark web is host to a thriving marketplace for trusted insiders. It is also a reliable place for malicious actors to profit from the data they have stolen. Over the past few years, dark web markets have seen continuous growth along with the general growth in cyberattacks.
- Rise of remote employment – since the beginning of the COVID pandemic, more and more employees are working from home. Not only does this create more vulnerabilities by extending the IT perimeter of your organization – it also makes patterns of compromised behavior harder to detect and report. In 2021, 75% of prosecuted insider threat cases involved remote workers.
- Employee attrition – the so-called “Great Resignation” which also accompanied the COVID pandemic has resulted in a higher rate of employee attrition, which is correlated with increased data theft due to insider threats. 56% of organizations report data theft as a consequence of employees leaving or joining their company.
- Geopolitical tensions – as real wars spill over into cyberwarfare, state-sponsored attack groups have greater motivation to target critical infrastructure, industrial manufacturers and government organizations; Insider Threats as-a-Service provide the perfect attack mechanism.
With all of this being said, how can FSOs and other security officers protect their cleared facilities and keep sensitive information away from malicious insiders?
Defending Against Malicious Insiders
While insider threats are impossible to detect with a 100% success rate, there are many indicators that can help organizations to spot them. To improve detection rates and prevent insiders from being compromised in the first place, FSOs should pour their efforts into three areas:
- Develop your Insider Threat Program (ITP) – all FSOs are required to maintain an ITP by the National Industrial Security Program Operating Manual (NISPOM). By developing and maintaining a strong ITP, FSOs can leverage the cumulative intelligence of their organization to track signs of compromised behavior and flag potential threats before they become actual threats.
- Collaborate with cybersecurity personnel – as the boundaries between physical and digital security blur, FSOs stand to benefit from collaboration with CSOs, CISOs and other cybersecurity personnel. Insider threats have both a human and a technology dimension – while FSOs are best equipped to monitor the human side, cybersecurity teams are best equipped to monitor the technology side.
- Invest in employee training – with negligence accounting for the majority of insider threat events, training personnel is one of the most actionable ways to prevent them. Ensure that employees are aware of your organization’s policies and that they put best practices into action.
Fight Insider Threats with Portal Commander
In order to fight the rising tide of insider threats, FSOs need reliable tools to gather and analyze intelligence. The latest version of Portal Commander™ provides your organization with everything you need:
- Insider Threat Reporting Module
- Anonymous Reporting
- Foreign contact reporting
- Contact information for the DCSA, DHS, and CIA
- Insider threat overviews with data visualization
Save time, optimize workflows and keep your organization safer: for a free demo, contact us today!