Why insider threats are cybersecurity’s next big challenge
This article is authored by Ajay Biyani, VP, APJ, India, Middle East & Africa, Securonix.
As we enter the second half of 2024, India's cybersecurity landscape is becoming more complex and challenging. A robust, proactive cybersecurity strategy is needed as advanced technology, cloud security and human factors converge rapidly. Organisations need to be at the forefront of this change to protect their assets and build trust among stakeholders.
Many organisations view cybersecurity primarily as a defence against external attacks. However, the Insider Threat Report 2023 by Cybersecurity Insiders, which surveyed 326 cybersecurity professionals, reveals a different reality: over half of the organisations said they had experienced an insider threat in the past year, with 8% reporting more than 20 incidents. This prevalence is likely driven by the shift to hybrid work models, broader access to cloud applications, and the growing use of generative Artificial Intelligence (AI) tools.
When we look at the maturity of organisations to handle insider threats, Securonix’s insider threat report reveals that while 66% of organisations feel vulnerable to insider attacks, 41% of organisations have only partially implemented insider threat programmes, pointing to a lack of comprehensive activity monitoring and advanced threat management. Only 29% of organisations feel fully equipped with the right tools to protect against insider threats, indicating a significant gap in many organisations’ security capabilities.
Effective cybersecurity requires understanding the various forms of insider threats. Insider threats may be classified into three categories: negligent, complacent, and malicious. Each category poses different challenges and calls for a different response.
- Negligent insider: Although negligence is the more common cause, many organisations focus their insider threat programmes on insiders with malicious intent. Yet around 60% of insider-related data breaches are accidental, caused by employees who inadvertently expose the company's sensitive data. For example, an employee may leave a laptop or an unencrypted mobile device holding confidential information unattended, opening the door to theft, or may click a phishing link and hand over credentials to a scam. These scenarios put the organisation at risk even though the employee had no malicious intent.
- Complacent insider: Employees who disregard fundamental security procedures, such as applying security patches, are known as complacent insiders. Both negligent and complacent insiders are especially vulnerable to email phishing: they are regularly tricked into clicking links and unintentionally installing malware that can then spread across the whole network.
- Malicious insider: When employees purposely and knowingly compromise an organisation's data, the problem becomes more complex. Their motives are usually financial gain or resentment towards their employer. In some cases, malicious insiders collude with external actors to plan and carry out attacks.
To safeguard an organisation's data, it is crucial to recognise early signs of insider threats. One of the key indicators is an unusual pattern of access, where employees access systems or information outside their normal working hours without a clear business need. Similarly, a significant increase in data downloads or copying, especially of sensitive information, could be a red flag for potential sabotage or theft. The use of unauthorised apps or devices can further expose the network, while employees who repeatedly violate company policies may be signalling negligence or posing a serious insider threat. Behavioural changes, such as increased secrecy, resistance to supervision, or sudden large purchases, are also important indicators of possible malicious intent and should be monitored closely.
Another key set of indicators revolves around security events and interactions. Repeated failed login attempts and other security alerts tied to an employee's account can point to unauthorised access attempts, or to credentials being used by someone other than their owner. A spike in workplace disputes or complaints, particularly between employees, may signal internal tensions that could escalate into an insider threat. Additionally, suspicious emails, large file transfers, or the use of personal cloud storage for confidential data raise significant concerns. Lastly, attempts by employees to expand their access to sensitive information by volunteering for extra tasks beyond their usual responsibilities, especially outside normal work hours, may indicate malicious intent. Continuous monitoring of these behaviours is essential to mitigate the risk of insider threats.
In the coming months, the cybersecurity landscape in India and the APAC region will likely face new challenges and evolving threats. As a result, preventive cybersecurity strategies will become even more critical to safeguarding organisations.
Combating the rise of insider threats requires more than reactive measures. A preventive approach, including comprehensive cybersecurity training, can significantly improve organisational practices and awareness. When a complacent insider is detected, instead of resorting to harsh punishment, organisations should focus on corrective action so that the employee does not drift towards becoming a malicious insider. Simulating cyberattacks through mock drills can help negligent insiders develop a practical understanding of security concerns and learn how to respond to threats effectively.
However, training alone is not enough. Effective defence also requires having the right technology. Continuous monitoring and enhanced visibility, such as those provided by User and Entity Behavior Analytics (UEBA) technologies, make it increasingly difficult for malicious insiders, particularly those in higher positions, to evade detection.
UEBA uses machine learning to analyse user and entity activity, distinguishing legitimate actions from potential threats. By comparing real-time activity against a baseline built from each user's historical behaviour, it can flag deviations such as unusual access hours, abnormal data volumes or unexpected destinations before they escalate, while keeping false positives manageable. The quality of that baseline matters: a user must have enough history for "normal" to mean anything.
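To make the indicators listed above and the baselining idea concrete, here is an added example of my own; it is not Securonix code and does not represent any real UEBA product. It is a small Python scorer over a constructed audit log (the event format, user names, thresholds and the list of "personal cloud" domains are all assumptions for the illustration). It builds a per-user baseline of working hours and daily download volume from a history window, then raises behavioural alerts for off-hours activity and for daily download totals far above the user's own median (scaled by median absolute deviation, so one noisy day does not inflate the threshold), plus deterministic alerts for uploads to personal cloud domains and for bursts of failed logins. A user with no history (bob) gets no behavioural alerts, only the deterministic ones, which is the cold-start gap a baseline-driven approach cannot close on its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# All names, thresholds and domains below are assumptions made for this example.
PERSONAL_CLOUD = {"dropbox.com", "drive.google.com", "mega.nz"}
CUTOFF = datetime(2024, 7, 15)       # events before this date form the baseline
MIN_BASELINE_EVENTS = 5              # fewer than this: no behavioural baseline
MAD_K = 6.0                          # robust z-score threshold for volume spikes
BURST_COUNT, BURST_WINDOW = 5, timedelta(minutes=10)

def parse_event(line):
    """Parse one constructed audit line: ts,user,action,bytes,target."""
    ts, user, action, nbytes, target = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "bytes": int(nbytes), "target": target}

def build_baseline(events):
    """Per-user working hours and daily download totals from pre-cutoff events."""
    base = defaultdict(lambda: {"n": 0, "hours": set(), "daily_bytes": defaultdict(int)})
    for e in events:
        if e["ts"] >= CUTOFF:
            continue
        b = base[e["user"]]
        b["n"] += 1
        b["hours"].add(e["ts"].hour)
        if e["action"] == "download":
            b["daily_bytes"][e["ts"].date()] += e["bytes"]
    return base

def robust_spike(value, history):
    """True if value sits far above the median of history, measured in MAD units."""
    if len(history) < MIN_BASELINE_EVENTS:
        return False                 # not enough history to judge
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(mad, 0.1 * abs(med), 1.0)   # floor so a flat baseline does not over-alert
    return (value - med) / scale > MAD_K

def score(events, base):
    """Return (user, rule, detail) alerts for events at or after CUTOFF."""
    alerts, daily, failed = [], defaultdict(int), defaultdict(list)
    for e in events:
        if e["ts"] < CUTOFF:
            continue
        u, b = e["user"], base.get(e["user"])
        # Behavioural rule: activity at an hour this user has never worked before.
        if b and b["n"] >= MIN_BASELINE_EVENTS and e["ts"].hour not in b["hours"]:
            alerts.append((u, "off_hours", f"{e['action']} at {e['ts'].isoformat()}"))
        if e["action"] == "download":
            daily[(u, e["ts"].date())] += e["bytes"]
        # Deterministic rule: data pushed to a personal cloud service.
        if e["action"] == "upload" and e["target"] in PERSONAL_CLOUD:
            alerts.append((u, "personal_cloud_upload", f"{e['bytes']} bytes to {e['target']}"))
        if e["action"] == "login_failed":
            failed[u].append(e["ts"])
    # Behavioural rule: daily download volume far above the user's own history.
    for (u, day), total in daily.items():
        hist = list(base[u]["daily_bytes"].values()) if u in base else []
        if robust_spike(total, hist):
            alerts.append((u, "volume_spike", f"{total} bytes on {day}, median {int(median(hist))}"))
    # Deterministic rule: BURST_COUNT failed logins inside BURST_WINDOW.
    for u, times in failed.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW:
                alerts.append((u, "failed_login_burst", f"{BURST_COUNT} failures from {times[i].isoformat()}"))
                break
    return alerts

def constructed_events():
    """Constructed sample log (not real data): 10 quiet days, then one suspicious day."""
    lines = []
    for day in range(1, 11):
        lines += [f"2024-07-{day:02d}T09:15:00,alice,login_ok,0,vpn",
                  f"2024-07-{day:02d}T10:30:00,alice,download,{1_500_000 + 20_000 * day},fileserver",
                  f"2024-07-{day:02d}T14:05:00,alice,download,{900_000 + 10_000 * day},sharepoint",
                  f"2024-07-{day:02d}T08:50:00,carol,login_ok,0,vpn",
                  f"2024-07-{day:02d}T11:00:00,carol,download,{2_000_000 + 15_000 * day},fileserver"]
    lines += ["2024-07-16T02:10:00,alice,login_ok,0,vpn",               # 2 a.m. session
              "2024-07-16T02:12:00,alice,download,480000000,fileserver",
              "2024-07-16T02:40:00,alice,upload,470000000,dropbox.com",
              "2024-07-16T11:20:00,carol,download,2100000,fileserver",   # normal activity
              "2024-07-16T13:00:00,bob,login_failed,0,vpn",             # bob has no baseline
              "2024-07-16T13:01:00,bob,login_failed,0,vpn",
              "2024-07-16T13:02:00,bob,login_failed,0,vpn",
              "2024-07-16T13:03:00,bob,login_failed,0,vpn",
              "2024-07-16T13:04:00,bob,login_failed,0,vpn"]
    return [parse_event(l) for l in lines]

def run():
    """Score the constructed log against its own baseline."""
    events = constructed_events()
    return score(events, build_baseline(events))
```

Calling `run()` yields six alerts: three off-hours events, one personal-cloud upload and one volume spike for alice, and one failed-login burst for bob; carol, whose activity stays inside her baseline, produces none. The MAD-based threshold is a deliberate choice over mean and standard deviation, which a single large historical day would stretch enough to hide a later exfiltration; the floor on the scale stops a perfectly regular user from being flagged for trivial variation.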
But what happens when an organisation lacks a large body of reliable historical user or entity data? Catching a first-time offender, a newly joined user, or someone deliberately obscuring their actions is harder, because there is no trustworthy baseline to deviate from. This is where the emerging field of intent-based threat detection becomes relevant. Combining real-time monitoring with analysis of the language and behaviour patterns associated with harmful intent, it aims to surface subtle indicators of insider risk even when historical data is limited, so that potential malicious activity can be acted on before it becomes a major breach.
As the cybersecurity landscape continues to evolve, it’s essential for organisations to adopt a proactive approach that combines training, technology, and cutting-edge methodologies to stay ahead of potential threats. By fostering a culture of vigilance and equipping teams with the right tools, organisations can better safeguard their future against increasingly sophisticated insider attacks.