Insider threats pose a silent but devastating risk to organisations of all sizes. These threats, often from trusted employees or contractors, can result in significant data breaches, operational disruptions, and irreparable reputational damage. The financial implications of insider threats are staggering. According to Statista, in 2023 [1], the cost of a data breach by a malicious insider amounted to 4.9 million US dollars per data breach. This underscores the urgent need for proactive measures to protect sensitive information and maintain operational resilience.
Insider threats can manifest in a variety of insidious ways. From disgruntled employees intentionally leaking sensitive information or sabotaging critical infrastructure to negligent employees falling victim to phishing scams, the potential for damage is immense. Even seemingly trustworthy individuals, such as financial advisors, can be compromised through blackmail or extortion, leading to devastating consequences. Action is needed now to mitigate these risks. With insider risks accounting for more than seven out of ten cybersecurity breaches [2], C-level executives, cybersecurity leaders, and strategists must prioritise mitigation.
Foundational Cornerstones for an Insider Risk Initiative
A comprehensive insider risk mitigation strategy requires a robust foundation built upon strong cyber and physical security controls and effective employee communication. By establishing this solid foundation, organisations can significantly bolster their resilience against internal risks.
- Cyber and Physical Controls – Organisations must ensure that fundamental cyber and physical security controls are in place and functioning effectively. These include employee vetting, security awareness training, joiner, mover and leaver processes, and technical controls such as access management and endpoint security. An effective vetting process would have detected the North Korean fake IT worker who tried to infiltrate KnowBe4 [3].
- Effective Employee Communication – Organisations must effectively communicate their insider threat plans to employees, fostering a sense of ownership and joint responsibility for data security with their employees. This needs to be done in an open and transparent manner to empower employees to feel more confident and capable in detecting insider risks. Employees are often the first line of defence, detecting suspicious activity such as colleagues accessing unusual amounts of data or phishing emails that bypass filters [4], and their vigilance can become critical in stopping a data breach. Furthermore, effective communication becomes both a deterrent and a shield for sensitive information. A good example is Google’s emphasis on employee communication, which encourages reporting security concerns [5], fostering a trusting environment where employees feel empowered to contribute to security solutions actively.
Advanced Monitoring & Detection
To mitigate insider risks effectively, organisations must complement their foundation of cyber and physical security controls with advanced monitoring and detection capabilities, significantly reducing their exposure to internal threats.
- Monitoring Use Cases & Abuse Cases – The vital use cases and abuse cases that must be implemented include the following:
  - Critical security breaches – Specific use cases include unauthorised data access, exfiltration, manipulation, and privileged account misuse. When done correctly, monitoring puts organisations in control of their data, as in Google’s response to an engineer copying hundreds of confidential AI files to his personal Google Cloud storage [6].
  - Policy and procedure violations – Specific use cases include unauthorised access to websites, violation of the acceptable use policy for laptops, and excessive internet usage. These violations significantly impact organisational compliance and data integrity.
  - Human error and negligence – Specific use cases include sharing sensitive information with the wrong distribution list or the wrong email addresses. Often these violations are a cry for better organisational processes and system designs.
  - Industry-focused risk – Specific use cases include suspicious transactions, insider trading, collusion, unauthorised account activity related to financial transactions or asset transfers, and lifestyle changes among Politically Exposed Persons (PEPs).
- Technology Strategy – To implement the monitoring use and abuse cases, organisations should combine Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Data Loss Prevention (DLP) and User and Entity Behaviour Analytics (UEBA) technologies. Together they give a comprehensive view of security events, endpoint behaviour, data movement, and anomalous user actions. The business case for this investment in large organisations is clear: the average cost of a data breach in 2023 was $4.45 million [7], insider threats are among the costliest incidents [8], and the capability supports regulatory compliance with GDPR, HIPAA, and PCI-DSS. However, for small and medium enterprises (SMEs), adopting SIEM, EDR, DLP, and UEBA technologies requires a strategic, phased approach that considers their size, the value of their assets, the impact on the organisation, and the incremental benefit of each technology. A suggested path for SMEs is to start with a SIEM for initial visibility and then integrate EDR to detect and respond to threats at the device level. As the organisation grows and data protection becomes more critical, DLP solutions should be deployed to safeguard sensitive information, and finally UEBA should be incorporated to identify and mitigate insider threats through behavioural analysis. This incremental adoption path optimises cybersecurity spending and ensures a return on security investment. Successful implementation of monitoring technologies requires careful planning, stakeholder management, and continuous improvement to overcome challenges such as false positives, alert fatigue, and other employee concerns.
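As an added illustration (not code from the original article), the following Python script shows how two of the use cases above, unusual volumes of confidential-file access and exfiltration to personal cloud storage, can be expressed as UEBA/DLP-style detection logic: it scores each user's daily confidential-file access count against that user's own baseline on other days, and flags copies of confidential data to any destination outside a corporate allow-list. The log format, destination names and thresholds are assumptions, and the log data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed allow-list of sanctioned storage destinations (not from the article).
CORPORATE_DESTINATIONS = {"corp-share", "corp-drive"}

def parse_log(text):
    """Parse constructed CSV lines of the form date,user,classification,action,destination."""
    events = []
    for line in text.strip().splitlines():
        date, user, cls, action, dest = line.split(",")
        events.append({"date": date, "user": user, "cls": cls,
                       "action": action, "dest": dest})
    return events

def volume_alerts(events, z_threshold=3.0, min_count=10):
    """Flag user-days whose confidential-file access count sits far above that
    user's own baseline on other days (a simple per-user anomaly score)."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["cls"] == "confidential":
            daily[e["user"]][e["date"]] += 1
    alerts = []
    for user, days in daily.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            if len(others) < 2 or count < min_count:
                continue                      # too little history, or too small to matter
            base, spread = mean(others), pstdev(others)
            z = (count - base) / (spread if spread else 1.0)  # avoid divide-by-zero
            if z >= z_threshold:
                alerts.append(("VOLUME", user, day, count))
    return alerts

def exfil_alerts(events):
    """Flag copies of confidential data to destinations outside the allow-list,
    de-duplicated per user, day and destination so one bulk copy is one alert."""
    seen = set()
    for e in events:
        if (e["cls"] == "confidential" and e["action"] == "copy"
                and e["dest"] not in CORPORATE_DESTINATIONS):
            seen.add(("EXFIL", e["user"], e["date"], e["dest"]))
    return sorted(seen)

def build_sample_log():
    """Constructed data: alice reads 5 confidential files a day for 9 days, then
    copies 120 to a personal cloud account; bob is steady and copies only public data."""
    lines = []
    for day in range(1, 10):
        lines += [f"2024-03-{day:02d},alice,confidential,read,corp-share"] * 5
        lines += [f"2024-03-{day:02d},bob,confidential,read,corp-share"] * 4
    lines += ["2024-03-10,alice,confidential,copy,personal-cloud"] * 120
    lines += ["2024-03-10,bob,confidential,read,corp-share"] * 4
    lines += ["2024-03-10,bob,public,copy,personal-cloud"]  # public data: no alert
    return "\n".join(lines)
```

Running `volume_alerts` and `exfil_alerts` over `parse_log(build_sample_log())` yields one volume alert and one exfiltration alert, both for alice on 2024-03-10, while bob's steady activity and his copy of public data raise nothing.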
Compliance and Ethics
Striking the right balance between vigilance and employee privacy requires legal and ethical consideration. This is due to the complex web of regulations, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA), together with local labour and workplace surveillance laws.
Transparency is crucial. Organisations are required to have a legal basis for data collection, to minimise the data gathered, and to be upfront about their purpose and security measures. This mitigates fines, as seen in the €32 million penalty levied against Amazon France Logistique for breaching several articles of the GDPR [9].
Conclusion
In conclusion, for organisations to manage their insider risk, they must implement the foundational cyber and physical security controls, communicate and collaborate with employees, and build continuous, tamper-proof monitoring that can detect and respond, legally and ethically, to a wide range of employee use and abuse cases.