The annual
Chocked full of comprehensive data about what happened in the past year and where we are headed, this report is the gold standard for taking the temperature of how we are doing when it comes to keeping our data safe.
Among its areas of focus is some solid reporting on the state of insider threats.
While the vast majority (83%) of breaches are caused by external actors (ie. hackers), a sizable 19% of incidents are from internal threat actors. The report defines them as anyone who has been granted access to company resources, be they full time, part time, or contractors.
They are different though from say partners (read 3rd party) like vendors or others in your supply chain because those folks are a whole other kettle of fish.
In some cases, the insider threat actors cause us harm by making honest yet costly mistakes. They might misconfigure some settings or send sensitive information to the wrong person. It happens. Their hearts might be in the right place even if their good sense might’ve skipped out for a stroll.
But then there are those malicious insiders who intentionally cause harm, stealing, destroying, and generally being up to no good. These are people who were given trust and end up betraying it. But why?
To figure it out, let’s take a look at the report’s findings on motivations for these bad internal actors, and see how it impacts various industries.
They say that the only certainties in life are death and taxes. Well, add the reported motivators for insider threats to this list.
Unsurprisingly, financial motivation tops the list at a whopping 89%. This makes good sense as usual since most people do what they do for money. They see an opportunity to take something that they should not, and abuse the trust that was put in them.
Our winner is followed up by:
While math was never my strong suit, even this writer can tell you that these motive results come out to more than 100. What it says is something perhaps more important.
Malicious insiders are people who can have multiple motivations in their head at the same time.
Take for instance a disgruntled hospital employee who hates her boss, got a bad deal from management, and has access to credit card numbers that she can sell via her cousin.
As we dive into the different industries covered in the research, we see that motivations can clearly vary. Espionage is more likely to pop up in government or technology cases than say impacting SMBs at a more modest 7%.
Let’s run through them and see what we can learn.
Threat Actors: Internal 35% vs External 66%
Motivations: Financial 98%, Espionage 2%, Fun 1%, Ideology 1%
Healthcare comprises a lot of people with a lot of access to sensitive information. It is notoriously hard to defend because most of these people legitimately need to be able to interact with patient data.
While the motivation in healthcare related breaches fits the usual pattern of having financial at the top, the report points out that many of the data exposures are actually employees looking at data that they should not simply because they were curious about it. No intention to profit from it, but the organization can still be hit with a regulatory fine nonetheless.
Health is a fascinating area for spies as well. This is because it can provide valuable insights into how a country is preparing for a future crisis, or for research on a new vaccine that another country can use to help out their own researchers.
While grudges are not listed here as a motivating factor, it probably should be. Healthcare is a field with a lot of people under a lot of stress, working under tough conditions, so it follows that some may succumb to the pressure.
Threat Actors: Internal 34% vs External 66%
Motivations: Financial 97%, Espionage 3%, Ideology 1%, Convenience 1%
At first glance, this sector has the highest internal actor percentage of the categories under review. This is maybe not totally surprising since employees may see an opportunity to help themselves to valuables if they think that they can get away with it.
There is always the old joke about bank robbers robbing banks because that’s where the money is. But reading a little more into the report, this figure is a little misleading. They cite that misdelivery is actually one of the biggest issues when it comes to insiders. There is not a precise breakdown of how much is intentional vs mistakes, but it is a good reminder that we need to monitor our data handling with care.
Threat Actors: Internal 30% vs External 80%
Motivations: Financial 68%, Espionage 30%, Ideology 2%
Government is an interesting sector to target for a number of reasons.
First and foremost, government workers have plenty of access to information. Addresses, payment card details, and plenty more bits of sensitive data worth stealing, so there is more than enough motivation for a criminal actor.
But then there are the spies. For obvious reasons, governments spy on each other. Rarely is it the case that James Bond breaks into the government installation and steals the secret plans. In the real world, case officers recruit insiders to become traitors, either with financial or ideological means.
In some rare cases, you get a Reality Winner who makes mistakes and steals information that she then passes on to amateurs like The Intercept who expose her to the feds. By all accounts, she was hoping to influence public opinion and policy with her leaks, though not very effectively.
Interestingly, government is a sector where we see a fair amount of collaboration between internal and external actors. Apparently in 16% of cases, there were bad actors working on both sides of your so-called perimeter. This is up from the 2% of cases back in 2020, so it will be interesting to see why this trend is rising.
By all accounts, the category of data breaches caused by Miscellaneous Errors, aka someone doing something unintentionally bad that exposes data, has continued its decline.
It now only comprises 13% of the incidents. Whether it is better practices, or more likely technology as organizations have upgraded to cloud technologies, this is good news.
The one area where it appears to still be cited as an issue is in healthcare, though the reason stated is mostly to do with misdelivery where data is sent to or shared with the wrong people.
Apparently in 7% of cases, the attacks are carried out by the combination of internal and external actors working together to your detriment. They give the example of criminals who get themselves hired at the target company and then help their compatriots from the inside.
Regardless of the motivations, your organization still needs to protect yourselves from risky insiders. Below are a few ways to get started.
Insiders are always going to be harder to defend against because they are already inside your organization, and chances are they already know where to find what they want to steal.
There are a few measures though that we can take to try and prevent their actions and detect them when they do occur.
Gaining a baseline understanding of how a user acts within your systems is the first step in being able to detect when something is going wrong.
By continuously monitoring what an employee is accessing, sending, editing, etc, big changes that may be indicative of malicious behavior can throw up red flags. For example, if an employee is interacting with sensitive files that are outside of their purview for their job, then it may be a good idea to give them a little bit of extra scrutiny.
Add to this behaviors like working at off hours when their activity might otherwise draw less attention, and you can start to build a clearer picture of a potential employee threat.
Some of the biggest data thefts in history were not carried out by hackers a continent away. They simply walked out the front door.
Edward Snowden, Chelsea Manning, and more than a few other well-known names transferred files onto hard disks or even CDs.
Use solutions to stop users from being able to move sensitive files over to physical devices like USB sticks, external hard drives, and the like. In the cloud era with its much more granular controls, there is simply no justification for needing to so given the potential risks.
If all else fails, fill the USB slots up with gum.
In a similar vein to controlling transfers to physical devices, it is time to end the practice of allowing employees to use file transfer services.
Services like Box, Dropbox, and others are great tools if they are being managed by your IT team. But allowing employees to connect their own file transfer accounts is just downright risky shadow IT.
Block access to these services by setting rules in your monitoring software platform and encourage your team to use organizationally controlled services like SharePoint or better yet, Google Drive.
As we have noted previously, insider attacks are hard to stop because these are trusted people inside your organization.
As scary as an insider threat can be, please remember that the vast majority of your people do not want to do you wrong. They may make mistakes because they are humans, but they mean the best.
And the fact is that if we want them to keep doing their best, we have to give them respect and trust.
By providing active monitoring to pick up on irregularities that may indicate a threat, we can implement the security controls we need to protect our data without being draconian or disrespectful.
Because treating your people like a bunch of criminals is how you get them to act like thieves.
Be respectful and hopefully you will get the same treatment in return.