Cyber Security Awareness Month: The Top 3 Types of Insider Threats Putting Companies at Risk

In 2022, cybersecurity was a top concern for c-suite executives, board members, department leads, and IT teams. And their fears are undoubtedly justified as we head into 2023.

As October is Cyber Security Awareness Month, we’re reminded of the continuously tumultuous, disruptive, and unpredictable business environment, where data breaches and cybersecurity incidents threaten to undermine brand reputation, erode precious revenue, and push customers away when it matters most.

According to IBM’s most recent Cost of a Data Breach Report, data breach recovery costs exceeded $4 million in 2021, a record and 10 percent year-over-year increase. Meanwhile, several factors, including ransomware attacks, phishing scams, and other cybersecurity concerns, are similarly increasing in frequency, scope, and severity.

However, while companies often invest heavily to defend their digital perimeter against external threat actors, Verizon’s 2022 Data Breach Investigation Report found that 82 percent of breaches involve a common and often-overlooked vulnerability: insiders.

Insider threats are employees, contractors, and other trusted third parties with legitimate access to company data and IT infrastructure who intentionally or accidentally compromise data privacy or network integrity. These trusted entities are profound vulnerabilities for every organization.

Fortunately, this threat is controllable, and companies can take steps to address insider threats before they cause a significant cybersecurity incident. For decision-makers and cybersecurity teams, here are three insider threats putting companies at risk.

#1 Oblivious Insiders

Insiders have tremendous access to company data and customer information. According to one analysis, the average employee can access nearly 11 million files, a startling total that is even more extensive for larger organizations and major corporations.

Protecting this information is an important responsibility, and oblivious insiders are not prepared to meet the moment.

For example, 83 percent of organizations experienced a successful phishing attack last year as insiders were tricked into sharing their account login credentials with threat actors.

In total, it’s estimated that one-third of employees are poised to fall for a phishing scam at some point, requiring companies to immediately equip oblivious insiders to become defensive assets.

Whether falling for a phishing scam, engaging with a social engineering attack, or accidentally sharing company or customer data, oblivious insiders put privacy and security at risk.

#2 Negligent Insiders

When it comes to defending against insider threats, there is a meaningful difference between oblivious and negligent insiders. Oblivious insiders are unaware of the threats, while negligent insiders act carelessly, flouting company standards and cybersecurity best practices.

To illustrate, one industry analysis found that 36 percent of employees “admit to finding ways to work around security policies.” In addition, the study found that 64 percent of employees acknowledge using personal devices to access company data while only 43 percent say those devices are security enabled.

In addition, cybersecurity best practices, like enabling two-factor authentication and regularly updating strong, unique passwords for all accounts, are habitually ignored. More than one-fifth of people report using the same password for every online service.

Furthermore, 24 percent use the same password for most things, and 25 percent use the same password for more than one account. Collectively, the vast majority of people are putting company data and IT at risk through negligent but fixable online behavior.

The consequences of inaction can be catastrophic. For instance, the highly publicized and incredibly expensive ransomware attack on Colonial Pipeline was made possible by an employee’s outdated account credentials that were compromised in a separate breach and leveraged to exploit the company’s network.

#3 Malicious Insiders

Of course, some insiders will act maliciously, intentionally stealing, distributing, or misusing company data. Their motivations are multifaceted. Some are looking to sell sensitive information on the Dark Web, and others might be disgruntled current or former employees trying to punish their employer.

Since insiders are inherently trusted, their actions are often undetected when they act maliciously, causing extensive damage to data privacy and network security.

High-privileged users are the most likely to behave maliciously, but any employee with access to company data can undermine data privacy or network security, requiring companies to identify and implement solutions to prevent insider threats from undermining their defensive posture.

How Businesses Can Respond

The “human element,” including social attacks, errors, and misuse, poses a significant vulnerability to a company’s cyber readiness, requiring a response that accounts for insider threats.

First, every organization needs the capacity to detect insider threats. This includes preparing staff to identify observable, concerning behaviors that could indicate a threat. At the same time, software solutions can help detect possible threats, allowing security teams to investigate an attack’s veracity.

Investigative capacity will determine a potential threat's scope, intensity, and consequences, letting companies respond to insider threats with precision and impact.

Finally, companies need to develop the capacity to prevent insider threats. This proactive approach allows businesses to avoid the most serious repercussions of a data breach or cybersecurity incident.

In today’s high-stakes business environment, investing in insider threat detection and prevention is an obvious next step to ensuring that a company’s most valuable and vulnerable asset – its people – is prepared and accountable for keeping the organization cyber-secure.