Insiders are today’s biggest security threat
By concentrating exclusively on outside threats, organisations are beginning to recognise that cyber threats also come from their own people, emphasising the need to implement employee awareness and education as well as creating a cyber resilience strategy that includes both technology and human-based defences.
As seen in Accenture’s recent research, there is a major gap many organisations are experiencing when it comes to cyber resilience planning. One aspect of the data highlights that 69 percent of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months.
In some cases, those insiders are driven by malicious intent – the desire to enrich themselves through the sale of sensitive data or to retaliate for a perceived slight or mistreatment. There are also cases where a company’s third-party contractors, vendors or temporary workers – essentially privileged users – have been responsible for their client’s network breaches, either through malice or by accident.
However, according to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those network openings were created innocently through accidental or inadvertent behaviour by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task like taking files home to work on in their own spare time.
The types of insider behaviour
There are three types of risky insider behaviour, each requiring a different strategic approach:
Malicious: Malicious insider behaviour combines a motive to harm with a decision to act inappropriately. For example, keeping and turning over sensitive proprietary information to a competitor after being terminated.
Negligent: Negligent behaviour can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognise the importance of compliance, their workarounds can be risky.
Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones. According to Verizon’s Data Breaches Incident report, accidents accounted for almost 30 percent of the information security incidents in 2015.
These results suggest that adopting and embracing technology as well as user-awareness training, incident response plans and stimulated security exercises – among other training exercises including safe spear-phishing tests, regular security training and safe social engineering tests – is essential in the fight against email and web-based threats.
Forming two lines of cyber resilience
Following our recent partnership with PhishMe and the announcement of Mimecast’s Internal Email Protect, we are now giving organisations even more visibility and control needed to effectively fight against insider threats, while helping users understand good security practices.
Here is how you can create a collaborative cyber defence against insiders using both technology and a human firewall:
– Assign role-based permissions to administrators to better control access to key systems and limit the ability of a malicious insider to act.
– Implement internal safeguards and data exfiltration control to detect and mitigate the risk of malicious insiders when they do strike, to cut off their ability to send confidential data outside the network.
Human phishing defence:
– Offer creative employee security training programs that deter potential malicious insiders in the first place and help others to spot the signs so they can report inappropriate activity to their managers. Then, back that up with effective processes to police and act swiftly in the event of an attack.
– Nurture a culture of communication within teams to help employees watch out for each other and step in when someone seems like they’ve become disenchanted or are at risk of turning against the company.
– Train your organisation’s leadership to communicate with employees to ensure open communication and awareness.
Our new anti-phishing solution transforms your employees into a powerful security layer with phishing awareness training that allows users to recognise and report real-world phishing attacks.