Over the last two years, ransomware has been, without a doubt, the hottest topic in cybersecurity discussions in both the cybersecurity community and the general population. Major attacks like the one on SolarWinds and against Colonial Pipeline have dominated headlines — and for good reasons. Ransomware attacks are growing in frequency, complexity and sophistication while also becoming less expensive to execute. In no way am I downplaying the urgency to protect our infrastructures against them.

Yet lurking in the shadows, there is another cybersecurity threat that has not received the same attention in the media: insider threats.

Another Look at What Matters

In today’s cyber context, insider threats are those that come from individuals who have permission to use and know intimately the structure of our networks, e.g. employees, contractors, business partners or vendors. They are people with legitimate access to an organization’s network and systems who deliberately exfiltrate data. Their access is what makes the threat so dangerous. “Insiders” typically know where sensitive data lives, what protective measures are in place, can access files and folders, and can fly under the radar with relative ease. And while they often go overlooked in the greater scheme of cybersecurity concerns, insider threats represent 60% of data breaches.

“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever," said Dr. Larry Ponemon, Chairman, Ponemon Institute, at SecureWorld Boston.

Most organizations (68%) believe that insider attacks are becoming more frequent. Between 2018 and 2020, the number of insider attacks have increased by 47% with the associated cost increasing by 31% (from $8.76m in 2018 to $11.45m in 2020).

Currently only 1 in 10 organizations believe their cybersecurity measures meet the needs of their business, and the impact of COVID-19 has made the situation far more grave. Over three-quarters of IT leaders believe their organization is at greater risk of insider threats if the company adopts a permanent hybrid working structure — which may in fact evolve given that most employees apparently prefer it.

Inadequate Response

For several reasons, finding solutions for the insider threat is perhaps even more difficult than implementing measures to protect against foreign, external threats. Most companies and organizations rely on security awareness training — followed by company policies/procedures and intelligent automation — to protect themselves against insider threats. Ironically, while most employees say they understand company policies and procedures, comprehension (or lack thereof) does not help prevent these incidents — malicious or negligent. The early indicators of such actions distribute themselves across vast, siloed repositories that historically defied our ability to wrap our cognitively limited minds around.

Preventative Measures That Work

By focusing on manning the walls, the castle keep is left largely unprotected. The problem is that the insider has already been waved past the gates and is heading toward the crown jewels with the keys to the kingdom.

Enter machine learning-enabled network detection and response. At the most basic level, this potent combination learns what regular and irregular behavior looks like. By utilizing network data to observe how a system functions, how users interact and what resources they access, we can create a baseline of behavior.

With the baseline of “normal” behavior established, a machine learning-enabled network detection and response solution can then extrapolate what is unusual behavior — so when a user is accessing something they normally don’t, such as logging in from an unrecognized IP or exfiltrating a suspiciously large amount of data, it gets flagged.

Indications of this threat distribute themselves across diverse silos of data and are, consequently, elusive and not always easily detectable. Negligent insiders — employees who do not follow proper IT procedures — account for 62% of insider threat incidents. Consider the data analyst who, without authorization, took home a hard drive with personal data from 26.5 million U.S. military veterans that was stolen in a home burglary. The bottom line: insider threats are not going away — and the only effective, proven response, lies in advanced technology and analytics, such as user behavior analytics.