A common debate in the cybersecurity sphere is the relative severity of insider and outsider threats, and which of the two can cause more damage. Cybersecurity companies were built to stop anything from coming in, but over time the need to protect from within has grown. The reality is that neither is more severe than the other; in many instances an insider threat turns into an outsider threat, and a threat can switch between the two repeatedly depending on the circumstances. An outsider threat is a deliberate attempt by an individual or group to break into or compromise a system. An insider threat, however, can arise both deliberately and through simple human error, meaning an insider threat may not even realise they are one. There are three ways we can categorise an insider threat:
- Compromised Threat: This is when a cybercriminal gains access to an employee's credentials without the employee knowing, and then uses those credentials for malicious ends. The employee becomes an insider threat without realising it; the difference is that someone else is operating under their name to commit malicious acts within the organisation. This can be described as an insider threat turning into an outsider threat, since the actor is external, but the source of the threat originated from within.
- Negligent Threat: This is when an employee within an organisation mistakenly misuses sensitive company information or reveals confidential information through email or external devices. It is purely down to human error and is not the result of a cybercriminal obtaining the employee's credentials through phishing emails. It also covers the case of an employee using personal devices, which are not protected by the company, for company purposes.
- Malicious Threat: This is when an employee, regardless of rank, uses their privileged access within an organisation for malicious ends. They may even use other employees' credentials to carry out their actions. The key difference from a "compromised threat" is that the threat always remains an insider, someone working for the organisation, and never becomes an outsider threat until that employee leaves the organisation and is no longer an employee.
What are experts saying?
According to Tessian, 90% of data breaches originate from email. According to George Vasey, Partnerships Manager at Tessian, "based on Tessian's platform data, we estimate that a 1,000-employee company will send 707 misdirected emails and misattached files per year. We also estimate that a 1,000-employee company will send 6,250 sensitive unauthorised emails per year."
He highlighted that most of the time, breaches occur because of negligence or poor online housekeeping, and employees often don't fully realise the consequences of sending sensitive information in an unauthorised manner. Another point was how commonly employees misdirect emails to the wrong recipients; this is entirely down to human error but happens more often than people think. He also noted that employees who become malicious insider threats are mostly those looking to leave their current employer, for various reasons, and that this is a behavioural pattern which, fortunately, can be tracked. Still, the most common breaches continue to come from negligent and compromised insider threats.
George emphasises, though, that even with all the systems his organisation has in place to deal with human error, there is still nothing stopping an employee with malicious intent from doing damage to an organisation. No matter what, organisations place an element of trust in their employees, and so employees have privileged access to sensitive information because they need it to do their jobs.
Zero Trust Model
According to Craig Harwood, Regional Director at CyberArk, "Zero Trust model uses a framework of advanced technologies that puts people through a vetted process regardless of whether they are an employee or not in order to verify their access. Zero Trust assumes that no one is to be trusted until they are verified to access whatever they need to, and this process will happen every time they try to access information." This acts as a security protocol: if an employee is somewhere they are not supposed to be, or doing something they are not supposed to do, they can be identified and their access restricted. Zero Trust policies are also enforced in real time. Rather than a single password and login step, there are many processes that must be followed, forming a continuous process of validation such as:
- Multi-factor authentication
- Employees' geographic locations
- Detecting suspicious logins or anyone logging in from unknown devices
- Anything installed on endpoint devices
- Restricting or granting privileges
- Authenticating new employees
- Temporary access for guest users
- Securing endpoints of registered devices and hardware
- Restricting access to certain websites and browsers
- Tracking behavioural analytics of remote users
- Updating policies and permissions to grant or remove access
- Containing compromises, breaches, and attacks
- Tracking loopholes in the system that need to be patched
- Preventing a compromised device from compromising others
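As an added illustration, not code from the article or from CyberArk, here is a minimal per-request policy check in Python that applies several of the signals above (MFA, registered device, geographic location, behavioural change) on every access attempt rather than once at login. The user, device and country tables are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: per-user registered devices, allowed countries,
# last observed country, and the sensitivity of each resource.
REGISTERED_DEVICES = {"alice": {"laptop-A1"}, "bob": {"laptop-B7", "phone-B2"}}
ALLOWED_COUNTRIES = {"alice": {"ZA"}, "bob": {"ZA", "GB"}}
LAST_SEEN_COUNTRY = {"alice": "ZA", "bob": "ZA"}
DATA_CLASSIFICATION = {"hr-payroll": "sensitive", "wiki": "internal"}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    mfa_passed: bool
    resource: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Re-evaluate trust on every request; there is no 'already trusted' shortcut."""
    d = Decision(allow=True)
    if not req.mfa_passed:
        d.allow = False
        d.reasons.append("mfa_required")
    if req.device_id not in REGISTERED_DEVICES.get(req.user, set()):
        d.allow = False
        d.reasons.append("unregistered_device")
    if req.country not in ALLOWED_COUNTRIES.get(req.user, set()):
        d.allow = False
        d.reasons.append("country_not_allowed")
    # Behavioural signal: a change of country is recorded even when the country is allowed.
    if req.country != LAST_SEEN_COUNTRY.get(req.user):
        d.reasons.append("location_change")
    # Sensitive data combined with anomalous context is denied until re-verified.
    if DATA_CLASSIFICATION.get(req.resource) == "sensitive" and "location_change" in d.reasons:
        d.allow = False
        d.reasons.append("sensitive_resource_anomalous_context")
    return d


if __name__ == "__main__":
    # Compromised-credential scenario: correct password, but no MFA, unknown device, new country.
    print(evaluate(AccessRequest("alice", "laptop-X9", "US", False, "hr-payroll")))
```

The reasons list is what a detection team would log and alert on; a compromised credential typically trips several checks at once even though the password itself was correct.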
Craig explains that all of the above factors are put in place to put even the most trusted employees under the microscope every time their credentials are used or sensitive information is accessed. Zero Trust, however, is just one of many tools that can be used to track insider threats.
To conclude, there are many variables to insider threats, and controlling human action can be difficult. The main point, however, is that insider threats can be mitigated and tracked, and every year brings further improvement in reducing these variables. It is important to note that most insider threats happen out of negligence rather than malicious intent, so education in safe online housekeeping becomes a natural solution, alongside understanding the role of your cybersecurity partner.