What is an insider attack and how does one start?

Insider cyber attacks are a common cause of data breaches, and both the volume of attacks and the overall cost of one are steadily increasing year over year. In 2020, the average price tag for companies hit was $11.45 million, up from $8.7 million just two years before.

Insider attacks occur when an employee uses their authorized access to intentionally or inadvertently harm an organization by stealing, exposing or destroying its data. Whether the attack is caused by a malicious or negligent insider, the repercussions are the same. However, negligence is something you can actively work to avoid. This article will help you gain a better idea of how a negligent insider threat originates and what can be done to prevent an attack from costing your company millions.

How do insider threats emerge?

Insider attacks start with an insider threat. This can be an employee or other authorized individual, such as a contractor, who maliciously uses their access to compromise an organization’s sensitive data. They can work alone or on behalf of an outside hacker or hacker group, and their intentions often stem from a place of vengeance, greed or competition. That’s why you’ll likely hear of insider attacks coming from:

  • Disgruntled ex-employees who want to punish their previous employers by exploiting sensitive information
  • Individuals seeking huge financial gains from selling personal data
  • Employees planning to defect to, or even start, a rival company, using consumer information stolen from their previous employer to give themselves a competitive edge

Negligent insider attacks are just that: a result of careless behavior but not driven by malicious intent. Employees or contractors who facilitate these attacks aren’t doing so on purpose, but because negligent insider threats are responsible for 62% of cyber incidents, it’s important to note which seemingly harmless actions could lead to a full-on attack.

Negligent insider threats

Improper use of company equipment

Especially in today’s remote work environments, the line between using personal devices for work purposes and using work devices for personal purposes is blurred. Rather than switching between two devices, employees may have personal and work accounts set up on one for convenience. This opens up the floodgates to risk, however, because a majority of people aren’t nearly as safe as they should be when using devices for personal versus work purposes.

Sending sensitive data to a personal email

Those who do this likely do so with good intentions. Perhaps it’s to spend extra time on a task outside of the office without bringing home one’s work laptop, or to consult a roommate, friend or spouse for help completing that task. The latter happened at Boeing in 2017 when an employee sent a spreadsheet containing the personal data of 36,000 colleagues to his non-Boeing-employed wife for formatting assistance. It was still considered a data breach although it was quickly contained and the risk of harm was deemed to be very low.

Regardless of intent, sending sensitive data to one’s personal email takes it out of the company’s control and places it in an unauthorized, unmonitored location, and thus at risk.

Phishing attacks

When email ascended as a primary means of communication in remote work environments, cyber criminals saw an opportunity to phish and seized it. Purporting to be bosses, managers or other leadership roles, they deceived unsuspecting employees into exposing loads of sensitive information. Phishing emails aren’t new, but they’ve become increasingly sophisticated at disguising themselves, especially since the start of the COVID-19 pandemic, so it’s no surprise most companies view them as an ongoing top problem.

Poor data security enforcement

Having data security technology is one thing; actively using it is another. With everything else information security teams have to worry about, even the most essential tasks (updating antivirus software, backing up information or securing databases, for example) can fall by the wayside, leaving customers open to phishing attacks and their data vulnerable to exploitation.

Human error

While most negligent insider threats can be attributed to human error, some seemingly innocent mistakes have repercussions far deeper than a “Sorry, wrong person,” message can fix. Accidents that could lead to serious attacks include:

  • Emailing sensitive information to the wrong person or people, and
  • Setting broad access privileges for a shared document, allowing anyone with a link to get in and view or modify the data it contains.

Why so serious? Once this information is out there, it’s out there. You can’t unsend an email after it’s been delivered. If caught in time, you may be able to restrict access on a shared document before too much damage is done, but if any copies were made in the meantime, they’re out of your control.

Solutions to combat insider attacks

While neither malicious nor negligent insider attacks can be entirely prevented, there are certain precautions organizations can take to significantly reduce the risk.

User training and awareness

Employees need to understand what’s at stake in order to ensure they’re using your organization’s data in the safest way possible. Communicate the actions and behaviors that could put sensitive data at risk of compromise, such as falling prey to a phishing attack, and provide examples of what these might look like. Cyber attacks of all kinds are quickly becoming more sophisticated, so a good rule of thumb is to recommend that employees always exercise caution while using sensitive data.

To preemptively combat malicious insider attacks, your cultural approach to data security should also try to remedy dissatisfaction among employees, as this could eventually create disgruntled individuals who would exploit data out of retaliation.

User behavior analytics

This technique uses machine learning to evaluate typical user activity as it pertains to your organization’s sensitive data and send alerts if any unusual behavior, such as a user accessing the network at abnormal hours or working with data atypical of that user’s role, is detected.
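The baseline-and-alert idea described above, as an added example that is not from the original article or any vendor's product. A simple per-user frequency baseline stands in for the machine-learning model; the log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

def build_baseline(events):
    """Per-user profile: how often each hour of day and data category was seen."""
    profile = defaultdict(lambda: {"hours": Counter(), "categories": Counter()})
    for ts, user, category in events:
        profile[user]["hours"][datetime.fromisoformat(ts).hour] += 1
        profile[user]["categories"][category] += 1
    return profile

def hour_is_usual(hours, hour, slack=1, min_seen=2):
    """Usual if the user was active within `slack` hours of this hour at least
    `min_seen` times (the window wraps around midnight)."""
    seen = sum(hours[(hour + d) % 24] for d in range(-slack, slack + 1))
    return seen >= min_seen

def review(profile, event, min_share=0.05):
    """Return the reasons an event deviates from the user's baseline."""
    ts, user, category = event
    if user not in profile:
        return ["no baseline for user"]
    p, reasons = profile[user], []
    hour = datetime.fromisoformat(ts).hour
    if not hour_is_usual(p["hours"], hour):
        reasons.append(f"access at unusual hour {hour:02d}:00")
    share = p["categories"][category] / sum(p["categories"].values())
    if share < min_share:  # category rarely or never touched by this user
        reasons.append(f"category '{category}' atypical for user")
    return reasons

# Constructed history: alice works daytime hours with HR and payroll data.
HISTORY = [(f"2024-03-{day:02d}T{hour:02d}:15:00", "alice", cat)
           for day in range(4, 9)
           for hour, cat in [(9, "hr"), (11, "payroll"), (14, "hr"), (16, "payroll")]]
# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("2024-03-11T10:05:00", "alice", "hr"),           # matches baseline
    ("2024-03-12T02:40:00", "alice", "source_code"),  # odd hour, odd data
    ("2024-03-12T15:30:00", "alice", "source_code"),  # usual hour, odd data
]
PROFILE = build_baseline(HISTORY)

if __name__ == "__main__":
    for event in NEW_EVENTS:
        print(event, "->", review(PROFILE, event) or "ok")
```
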

Data discovery and classification

This will identify the location, volume and context of all the data your organization possesses, whether it’s on premise, on endpoint devices or in cloud repositories. From here, the data can be protected based on its level of sensitivity, which includes designating user access privileges.
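How classification can drive access privileges, as an added example (not from the original article or any vendor's product): it labels text by the sensitive patterns it contains and flags documents shared more broadly than the label allows. The patterns, labels, scope names and policy table are assumptions, and the sample documents are constructed.

```python
import re

# Assumed patterns: US SSN format and 13-19 digit card numbers with separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return (label, findings); any sensitive finding makes the text 'restricted'."""
    findings = set()
    if SSN_RE.search(text):
        findings.add("ssn")
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            findings.add("card_number")
    return ("restricted" if findings else "internal"), findings

# Assumed policy: the broadest sharing scope each label may have.
SCOPE_RANK = {"named_users": 0, "organization": 1, "anyone_with_link": 2}
MAX_SCOPE = {"restricted": "named_users", "internal": "organization"}

def audit(documents):
    """List documents whose sharing scope is broader than their label allows."""
    violations = []
    for doc in documents:
        label, findings = classify(doc["text"])
        if SCOPE_RANK[doc["scope"]] > SCOPE_RANK[MAX_SCOPE[label]]:
            violations.append((doc["name"], label, sorted(findings), doc["scope"]))
    return violations

# Constructed sample inventory (the card number is a well-known test value).
DOCS = [
    {"name": "team-lunch.txt", "scope": "organization",
     "text": "Lunch order 1234 5678 9012 3456 confirmed"},
    {"name": "payroll-export.csv", "scope": "anyone_with_link",
     "text": "Jane Doe,123-45-6789,4111 1111 1111 1111"},
    {"name": "roadmap.txt", "scope": "anyone_with_link", "text": "Q3 plans"},
]

if __name__ == "__main__":
    for row in audit(DOCS):
        print(row)
```

The Luhn check is what keeps the 16-digit order number in the first document from being labelled as a card number.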

Privileged access management

This mechanism grants access only to users who require sensitive data to fulfill their work responsibilities. This lowers the risk of sensitive data access credentials being stolen, and in the case that an insider attack occurs, it can be traced to the user source, which helps reduce the time it takes to contain the attack.

Monitoring tool

After sensitive data has been properly discovered, classified and protected, it should be monitored at all times using an automated tool. While this is similar to user behavior analytics in that a data monitoring tool sends alerts after detecting unusual activity, data monitoring will actually monitor data sites rather than users themselves. This ensures you’re protected from all sides, especially in the event of a negligent insider attack. Whereas a malicious insider will exhibit abnormal behavior, a negligent one likely won’t. Instead, telltale signs of an attack will occur directly within the data.

Data remediation

If an accident occurs where sensitive information gets distributed to the wrong end user(s) within an organization, a data remediation tool can properly dispose of duplicate data or rectify any modifications made to it so nothing is left vulnerable to compromise.

Prevent insider attacks with a holistic approach to data security

Spirion Sensitive Data Platform automates the vital processes of sensitive data discovery, classification and remediation to ensure your organization is safe from the threat of malicious and negligent insider attacks. It seamlessly integrates with additional security solutions, such as privileged access management platforms, and even enhances their capabilities with its granular approach to data classification.

SDP can also be complemented by other powerful tools in Spirion’s suite of data security solutions, including Sensitive Data Watcher, which offers ongoing data monitoring on endpoints and notifies if unauthorized or abnormal activity is detected. Explore your options for insider attack prevention with Spirion today.