Cyber-threats that come from within an organization – carried out by employees, former employees, contractors or business associates – represent a very real and growing concern for organizations. Risky behavior can be intentional, a la Edward Snowden, or inadvertent, as is the case with almost all of the data breaches stemming from cloud storage misconfigurations. In either case, the damage can be considerable.
In a recent survey of 179 IT professionals by Imperva released Wednesday, a full 43 percent said they believe they could execute a successful attack on their own organizations. When asked about how they would pull it off, 23 percent of them said they would use their company-owned laptop to steal information from their company, while 20 percent said they would strike from their personal desktop computer and 19 percent said their laptop.
Overall, only a third believe it would be difficult or impossible to carry out a successful insider attack, while about a fifth (22 percent) said they would have a 50/50 chance.
“Business’ continued reliance on data means more people within an organization have access to it,” said Imperva CTO Terry Ray. “The result is a corresponding increase in data breaches by insiders, either through intentional (stealing) or unintentional (negligent) behavior of employees and partners. While the most sensational headlines typically involve infiltrating an ironclad security system or an enormous and well-funded team of insurgents, the truth of how hackers are able to penetrate your system may be less obvious: it’s your employees.”
Often workers aren’t aware that their behavior is opening up risk for their companies – which partially accounts for the fact that high-risk behavior still abounds. This latter point is evidenced by stats from earlier in the summer from Dtex, which found in an analysis that 72 percent of its security assessments uncovered unauthorized use of high-risk applications by employees.
Also, 78 percent of assessments found company data being kept publicly accessible online – a 14 percent increase from last year; and a whopping 90 percent of assessments found company data being transferred to unencrypted USB devices (although this is a 5 percent decrease from last year).
Meanwhile, 60 percent of assessments found users actively attempting to bypass security measures through private or anonymous browsers (this, however, is not always an intentionally malicious state of affairs).
Nonetheless, employer confidence in their ability to keep tabs on this weak human link persists: The Imperva survey showed that nearly two-thirds of organizations believe they can detect malicious insiders, while 79 percent of organizations said they have a way to tell if their employees were accessing something they shouldn’t.
However, a third (33 percent) admitted it would take weeks or months to discover if an employee had gone to the dark side, while 14 percent said they would never know.
“Insider threats are one of the top cybersecurity threats and a force to be reckoned with,” Ray added. “Every company will face insider-related breaches sooner or later regardless of whether it is caused by a malicious action or an honest mistake. Every company can take some basic steps in their security posture to minimize insider threats, including background checks, monitoring employee behavior, using the principle of least privilege, controlling and monitoring user access, and educating employees.”