Insiders Causing 20% of Cybersecurity Incidents: Verizon

Insider attacks, which exploit internal data and system access privileges, are often only found months or years after they take place.


Twenty percent of cybersecurity incidents and 15% of data breaches investigated by Verizon in 2018 originated from within an organization, with financial gain (47.8%) and pure fun (23.4%) the top motivators.

So severe was this discovery by San Francisco-based Verizon in its Data Breach Investigations Report series that the dataset and caseload analysis has been refocused into the Verizon Insider Threat Report.

“Some industries generate monetizable data such as bank, payment, or PII (personally identifiable information); others have customer lists or bidding information. In short, all types of companies have assets of value—and employees who could threaten these assets by misuse ranging from inappropriate web use to storing sensitive data on a thumb drive to stealing a coworker’s identity,” the insider threat report revealed.

Insider attacks, which exploit internal data and system access privileges, are often only found months or years after they take place, making their potential effect on a business significant. However, Verizon noted in its report, many organizations treat insider threats as a taboo subject.

“For far too long data breaches and cybersecurity incidents caused by insiders have been pushed aside and not taken seriously,” Bryan Sartin, executive director of security professional services at Verizon, commented. He added that companies are too often hesitant to recognize, report or act against employees who have become an organizational threat. “This has to change. Cyberthreats do not just originate from external sources, and to fight cybercrime in its entirety we also need to focus on the threats that lie within an organization’s walls.”

Profiled within specific case scenarios from Verizon’s own investigative caseload, five insider personalities were identified:

The Careless Worker. These employees or partners misappropriate resources, break acceptable use policies, mishandle data, install unauthorized applications and use unapproved workarounds. “Their actions are inappropriate as opposed to malicious, many of which fall within the world of Shadow IT (i.e., outside of IT knowledge and management).”

The Inside Agent. Insiders recruited, solicited or bribed by external parties to exfiltrate data.

The Disgruntled Employee. Insiders who seek to harm their organization via destruction of data or disruption of business activity.

The Malicious Insider. These are employees or partners with access to corporate assets who use existing privileges to access information for personal gain.

The Feckless Third-Party. Business partners who compromise security through negligence, misuse, or malicious access to or use of an asset.

The report also noted: “External attackers can compromise systems in hours or even minutes, while it can take months or more for organizations to detect intrusions. Since insiders have fewer barriers to overcome and compromises don’t require circumventing controls, the time-to-compromise and time-to-exfiltrate metrics for insider threat actions are grim.”

The report provided practical advice and countermeasures to help organizations deploy a comprehensive insider threat program, which should involve close co-ordination across all departments, from IT security, legal and HR to incident response and digital forensics investigators.

“Detecting and mitigating insider threats requires a different approach compared to hunting for external threats,” Sartin continued. “Our aim is to provide a framework that enables companies to be more proactive in this process and to slice through the fear, uncertainty and embarrassment that surrounds this form of insider cybercrime.”

Verizon, which sits between the sources and victims of cybercrime daily, presented countermeasures, condensed here, to help reduce risks and enhance incident response efforts:

  1. Integrate a comprehensive insider threat program with other existing strategies such as a risk management framework, human resources management and intellectual property management to strengthen efficiency, cohesion and timeliness in addressing insider threats.
  2. Refine threat hunting capabilities such as threat intelligence, dark web monitoring, behavioral analysis and endpoint detection and response solutions to search, monitor, detect and investigate suspicious user and account activities, inside and outside the enterprise.
  3. Perform vulnerability scanning and penetration testing to identify gaps within a security strategy, including potential ways insider threats could maneuver within the enterprise environment.
  4. Implement personnel security measures including human resource controls (such as employee exit processes). Also, security access principles and awareness training can mitigate incidents associated with unauthorized access to enterprise systems.
  5. Employ physical access controls such as identity badges, security doors and guards to limit physical access, as well as digital access methods including card swipes, motion detectors and cameras.
  6. Implement network perimeter and segment security solutions, such as firewalls, intrusion detection/prevention systems, gateway devices and data loss prevention solutions to detect, collect and analyze suspicious traffic potentially associated with insider threat activities.
  7. Employ established endpoint security solutions, such as critical asset inventories, removable media policies, device encryption and file integrity monitoring to deter, monitor, track, collect and analyze user related activity.
  8. Apply data ownership, classification and protection, as well as data disposal measures in order to manage the data lifecycle and maintain confidentiality, integrity and availability with insider threats in mind.
  9. Employ identity, access and authentication management measures to manage, limit and protect access into the enterprise environment.
  10. Establish an incident management process that includes an insider threat playbook with trained and capable incident handlers.
  11. Have a retained incident-response resource available to conduct a full-spectrum of deep-dive investigations.