informa
5 MIN READ
Commentary

Why Don't CISOs Trust Their Employees?

Executives fear "malicious insiders" as top cyber threat to companies, research shows. Reasonable steps to secure and monitor systems may prevent reputational damage but are not enough.

The changing hybrid or fully remote work model has brought numerous cybersecurity vulnerabilities as companies have less insight into the way employees are working remotely in a post-pandemic world. As much as human resources and IT can warn employees to only use company devices, avoid private data exchanged on cellphones, and avoid using corporate credentials for personal business (think e-commerce, gaming, or dating websites), it's impossible to fully safeguard against cyber vulnerabilities driven by unmonitored employee activity.

Exacerbating this existing problem is the emergence of threat actors like Lapsus$, a relatively new data extortion group exemplifying the growing challenges ahead. Lapsus$ obtains illicit access to organizations using advanced social engineering techniques, as well as directly bribing or tricking employees and partners of its victims. Lapsus$ focuses its efforts on gathering highly detailed knowledge of its victims or any outsourcing partners working for them in areas such as customer support or IT help desk services. The group has repeatedly advertised their intention to buy access to data, credentials, or any valuable information about its victims and, in contrast to other ransomware actors, does not even deploy ransomware. The model — as many analyses indicate — employs a pure extortion and destruction model with victims already including the Brazilian Health Ministry, Microsoft, Nvidia, and Samsung.

When it comes to cybersecurity, employees are a wild card as human error or malicious intent can never be fully eliminated. Ponemon Institute's "2022 Cost of Insider Threats: Global Report" reveals insider threat incidents have increased 44% over the last two years, with costs per incident up more than a third at $15.38 million. These incidents are a combined result of employee negligence, criminal intent, and user credential theft.

Insider Threats Increasing

Insider threats are undoubtedly on the rise, but they are far from the most common cause of data breaches. IBM's 2022 "Cost of a Data Breach Report" as well as Constella Intelligence's "Pulse Survey Insights" research evidence that phishing is still the top cause of data breaches over the past year — nevertheless, Constella's recent survey of 100 executives revealed that the most feared cyber threat by cybersecurity leaders is the malicious insider, although malicious insiders accounted for around 10% of the most damaging attacks that surveyed organizations faced over the past year.

A malicious insider is an employee who steals information or turns a blind eye for financial or personal incentives, in many cases compromising internal credentials for their own illegal benefit. Examples of these individuals include disgruntled former or current employees selling insider knowledge or access to third parties for financial gain. Though it is virtually impossible to safeguard against all malicious insider threats, basic monitoring of activity, limiting access to intellectual property, and a healthy culture all reduce the chances of an employee choosing to steal or sell information or access for personal gain, but let’s be clear: It’s not enough.

Fallout From Malicious Insiders

Nearly 80% of respondents in Constella's survey said they monitor for insider threats. So, why are executives so fearful of malicious insiders? Is money being spent on a less-likely attack vector? Are resources being poorly optimized due to paranoia?

The presence of malicious insiders highlights three important insights:

Reputations can't be easily repaired: Damaged reputations can all too often be the true cost of a cyberattack, as nearly 60% of companies affected by a data breach are likely to go out of business due to the consequences and costs of reputational damage. Rebuilding an organization's reputation or the loss of intellectual property to competitors are genuine threats to business continuity.

Disgruntled employees signal a bigger problem: With new moral, ethical and personal standards governing the work domain, employers are under pressure to ensure their employees feel supported by a well-aligned and responsive company culture. The prospect of disgruntled employees amid increasingly polarized public debates in which companies are asked to take a side increases the likelihood of discontent.. And an employee seeking retaliation may be incentivized to act on a malicious insider threat.

If this insider were to whistle blow about the company or publicly share why they stole data from their employer, the public and media may be alerted to a bigger question: Why was this employee disgruntled? Did the company's leaders fail to reinforce a positive culture? Was something unethical occurring? Whatever the reason, a malicious insider's presence signals to outsiders that these may be questions worth asking, showing the bidirectional relationship between insider-driven cyber-risks and corporate reputation.

If malicious insiders can access sensitive data, hackers could find it, too: For most companies, it's impossible to fully restrict employee access to sensitive data, as many require this access to perform their duties. However, how the data is accessed, transferred, shared, and deleted could indicate vulnerabilities that both potential malicious insiders and external threat actors may discover. Organizations need to maintain a robust, up-to-date cyber and physical defense against "cracks" in the infrastructure that could make information more available.

What Can We Do?

The answer isn't simple, but solutions for mitigating the impact of malicious insider activity go hand-in-hand with maintaining a strong cyber defense. Tracking security around sensitive data — such as if an employee downloads files onto an external hard drive — is not enough anymore. The cybersecurity landscape is far too unpredictable, threat actors are too sophisticated, and monitoring for all threats is too complex an undertaking to provide a bulletproof solution. 

However, in addition to taking reasonable steps to secure and monitor systems to save a company from a disgruntled employee or threat actor gaining access to your organization, there is more that could and should be done. Organizations need to expand the scope of monitoring into active, real-time, scalable analysis that includes employees and partners. This is because the gaps and vulnerabilities of not doing this in real time, across all employees or partners, and using up-to-date external data sources coupled with historical data, the chances of falling victim to an insider threat remain tremendously high. There is a common answer to the legitimate concerns about malicious insiders: Monitoring for insider threats can and must be improved, carried out in real time, and performed at scale, not reactively or for just a handful of employees or stakeholders holding privileged or sensitive positions.