Internal Cyber Security Threats
Over the last few years, as a result of a global pandemic, the world has changed in huge and unexpected ways. For millions of employees, an office is no longer a physical place or a specific place in a downtown building. For many, it is in a converted bedroom or study at home, whilst for others, it is a café, a co-working space, or even a beach. Due to the inherent benefits relating to flexibility, remote work – or at least a hybrid environment of some days in the office and some days at home – is now here to stay. In fact, according to a 2022 McKinsey report, more than half of employed Americans have an opportunity to work from home, whilst all those surveyed want more occasions to work remotely.
Yet for all its undeniable benefits and positive intentions, remote work has resulted in not just an increase in external cybercrime, but a significant increase in insider threats. A 2022 global study on the cost of insider threats defines them as ‘a careless or negligent employee or contractor; a criminal or malicious insider; or a credential thief’. Whilst these categories are broad and not always consistent across the globe in terms of their remit, they are nonetheless a good indicator of the types of threats that have become all the more pervasive since remote work became prevalent at the start of the pandemic. However they are defined, one study found that ‘over half of organizations experienced an insider threat in 2022’, and that ‘68% of security pros are concerned or very concerned about insider risk, considering a post-Covid return to the office or a permanent hybrid work model’.
To some extent, ever since computers became mainstays in offices, insider threats of an IT kind have always been a risk to businesses. There have always been disgruntled employees, mistakes made by employees, or in high-profile or highly secure organizations, employees who have been willing to sell secret data to the highest bidder. As a concept, it is nothing new. But the rate of growth since 2020 has been astronomical.
A report by the respected Ponemon Institute in 2022 stated that ‘insider threats have increased in both frequency and cost over the past two years. Credential thefts, for example, have almost doubled in number since 2020’. An article commenting on the report says that the overall number of incidents went up by 44% in just two years, whilst the cost to impacted organizations went up from US$11.45 million in 2020 to an average of US$15.4 million in 2022, which is a 34% increase. Moreover, the average number of days it took to contain an incident in 2022 was 85 days, which is up from 77 days in 2020.
This sobering news shows that, like cyberattacks from external sources, insider threats are now inevitable and largely unstoppable. But there are certain things that can be done to mitigate the risk and minimize the threats. Microsoft proposes four practical steps:
- Prioritise employee trust and privacy – ‘Trust is the key to any functioning relationship. The best insider risk programs emphasize the balance between employee privacy and company security.’
- Collaborate across functions – ‘Insider risk is a business problem that involves the entire company… This broad involvement helps ensure wider buy-in and provides additional perspectives and resources.’
- Recognize that employees are the first and last line of defence – ‘Train people on how to handle the organization’s data properly, and repeat that message regularly so it’s always fresh. It also helps to make it personal, [and] complemented by detection tools.’
- Use machine learning tools to do more with less – ‘A new breed of insider risk management tools is emerging with adaptive security capabilities that can detect risky activities and mitigate any potential impact while staying out of the way and keeping user information private.’
All in all, these or any other mitigation steps should be part of an overall ‘data protection strategy with a holistic approach that includes the right people, processes, and training, in addition to the appropriate tools’. That is the only way to lessen the threat and ensure that the remote work setup that is so prevalent these days does not lead to companies imploding from the inside.