
Addressing Rising Insider Threats With Zero Trust


Insiders such as employees, partners, and contractors are routinely at the center of costly data breaches.

Did you know that insider threats account for 60% of cyberattacks on enterprises?

Insider threats on the rise

You would probably be startled to know that the number of incidents emanating from insiders, especially those involving credential theft, has tripled since 2016, from an average of 1 to 3.2 per enterprise [1].

Some recent examples of insider threats:

  • In 2020, two employees from a large industrial conglomerate first downloaded thousands of files with trade secrets, and then sent them to private email addresses. These malicious insiders then traded this information for business advantage.
  • In 2018, a disgruntled employee of an electric car company exfiltrated data owing to privileged access given to employees.

During the pandemic, when – almost overnight – enterprises were forced to implement solutions that could allow employees to shift to work remotely, it created extensive opportunities for insider threats. What fuelled the fire was the fact that more and more enterprises today are reliant on cloud.

As a result, the number of insider threats increased 47% between 2018 and 2020 [3].

But why are insider threats dangerous?

1. Most cases go unnoticed for months

Insider threats are difficult to detect, and it can take more than two months to contain an insider incident. As per ‘The Cost of Insider Threats 2020’ study, it took an average of 77 days to contain an insider incident, and 87% of incidents could be contained only after more than 30 days.

2. Insider threats are more expensive than external threats

The fact that it takes time to detect and contain an insider threat has severe implications for the cost of an insider threat incident. It is widely believed that the impact of an insider threat is more expensive than that of external threats. As per ‘The Cost of Insider Threats 2020’ study, the average cost of an insider threat incident rose to $644K in 2020 [4].

The common insider threat scenarios

  • Compromised Credentials

A privileged user’s credentials are stolen by a contractor who uses them to gain access.

  • Mobile Phishing

A remote worker gets phished on a BYO device through a malicious link received via text.

  • Data Exfiltration

Someone leaving the company copies confidential documents and sends to a personal email or cloud storage account.

  • Privileged Account Misuse

A privileged account is misused to gain access and steal crown jewels (data).

So, what does all this mean for enterprises?

To tackle the threat posed by the common insider threat scenarios highlighted above, you and your security team need the ability to quickly and accurately detect, investigate and respond to these potentially damaging attacks.

To do so, you need to:

  • Know your users, which is enabled with answers to questions:
    • Who has access to sensitive data?
    • Who should have access?
    • What are end-users doing with data?
    • What are administrators doing with data?

Types of users (insiders)

User Type          | Awareness          | Intent
Careless Users     | Negligent/Ignorant | Non-malicious
Criminal Users     | Attentive/Alert    | Malicious
Compromised Users  | Negligent/Ignorant | Non-malicious

Did you know that the negligent insiders – and not criminal insiders – were the root cause of most incidents (63 percent)?

Source: The Cost of Insider Threats 2020

Imagine the damage that could be inflicted if the negligent insider had privileged access. As per 2021 IBM Security X-Force Insider Threat Report, 40% of insider threat incidents involved an employee with privileged access to company assets.

  • Know your data, which is enabled with answers to questions:
    • What data is sensitive?
    • Is sensitive information being exposed?
    • What risk is associated with sensitive data?
    • Can admins control privileged user access to sensitive data?

Zero trust to modernize security to address rising insider threats

A zero-trust approach continuously verifies users and also reduces data exposure if there is a breach. To address the insider threats, businesses in India should consider adopting a ‘Zero-trust’ approach.

Zero Trust approach for addressing Insider Threats

You might ask why zero trust, and why zero trust now?

The current security posture of most enterprises is manual and reactive. As the scope and scale of insider threats continue to increase, static protection policies become less effective over time. There is, hence, a need to proactively manage these cybersecurity risks. A zero-trust based approach helps by:

  • Enforcing least privilege access: One of the best methods for preventing access-level-related insider incidents is the zero-trust principle of implementing least privilege, ensuring that users have the lowest level of access needed to carry out their duties for the organization and lowering the chances that an insider will gain unintended access to data or assets. This can come in the form of a privileged access management (PAM) solution. Surprisingly, PAM is the second-most underutilized tool and activity used to reduce insider threats, with only 39% of organizations interviewed deploying the tool.
  • Discovering risky user behavior: One of the key challenges with the current model is limited visibility into user behavior patterns across devices, systems, and data. It is important to understand what is normal in your environment. You need to monitor user activity across assets to identify anomalous behavior and enable an automated response to it. By adopting a user-focused view, a zero-trust approach can help your security teams quickly detect user behavior anomalies and manage user risk from a centralized location.
  • Embedding threat intelligence: Insider threat detection is not about “known bad” but existing threat intelligence is primarily limited to known bad actors.
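The "know your users" questions above (who has access, who should, what are they doing with the data) and the least-privilege and risky-behavior points of the zero-trust list can both be worked through over a small, constructed access log. The following is an added example and not code from the original post or from IBM: the entitlement table, log entries and destination names are all invented, and the spike factor is an assumed threshold. It reports entitlements that were never exercised (least-privilege review) and flags the kind of exfiltration pattern described in the scenarios above.

```python
"""Least-privilege review and user-behaviour baselining over a constructed access log."""
from collections import defaultdict
from statistics import mean

# Constructed sample data, not from the original post.
# Entitlements: which sensitive data stores each user may read.
GRANTS = {
    "alice": {"hr-db", "finance-share"},
    "bob": {"finance-share", "design-vault"},
    "carol": {"design-vault", "hr-db", "finance-share"},
}
CORPORATE_DESTINATIONS = {"corp-laptop", "corp-vdi"}  # assumed managed endpoints

# Daily access log: (day, user, data store, files downloaded, destination)
LOG = [
    (1, "alice", "hr-db", 12, "corp-laptop"),
    (2, "alice", "hr-db", 9, "corp-laptop"),
    (3, "alice", "hr-db", 11, "corp-laptop"),
    (1, "bob", "design-vault", 20, "corp-laptop"),
    (2, "bob", "design-vault", 18, "corp-laptop"),
    (3, "bob", "design-vault", 2100, "personal-email"),
    (1, "carol", "design-vault", 5, "corp-laptop"),
]


def unused_grants(grants, log):
    """Entitlements never exercised in the window: candidates for revocation."""
    used = defaultdict(set)
    for _, user, store, _, _ in log:
        used[user].add(store)
    return {u: sorted(s - used[u]) for u, s in grants.items() if s - used[u]}


def risky_activity(log, grants, spike_factor=10):
    """Return (day, user, reason) findings: access without an entitlement, data
    sent to a non-corporate destination, or a daily download count far above
    that user's own earlier baseline (assumed spike_factor multiple)."""
    findings = []
    history = defaultdict(list)  # per-user counts from earlier days
    for day, user, store, count, dest in sorted(log):
        if store not in grants.get(user, set()):
            findings.append((day, user, f"no entitlement for {store}"))
        if dest not in CORPORATE_DESTINATIONS:
            findings.append((day, user, f"{count} files sent to {dest}"))
        if history[user] and count > spike_factor * mean(history[user]):
            base = mean(history[user])
            findings.append((day, user, f"download spike: {count} vs baseline {base:.0f}"))
        history[user].append(count)
    return findings
```

Baselining against a user's own earlier activity rather than a global threshold is what keeps a low-volume user's unusual day visible while a routinely high-volume role is not flagged every day.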

Zero trust is a marathon, not a sprint

It’s important to remember that a zero-trust approach aims to wrap security around every user, every device, every connection — every time, and hence it takes time to build and is continuously adaptive.

To get started with zero trust, CISOs need to ask – and answer – some pertinent questions:

  • How to map out business goals and define a zero-trust strategy tailored to specific needs?
  • How to understand the landscape and capabilities offered by the current security and IT investments and identify gaps?
  • How to clarify and prioritize zero trust projects and initiatives to ensure demonstrable success?

If you want to know where to start or how to merge existing solutions into a zero-trust security strategy, IBM Garage experts can work with you to co-create a modern, open approach to zero trust security. To get started you may consider the IBM Zero Trust Framing & Discovery Workshop.

To summarize, insider threats can be costly and disruptive to the business. With the rise of remote work and more workloads migrating to the cloud faster, insider threats are exploding.

Many organizations are turning to a zero-trust approach to modernize security and help meet these threats. A zero-trust framework helps by never assuming a user should gain access. It isolates threats and insulates your most valuable resources.

Zero trust provides organizations with adaptive and continuous protection for users, data, and assets, giving them the ability to manage insider threats proactively, limiting disruption to critical operations and strengthening resiliency.

My next blog in this series will focus on zero trust for the remote workforce.

Connect with Tushar Haralkar LinkedIn


Read more here:

The Cost of Insider Threats 2020

2021 IBM Security X-Force Insider Threat Report

Blueprint: Reduce the Risk of Insider Threats with Zero Trust

Security Software Technical Sales Leader, IBM Technology Sales, India-South Asia
