In the realm of cybersecurity, where hackers lurk in the shadows, one of the most insidious threats may come from an unexpected source: insiders. Yes, the very people entrusted with protecting your business can sometimes turn into its most dangerous adversaries. Insider threats can take many forms, from unintentional mistakes to deliberate acts of harm. 

Traditionally referred to as an "insider threat," it may be time for a name change to "insider risk." Why? Because the risk extends far beyond disgruntled employees and often includes interns, careless third-party vendors, nation-state actors who have had an operative hired, or a well-meaning but careless individual. Anyone with access can become an unwitting pawn in a cyber scheme and compromise sensitive data. Motives range from stealing your intellectual property to causing digital mayhem. Remember that old saying: "Keep your friends close, but your enemies closer." Well, in cybersecurity, it seems the enemy might just be sitting right beside you. 

Here's the harsh reality: A compromised identity or stolen intellectual property can cripple your business. A company's true value lies in its intellectual property, products and customer data. When these get compromised, it's like losing your secret sauce: your competitive edge goes up in smoke. 

By focusing on the 3 R's of cybersecurity — risk, resilience and recovery — you can establish an insider risk program to protect your company. 

Recent reports have shown that nation states such as North Korea are placing fraudulent job candidates inside companies so that their operatives gain legitimate access to sensitive data and can sabotage systems from the inside. As the workplace shifts, external bad actors also target remote workers, whose devices and accounts are often easier to compromise, to establish a foothold in the company's environment for intellectual property theft, data exfiltration, sabotage, ransomware and financial gain. Intellectual property theft involves employees taking sensitive company data, such as trade secrets or customer information, for personal gain or to sell to competitors. Data exfiltration is the movement of company data to external servers or personal cloud storage; it is often unintentional, carried out through a compromised device or unauthorized software the employee installed. Sabotage is the work of disgruntled employees who intentionally damage or disrupt company systems, leading to financial loss and operational disruption. 

And let's not forget about re-organizations; they can create a breeding ground for insider risk. People change roles, but their old entitlements rarely change with them. That's why it's crucial to react quickly and ensure everyone has the right access at the right time, and that access no longer needed for the new role is removed rather than accumulated.

Using the 3 R's to tackle insider risk

How are you using the 3 R's of cybersecurity (risk, resilience and recovery) to tackle insider risk? 

  • Risk: Do you have real-time visibility into your insider risk? Do you have controls to prevent it or reduce impact?
  • Resilience: Are your tools, systems and processes resilient enough to detect and respond to an insider threat at the speed and sophistication required?
  • Recovery: Like breaches, insider threats are inevitable. Are you able to recover from the impact of an insider threat such as data disclosure, intellectual property theft or ransomware to keep your business operational and reduce reputational damage?

Historical insider risk compromises

Insider risks are accelerating and come in many forms. It's a stark reminder that even the most secure systems can be compromised from within. Understanding the history of real-world insider threats will help you establish an insider risk program. This is the first step to visibility and controls to evaluate and monitor your risk.

While insider risks often remain undisclosed, here are five high-profile examples from recent years:

  • Tesla (2023): Two former employees leaked sensitive personal data to a foreign media outlet. The leaked information included names, addresses, phone numbers, employment records and social security numbers of over 75,000 current and former employees. The insider breach also exposed customer bank details, production secrets and complaints about Tesla's full self-driving features.
  • Yahoo (2022): A research scientist at Yahoo stole proprietary information about Yahoo's AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo's intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job. 
  • Apple (2022): Rivos hired more than forty former Apple employees, and Apple accused at least two engineers of taking gigabytes of confidential SoC information, which could "significantly accelerate" SoC development at Rivos. 
  • Mayo Clinic (2020):  A disgruntled employee stole patient data by illegally accessing the private health information of over 1,000 patients, including sensitive images taken during clinic appointments. The Mayo Clinic fired the employee and conducted an internal analysis that found no evidence of intent to use the information for fraudulent purposes.
  • Capital One Data Breach (2019): A former Amazon Web Services employee exploited a misconfigured web application firewall in Capital One's AWS environment to obtain cloud credentials and access the sensitive data of millions of Capital One customers. Strictly speaking the attacker was not a Capital One insider; the case is listed here because insider knowledge of how a platform works, in this instance the cloud provider's, was turned against one of its customers.

Identifying and tracking insider risks with enhanced, real-time visibility could have prevented or mitigated many of these situations. While no program is perfect, a strong insider threat program that matures over time to address ever-evolving insider risk vectors is essential for every business. Resilience is what ensures your systems and tools are robust enough to withstand attacks that originate from within.

There are many ways to begin to increase your resilience around insider risks, including:

  • Know your employees: Conduct thorough background checks on new hires, and regularly review the privileges of existing employees. A little bit of detective work can go a long way in preventing insider threats. Recently, North Korea has actively targeted Western companies by getting fraudulent employees hired, using that access for intellectual property theft and financially motivated ransomware attacks.
  • Train, train and train again: Educate employees about cybersecurity best practices, including the importance of strong passwords, recognizing phishing scams and reporting suspicious activity. A well-trained workforce is a more resilient one.
  • Leverage UEBA (User and Entity Behavior Analytics): This technology builds a baseline of normal behavior for each user and system account and flags deviations from it. Keep an eye on user behavior, especially unusual access patterns, off-hours activity or excessive data transfers relative to that user's own history. Think of it as digital surveillance, but for the good guys.
  • Segment your network: Divide your network into smaller, more manageable segments to limit the potential damage of an insider attack.
  • Know your roles: The key to tackling insider threats is knowing the roles in your organization. Who needs access to what, when and why? By understanding "normal" activity and using AI to identify deviations, you can create watchlists and prevent potential breaches.
  • Watch the watchers: Monitor those in your company who manage the insider risk program or hold broad administrative rights. Trust, but verify that they still need the access they have, and put controls in place, such as stricter alerting thresholds and periodic access recertification, to reduce the risk from your most powerful users. Remember that administrators and security personnel can themselves be compromised, and their LinkedIn profiles and your job postings can be a treasure trove of information for attackers deciding whom to target.
  • Organizational culture: Foster a culture of trust and transparency within the organization. This can help encourage employees to report suspicious activity and reduce the likelihood of malicious insider behavior.
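The behavioral baseline, role-based access check and closer watch on administrators described in the list above can be wired into a small scoring routine. The following is an added example and is not code from the original article; the log format, the role-to-resource map, the median/MAD baseline with its zero-variance fallback, the minimum history of three days and the two alert thresholds are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Baseline-and-deviation insider-risk scoring over constructed audit logs.

Added example, not from the original article. Signals implemented:
  - data transfer far above the user's own baseline (robust z-score),
  - access to a resource outside the user's role,
  - a stricter volume threshold for administrators ("watch the watchers").
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, one aggregated line per user per day (assumption):
# timestamp,user,role,resource,bytes_out
SAMPLE_LOG = """\
2024-05-01T09:00:00Z,alice,engineer,git.corp/soc-design,2000000
2024-05-02T09:00:00Z,alice,engineer,git.corp/soc-design,2100000
2024-05-03T09:00:00Z,alice,engineer,git.corp/soc-design,1900000
2024-05-04T09:00:00Z,alice,engineer,git.corp/soc-design,2050000
2024-05-08T23:40:00Z,alice,engineer,git.corp/soc-design,950000000
2024-05-01T09:00:00Z,bob,hr,hris.corp/employees,500000
2024-05-02T09:00:00Z,bob,hr,hris.corp/employees,520000
2024-05-03T09:00:00Z,bob,hr,hris.corp/employees,480000
2024-05-04T09:00:00Z,bob,hr,hris.corp/employees,510000
2024-05-08T10:00:00Z,bob,hr,hris.corp/employees,505000
2024-05-01T09:00:00Z,carol,admin,iam.corp,10000000
2024-05-02T09:00:00Z,carol,admin,iam.corp,10200000
2024-05-03T09:00:00Z,carol,admin,iam.corp,9800000
2024-05-04T09:00:00Z,carol,admin,iam.corp,10100000
2024-05-08T09:00:00Z,carol,admin,iam.corp,10400000
2024-05-01T09:00:00Z,dave,engineer,git.corp/soc-design,1000000
2024-05-02T09:00:00Z,dave,engineer,git.corp/soc-design,1000000
2024-05-03T09:00:00Z,dave,engineer,git.corp/soc-design,1000000
2024-05-04T09:00:00Z,dave,engineer,git.corp/soc-design,1000000
2024-05-08T09:00:00Z,dave,engineer,hris.corp/employees,300000
"""

# Hypothetical role map: which resources each role legitimately touches.
ROLE_RESOURCES = {
    "engineer": {"git.corp/soc-design", "wiki.corp"},
    "hr": {"hris.corp/employees", "wiki.corp"},
    "admin": {"git.corp/soc-design", "hris.corp/employees", "wiki.corp", "iam.corp"},
}


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    role: str
    resource: str
    bytes_out: int


def parse_log(text: str) -> list[Event]:
    """Parse the constructed CSV format; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, role, resource, nbytes = line.split(",")
        events.append(Event(ts, user, role, resource, int(nbytes)))
    return events


def robust_z(value: float, history: list[int]) -> float:
    """Deviation of value from the history median, in scaled-MAD units.

    Assumption: when every historical value is identical (MAD == 0) we fall
    back to 10% of the median so a constant baseline does not divide by zero.
    """
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    scale = 1.4826 * mad if mad > 0 else max(0.1 * med, 1.0)
    return (value - med) / scale


def score_day(events: list[Event], day: str, roles=ROLE_RESOURCES,
              z_threshold: float = 3.0, admin_z_threshold: float = 2.0) -> dict:
    """Score every event on `day` against each user's own earlier history.

    Returns {user: [(signal, detail), ...]} for users with at least one finding.
    """
    history = defaultdict(list)
    for e in events:
        if e.ts[:10] < day:
            history[e.user].append(e.bytes_out)
    findings = defaultdict(list)
    for e in events:
        if e.ts[:10] != day:
            continue
        # Role check: is this resource something the user's role touches at all?
        if e.resource not in roles.get(e.role, set()):
            findings[e.user].append(("role", f"{e.resource} is outside role {e.role}"))
        # Volume check against the user's own baseline (needs >= 3 days, assumption);
        # administrators are held to the stricter threshold.
        if len(history[e.user]) >= 3:
            z = robust_z(e.bytes_out, history[e.user])
            limit = admin_z_threshold if e.role == "admin" else z_threshold
            if z > limit:
                findings[e.user].append(("volume", f"{e.bytes_out} bytes, z={z:.1f} > {limit}"))
    return dict(findings)


if __name__ == "__main__":
    for user, items in sorted(score_day(parse_log(SAMPLE_LOG), "2024-05-08").items()):
        for signal, detail in items:
            print(f"{user:6} {signal:7} {detail}")
```

Run as-is, the script flags alice's 950 MB pull as a volume anomaly, dave's HR-system access as outside his role, and carol's modest increase only because the admin threshold is lower; bob, whose activity matches his baseline, produces nothing. The median/MAD baseline is deliberately robust to the one-off spike you are trying to catch, so the spike does not inflate the baseline it is measured against.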

Insider risk will occur, and you should have a good, practiced plan ready to execute that is distinct from the incident response plan you would use for an external breach: the person at the center may still be an employee, HR and legal must be involved, and evidence has to be handled in a way that supports later action. Develop a comprehensive insider threat process flow and map out a clear response plan for when an incident occurs. Timely recovery and remediation of the insider risk are essential to restore business functionality, repair reputation and reduce impact.

AI-powered threat detection

Don't wait until your company becomes the next headline. AI technology is becoming an essential component in the fight against insider risk. AI-powered threat detection can identify suspicious activity in real time, including data exfiltration and the work of state-sponsored hackers who might have planted an insider within your company. 

Increasing speed and sophistication with AI on the defenders' side is imperative as insider threats accelerate and morph across the world. AI can help accelerate your ability to evaluate and monitor insider risk across your enterprise. Resilience can be built across your processes, people and tools to mitigate your insider risk and, most importantly, you can build an insider risk recovery strategy to recover from an insider risk event. 

So, the next time you're feeling a little paranoid about your company's cybersecurity, remember that the biggest threat might not be lurking outside, but sitting at a desk right next to you. By focusing on the 3 R's of cybersecurity (risk, resilience and recovery) around insider risk, you can protect your company and reduce your risk by taking action against insider risks now.