Remote work and the rise of insider threats
The COVID-19 pandemic has underpinned arguably the biggest transformation in how and where we work ever seen, with millions forced to operate from home during the lockdown restrictions. But the worrying rise of insider threats makes companies rightly concerned.
Indeed, recent data outlined that around 5 million Americans currently define themselves as digital nomads or gig workers, and numerous surveys have shown that employees are keen to maintain their flexible working patterns after the pandemic. While there are numerous benefits for employees and employers alike from this transition, the shift also presents various cybersecurity challenges.
"While most industries made the shift to remote work due to the pandemic, it created new attack surfaces for cybercriminals to take advantage of, such as home devices being used for business purposes," Microsoft explained in their recent Digital Defense Report.
A recent report from workforce security software provider DTEX Systems highlights the rise of insider threats as a result of the work-from-anywhere trend. The report highlights how the transition towards remote working has accelerated the end of corporate perimeter-centric security and required security teams to be able to protect thousands of remote offices at once. Couple this with a worsening employee attrition rate, and it has created what the authors refer to as a perfect storm for insider threats.
"If your organization didn’t observe a proportional increase in attempted or actual data loss, then you were likely not looking," they explain.
In the report, which is the 5th annual report looking at insider threats, the researchers wanted to examine the relationship between human behaviors and cybersecurity technologies in the work-from-anywhere landscape.
"What we found both proved and disproved long-standing technological approaches to data loss prevention and user behavior analysis, further defined the difference between insider ‘risks’ versus ‘threats,’ and brought to the surface evidence of a new threat – The Super Malicious Insider," the authors say.
A growing risk
The report reveals a 72% growth in actionable insider threat incidents, with theft of either data or intellectual property being the most common leak. Data loss was roughly twice as common as accidental or unauthorized disclosure, with sabotage then some way further behind in third place.
The technology sector was the most threatened, with 38% of all IP theft incidents targeting the sector. This was followed by the pharma and life sciences sector, which accounted for 21% of all IP theft incidents.
While criminal prosecutions remain few and far between, the report reveals that 75% of those cases that did make it to court occurred at home. This was driven by what the authors refer to as the "super malicious insider", with these individuals using sophisticated insider techniques, including burner email accounts and various other techniques to avoid detection and conceal their identity.
Risks vs threats
The authors highlight that while all remote workers represent a risk of insider attacks, the reality is that just 1% of users are actually intentionally bad actors. This distinction between the perceived risk and the actual threat is important to make, especially when insiders are armed with strong technical knowledge.
"Super malicious threat is a malicious insider threat with superior technical skills and in-depth knowledge of common insider threat detection techniques," the authors explain.
The situation is often compounded by poor rates of reporting, which almost certainly means that the true nature of the threat is much graver than even the data suggests. Indeed, the authors argue that actual insider incidents could be twice as common as reported data suggests. Given that the estimated average cost of insider-led incidents is around $15 million, this represents a considerable cost for organizations to bear.
Plugging the hole
The report concludes with a number of recommendations to help organizations secure their data and systems, even with a remote workforce. These start with the demand that insider risk be made an organizational priority. They then urge organizations to gain a better understanding of the true scale of the problem.
Once this is established, organizations should build up their insider risk function outside of the cybersecurity team, as the traditional security team is designed to detect external threats, not internal threats.
"Risk is different and requires an understanding and appreciation for human behavior, psycho-social factors and trends, and an eye for (and sense of) the abnormal," the authors explain. "Insider Risk is also a function that requires significant inter-organizational collaboration with human resources, legal, finance, technology and, yes, cyber security teams."
The new team should avoid the temptation to assume technology will solve all of their problems, as people and processes are likely to be more impactful. These will be key to detecting insider threats before data is actually removed from the network, as by this point, it is almost impossible to retrieve.
With remote working, every home office and mobile device becomes the new perimeter, which means that things such as communication and transparency are key tools to utilize.
With remote working becoming "the new normal," organizations will need to flip the old security mindset on its head and use employees as a sensor on the front line of surveillance. By setting standards and acknowledging good behavior, organizations can ensure that the threat posed by remote workers is minimized. The only way for security to be upheld is through a partnership with employees, so it's vital that the relationship is a constructive one.
"The prolonged disruption and oscillating uncertainty disproved long-standing assumptions," the authors conclude. "While increased risk has forced a reconsideration of approaches, it will ultimately drive the creativity and innovation required by our new 21st-century reality."