Cyber incidents caused by “human factors” are usually attributed to occasional employee errors, but one more important element is often overlooked: insider threats from deliberate malicious behavior by staff. Corroborating this fact, a new Kaspersky study found that in the past two years, 77% of companies around the world have faced cyber incidents, 1/5 of which were caused by insider threats due to deliberate malicious behavior by employees.
A variety of elements can be found when examining the “human factor” that can negatively affect the running of a business, ranging from ordinary employee mistakes to the misallocation of budget by decision-makers. But one of the most important factors that is often overlooked is malicious actions by staff. This crucial finding was revealed in a recent Kaspersky study showing that, in the last two years, 20% of companies worldwide suffered cyber incidents due to malicious behavior for personal gain exhibited by employees.
A recent case occurring at the Tesla company illustrates the dangers insider threats pose to business. Two of Tesla’s ex-employees leaked the names, addresses, phone numbers and email addresses of 75,735 current and former employees to a German newspaper. Maine regulators were informed of the incident in a data breach notification on August 18, after the company learned of the breach on May 10 from German news outlet Handelsblatt, and conducted an internal investigation.
Insider threats: what you need to know
What are insider threats?
There are two main types of insider threats: unintentional and intentional. Unintentional, or accidental threats are employees’ mistakes such as falling for phishing and other social engineering methods or sending sensitive and confidential information to the wrong person, etc.
In contrast, intentional threats are perpetrated by malicious insiders who deliberately hack into their employer’s systems. They usually do so for financial gain from the sale of sensitive data or as an act of revenge. Malicious insiders aim to disrupt or stop an organization’s regular business operations, expose IT weaknesses, and obtain confidential information.
Insiders with malicious intentions are the most dangerous of all employees who can provoke cyber incidents. Threats posed by their actions are complicated by several factors:
- Insiders have specific knowledge of an organization’s infrastructure and processes, including an understanding of the information security tools used.
- They are already inside the company’s network and do not need to penetrate the perimeter from outside via phishing, firewall attacks, etc.
- They have colleagues and friends within the organization, so it’s much easier for them to use social engineering.
- Insiders with malicious intentions are highly motivated to harm their organization.
What are the reasons for insider malicious actions?
One of the main reasons for employees to commit malicious actions against an employer is financial gain. Often it means stealing sensitive information with the intention of selling it to a third party: or competitors, or even auctioning it on the dark web where cybercriminals buy data to attack businesses.
When employees have been fired, malicious behavior might take place out of revenge. This can be conducted even through connections with current staff, but the worst-case scenario occurs if they still can log into their work account remotely because the organization hasn’t removed their ability to access its systems as soon as the employee leaves the company.
Employees can also act maliciously when they are unhappy with their job or “to get even” with an employer who didn’t give them an expected raise or a promotion, for instance.
Another interesting type of malicious action occurs when one or more insiders collaborate with an external actor to compromise an organization. These incidents frequently involve cybercriminals recruiting one or more insiders to carry out different kinds of attacks. There may also be cases in which third parties, such as competitors or other interested parties, collaborate with staff to obtain the company’s sensitive data.
“Malicious actors can be discovered anywhere – in huge enterprises or small businesses, you never know. That’s why businesses should build an up-to-date, resilient, transparent IT security system, uniting effective security solutions, smart security protocols, and training programs for both IT and non-IT staff to safeguard against this threat. Additionally, it’s crucial to implement products and solutions that will protect the organization’s infrastructure. For example, our Kaspersky Endpoint Detection and Response Optimum contains Advanced Anomaly Control which helps detect and prevent suspicious and potentially dangerous activities, both by an insider working in a company or an actor outside the organization”, comments Alexey Vovk, Head of Information Security at Kaspersky.
To combat malicious insider threats, Kaspersky recommends:
- Implementing cybersecurity training to raise awareness among employees and to prevent intentional information security policy violations. To boost security awareness among general employees, educate them with the Kaspersky Automated Security Awareness Platform training program, which teaches safe internet behavior.
- Investing in relevant training programs for IT security specialists. Kaspersky Cybersecurity for IT Online training helps build up simple yet effective IT security-related best practices and simple incident response scenarios for generalist IT admins, while Kaspersky Expert Training equips your security team with the latest knowledge and skills in threat management and mitigation.
- The Advanced Anomaly Control feature within Kaspersky Endpoint Security for Business Advanced, Kaspersky Total Security for Business and Kaspersky Endpoint Detection and Response Optimum helps prevent potentially dangerous activities by the employee or in case an attacker has seized control of the system.
- Controlling and limiting the use of personal devices and third-party applications and services. Kaspersky Endpoint Security for Business and Kaspersky Endpoint Security Cloud offer Application, Web and Device controls which limit the use of unsolicited apps, websites and peripherals, significantly reducing infection risks even in cases where employees use devices, applications or services that are not sanctioned by the company to transfer data.
- Implementing products that allow an administrator’s rights to be limited only to those options that are really needed for work. Kaspersky Endpoint Security for Business offers role-based access to Kaspersky Security Center management console items, so not all administrators require full control over security functions.
- Kaspersky Security for Internet Gateway also possesses content filtering, to prevent unsolicited data transmission regardless of its type, platform protection status, or user behavior at the endpoints inside the network.