Saryu Nayyar, our CEO, was contacted by a reporter to provide comments on an Insider Threat story. The reporter sent Ms. Nayyar a list of questions on insider threats. Below are her responses to some of those questions.
How large a problem are insider threats today for companies? Do you have any statistics?
Insider threats are the biggest cyber security problem for companies today because they can cause the most damage and are much harder to detect and prevent. Insiders are just that – insiders, many with keys to the kingdom. They know where the sensitive company/customer data is and who has access to it, so they know exactly where to strike if they decide to take action.
Cyber criminals use automated hacking tools continuously to attempt to breach an organization. When they do break in, they still need to surveil the network to find the data worth exfiltrating. Insiders are already inside the network and know where the proverbial gold bars are stored and who has the keys. All they need to do is find a way to access those keys or use the ones they have.
Not all malicious insiders are financially motivated. Many are angry employees who want vengeance on an organization. In this scenario, they either target individual executives (expose inappropriate emails or salaries for example), or exact whatever damage they can (like deleting customer records).
Regarding statistics, according to the 2018 Verizon Data Breach report, 28% of all data breaches involved internal actors. There were 750 incidents and 536 confirmed data disclosures reported in the Healthcare segment alone. Of those, 18.4% were Privilege Misuse. 47% of those cases were cases of fun, curiosity or “snooping”, and 40% of those were for financial gain. In the same report, 13% of cyber espionage incidents are also noted as insider threats.
The Healthcare industry is the only vertical that has a greater insider threat than external threat. This complicates definitive insider threat statistics in that 28% is an overall number based on all data breaches across all industries. As you can see, that percentage will differ based on the industry.
Further, while malicious outsiders (72%) were the leading source of data breaches, these comprised only 23% of all compromised data. On the other hand, insiders accounted for 76% of all compromised records.
Why do employees engage in these illegal activities, and which employees are most likely to engage?
Employees often engage in these activities for financial gain or vengeance.
“They either have a beef or want the whole cow.”
Some employees are just curious or want to snoop on neighbors, celebrities and family members. This could be for medical records, financial or other information. Imagine if you knew that the MVP’s hand was going to keep him out of the Super Bowl 3 days before anyone else, or if a famous celebrity was in the hospital.
System Administrators or employees with privileged access are the likely candidates for either motive since they have the access needed to steal data or inflict the most damage. However, anyone can be courted by competitors or hackers to surveil internally for cold hard cash. And individuals with something to hide are susceptible to blackmail.
How does analytical behavior monitoring technology work to help identify disgruntled employees or potential data/IP theft incidents?
Behavior- and risk-based security analytics identifies risky out-of-norm behaviors, provides risk-prioritized alerts and helps organizations identify high-risk profiles in real time. This enables model-driven security to automate front-line security controls.
Our Gurucul Risk Analytics platform helps security teams by creating a contextual linked view and behavior baseline from disparate systems including HR records, accounts, activity, events, access repositories, and security alerts. A baseline is created for the user and for dynamic peer groups. As new activities are consumed, they are compared to the baseline behaviors. If the behavior deviates from the baseline, the behavior is deemed an outlier. To summarize, using behavior analytics and risk scoring algorithms, our machine learning engine enables companies to easily detect and predict abnormal user behavior associated with potential sabotage, data theft or misuse.
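The mechanics described in the two answers above (a per-user baseline, a peer-group baseline, outlier detection against both, and a risk score enriched with HR context) can be shown in a small worked example. The code below is an added illustration written for this page; it is not Gurucul's platform code and does not reflect how that product scores risk. It assumes a simplified input: daily counts of sensitive records viewed per user, a department as the peer group, a constructed HR table with a "notice given" flag, and a z-score threshold of 3 as the outlier rule. All users, departments, thresholds and the 1.5x HR multiplier are constructed for the example.

```python
"""Toy user-and-peer behavior baseline with risk scoring.

Added example, not Gurucul code. Assumptions (hypothetical): activity is a
daily count of sensitive records viewed, the peer group is the department,
and a z-score above THRESHOLD against either the user's own history or the
peer group's history marks the day as an outlier.
"""
from collections import defaultdict
from statistics import mean, pstdev

THRESHOLD = 3.0   # z-score above which a day is treated as an outlier
SD_FLOOR = 1.0    # minimum spread for counts, avoids division by ~0 on flat history
Z_CAP = 10.0      # cap each z contribution so one huge spike does not dwarf the rest

# Constructed baseline history: (user, department, day, records_viewed)
HISTORY = [
    ("alice", "billing", d, n) for d, n in enumerate([20, 22, 18, 21, 19])
] + [
    ("bob", "billing", d, n) for d, n in enumerate([25, 24, 26, 25, 25])
] + [
    ("carol", "research", d, n) for d, n in enumerate([5, 4, 6, 5, 5])
] + [
    ("dave", "research", d, n) for d, n in enumerate([6, 5, 7, 6, 6])
]

# Constructed "today" activity. frank is a new hire with no history of his own.
TODAY = [
    ("alice", "billing", 5, 21),
    ("bob", "billing", 5, 180),
    ("carol", "research", 5, 9),
    ("dave", "research", 5, 6),
    ("frank", "billing", 5, 60),
]

# Constructed HR context joined to the activity (the "contextual linked view").
HR = {
    "alice": {"notice_given": False},
    "bob": {"notice_given": True},   # resignation on file: raises the stakes
    "carol": {"notice_given": False},
    "dave": {"notice_given": False},
    "frank": {"notice_given": False},
}


def baselines(events):
    """Build per-user and per-department histories of daily counts."""
    user_hist = defaultdict(list)
    dept_hist = defaultdict(list)
    for user, dept, _day, n in events:
        user_hist[user].append(n)
        dept_hist[dept].append(n)
    return user_hist, dept_hist


def zscore(value, history):
    """Standard score of value against history; 0 when history is too thin to judge."""
    if len(history) < 2:
        return 0.0
    sd = max(pstdev(history), SD_FLOOR)
    return (value - mean(history)) / sd


def score_event(user, dept, n, user_hist, dept_hist, hr):
    """Compare one day's count to the user's own baseline and the peer baseline.

    Only upward deviations (more records than usual) are scored here; a drop in
    activity can also be interesting but is not modeled in this toy.
    """
    z_user = zscore(n, user_hist.get(user, []))
    z_peer = zscore(n, dept_hist.get(dept, []))
    outlier = z_user > THRESHOLD or z_peer > THRESHOLD
    risk = 0.0
    if outlier:
        risk = min(max(z_user, 0.0), Z_CAP) + min(max(z_peer, 0.0), Z_CAP)
        if hr.get(user, {}).get("notice_given"):
            risk *= 1.5  # HR context: departing staff weighted higher
    return {
        "user": user, "records": n,
        "z_user": round(z_user, 2), "z_peer": round(z_peer, 2),
        "outlier": outlier, "risk": round(risk, 2),
    }


def prioritized_alerts(history_events, new_events, hr):
    """Score every new event and return only outliers, highest risk first."""
    user_hist, dept_hist = baselines(history_events)
    scored = [score_event(u, d, n, user_hist, dept_hist, hr)
              for u, d, _day, n in new_events]
    return sorted((s for s in scored if s["outlier"]),
                  key=lambda s: s["risk"], reverse=True)


if __name__ == "__main__":
    for alert in prioritized_alerts(HISTORY, TODAY, HR):
        print(alert)
```

Two things the sample is built to show: frank has no history of his own, so a user-only baseline would say nothing about him, and it is the peer-group comparison that flags his 60 records against a billing norm of about 22; and bob and carol both deviate from their own baselines, but bob's resignation notice from the HR feed pushes him to the top of the queue. A real deployment would use many more signals than a daily count, but the baseline-compare-score loop is the same shape.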