So far in 2023, layoffs have resulted in tens of thousands of tech workers losing their jobs. And that’s just in tech. Across sectors, employees are feeling the ramifications of economic uncertainty. Ransomware attacks are continuing and growing more sophisticated. And it’s not only the attacks that are growing more sophisticated; so are cybercrime recruitment efforts. All the while, the cybersecurity skills gap persists for most organizations.
All of these factors have the potential to create a perfect storm in terms of insider risks. Here’s what you need to be doing to stay protected against them.
The cost of insider threats
A cyberattack precipitated by an individual who is employed by a company or has permission to access its networks or systems constitutes an insider threat. Insider threats can be malevolent or unintentional, and they might come from current or former employees, business partners, board members or consultants.
Insider threats are increasingly prevalent and more costly for organizations. According to the Ponemon Institute’s 2022 Cost of Insider Threats report, insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third, to $15.38 million.
Employees who are laid off but still have access to inside resources can pose a risk; sometimes it’s unintentional, but sometimes it’s retaliatory. Bad actors are well aware of this and are bound to start trying to recruit from these ranks.
Cybercrime recruitment efforts are rampant
As cybercrime becomes more organized and sophisticated, we’re seeing these syndicates behave much like legitimate businesses. They have organized departments, job roles and hierarchies, as well as recruitment strategies.
When the Conti ransomware group’s files were leaked in early 2022, it became clear that the organization was functioning very much like any other business. There was even a human resources lead and a recruitment director on the payroll. Also, we’ve observed evidence of bad actors actively seeking insider assistance for their goals, using phone calls, social media and email.
More recently, an international bust of the Russian-linked group behind Doppelpaymer
found that recruitment was a key part of the group’s strategy. The group was even offering paid vacation and requested references to verify past cybercrimes.
And on the Dark Web, cybercrime syndicates are ramping up their efforts, offering competitive salaries and benefits. Some jobs paid $20,000 per month, and some groups offer PTO, paid sick leave, bonuses and employee referral programs. Roles vary from full-time and part-time jobs to traineeships and partnerships.
How to stay vigilant and protected
To start addressing insider threats, ask these questions:
- Are users trying to access files that they shouldn’t?
- Are there attempts to move or copy confidential content?
- Do you notice users logging on during non-business hours?
- Can you create a baseline of regular activity carried out by suspicious users?
- Can you mark user behaviors that deviate from accepted norms as alerts?
- Are analytics tools receiving database logs?
- Are there any automated responses in place to revoke access and stop data loss if data is compromised?
There is no quick fix to solve the insider threat problem. At a time when many businesses are struggling with visibility issues brought on by digital transformation and vendor sprawl, what’s needed is planning, using and reusing technologies as well as having a comprehensive perspective across your network. Reducing the risk associated with insider threats requires a multifaceted approach.
Employees should be trained to recognize and report suspicious activities. This should be part of everyone’s ongoing cyber hygiene training and must be conducted regularly, rather than treated as a one-and-done type of thing. This should go without saying, but any employee who is receiving special access to sensitive digital resources should undergo a background check.
From a technological standpoint, organizations and their security leaders should:
- Use deception technology to quickly create a fake network that automatically deploys decoys and lures that are indistinguishable from the traffic and resources used in the real network. This is one of the most effective ways to address insider threats.
- Segment the network to confine activity to certain areas. A zero trust approach may be particularly useful for operations that require greater discretion.
- Encrypt data at all points: at rest, in use and in transit. Buy tools that can quickly and efficiently decrypt data.
- Use configuration management tools to examine and rapidly spot devices that are not configured correctly.
- Use solutions that can track user activity and behavior, including any infractions of policies, and use machine learning to spot anomalous behavior.
- Use file tracking tools and keep an eye on data access and file transfers.
- Enhance identity and access management (IAM), using multi-factor authentication (MFA), for example.
Defeating insider threats
The economic downturn and its subsequent layoffs did nothing to strengthen organizations’ security posture. On the contrary, the skills gap has only widened during a time of increasingly sophisticated cyber-attacks, both from without and from within. Defeating insider threats involves asking the right questions and finding the right solutions. Use the information outlined above to create or strengthen your defenses and keep your digital assets safe from insider attack.