The perfect cyber storm: pandemic psychology driving insider threats

By Crispin Kerr, area vice-president, ANZ, at Proofpoint

Organisations around the world are at a greater risk of insider threats than ever before, with reported incidents up 47% year on year. And they are as damaging as they are prevalent.

The global cost of insider attacks rose to $11.45M last year, up from $8.75M in 2018. For the individual organisations behind those statistics, the financial implications are no less eye-watering, ranging from $307,111 for a single negligent incident to $871,686 for a single incident of credential theft.

With a large proportion of the global workforce now operating outside the office for the foreseeable future, these figures are only set to increase.

Mass migration to remote working and increased reliance on cloud systems, coupled with potential financial pressure, job insecurity, unfamiliar circumstances, and the general anxiety of a global pandemic, have created a perfect cyber storm, with over a third of organisations (34%) reporting an increase in insider threats since March.

Adapting to a new landscape

Any strong cyber defence must be adaptive, and nothing calls for greater adaptability than a global pandemic. But while upping defences to cope with an increased attack surface may be familiar ground, accounting for a mass change in behaviour and mindset is anything but.

Your employees are working outside of the norms and formalities of the office environment – and many are not used to this yet. They may be unsettled, distracted by chores and home life, and more prone to making basic mistakes.

The more relaxed home environment may also lend itself to potential bending and breaking of the security best practices expected in the office. This could mean using personal machines for convenience, using corporate machines for personal activity, writing down passwords, or failing to properly log in and out of corporate systems.

Then there is the ever-present danger of phishing. With personal and corporate worlds overlapping, users may be more inclined to click a suspicious link at home than in the more formal setting of the office. Cybercriminals are well aware of this fact.

Since the start of the pandemic, we’ve seen hundreds of COVID-19-related phishing attacks, imploring victims to click links, download attachments and share credentials. It only takes one absent-minded employee to jeopardise the security of your entire organisation.

On top of policing potentially high-risk behaviour, defence teams must also account for new behaviours that may once have raised an eyebrow, such as employees logging in at unusual hours to work around childcare. Almost overnight, the regular telemetry of your logs has completely changed. Adjusting to this change requires a keen eye and a robust strategy capable of defending from the inside out.

The sinister side of pandemic psychology

Unfortunately, the increased potential for mistakes is not the only weak link on display to the opportunistic cybercriminal. The psychological pressure of life under lockdown can give way to a more sinister threat – the malicious insider.

While malicious insiders are less common, they can be more damaging. Many use inside knowledge to evade internal defences, and actively take steps to cover their tracks, making them far more difficult to detect and contain. On average, a malicious incident costs $755,760, more than double the cost of a negligent one.

The risk of malicious insiders is nothing new. But with increasing numbers of employees furloughed, facing redundancy, and potentially under financial pressure, organisations must be on high alert.

Even the least tech-savvy of users is likely aware of the rewards on offer for leaking data and sensitive information. Decision making can easily become clouded.

The same is true of employees with a grievance against your organisation. With regular stories of data breaches hitting the headlines, the devastating consequences for those involved are common knowledge – punishment from regulators, reputational damage, and significant financial losses. Suddenly, a disgruntled employee could see themselves presented with a seemingly simple and effective method of revenge.

Building an inside-out defence

Spotting the potential for insider threats is never easy. Spotting them outside the office environment where there is less scrutiny or pressure to meet security standards is harder still. The only effective defence is a flexible, robust, multi-layered strategy that combines people, process, and technology.

Insider threats are unique because they already have legitimate, trusted access to your organisation’s systems and data in order to do their job – this unique attack vector requires a unique defence. Though it is not possible to block access to those who need to work within your networks, you can ensure that access is strictly controlled, and only afforded on a need-to-know basis.

Start by implementing a comprehensive privileged access management (PAM) solution to monitor network activity, limit access to sensitive data, and prohibit the transfer of this data outside of company systems.

There should be zero trust between your technology and your people. There may be a good reason for an access request or out-of-hours login, but this cannot be assumed. Controls must be watertight, flagging and analysing every log for signs of negligence or foul play.

Supplement this with clear and comprehensive processes governing system and network access, user privileges, unauthorised applications, external storage, data protection, and more.

Finally, defending against insider threats is not solely a technical discipline. As the biggest risk factor for insider incidents is your people, they must be at the heart of your defence strategy.

You must aim to create a security culture through ongoing insider threat awareness training. Everyone in your organisation must know how to spot and contain a potential threat, and, whether intentional or not, how their behaviour can put your organisation at risk.

This training must be thorough and adaptive to the current climate. While today’s working environment may feel more relaxed, security best practice still applies – perhaps now more than ever.

Proofpoint is a Gold Sponsor for AISA's 2020 Risk and Cyber Week virtual conference from November 9-13.

