Most businesses are struggling to identify and detect early indicators that could suggest an insider is plotting to steal data or carry out other cyberattacks.
Research by security think tank the Ponemon Institute and cybersecurity company DTEX Systems suggests that over half of companies find it impossible or very difficult to prevent insider attacks.
These businesses are missing indicators that something might be wrong. Those include unusual numbers of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All of these and more might suggest that a user is planning malicious activity, including the theft of company data.
Insider threats can come in a number of forms, ranging from employees who plan to take confidential data when they leave for another job, to those who are actively working with cyber criminals, potentially even to lay the foundations for a ransomware attack.
In many cases, an insider preparing to carry out an attack will follow a set pattern of activities including reconnaissance, circumvention, aggregation, obfuscation and exfiltration, all of which could suggest something is amiss.
But businesses are struggling to detect the indicators of insider threat in each of these stages because of a lack of effective monitoring controls and practices.
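As an added example (not from the article or the vendors it cites), the Python below correlates constructed endpoint events per user against the five stages named above, so that a user who progresses through several of them, ending in exfiltration, is surfaced rather than each event being judged in isolation. The log format and the event-to-stage mapping are assumptions.

```python
"""Added example, not from the article or the surveyed vendors: correlate
endpoint events per user against the five insider-threat stages the
article names. Log format and event-to-stage mapping are assumptions."""
from collections import defaultdict

# Stages in the order the article lists them.
STAGE_ORDER = ["reconnaissance", "circumvention", "aggregation",
               "obfuscation", "exfiltration"]

# Assumed mapping from endpoint event types to stages.
STAGE_OF = {
    "share_enum": "reconnaissance",     # browsing shares the user never touches
    "usb_mount": "circumvention",       # removable media despite policy
    "proxy_bypass": "circumvention",    # masking online activity
    "bulk_file_open": "aggregation",    # unusual volume of files opened
    "archive_create": "obfuscation",    # packing data into an archive
    "cloud_upload": "exfiltration",     # saving data to an unusual location
}

# Constructed sample log: "timestamp|user|event|detail", sorted by time.
SAMPLE_LOG = [
    "2024-05-01T09:02:11|user1|share_enum|\\\\fs01\\finance",
    "2024-05-01T09:40:03|user1|usb_mount|E:",
    "2024-05-01T10:15:44|user1|bulk_file_open|count=380",
    "2024-05-01T10:31:09|user1|archive_create|q2.zip",
    "2024-05-01T10:35:22|user1|cloud_upload|personal-drive",
    "2024-05-01T11:00:00|user2|bulk_file_open|count=55",
    "2024-05-01T11:05:00|user2|archive_create|backup.zip",
    "2024-05-01T12:00:00|user3|login|wks-17",
]

def stage_sequences(lines):
    """Per user, the stages reached in order of first appearance."""
    seq = defaultdict(list)
    for line in lines:
        _ts, user, event, _detail = line.split("|", 3)
        stage = STAGE_OF.get(event)
        if stage and stage not in seq[user]:
            seq[user].append(stage)
    return seq

def assess(stages):
    """(stages reached, True if exfiltration followed at least two earlier stages)."""
    prep = stages.index("exfiltration") if "exfiltration" in stages else 0
    return len(stages), prep >= 2

def flag_users(lines, min_stages=3):
    """Users who reached at least min_stages distinct stages, with their assessment."""
    return {u: assess(s) for u, s in stage_sequences(lines).items()
            if len(s) >= min_stages}
```

Running `flag_users(SAMPLE_LOG)` flags only user1, who reached all five stages with exfiltration last; user2's two events alone stay below the threshold.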
“The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
Many security professionals are already familiar with Lockheed Martin’s Cyber Kill Chain and the MITRE ATT&CK Framework, both of which describe the various stages of an attack and the tactics utilized by an external adversary, he said. But since human behavior is more nuanced than machine behavior, insider attacks follow a slightly different path and, therefore, require modern approaches to combat.
Just a third of businesses believe they’re effective at preventing data from being leaked from the organisation.
According to the research, one of the key reasons insider threats aren’t being detected is confusion around who is responsible for controlling and mitigating risks. While 15% of those surveyed suggested that the CIO, CISO or head of the business is responsible, 15% suggested that nobody has ultimate responsibility in this space – meaning that managing and detecting the risks and threats can fall between the cracks.
There are several factors that make detecting cybersecurity risks – including insider threats – difficult. Over half of businesses cite a lack of in-house expertise in dealing with threats, while just under half say there’s a lack of budget, and the shift to remote working has also made it harder to mitigate cybersecurity risks.
According to Ponemon and DTEX, the best way for companies to improve their ability to detect insider threats is to improve the security posture of the business and to designate a clear authority for controlling and mitigating this risk – one that can investigate activities that could suggest a potential insider attack.
“Our findings indicate that in order to fully understand any insider incident, visibility into the nuance and sequence of human behavior is pivotal,” said Rajan Koo, chief customer officer at DTEX Systems.
“Organisations need to take a human approach to understanding and detecting insider threats, as human elements are at the heart of these risks,” he added.