Humans are often regarded as the weakest link in the security chain but it would appear attempts to mitigate the threat seem to be having little effect. In fact, the insider threat is now twice as likely to be the cause of a data breach than a phishing attack. Recent research of over 200 IT security decision makers by Apricorn found insider threats were the biggest threat with 40% citing these (comprised of 22% unintentional/accidental and 20% intentional/malicious) as the main cause of a data breach within their organisation.
The insider statistics are much higher than other root causes, with almost a quarter (24%) of breaches resulting from ransomware attacks, a fifth phishing emails (21%) and lost/stolen devices (18%). These figures follow those reported under the Information Commissioner’s Office (ICO) Data Security Incident Trends for 2023, which found there were 667 incidents caused by ransomware, 395 phishing attacks and 88 attributed to lost or stolen devices. User error was responsible for more than double the number of cyber incidents (3,666 compared to 1,677) over the course of the year.
Phishing has long been identified as the main threat as it is a common attack vector used to deploy malware and carry out ransomware attacks, so these findings are concerning.However, the malicious insider is now the main conduit for such attacks, by providing access credentials for example. In fact, the Apricorn survey revealed that 70% of corporate breaches can be tracked back to employees.
Cause and effect
But why the increase? An educated guess would attribute the rise in the insider threat to a number of factors. Firstly, there’s the increase in remote working. The same survey also revealed that 48% of mobile workers knowingly put corporate data at risk of a breach in 2023and 51% of organisations expect them to expose their business to the risk of a breach.
Secondly, there are organisations that rolled out remote support in haste and are still do not provide a secure remote working environment. The survey found only 14% control the systems and data that remote workers access. Close to a quarter require employees to receive approval to use their own devices, but then do not apply any controls, while 17% don’t require approval or apply any controls. Worryingly, 22% of security leaders admitted they had no control over where company data goes.
Finally, there’s also the cost of living crisis to consider. Under pressure economically, many personnel are more tempted by the prospect of earning additional money by providing attackers with access, potentially perceiving it to be a victimless crime. There’s already evidence that points to an increased criminal activity in the recruiting of insiders.
For instance, the ISC2’s Cyber Workforce Study 2023 found that 52% had experienced an increase in the insider threat over the past year with 71% attributing this to economic uncertainty. Moreover, 39% said they or someone they knew had also been approached by a malicious recruiter, indicating that we can expect intentional breaches to ramp up.
Recruiting insiders
Since 2022, organised criminal gangs have been making concerted efforts to recruit individuals, with reports attesting to them conducting advertising campaigns over platforms such as Telegram. The Lapsus$ ransomware group, for example, put out a post looking for employees working for telecoms, software and gaming companies, call centre and server hosting providers to provide VPN or virtual desktop infrastructure (VDI) logins.
Recruitment drives now seem to be going direct, however, with a survey by Hitachi ID in December 2023 revealing a significant increase in the number of insiders being approached, up 17% from two years ago to 65% today. Almost 60% of employees were approached via email, while 27% were phoned and 21% contacted via social media. And the efforts of the cyber criminals appear to be paying off, with almost half of those companies where an employee was approached then suffering a ransomware attack.
Given the evidence that insider attacks are becoming more prevalent, the question then becomes what can organisations do to address the threat? Firstly, its clear that security awareness training needs to be clearer in terms of repercussions (data exposure is far from being a victimless crime) and the threat posed. Mechanisms should be put in place to facilitate the reporting of any approach as well as a reminder of the terms of the Computer Misuse Act (CMA), as those caught passing credentials to attackers in exchange for payment are highly likely to be regarded as complicit.
Enforcing policy through controls
Yet, as Apricorn’s survey demonstrated with respect to the implementation of controls for remote working, perhaps the biggest area where the business can make improvements is to enforce security policy through technology. Specifying how individuals should access corporate systems is all well and good but if they become frustrated they will seek work arounds. Having technical controls in place can remove that temptation and takes the onus off the employee.
Controls might include locking down laptop USB ports to only accept approved devices, or implementing software that controls access to vital systems and apps. Mandating the use of corporately approved equipment can also dramatically reduce the potential for attack. Enforcing the automatic encryption of all data across the organisation as standard will also prevent it being compromised, rendering it unreadable in the event it is lost or stolen.
Such measures are widely regarded as best practice, yet a surprisingly high number of organisations do not implement them. In addition to failing to apply controls for remote workers, the Apricorn survey revealed that encryption is on the decline, with only 12% encrypting data on laptops, compared with 68% in 2022, while 17% encrypt data on desktop computers, down from 65% in 2022. It’s a similar story for mobile phones, with 13% encrypting all, versus 55% in 2022, USB sticks with 17% encrypting these today, down from 54%, and portable hard drives which fell to just 4% from 57%.
This reveals that whilst the insider threat is increasing, organisations are becoming more laxover their technical controls. This inverse effect presents the opportunity for organised criminal gangs to recruit insiders whilst also making the problem of unintentional data breaches such an issue. In fact, we need to stop thinking of this solely as an employee issue because they need the tools, controls and education to help them mitigate risk which needs tocome from the top of the organisation and to be enforced by the IT and security departments.