Employees acting maliciously to steal or damage company information are nothing new. Moreover, the CA report states that more than 50% of organizations experienced an attack provoked by an insider during the previous year.
These attacks are no different from regular cyber attacks in the many forms they take and the damage they do to the company that experiences them. The cost of a regular cyber attack is around 70,000 dollars, and, as we have established, an insider attack is no different.
There are three main types of insider threats:
- The one where an employee leaks or damages information by accident, or without even knowing they are doing it;
- The one where a threat actor infiltrates your system using the credentials of a legitimate user and steals, damages, or encrypts your data;
- The one where an employee acts maliciously on purpose, stealing company information to seek revenge or for the sake of profit.
The main problem with insider threats is that they are more difficult to spot than attacks from the outside. Still, there are some warning signs that signal an insider threat; you just need to know where to look. In this article, we will list the main indicators and share some security tips that help decrease the probability of an insider threat occurring.
But first, let’s take a look at the main reasons insider attacks happen in the first place!
Insider attacks: why and how do they happen?
To raise your chances of spotting an insider threat, you need a clear understanding of who the potential perpetrators are and why they do what they do. This will direct your focus toward the potential threat and help you spot it before it grows into a fully fledged attack.
The first category is called “careless employees.” This category includes all employees who could simply neglect some of their responsibilities or miss something, which leads to a data breach. Basically, this category lets cybercriminals into the system without intending to.
For example, it could be a system admin who hasn’t been following the security guidelines for correct data migration. Admins conduct such migrations between G Suite or Microsoft 365 accounts all the time, and when they do it manually, a data leak can occur. That’s why it is highly important to properly handle the transfer of a G Suite user’s email to another user.
The second category is malicious employees with obvious intentions either to harm the organization or to gain profit. These are usually insiders who had conflicts with management, whose performance was poorly reviewed, who received disciplinary action, had their salary cut, etc.
Here are the signals you should pay close attention to.
1. Employees leaving the company
“Employees leave companies all the time! Since when did it become a potential insider threat?”, you may ask. Well, an employee’s departure is the best opportunity for some employees to steal information. Many departing employees think about taking data with them, and their reasons differ. Some of them think that they own the data they’ve been working on; others want to sell information about clients and suppliers or use it to open their own business.
This is why it is crucial to offboard employees properly and to start this process before the employee has left. When a Microsoft 365 or G Suite employee leaves, make sure they didn’t take anything with them. Securely plan the offboarding process and disable their access to all accounts with corporate information.
2. Noticeable changes in behavior
A change in the way your employee behaves is usually the first warning sign. And no, we don’t mean that any change counts as a sign of an insider threat. There are some particular changes to watch for, such as complaining about the job, colleagues, or management, or starting to work on a different schedule or at different hours without a known reason. You can also include here complaints about money problems or the information that an employee is job-hunting.
Sometimes all of that can be simple stress, a rush to finish a project before the deadline, or personal problems. In any case, it is the responsibility of HR to notice those signs and to observe the person for a while or try to talk to them.
3. Unapproved attempts to access information
If employees request access to files or folders that are unrelated to their job duties, or that are unusual for them to access or use, it is a big sign that something is not right. Whether it is an employee who is just wandering around where they shouldn’t out of pure curiosity, an employee with malicious intent, or an outsider who has stolen the credentials of a legitimate user, be very careful and attentive whenever you see an unusual request to access data.
4. Accessing and downloading high data volumes
Nowadays, employees don’t need to physically move and steal tons of paper – they can just visit your G Suite and download everything they have access to. Given that many organizations don’t bother with restricting access to files or folders, employees from one department can often access, read, and download data from other departments. And even if you use encryption and follow all protocols by restricting access, most company data is not meant to be downloaded. So when it happens, it is most often a screaming sign that you are experiencing an insider attack.
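Indicators 3 and 4 can be checked automatically against file-access audit logs. The following is an added example, not part of the original article: the event tuple layout, the thresholds and the function name flag_insider_indicators are assumptions, and the sample events are constructed rather than taken from a real G Suite or Microsoft 365 export.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events, not a real G Suite or Microsoft 365 export format:
# (day, user, user_dept, action, folder_dept, bytes_transferred)
EVENTS = [
    ("2024-05-01", "alice", "sales", "download", "sales", 20_000_000),
    ("2024-05-02", "alice", "sales", "download", "sales", 25_000_000),
    ("2024-05-03", "alice", "sales", "download", "sales", 15_000_000),
    ("2024-05-06", "alice", "sales", "download", "sales", 1_200_000_000),
    ("2024-05-06", "alice", "sales", "download", "engineering", 900_000_000),
    ("2024-05-01", "bob", "engineering", "download", "engineering", 100_000_000),
    ("2024-05-02", "bob", "engineering", "download", "engineering", 120_000_000),
    ("2024-05-03", "bob", "engineering", "view", "sales", 0),
    ("2024-05-02", "carol", "hr", "access_request", "finance", 0),
    ("2024-05-03", "carol", "hr", "access_request", "finance", 0),
    ("2024-05-03", "carol", "hr", "view", "engineering", 0),
]

def flag_insider_indicators(events, volume_factor=10, min_bytes=500_000_000,
                            scope_threshold=3):
    """Return {user: set of indicator names} for indicators 3 and 4 (assumed thresholds)."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes downloaded
    out_of_scope = defaultdict(int)                # user -> cross-department touches
    for day, user, dept, action, folder_dept, size in events:
        if folder_dept != dept:
            out_of_scope[user] += 1
        if action == "download":
            daily[user][day] += size

    findings = defaultdict(set)
    # Indicator 3: repeated access or requests outside the user's own department.
    for user, count in out_of_scope.items():
        if count >= scope_threshold:
            findings[user].add("out_of_scope_access")
    # Indicator 4: a day's download volume far above the user's own earlier days.
    for user, per_day in daily.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            # No history (new account): baseline 0, so only the absolute floor applies.
            baseline = median(history) if history else 0
            if per_day[day] >= min_bytes and per_day[day] > volume_factor * baseline:
                findings[user].add("bulk_download")
    return dict(findings)

if __name__ == "__main__":
    for user, hits in sorted(flag_insider_indicators(EVENTS).items()):
        print(user, sorted(hits))
```

A single cross-department view, like bob's in the sample data, stays below the threshold, which keeps ordinary collaboration from generating alerts.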
Key practices for insider attacks protection
Insider threats seem impossible to spot, but this is not exactly true. As with any silent cyber threat, insider attacks can be detected and mitigated if you use:
- Data monitoring software
- Data loss prevention practices
- Behavioral analytics
- Access management systems
Using these in combination with attentiveness to the behavioral and personal signals, you will raise your chances of preventing insider threats of any level.