National Insider Threat Awareness Month serves as an annual observance to underscore the evolving landscape of insider threats. In an era where organizations increasingly rely on digital infrastructure, the risks posed by individuals with privileged access and inside knowledge have never been more substantial.
Insider threat security is crucial due to the risk posed by employees and privileged insiders. It safeguards against data breaches, protects intellectual property, and strengthens overall cybersecurity in an era of remote work and digital dependence. We heard from top cybersecurity experts from across the industry on how organizations can prioritize insider threat defenses. Arti Raman, CEO and founder, Titaniam
“Business leaders wanting to stay ahead when it comes to security, compliance and policy need to be paying attention this Insider Threat Awareness Month. The boom in Artificial Intelligence (AI) that we’re seeing today, while powerful and certainly worth exploring, exposes a whole new world of vulnerabilities that need to be addressed. Recent surveys have shown that 54 percent of organizations will be adopting AI over the next 12 months - a rapid adoption rate that leaves little room for guardrails and safety nets. Where do company policies fit? How will AI impact security regulation compliance? What guardrails are in place to safely allow AI’s use?
These are important questions that everyone should be asking, especially business leaders and decision-makers across boards and C-suite teams, such as CISOs. The reality, however, is that only 36 percent of organizations are implementing any form of policy that restricts or bans AI use at work. As we continue to see AI sweep across the enterprise and become increasingly integrated into everyday use, both at home and in the office, Shadow AI becomes a credible threat to business intellectual properties (IP) and sensitive information.
Shadow AI, the unsanctioned and unmonitored use of AI tools, presents a new avenue for insider threats. While 33 percent of companies don’t prioritize insider threats as cybersecurity concerns, I urge business leaders to recognize that these threats can stem from both malicious and accidental incidents. All it takes is one employee using an AI tool meant to increase productivity and accidentally opening a new roadmap to sensitive data stores that cybercriminals will undoubtedly exploit. While AI’s use in the enterprise is critical to development and innovation, business leaders must consider investing in and implementing guardrails.
Tools that provide in-depth and real-time visibility into AI use across internal networks will be critical in suppressing a looming spike in insider threat-related data breaches. Decision-makers across boards and executives need to implement real education and training in the use of AI that allows the use of these tools without sacrificing their security.” Patrick Beggs, CISO at ConnectWise
“While the focus is often on protecting against external threats, malicious, negligent, and compromised insiders are a serious cybersecurity risk, with 67% of companies experiencing more than 21 insider-related incidents per year. To combat this, organizations require a comprehensive security program that combines cybersecurity awareness training, technical solutions, and strict security protocols. Insider threats rely on the negligence and actions of a company’s end users, such as an administrator failing to apply a security patch or an employee accidentally clicking on a phishing link. Once a user has been compromised, their accounts can be used as a ‘home base’ for attackers, from which they can share private files, escalate privileges, or infect other systems.
To enhance their ability to detect and prevent insider threats, organizations can leverage artificial intelligence for context-aware monitoring, anomaly detection and behavioral analytics. By consuming billions of data artifacts, AI quickly learns about emerging risks, identifying malicious files and suspicious activity much faster and more accurately than a human ever could. It then applies its findings to predict activities, identifying them as they occur and assigning them a severity level for remediation.
Threat intelligence platforms gather and analyze data in real time from multiple sources to identify and predict threats. Incorporating their findings or connecting them to AI cybersecurity tools can help the solution proactively take a defensive posture. To supplement this, task automation technology can handle routine tasks such as informing users that their credentials may have been compromised, resetting passwords, and patching vulnerabilities in systems and software. The combination of these AI-powered solutions, human expertise and well-defined security policies can help organizations build a robust defense against insider threats.”
Carl D'Halluin, CTO, Datadobi
“Insider threats lurk within the very heart of organizations, disguised as trusted employees, partners, or collaborators. These individuals, armed with access privileges, possess the potential to wreak havoc that is often unseen until it's too late. Their actions can shatter the security foundation of a company, leading to catastrophic data breaches, financial ruin through fraud, and irreparable damage to reputation.
First held in 2019, National Insider Threat Awareness Month (NITAM) is an annual campaign spanning the month of September that reminds us that mitigating insider threats demands a comprehensive strategy encompassing diverse countermeasures. This can entail the enforcement of stringent access controls, leveraging user behavior analytics, and the implementation of data loss prevention solutions, as well as vigilant user activity monitoring, and the fostering of anonymous whistleblower reporting mechanisms. However, to truly take insider threat mitigation to the next level, a solution that empowers organizations to assess, organize, and take action on their data is pivotal.
By proactively assessing data, it allows for the identification of anomalies and vulnerabilities before they escalate into significant risks. The continuous monitoring and analysis of data enable the rapid detection of unusual patterns or behaviors, facilitating timely intervention and mitigation. Moreover, the organized structuring of data enhances visibility, making it easier to pinpoint sensitive information and recognize unauthorized access or movement. When potential threats are identified, the solution enables organizations to take swift and precise actions, such as restricting access, initiating investigations and/or moving data to another location, minimizing the potential damage. Beyond immediate responses, the solution's adaptability ensures that countermeasures remain effective in the face of evolving insider tactics. This approach not only reduces the impact of insider threats but also contributes to operational continuity and regulatory compliance. Ultimately, the ability to harness data-driven insights enhances an organization's proactive stance, equipping it to navigate the intricate landscape of insider threats with vigilance and resilience.”
Gal Helemski, CTO and co-founder, PlainID
“Since many enterprises are working remotely, now more than ever, confirming identities has become the cornerstone of organisational security. As most data is stored on cloud-based services, it only takes one misuse of a pre-existing or stolen credential for a company’s entire digital landscape to be left open and exposed.
The pathway to cyber security comes from trusting no one – not even regular employees on trusted devices. This might sound extreme, but unless there’s real-time monitoring and authorisation, you cannot be 100% sure that this user has the right to be accessing this data.
A Zero Trust approach is no longer a ‘nice to have’ for cyber security leaders. In fact, 50% of business leaders said that authorisation is an integral part of their zero-trust programme. This ensures that trusted users have authorised access to the digital assets they need, and no further. Users attempting to access the network by force or suspicious requests become much more visible, and countermeasures can be put in place.”
Stephan Jou, Security Analytics Chief Technology Officer, OpenText Cybersecurity
“The insider threat conversation was boosted by the pandemic which gave employees unprecedented network access to work effectively from home. In doing so, an important barrier for malicious actors was removed, making it easier to steal.
ChatGPT then brought AI into the spotlight, showing the world the power of this amazing technology. While often used by adversaries to do harm, AI is quickly becoming an important and powerful tool in our human-machine partnership to detect and defeat cyber attackers. The collision of these two forces, insider threats and AI, is an exciting step forward for the good guys.
Insider threats fall into three categories, the bad guys on the outside, the bad guys on the inside, and the clueless guy on the inside. AI, combined with behavior analytics which are built off machine learning (ML) models, is making it easier to proactively monitor for suspicious or odd behaviors by looking for subtle clues, patterns and anomalies – something that has been nearly impossible for large organizations to do at scale previously.
While a focus on people, processes and technology remains the best practice against insider threats, with AI integrated into technology, we are finally starting to turn the tables on threat actors.” John Martinez, Dynamic Access Management Evangelist, StrongDM
“An insider threat uses one main weapon to attack a company: access. Having the credentials to access and move around internal infrastructure with near impunity is the core element of an insider threat, as well as nearly every other major security challenge. Shadow IT has been around for a long time, Shadow AI for sure is new since ChatGPT, and it has IP and confidential data leakage implications. These terms reference the use of undocumented, or unauthorized, IT tools or AI software.
As we continue to see innovations in AI, the challenge will be ensuring employees have access to the tools they need under company oversight to avoid backdoors and cheats that can cause security risks. The same security risks that can enable an insider threat.
I would like to remind company leaders that having infrastructure access is like having the keys to your home’s front door, and investing in the proper access management tools that can monitor and adjust credentials as necessary is critical.
Regardless of whether an insider threat is intentional or malicious, CISOs and IT leaders must lead the charge into centralized access. By doing this, security leaders can manage critical access permissions across databases, servers and cloud service providers to ensure their infrastructure is kept secure against threats both inside and out without compromising productivity.” Kevin Cole, Director of Technical Marketing and Training at Zerto, a Hewlett Packard Enterprise company
“The risks presented by insider threats are far more substantial than you may assume. According to data gathered by Verizon, the number of records reportedly compromised by external threats is around 200 million; however, in cases involving an organizational insider, this number rises to a staggering 1 billion.
What makes these vulnerabilities so common is the fact that an insider threat could originate with anyone tied to an organization — whether that be a current or former employee, contractor, or even a partner. In some cases, such as the recent breach disclosed by Tesla, there is malicious intent: stealing information for personal use or sabotaging data or systems before leaving the organization. However, more often than not, insider threats expose their organization accidentally by falling prey to phishing attacks, failing to update credentials, or improperly disposing of sensitive documents. Whatever the intent, their position inside an organization makes them dangerous, and the continual rise of digital transformation, hybrid working and, more recently, ‘Shadow AI’ usage has only made it more difficult to manage and mitigate these potential threats.
In addition to the essential commitment to training and the use of MFA, insider threat or not, organizations also need to come to terms with the fact that it is a case of ‘when’ they will be attacked, rather than ‘if.’ This is why investment in effective recovery technology is vital for organizations to protect themselves against the fallout of an insider threat-driven data breach or ransomware attack, which can lead to costly disruptions if operations are not restored swiftly. Building upon traditional zero-trust frameworks for data access, organizations should look to integrate these systems into their backup solutions by leveraging decentralized zero-trust methods. By keeping data isolated and replicated continuously, businesses can recover fully, and rapidly, should an insider threat leave them exposed to attack.”