When building a company and hiring talent, the last thing leaders think about is whether employees could pose a threat to business security. After all, our human instinct is to trust our employees, write Brenton Steenkamp and Abbas Kudrati.
However, despite the ubiquitous headlines about data breaches and external hackers, the insider threat (i.e., the one posed by our own people) is the number one risk to an organization’s security. And it is often a threat that goes unnoticed until it is too late.
Our modern way of working has amplified the insider threat to unprecedented levels: remote work is flourishing, we rely heavily on third-party contractors, and we now face the complex challenge of managing data across multiple devices along with the risks associated with new and emerging technologies such as generative AI.
The reason these threats don’t make headlines is that organizations are not required to report them. There is a blind spot in our collective understanding of cybersecurity risks. However, we cannot afford to ignore one of the biggest threats facing any company or organization.
A challenge for every organization
Almost three quarters (74 percent) of all data breaches include a human element. These internal threats can be divided into four main categories: fraud, sabotage, intellectual property theft and espionage.
For example, one employee might engage in fraudulent activities, such as financial manipulation, while another might sabotage systems or networks out of resentment or personal gain. Intellectual property theft could involve the theft of sensitive data or proprietary information, while espionage involves internal collaboration with external entities for nefarious purposes.
One of the biggest recent scandals involved a former politician who sold out Australia to foreign spies. And while these types of insider threats are not typically announced to the public, Mike Burgess, Australia’s chief security officer, felt it was appropriate for the news to be made public for transparency and oversight.
This example shows that insider threat risk permeates all levels of society and all organizations and highlights the crucial need for robust security measures and constant vigilance to protect against potential malicious insider actions, cyber actions, and data breaches.
Despite the clear intent of some of these types of security breaches, not all insider threats are carried out maliciously. Employee negligence, such as inadvertently disclosing confidential information or failing to comply with security protocols, can also pose significant risks to organizations.
The challenges of generative AI
In a society facing burnout, shortcuts and efficiencies using generative AI are all too attractive. It is not surprising that more than half (53 percent) of the Australian workforce are experimenting with generative AI at work.
However, the ease of sharing data with these platforms has elevated insider threats to new levels. Employees have been found to be entering sensitive or classified data into publicly available generative AI tools, unknowingly exposing their organizations to potential data breaches and intellectual property theft.
This new dimension of insider threats means that employees may be inadvertently contributing to the creation of sophisticated cyberattacks.
Banning generative AI is not the answer; this would only make its use clandestine. Instead, employers need strict controls to mitigate the risks posed by internal misuse of technology.
Cases of unintentional data breaches, whether due to careless data handling or falling victim to social engineering tactics, underscore the importance of comprehensive employee training and awareness programs.
Counter the insider threat
Strict background checks during the hiring process can help identify potential risks early on. Background screenings should include criminal background checks, employment verification, and reference checks to ensure the integrity and trustworthiness of new employees.
In addition to personnel vetting, organizations should implement strict technological controls to limit access to sensitive information and systems, including encryption mechanisms and strong authentication methods such as multi-factor authentication (MFA). Employees should not have access to data they are not assigned to, and this includes implementing role-based access controls that grant access as needed, just in time (during use), or just enough (specifically for the task).
Regularly reviewing and updating access permissions based on employees’ roles and responsibilities and their status (such as those who may be working out their notice) can help prevent unauthorized access and limit the potential damage from insider threats. Additionally, enforcing strong password policies, such as requiring complex passwords and periodic password changes, can strengthen defenses against unauthorized access or credential-based attacks. Some organizations are even going passwordless. Backed by strong authentication technology, this is becoming the future of security.
Sophisticated technology also helps detect suspicious activity. User and entity behavior analytics (UEBA) systems, for example, can help detect anomalies and send a system alert when a person is copying data when they shouldn’t.
Employees as assets
Despite being the biggest risk, your employees are also invaluable allies in safeguarding the security of an organization. For this reason, adequate and regular training on best security practices is crucial. Essentially, this allows employees to be molded into a ‘human firewall’ that serves as the first line of defense against a cyber attack.
Incorporating this human element is an organization’s best bet against social engineering attacks, which tend to focus on human weaknesses. This can range from spotting a phishing email, where simulation training in a controlled environment can help employees uncover even the most sophisticated attempts, to maintaining best practices for password hygiene and policies on using laptops on public Wi-Fi networks.
Some of the most effective solutions begin by embracing openness and encouraging employees to voice their concerns about questionable activities. Cybersecurity training programs can familiarize employees with different types of threats and prepare them to know how to react. The result is an organization with an extra layer of protection.
Companies must be prepared for all threats
Due to the level and variety of data available, internal threats are potentially capable of causing much more damage than external bad actors. Organizations should start with a proactive stance and incorporate these prevention tools into a broader cyber strategy.
The threat landscape is constantly evolving and organizations must evolve with it. It is critical to continually evaluate the risks, processes, and technology in place to ensure the enterprise is hardened to withstand even the most resilient attacks.
Brenton Steenkamp is the cyber partner at Clayton UTZ and Abbas Kudrati is the Asia SMC regional cybersecurity chief advisor at Microsoft.