Your employees are your greatest cyber threat – but also your greatest asset

Brenton Steenkamp, Cyber Partner, Clayton Utz and Abbas Kudrati, Asia SMC Regional Chief Cybersecurity Advisor, Microsoft
26 Jun 2024
3.5 minutes

When building a company and hiring talent, the last thing leaders think about is whether employees could pose a threat to business security. After all, it’s our human instinct to trust our employees.

Yet despite pervasive headlines about data breaches and external hackers, the insider threat - that is, the one posed by our own people - is the number one risk to an organisation's security. And often, it's a threat that goes undetected until it's too late.

Our modern way of working has amplified the insider threat to unprecedented levels; remote work is flourishing, we are heavily reliant on third-party contractors, and we now face the complex challenge of managing data across multiple devices alongside risks associated with new and emerging technologies such as Generative AI.

The reason these threats aren't splashed across the headlines is that organisations aren't required to report them. There is a blind spot in our collective understanding of cybersecurity risks. But we cannot afford to overlook one of the greatest threats facing any business or organisation.

A challenge for every organisation

Almost three-quarters (74%) of all data breaches include a human element. These insider threats can be split into four primary categories: fraud, sabotage, IP theft and espionage.

For instance, an employee might engage in fraudulent activities such as financial manipulation, while another might sabotage systems or networks out of resentment or personal gain. Intellectual property theft could involve stealing sensitive data or proprietary information, while espionage entails insider collaboration with external entities for nefarious purposes.

One of the biggest recent scandals involved a former politician who sold out Australia to foreign spies. And while these types of insider threats usually go unannounced to the public, Mike Burgess, the Director-General of Security of Australia, deemed it appropriate for the news to be put out into the public domain for transparency and vigilance.

This example shows that the risk of the insider threat permeates every level of society and every organisation, and highlights the crucial need for robust security measures and constant vigilance to safeguard against malicious internal actions, cyberattacks and data breaches.

Despite the clear intent behind some of these types of security breaches, not all insider threats are conducted with malice. Employee negligence, such as inadvertent disclosure of sensitive information or failure to follow security protocols, can also pose significant risks to organisations.

The challenges of Generative AI

In a society facing burnout, the shortcuts and efficiencies offered by generative AI are all too alluring. It's no wonder more than half (53%) of the Australian workforce are experimenting with generative AI at work.

But the ease of sharing data with these platforms has escalated insider threats to new heights. Employees have been found to be inputting sensitive or classified data into publicly available generative AI tools, unwittingly exposing their organisations to potential data breaches and intellectual property theft.

This new dimension of insider threat means employees may inadvertently be contributing to the creation of sophisticated cyberattacks.

Banning generative AI isn’t the answer; this would only drive its usage underground. Instead, employers need stringent controls to mitigate risks posed by insider misuse of the technology.

Instances of unintentional data breaches, whether through careless handling of data or falling victim to social engineering tactics, underscore the importance of comprehensive employee training and awareness programs.

Countering the insider threat

Stringent background checks during the hiring process can help identify potential risks early on. Background screenings should include criminal history checks, employment verification, and reference checks to ensure the integrity and trustworthiness of new hires.

In addition to personnel vetting, organisations should enforce strict technology controls to limit access to sensitive information and systems, such as encryption mechanisms and robust authentication methods like multi-factor authentication (MFA). Employees should not have access to data they are not assigned to. This means implementing role-based access controls that grant access on a need-to-know basis, and that are just-in-time (granted only for the duration of use) or just-enough-access (scoped specifically to the task).

Regularly reviewing and updating access permissions based on employees' roles and responsibilities and their status - such as those who may be working their notice - can help prevent unauthorised access and limit the potential damage of insider threats. Furthermore, enforcing strong password policies, such as requiring complex passwords and regular password changes, can strengthen defences against unauthorised access or credential-based attacks. Some organisations are even going passwordless. Supported by robust authentication technology, this is becoming the future of security.

Sophisticated technology also helps to detect suspicious activity. User and Entity Behaviour Analytics (UEBA) systems, for example, can detect anomalies and raise a system alert when an individual copies data they have no business reason to copy.
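The controls described above (per-user baselines, alerting on unusual copying, and prioritising people whose status has changed, such as those working their notice) can be sketched as a small UEBA-style check. This is an added illustration, not code from the authors or from any vendor product; the copy log, the user names and the ON_NOTICE status feed are all constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample telemetry: bytes copied to removable media per user per day.
# Values are made up; a real UEBA feed would come from endpoint DLP or file-audit logs.
COPY_LOG = [
    ("2024-06-03", "alice", 120_000), ("2024-06-04", "alice", 95_000),
    ("2024-06-05", "alice", 130_000), ("2024-06-06", "alice", 110_000),
    ("2024-06-07", "alice", 4_800_000),  # roughly 40x her usual volume
    ("2024-06-03", "bob", 2_000_000), ("2024-06-04", "bob", 1_900_000),
    ("2024-06-05", "bob", 2_100_000), ("2024-06-06", "bob", 2_050_000),
    ("2024-06-07", "bob", 2_200_000),    # high in absolute terms, but normal for bob
]

# Assumed HR status feed (hypothetical): users working their notice get raised priority.
ON_NOTICE = {"alice"}

def daily_totals(log):
    """Aggregate the log into {user: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for date, user, nbytes in log:
        totals[user][date] += nbytes
    return totals

def z_score(value, history):
    """Standard score of value against the user's other days (leave-one-out baseline)."""
    mean = statistics.mean(history)
    spread = statistics.stdev(history) if len(history) > 1 else 0.0
    if spread == 0.0:  # flat history: any increase is unusual, nothing else is
        return float("inf") if value > mean else 0.0
    return (value - mean) / spread

def detect_anomalies(log, z_threshold=3.0, min_history=3):
    """Flag any user-day whose copy volume sits far above that user's own baseline."""
    alerts = []
    for user, days in daily_totals(log).items():
        for date, nbytes in sorted(days.items()):
            history = [b for d, b in days.items() if d != date]
            if len(history) < min_history:
                continue  # not enough baseline to judge this user yet
            z = z_score(nbytes, history)
            if z > z_threshold:
                priority = "high" if user in ON_NOTICE else "normal"
                alerts.append({"user": user, "date": date, "bytes": nbytes,
                               "z": round(z, 1), "priority": priority})
    return alerts
```

Running `detect_anomalies(COPY_LOG)` flags only alice's 2024-06-07 entry (as high priority because she is on notice); bob's consistently large but steady volume is not flagged, which is the point of comparing each person to their own baseline rather than to a fixed threshold.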

Employees as assets

And despite being the greatest risk, your employees are also invaluable allies in safeguarding an organisation's security. This is why proper, regular training on security best practice is crucial. This essentially enables the moulding of employees into a 'human firewall' that serves as the first line of defence against a cyber-attack.

Bringing in this human element is an organisation's best bet against social engineering attacks, which tend to focus on human weaknesses. This can be as simple as being able to spot a phishing email – where simulation training in a controlled environment can help employees to uncover even the most sophisticated attempts – to upholding best practice for password hygiene and policies around laptop use on public Wi-Fi.

Some of the most effective solutions begin by embracing openness and encouraging employees to raise concerns about questionable activities. Cybersecurity training programs can familiarise employees with the various types of threats, but also prepare them for how to react. The outcome is an organisation with an extra layer of protection.

Businesses need to be prepared for all threats

Due to the level and variety of data available, insider threats are potentially able to do significantly more damage than external bad actors. Organisations need to begin with a proactive stance and build these prevention tools into the broader cyber strategy.

The threat landscape is constantly evolving, and organisations need to evolve with it. It’s critical to continually assess the risks, and the processes and technology in place, to ensure the business is fortified to withstand even the hardiest of attacks.
