Employees: First Line of Cyber Defense or Serious Security Threat?
Cerium Networks
Many organizations rely upon their employees to help prevent cybersecurity breaches. Employees are advised not to click on unknown links and attachments, share their user credentials, or use unapproved applications and services. In a recent post, we discussed how regular security awareness training gives users the tools they need to be an effective first line of defense against cyberattacks.
However, a small percentage of employees deliberately exfiltrate data, introduce malware or sabotage systems. In one recent case, a core infrastructure engineer changed administrator passwords, deleted backups and threatened to shut down servers if a $750,000 ransom wasn’t paid.
Studies show that these kinds of attacks are on the rise. According to the 2024 Insider Threat Report from Cybersecurity Insiders and Gurucul, 83 percent of organizations have suffered at least one insider attack in the past year. Almost half (48 percent) say that insider attacks are becoming more frequent. However, 52 percent don’t feel confident in their ability to detect and block these threats.
Types of Malicious Insider Attacks
Malicious insider attacks are often the work of disgruntled employees. Employees who are fired, not given an expected raise or bonus, or passed over for promotion may have a desire to exact revenge on the company. Their acts of sabotage are meant to create havoc and downtime and embarrass the company’s officers, directors and managers. Other malicious insider attacks are financially motivated. They may steal data to sell to competitors, cybercriminals or other third parties, or hold systems hostage in an effort to extort money.
Collusive insider threats involve more than one insider, often working with a cybercriminal or other external partner. Increasingly, foreign national hackers are also infiltrating companies by posing as contractors, primarily to steal sensitive information.
Credential theft begins as an external attack but becomes an insider threat when the attacker gains authorized access to systems. Experts estimate that 20 percent of insider attacks are the result of credential theft, and these are among the most expensive types of attacks to remediate.
The Risk of ‘Human Error’
Of course, not all insider attacks are purposeful attempts to steal information or harm the company. Most fall under the heading of “human error,” often involving employees who unintentionally mishandle sensitive data or bypass security policies with “workarounds” to make their jobs easier.
Odds are also high that employees will take proprietary data when they leave their jobs, even if they leave on a positive note. Many employees feel that corporate data represents their work and ideas, and they are therefore entitled to personal ownership of it.
Several factors increase the risk of insider attacks. One of the most common is privilege creep — employees are given more access to systems than they need to perform their jobs. Privileges also tend to accumulate if organizations don’t have strong identity management practices. Weak access controls can also contribute to insider attacks. Remote access and bring-your-own-device programs help boost productivity, but they provide an avenue for users to steal data or otherwise cause damage.
Tips for Reducing the Risk of Insider Threats
There are several commonsense steps organizations can take to reduce the risk of insider threats:
Many organizations trust employees to keep data safe, but this trust is sometimes abused. Rogue insiders can maliciously conduct cyberattacks, and many users take unnecessary risks. Cerium can help you implement the policies, procedures and tools you need to ensure that your employees don’t create insider threats.