Virtualization Technology News and Information
National Insider Threat Awareness Month 2023 Expert Roundup - Bystander Engagement


National Insider Threat Awareness Month (NITAM) is an annual, month-long campaign that takes place in September to educate government and industry about the risks posed by insider threats and the role of insider threat programs. This year's theme is "Bystander Engagement," which emphasizes the importance of all employees being aware of and reporting suspicious activity.

Insider threats are one of the most significant security risks facing organizations today. They can come from a variety of sources, including disgruntled employees, malicious insiders, and careless insiders. Insider threats can cause significant damage to an organization, including data breaches, financial losses, and reputational harm.

NITAM is a critical opportunity for organizations to raise awareness of insider threats and to implement effective insider threat programs. By educating employees about the risks and by encouraging them to report suspicious activity, organizations can help to protect themselves from insider threats.

Expert Commentary

In this roundup article, we share commentary from a number of industry experts on the importance of insider threat awareness. We hope that it will help to raise awareness of insider threats and encourage organizations to take the steps needed to protect themselves.


Zane Bond, Head of Product, Keeper Security

"Insider threats are one of the most challenging threats to protect against as an IT professional, because you have to be able to trust and empower your employees to do their jobs, and some roles are more sensitive in nature. Standard zero-trust approaches can be used to protect most information. This includes giving access to only what employees need to do their jobs, not granting access indefinitely, periodically checking who has access and monitoring activity.

However, a senior architect working on your platform has a business need to access many critical systems. One of the best ways to implement protection for an employee with this level of access is to utilize security controls and tools that increase productivity when used, which allows them to be easily monitored and controlled. For example, the use of a password vault with automatic rotation allows employees to put passwords at the back of their mind. Even if a password is written down, it’s rotated regularly. Further, the organization can easily monitor and control who has access to what resources and systems, limiting the risk for insider security incidents."


Darren James, Senior Product Manager, Specops, an Outpost24 Company

"As more organizations adapt to the post-pandemic digital world, many find themselves having to deal with insider threats that they haven’t had to address in the past.

Employees are hybrid working more than ever before, working from public spaces, over unsecured networks, and on multiple devices that might be out of scope with regards to management.

IT-savvy teams and departments may set up their own shadow IT, public-facing test systems, e-commerce platforms and web applications without the knowledge or consent of the CISO or IT department, which can leave an organization vulnerable to attack.

Threat actors are also changing their tactics to exploit these scenarios, so being aware of your "unknown unknowns", verifying your users who contact the service desk and making sure that no one is using a breached password are more important than ever before."


Tony Liau, VP of Product at Object First

"In today's digital landscape, organizations are becoming increasingly aware of the myriad external cyber threats. Yet, a growing and often underestimated concern is the threat from within: insider threats. These can manifest as employees, whether unintentionally or with malice, compromising security protocols or even becoming conduits for ransomware attacks. Ransomware doesn't just come from shadowy figures in distant locations—sometimes, the trigger is from someone within the corporate firewall. Such attacks can encrypt an organization's data, making it inaccessible until a ransom is paid. This internal risk amplifies the threat, as insiders have intimate knowledge of the organization's infrastructure and vulnerabilities.

Given this, the 3-2-1-1-0 backup strategy becomes an indispensable tool in an organization's cybersecurity arsenal as a safeguard not just against external threats but also potential internal compromises. By maintaining three copies of data, stored on two different media, with one offsite, one immutable or air-gapped, and zero errors upon recovery verification, organizations can ensure that even in the face of a breach, internal or external, data integrity is uncompromised.

In essence, as the lines blur between external threats and internal vulnerabilities, the foundation of a company's cyber resilience lies in anticipating both and fortifying its defenses accordingly. A strong backup strategy is not just about disaster recovery—it's about maintaining operational integrity against a backdrop of evolving and multifaceted threats."
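The 3-2-1-1-0 rule quoted above is easy to state and easy to drift away from, so the following is a small inventory check that scores a set of backup copies against each of its five elements. It is an added example, not Object First's code; the `BackupCopy` record shape and the sample inventories are constructed for illustration. The point it makes for the insider case is that the immutable copy and the zero-error restore test are the elements that survive a privileged account deleting or corrupting the others.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class BackupCopy:
    """One copy of a protected data set (constructed record shape, not a vendor format)."""
    name: str
    medium: str                      # storage technology, e.g. "disk", "tape", "object-storage"
    offsite: bool                    # held at a different site or cloud region
    immutable: bool                  # WORM / object lock / air-gapped: cannot be altered or deleted
    recovery_errors: Optional[int]   # errors from the last restore test; None = never tested

def evaluate_3_2_1_1_0(copies):
    """Map each element of the 3-2-1-1-0 rule to pass/fail for this inventory.

    3 copies, on 2 different media, 1 offsite, 1 immutable or air-gapped,
    0 errors on recovery verification (every copy must have been tested).
    """
    results = {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        # an untested copy (recovery_errors is None) counts as a failure, not as zero errors
        "0_errors": bool(copies) and all(c.recovery_errors == 0 for c in copies),
    }
    results["compliant"] = all(results.values())
    return results

def failing_rules(copies):
    """Names of the rule elements an inventory fails, sorted for stable output."""
    report = evaluate_3_2_1_1_0(copies)
    return sorted(rule for rule, ok in report.items() if rule != "compliant" and not ok)

# Constructed sample inventories.
COMPLIANT_INVENTORY = [
    BackupCopy("prod-primary", "disk", offsite=False, immutable=False, recovery_errors=0),
    BackupCopy("dr-site-replica", "disk", offsite=True, immutable=False, recovery_errors=0),
    BackupCopy("cloud-object-lock", "object-storage", offsite=True, immutable=True, recovery_errors=0),
]

# All copies on disk, none immutable, one never restore-tested: an administrator's
# account (legitimate or hijacked) could delete every copy, and nothing proves they restore.
WEAK_INVENTORY = [
    BackupCopy("prod-primary", "disk", offsite=False, immutable=False, recovery_errors=0),
    BackupCopy("nas-mirror", "disk", offsite=False, immutable=False, recovery_errors=None),
    BackupCopy("branch-office-copy", "disk", offsite=True, immutable=False, recovery_errors=0),
]

if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT_INVENTORY), ("weak", WEAK_INVENTORY)):
        print(label, evaluate_3_2_1_1_0(inventory)["compliant"], failing_rules(inventory))
```

Running the module prints one line per inventory; the weak one fails on media diversity, immutability and verification even though it has three copies and one of them is offsite.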


Danny Allan, CTO, Veeam Software

"In today’s threat landscape, it’s not if or even when your organization will be attacked, it’s how often. And the larger the enterprise, the more likely it is for the risk, or bad actors, to come from within. Whether malicious or not, the misuse of access to critical systems or sensitive information can do serious damage to your enterprise. It could easily be an employee unknowingly opening a phishing link, without the proper safeguards, that causes your enterprise’s data to be exploited.

While you can’t make your organization immune to ransomware or cyber-attacks, you can make it resilient and minimize damage or disruption. To combat threats, organizations must focus on getting the basics right: resiliency, strong security, and rapid recovery. This back-to-basics approach includes testing both original data and backups to ensure resilience against ransomware – once a week is a best practice to follow – as well as managing access internally and using multi-person authentication to ensure backups cannot be deleted by one individual.

Defense in depth also dictates that backups are stored in an immutable format, and that data access is always audited and governed through multi-factor authentication. Be sure you are investing in the foundational capabilities needed to stay resilient in the face of an insider threat, cyber security attack or just an accidental deletion – all without burning through your storage and compute budgets."


Kevin Cole, Director of Technical Marketing and Training at Zerto, a Hewlett Packard Enterprise company

"The risks presented by insider threats are far more substantial than you may assume. According to data gathered by Verizon, the number of records reportedly compromised by external threats is around 200 million; however, in cases involving an organizational insider, this number rises to a staggering 1 billion.

What makes these vulnerabilities so common is the fact that an insider threat could originate with anyone tied to an organization — whether that be a current or former employee, contractor, or even a partner. In some cases, such as the recent breach disclosed by Tesla, there is malicious intent: stealing information for personal use or sabotaging data or systems before leaving the organization. However, more often than not, insider threats expose their organization accidentally by falling prey to phishing attacks, failing to update credentials, or improperly disposing of sensitive documents. Whatever the intent, their position inside an organization makes them dangerous, and the continual rise of digital transformation, hybrid working and, more recently, ‘Shadow AI’ usage has only made it more difficult to manage and mitigate these potential threats.

In addition to the essential commitment to training and the use of MFA, insider threat or not, organizations also need to come to terms with the fact that it is a case of ‘when’ they will be attacked, rather than ‘if.’ This is why investment in effective recovery technology is vital for organizations to protect themselves against the fallout of an insider threat-driven data breach or ransomware attack, which can lead to costly disruptions if operations are not restored swiftly. Building upon traditional zero-trust frameworks for data access, organizations should look to integrate these systems into their backup solutions by leveraging decentralized zero-trust methods. By keeping data isolated and replicated continuously, businesses can recover fully, and rapidly, should an insider threat leave them exposed to attack."


Rick McElroy, Principal Cybersecurity Strategist, VMware Carbon Black

"Generative AI, deepfakes and other emerging technologies are making it easier for cybercriminals to infiltrate organizations and deploy phishing campaigns. These campaigns target employees who tend to be unaware of the telltale signs of a cybersecurity threat, creating even more stress for security teams when they are already being stretched thin.

To help limit some of these unintentional insider threats, it is essential for all employees to have a basic understanding of good security practices and for security teams to have a full view of talent management. What’s more, CISOs need to have visibility into their own network to track insider threat indicators, such as data transfers and accessing unusual resources. Identity management and visibility into SaaS application user activity will help them close the gap on insiders. By doing so, CISOs won't have as many blind spots when it comes to their defensive strategies and can quickly respond when a threat emerges."
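The two indicators named above, large data transfers and access to unusual resources, are both things a per-user baseline can surface. The following is an added example (not VMware Carbon Black's code) that builds such a baseline from a week of constructed audit-log lines and then flags deviations in a later day's events. The log line format (`<timestamp> user=… action=… resource=… bytes=…`) is an assumption made for this example; a real deployment would read its SaaS or file-server audit export instead.

```python
import re
from collections import defaultdict
from statistics import median

# Hypothetical audit-log line format, assumed for this example:
#   <ISO timestamp> user=<id> action=<verb> resource=<area/path> bytes=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped, not trusted."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["area"] = rec["resource"].split("/", 1)[0]   # top-level share or data area
    return rec

def build_baseline(lines):
    """Per user: the data areas they normally touch and their median transfer size."""
    areas = defaultdict(set)
    sizes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        areas[rec["user"]].add(rec["area"])
        sizes[rec["user"]].append(rec["bytes"])
    return {u: {"areas": areas[u], "median_bytes": median(sizes[u])} for u in areas}

def detect(lines, baseline, size_factor=10):
    """Flag events that deviate from a user's baseline. Returns (ts, user, resource, reasons)."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        profile = baseline.get(rec["user"])
        reasons = []
        if profile is None:
            reasons.append("unknown_user")            # no history at all: review manually
        else:
            if rec["area"] not in profile["areas"]:
                reasons.append("unusual_resource")    # data area this user never touched before
            if rec["bytes"] > size_factor * profile["median_bytes"]:
                reasons.append("large_transfer")      # far above the user's own typical size
        if reasons:
            alerts.append((rec["ts"], rec["user"], rec["resource"], reasons))
    return alerts

# Constructed sample logs: a week of ordinary activity, then one day to inspect.
BASELINE_LOG = """\
2023-09-04T09:01:00Z user=alice action=read resource=eng/design/spec.md bytes=20480
2023-09-04T10:15:00Z user=alice action=read resource=eng/repo/build.log bytes=51200
2023-09-05T09:30:00Z user=alice action=download resource=eng/repo/release.zip bytes=102400
2023-09-04T09:05:00Z user=bob action=read resource=hr/policies/handbook.pdf bytes=30720
2023-09-05T11:00:00Z user=bob action=read resource=hr/payroll/sept.xlsx bytes=40960
2023-09-06T08:45:00Z user=bob action=read resource=hr/payroll/aug.xlsx bytes=40960
""".splitlines()

TODAY_LOG = """\
2023-09-11T09:02:00Z user=alice action=read resource=eng/design/spec.md bytes=20480
2023-09-11T13:40:00Z user=alice action=download resource=hr/payroll/sept.xlsx bytes=40960
2023-09-11T22:15:00Z user=bob action=download resource=hr/payroll/all-years.zip bytes=734003200
2023-09-11T22:20:00Z user=mallory action=read resource=eng/repo/build.log bytes=1024
garbage line that does not match the format
""".splitlines()

if __name__ == "__main__":
    for alert in detect(TODAY_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

Three of the five lines in the second log produce alerts: an engineer reaching into HR data, an HR user pulling a file hundreds of times larger than anything they normally read, and an account with no history at all. The thresholds are per user rather than global, which is what keeps a large transfer that is normal for one role from drowning out an abnormal one for another.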


Neil Jones, Director of Cybersecurity Evangelism, Egnyte

"In the past few years, organizations have dramatically improved their cyber-preparedness by investing in cybersecurity training, intrusion detection systems, encryption technologies, and more. However, the industry’s focus on external cyber-attacks has overshadowed the risk from one of the most prevalent data breach vectors – insider threats.

Most companies don’t realize that their regular employees, privileged users, administrators, and third parties can represent a much more significant – and knowledgeable – risk than external cyber-attackers.

Unbelievably, a substantial 56% of insider incidents result from employee or contractor negligence, making it the most common cause of security breaches. These oversights can include sending sensitive information to the wrong recipient, misconfiguring settings, or adopting unsafe practices. Organizations must implement a strategy that focuses on prevention through ongoing security awareness training and strict access control while leveraging advanced analytics tools for the early and informed detection of unusual activities.

Insider Threat Awareness Month highlights the need for organizations like yours to be continually vigilant and proactive in combating internal risk. You can start by safeguarding your assets, limiting file access based on users’ ‘Business Need to Know,’ conducting comprehensive awareness training, and adopting a proactive stance toward detection that’s updated on a regular basis."


Kevin Bocek, VP, Ecosystem and Community, Venafi

"As we head into National Insider Threat Awareness Month, we’re reminded of the significance of this year’s theme of Bystander Engagement. The rapid adoption of cloud native technologies increases risk and the need for engagement by CISOs and security teams. There are now far more machines, from datacenter to clouds, that can be misused. Edward Snowden’s NSA breach shows how one individual in complex environments can exploit machine identities to go undetected and deal significant damage to an organization. Attacks like those against Capital One in the cloud demonstrate the risk that insider attacks are now most likely to happen in the cloud. Bystander Engagement means the developers and platform teams are part of the solution as CISOs and security teams make sure that observability and guardrails keep business safe."


Eve Maler, CTO, ForgeRock

"Stolen identities continue to cause massive security breaches – and insider threats are a major part of the story. Without strong identity governance and a least-privileged access model, malicious insiders can move laterally across an organization’s systems to exploit valuable data. Such threats are a particularly pernicious type of unauthorized access; this overall method resulted in 91% of all records breached in the U.S. in 2022. In light of National Insider Threat Awareness Month, organizations must work to embrace faster and more scalable security methods, such as using decisioning AI, which can automate cumbersome workforce identity governance tasks to quickly evaluate users and the resources they can access. Such an approach can accelerate an organization’s Zero Trust maturity by enabling finer-grained, more dynamic, and contextually sensitive access decisions. In this way, security teams can better manage the looming security of insider threats - not just this month, but year-round."


Dr. Torsten Staab, Chief Innovation Officer and Principal Technical Fellow, Raytheon, an RTX Business

"Insider threats can occur at any time and place. Organizations must shift to a comprehensive, multi-level Zero Trust security approach in preparation for such threats. Zero Trust does not discriminate among end-users, regardless of the scenario. Technologies deployed under Zero Trust, such as Multi-Factor Authentication (MFA) and Identity, Access, & Credential Management (ICAM), are intended to tighten security for everyone across all zero trust pillars (users, devices, networks, workloads, and data). By implementing Zero Trust policies and enforcement points at multiple levels throughout an enterprise, advanced insider threats can be better addressed. That said, a common mistake organizations often make is focusing too much on a specific zero trust pillar or a tool to combat insider threats. As a result, they miss other important attack vectors, thus severely constraining their insider threat response capabilities."


Dylan Owen, Chief Engineer, Raytheon, an RTX Business

"When addressing insider threats, there are several things that organizations often fail to take into account, including placing more focus on malicious insiders than inadvertent insiders. To address the latter, organizations must create a culture of security in which employees understand how to better recognize security risks and feel empowered to report suspicious behavior. Another critical step is to ensure the proper infrastructure is in place to prevent these threats in the first place. The best way to achieve this is through a Zero Trust approach, which requires continuous verification and authorization for all users and devices, ensuring that only authorized users have access to systems and data regardless of their location or device. By implementing a Zero Trust model, organizations are able to identify suspicious activity that may be indicative of insider activities, allowing them to prevent threats. In the case that insider threats do in fact infiltrate an organization’s systems, it is critical to respond quickly in order to minimize impact, which Zero Trust can also achieve."


Anudeep Parhar, Chief Operating Officer, Entrust

"One out of every five breaches is an insider attack, according to Verizon’s 2023 Data Breach report. Insider threats originate from within the organization and can pose a risk to privileged or confidential information available to internal sources. With this in mind, it is crucial for enterprises to augment employee training and education programs with Zero Trust strategies, which ensure employees only have the necessary permissions required to fulfill their role or function, employing the concept of least privileged access.

With the rise of multi-cloud environments, perimeter security and firewalls alone are no longer effective enough to protect against threats internally. Security leaders need to shift their perspective and view cybersecurity in a new way – focus on building a cyber resilient organization. A cyber resilient mindset matures existing tools, talent, technologies and training programs by explicitly building operational capabilities to deliver business outcomes despite cyber-attacks. Even if a bad actor is in the system, a Zero Trust approach of always verify will prevent them from gaining critical, sensitive data, allowing enterprises to ensure data is protected with encryption and only verified and authorized users have access to the areas and resources they need."


Mike Scott, CISO, Immuta

"Generative Artificial Intelligence (GenAI) is one of the fastest emerging insider threats we have faced for a long time. GenAI applications like the wildly popular ChatGPT platform have put the power of GenAI into the hands of everyday users, creating a low point of entry in leveraging this technology. In today's workforce, where many are trying to do more with less, the promise of work-saving technologies like GenAI may incentivize employees to try or regularly use the tool, potentially exposing confidential or sensitive information. It is critical that organizations have policies in place to regulate the use of GenAI and train employees on the dangers these technologies and tools present."


Lea Kissner, CISO, Lacework

"Insider threat is a major concern for CISOs and top executives, but acknowledging that concern internally is challenging because it can feel like you’re saying you don’t fully trust your colleagues, which can be isolating and cause internal strife. CISOs should be a partner in security, not the “security police.” There’s always going to be potential for some people to purposefully be bad actors, but CISOs can instill preventative measures against insider threat in ways that still show respect to their coworkers and don’t assume malicious intent.

I’m not often worried about what my coworker is doing, but I am worried about what their account is doing. While it might be my coworker (and yes, we do a lot to make sure that it is, like using two-factor authentication and keeping malware off devices), it might instead be a sneaky hacker who somehow managed to get onto their laptop and is misusing their access. So when we construct our security with that understanding and talk about it in that way, we are genuinely working with our coworkers to protect our customers and our systems.

Another thing I worry about is someone pressuring my coworker. I’ve had coworkers at previous jobs pressured to turn over the personal information of dissidents to the precise governments who are unhappy about them. When those coworkers can truthfully say that this information is protected, it protects them. Even in cases where my coworkers might be tempted to make bad choices, I’m there to try to keep them from taking actions which, yes, could hurt our customers, but also actions which they might regret.

It’s really, really important to explain why we’re doing what we’re doing both clearly and with respect – security is a team sport. Considering the motivations behind the potential attacks lets us more effectively ameliorate inside threat without alienating the people we work with."


Carl D'Halluin, CTO, Datadobi

"Insider threats lurk within the very heart of organizations, disguised as trusted employees, partners, or collaborators. These individuals, armed with access privileges, possess the potential to wreak havoc that is often unseen until it's too late. Their actions can shatter the security foundation of a company, leading to catastrophic data breaches, financial ruin through fraud, and irreparable damage to reputation.

First held in 2019, National Insider Threat Awareness Month (NITAM) is an annual campaign spanning the month of September that reminds us that mitigating insider threats demands a comprehensive strategy encompassing diverse countermeasures. This can entail the enforcement of stringent access controls, leveraging user behavior analytics, and the implementation of data loss prevention solutions, as well as vigilant user activity monitoring, and the fostering of anonymous whistleblower reporting mechanisms. However, to truly take insider threat mitigation to the next level, a solution that empowers organizations to assess, organize, and take action on their data is pivotal.

By proactively assessing data, it allows for the identification of anomalies and vulnerabilities before they escalate into significant risks. The continuous monitoring and analysis of data enable the rapid detection of unusual patterns or behaviors, facilitating timely intervention and mitigation. Moreover, the organized structuring of data enhances visibility, making it easier to pinpoint sensitive information and recognize unauthorized access or movement. When potential threats are identified, the solution enables organizations to take swift and precise actions, such as restricting access, initiating investigations and/or moving data to another location, minimizing the potential damage. Beyond immediate responses, the solution's adaptability ensures that countermeasures remain effective in the face of evolving insider tactics. This approach not only reduces the impact of insider threats but also contributes to operational continuity and regulatory compliance. Ultimately, the ability to harness data-driven insights enhances an organization's proactive stance, equipping it to navigate the intricate landscape of insider threats with vigilance and resilience."


Steve Santamaria, CEO, Folio Photonics

"In a world where data fuels progress, the importance of National Insider Threat Awareness Month (NITAM) cannot be overstated. The campaign, which takes place each year in September, highlights the stark reality that employees, strategic partners, and other insiders with authorized access can inadvertently or intentionally inflict significant damage. This threat transcends industries, affecting both government entities and private businesses, as trust and access intersect in today's interconnected digital landscape.

However, NITAM extends beyond simply shedding light on the issue: it drives us to seek effective mitigations, such as an active archive, which is an advanced technology designed to provide efficient and secure data storage while enabling quick access and retrieval of information. Unlike traditional archival systems that store data in a passive, offline state, an active archive maintains data in a more accessible and readily available form, making it easier to search, retrieve, and analyze. However, within the context of insider threats, an immutable active archive serves as a robust defense due to its unique qualities. By ensuring data immutability, it maintains the integrity of stored information and creates a traceable record of interactions. This traceability acts as a deterrent against malicious insider actions and aids forensic analysis during security breaches. Moreover, its alignment with regulatory compliance standards ensures adherence to legal requirements. Last but not least, real-time monitoring capabilities can further enhance its effectiveness by promptly identifying unauthorized activities.

In closing, NITAM stands as an annual rallying cry, a time to renew our commitment to cybersecurity and acknowledge that, while trust is invaluable, preparedness is non-negotiable."


Seth Blank, CTO, Valimail

"In today's fast-evolving and intricate digital communication framework, DMARC (Domain-based Message Authentication, Reporting, and Conformance) acts as a pivotal element. It serves as a critical component that prevents external actors from exploiting a trusted name to deceive and mislead. Think of DMARC as the equivalent of a bouncer checking IDs at an exclusive nightclub. Its primary role is to ensure that only authorized individuals, essentially those on the guest list, can gain entry. DMARC's primary function is to make certain that unauthorized entities are both easily detectable and unable to impersonate your employees or executives, which if left unaddressed can turn an external threat into an internal one.

However, the role of DMARC extends beyond mere prevention. With DMARC enforcement, organizations gain the clarity that their communications are secured from impostors. Yet, this clarity also brings to light another dimension of security - the risks that potentially lurk within the organization itself. While it's imperative to fortify against external threats, an equally significant aspect of security is the continuous oversight of internal activities and behaviors.

Understanding the intricate interplay between trust, security, and the myriad channels of communication means recognizing the phased nature of protection strategies. Tools like DMARC offer the first line of defense against external hackers and other attackers. However, once these external defenses are robustly established, it becomes critical for organizations to pivot and channel resources and focus toward addressing the subtleties and complexities of internal threats. This sequential layered approach ensures a holistic defense strategy - begin by fortifying against external threats and then work meticulously to foster and maintain a trustworthy internal environment."
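The "bouncer checking IDs" picture above comes down to two mechanical questions a receiving mail server asks: does the sending domain publish an enforcing DMARC policy, and is the authenticated identity (SPF or DKIM) aligned with the visible From domain? The example below, added here and not Valimail's code, parses a DMARC TXT record, fills in the defaults, and evaluates what a receiver would do with a legitimate message and with an impersonation attempt. The records and the `example.com` / `spoofer.test` domains are constructed placeholders, and the `org_domain()` helper is a deliberate simplification of the Public Suffix List lookup real receivers perform.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict.

    Fills in the defaults the spec gives for absent tags: relaxed alignment
    (adkim=r, aspf=r), pct=100, and sp defaulting to p.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])
    return tags

def org_domain(domain):
    """Organizational domain used for relaxed alignment.

    Simplification (assumption): the last two labels. Real receivers consult
    the Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment between the RFC5322.From domain and an authenticated domain."""
    if not auth_domain:
        return False
    if mode == "s":                                   # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed

def evaluate_dmarc(record, from_domain, spf_domain=None, spf_pass=False,
                   dkim_domain=None, dkim_pass=False):
    """Decide what a receiver does with one message under the sender's DMARC policy.

    DMARC passes if SPF or DKIM both passed *and* is aligned with the From domain.
    A spoofer can pass SPF/DKIM for a domain they control, but not an aligned one.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "disposition": "none" if passed else tags["p"],
        # only quarantine/reject applied to 100% of mail actually stops impersonation;
        # p=none is monitoring mode and delivers the spoof anyway
        "enforcing": tags["p"] in ("quarantine", "reject") and tags["pct"] == "100",
    }

# Constructed records and scenarios; example.com / spoofer.test are placeholders.
ENFORCING_RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@example.com"
MONITORING_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # legitimate mail: DKIM signed by the From domain itself
    print(evaluate_dmarc(ENFORCING_RECORD, "example.com", dkim_domain="example.com", dkim_pass=True))
    # impersonation: SPF passes for the sender's own domain, which is not aligned with From
    print(evaluate_dmarc(ENFORCING_RECORD, "example.com", spf_domain="spoofer.test", spf_pass=True))
    # the same message against a monitoring-only policy is still delivered
    print(evaluate_dmarc(MONITORING_RECORD, "example.com", spf_domain="spoofer.test", spf_pass=True))
```

The third scenario is the one the quote's distinction between "DMARC" and "DMARC enforcement" turns on: a `p=none` record produces reports but never turns an unaligned message away, so the `enforcing` flag is what to check when auditing your own domains.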


Theresa Lanowitz, Head of Evangelism, AT&T Cybersecurity

"In today’s evolving and increasingly complex digital landscape, protecting your business against insider threats is critical. Concerns for insider risk exist across industry verticals, one of the most prominent being within US State and Local Government and Higher Education (SLED). Recent research shows that SLED employees perceive the top three most likely attacks to occur as personal information exfiltration, insider threat, and ransomware. These types of attacks combined can be catastrophic for an organization and erode customer trust, tarnish the brand, and cost a significant amount of money to remediate.

Because insider threats involve a company’s greatest asset — its employees — it is critical that business leaders stay aware of the types of threat actors they may encounter from within their own organization. Frequently, the insider threat is a result of a seemingly innocuous behavior by an employee. There is no malicious or purposeful intent to harm the organization. An employee unaware of potential danger may click on something that is infected and cause a ripple effect throughout the organization. This is why cyber hygiene is so crucial. Employees need to be aware of what is safe and unsafe in the digital world.

Then there is the lone wolf. This is an insider who has strategically planned a way to steal digital assets with the intent to do harm to the company. Using technologies such as micro-segmentation means that employees only have access to what they need for their jobs.

In order to prevent these threats, organizations need to understand their infrastructure, implement robust access controls, and monitor for misuse. And, because of the inherent sensitivities surrounding insider threats, it’s equally important that business leaders create a security-focused culture. Employees should feel empowered to identify suspicious activity, and comfortable enough to say something as soon as they notice it."


Nabil Hannan, Field CISO, NetSPI

"This National Insider Threat Awareness Month, it’s important to raise awareness around some of the most commonly exploited vulnerabilities within an organization’s internal network. According to NetSPI’s 2023 Offensive Security Vision Report – which is based on more than 300,000 pentesting engagements – we found that excessive internal permissions continue to plague organizations. We witnessed network shares or SQL servers that unintentionally allowed access to all domain users, which often contain sensitive information, credentials to other services, or customer data (such as credit card numbers or PII). Unexpected excessive privileges lead to a large number of internal users having access to unintended sensitive data. All it takes is one rogue employee to cause major damage.

Additionally, weak or default passwords continue to be used within organizations, especially when accessing internal networks that contain highly sensitive information. Unlike interfaces exposed externally, interfaces on the internal network typically don’t require multi-factor authentication, making the likelihood of compromise much greater. Basic security hygiene, as well as an understanding of internal sharing protocols, can provide a solid foundation in bolstering protection against insider threats."


Janer Gorohhov, CPO & co-founder, Veriff

"Many companies’ security leaders focus their efforts on external threats – and rightfully so, as the explosive growth and accessibility of powerful technologies like AI have allowed dangerous fraudsters to bolster their attack capabilities to new levels. But it’s equally important for business leaders to remember that locking down external threats does nothing to protect against the ones that have already made it through their defenses.

AI-powered tools, like image and voice deepfakes, enable fraud actors to impersonate whoever they choose with terrifying accuracy, leading to skyrocketing rates of business email compromise and other forms of fraud carried out from the inside. When employees’ voices and images are untrustworthy, it’s more important than ever to make absolutely sure that the people behind them are, in fact, who they say they are. Companies that fail to implement rigorous identity verification in their onboarding processes, such as biometric authentication tools, put themselves at serious risk of falling victim to fraud from criminals masquerading as their own executives."


Jeremy Ventura, Director, Security Strategy, Field CISO at API security company, ThreatX

"IT and security teams have long focused on external threats from hackers and cybercriminals. These teams primarily allocated their budgets for tools and technologies that defend their organizations from these external forces, but what often gets missed is the lack of protection from “insider threats”. From negligent users, disgruntled employees and espionage threats, security teams need to be prepared to mitigate and respond to incidents. And the best way to do this is by ensuring there is a balance between both human and technological measures. This includes starting with security awareness and training employees on how to identify insider threats, e.g., suspicious emails from internal employees. As a second step, teams need to leverage technology that incorporates tools to identify and remediate insider and lateral threats such as data loss prevention (DLP), endpoint detection and response (EDR) and application monitoring solutions. These strategies should be top of mind for security teams throughout the entire year, but especially during Insider Threat Awareness Month. It’s critical that organizations take the time to invest in internal threat strategies just as they do for external threats."


Arturo Perez-Reyes, SVP of Cyber and Technology at Newfront

"To paraphrase Anna Karenina, unthreatening employees are all alike, but every threatening employee is dangerous in his or her own way. Thus, the damage that insiders inflict depends on their status and access. Although IT perils come first to mind, such as logic bombs or cryptojacking, the threat is as old as turncoats like Benedict Arnold or acts of financial embezzlement and fraud.

Nevertheless, the threat continues to take new and expensive forms. The theft of trade secrets has led to billion-dollar losses. The publication of government secrets has cost lives and alliances. Insider trading on IT issues has led to large shareholder suits and jail time for D&Os. Next will be insider impersonation using generative AI. Insurers have had to pay such claims since 2019. It will get worse, because new tools can impersonate a voice with as little as 3 seconds of audio.

Thus, it is worth noting that not all insiders are the same when it comes to financial risk transfer. Although cyber-insurance policies anticipate insider threats by providing severability of insureds, so innocents are spared, there is a class of insider that can strip coverage for all other insureds: executives. Better policies limit the list of executives, but many do not. This limitation must be for more than actions. The problem recurs regarding knowledge: knowledge of claims and knowledge on the application."


Martin Zugec, Technical Solutions Director at Bitdefender

"Implementing a meaningful security strategy for insider threats starts with first understanding the motivation behind these attacks. A recent industry report revealed that nearly 90% of insider attacks in the past year were financially motivated. To counter this type of insider threat, it is imperative to begin by understanding which data or systems within the organization hold potential monetary value. Conduct a thorough assessment of sensitive assets, identifying those that could be monetized if compromised. It’s critical to think beyond your own four walls to include remote employees, partners, supply chain and cloud environments.
Additionally, it’s important to remember insider threats also include user errors and unintentional actions. Subsequently, implement robust monitoring systems that pinpoint anomalous user behaviors, unauthorized access attempts and misconfigurations, especially when tied to high-value assets. Implementing detection and response solutions (such as XDR or MDR) tailored to identify and flag incidents within the network offers the advantage of safeguarding against not only external threats like APTs or ransomware groups but also malicious and non-malicious insiders."


Robin Tatam, CISM CPFA CTMA CPSP PCI-P, Sr. Director of Product Marketing at Perforce Software

"Perimeter protection is a necessity, no matter whether you’re guarding money, a country, or the servers within a datacenter. Even those who are unfamiliar with cybersecurity best practices understand that access should be limited to those with a justified reason for access. However, this often overlooks an individual who satisfies the criteria to be admitted inside, fueled by the illusion that admittance is only granted to those individuals who are incapable of harm.
Discussion of insider threats rarely escapes mention of the tale of the Trojan Horse from ancient Greek mythology. In the myth, the Greeks ingeniously concealed soldiers within a massive wooden horse, presenting it as a gift to the city of Troy. Unbeknownst to the Trojans, this seemingly innocuous offering harbored a hidden danger. Similarly, in today's digital landscape, insider threats manifest when individuals within an organization, who may appear trustworthy on the surface, pose a concealed risk to the security of sensitive data and systems.
Vigilance against insider threats is as critical in the digital realm as it was within the walls of ancient Troy. Protection measures must be extended to include managing access to the individual assets contained within the perimeter. Zero Trust models assume that threats exist on both sides of the perimeter wall and play a crucial role in mitigating insider threats and bolstering cybersecurity. Zero Trust starts with the foundational principle of “never trust; always verify” which means that no entity is inherently trusted, whether they are inside or outside of the organization. This prevents assumption of trustworthiness that can lead to vulnerabilities. Other important elements of Zero Trust include strict access controls, continuous evaluation and mitigation of desired configuration state, and monitoring of user events to detect anomalous behaviors. However, Zero Trust isn’t only about technology. Education programs must ensure that users are fully trained in the legitimate actions associated with their roles and responsibilities, as well as educated on common security risks and best practices. Harm is too often associated with an action where the user didn’t comprehend or fully consider the consequences.
Insiders, whether through malicious intent or inadvertent actions, can compromise an organization's cybersecurity defenses from the inside, much like the Trojans' unsuspecting acceptance of the wooden horse ultimately led to the fall of their city. The lesson is clear: as we have become more reliant on technology, the age-old warning of "Beware of Greeks bearing gifts" has found a modern counterpart in 'Beware of insiders wielding digital access.'"


Jason Keenaghan, Director of Product Management, IAM, Thales

"When most people hear the term “insider threat” they likely picture a rogue employee who is out for revenge or trying to cash in on some high value information. However, insider threats can stem from both unintentional human errors, such as inadvertently installing malware or being duped by phishing emails, as well as malicious behaviors, such as the deliberate release of sensitive information. More often than not, insider threats are the result of human error. An innocent lack of understanding of an organization’s culture, policies, and procedures can be riskier to a business’ security than any technical vulnerability. While correctly training employees is an essential measure of defense in reducing human error, it can’t always account for mistakes and outside motivators.
When you consider that every digital interaction begins with identity – you need to approach your proactive security controls accordingly. By focusing on identity, and leveraging modern access management tools, you can build adaptive policies that protect your most critical digital assets from attackers as well as unintentional human errors. Adaptive, risk-based policies can adjust the level of identity assurance and authentication that is required based on signals that are currently being observed. Is this the normal location or time of day that the user accesses the system? Is this the normal amount of data that he/she typically downloads? Is this a known and registered device? By using these types of approaches, you can avoid undue friction for the 99% of your employees that are doing the right thing; while at the same time, you can protect yourself from anomalous behavior that may just be a sign of an insider attack."

Michael Smith, Field CTO at Vercara

"When it comes to malware infecting a desktop or mobile device, the insider threat is also an external threat. Ransomware gangs, in particular, are increasingly engaging in data exfiltration through insider compromise to carry out secondary and tertiary ransoms. They may threaten to publicly release the data or use it to attack the company's customers. Identifying common markers of insider threats will help with detecting this activity: look for frequent file browsing, data exfiltration, and occasional attempts to gain more access. It’s really the hunt for users that suddenly start to become hyperactive with how they access files.
Some of this activity can be easily detected using DNS query data from your recursive servers, which every organization should log and use for threat hunting and attack prevention. For example, a user might visit a software tools website to download an application for writing data to a CD, or they might access file sharing sites. All of these activities can be detected through DNS analysis."
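The kind of recursive-resolver log review Smith describes, as an added example that is not part of the original article and not Vercara's code: it parses constructed query-log lines (the format loosely follows a BIND-style query log, not any vendor's exact format), tags queries that fall under a constructed watchlist of file-sharing and software-download domains, and flags clients whose query volume jumps above a supplied per-client baseline, which is the "suddenly hyperactive" signal the quote mentions. The domain names, IP addresses and baseline counts are all made up for the example.

```python
"""Toy DNS query-log triage (constructed example, not Vercara's tooling)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines: "<timestamp> client <ip> query: <name> IN <type>".
# One malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
2023-09-11T09:01:02 client 10.0.1.20 query: intranet.corp.test IN A
2023-09-11T09:01:05 client 10.0.1.20 query: mail.corp.test IN A
2023-09-11T09:03:10 client 10.0.1.44 query: files.share-example.test IN A
this line is not a query record and must be ignored
2023-09-11T09:03:11 client 10.0.1.44 query: cdn.burner-tools.test IN A
2023-09-11T09:03:12 client 10.0.1.44 query: intranet.corp.test IN A
2023-09-11T09:03:40 client 10.0.1.44 query: files.share-example.test IN AAAA
2023-09-11T09:04:00 client 10.0.1.44 query: upload.share-example.test IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query: (?P<name>\S+) IN (?P<qtype>\S+)$"
)

# Constructed watchlist of domain suffixes by category. In practice this comes
# from a domain-categorisation feed or the organisation's own policy list.
WATCHLIST = {
    "file_sharing": ("share-example.test",),
    "software_download": ("burner-tools.test",),
}


def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def categorise(name):
    """Return the watchlist category a query name falls under, or None."""
    for category, suffixes in WATCHLIST.items():
        for suffix in suffixes:
            if name == suffix or name.endswith("." + suffix):
                return category
    return None


def triage(text, baseline_per_client, spike_factor=2.0):
    """Summarise a log and return only the clients worth a second look.

    A client is reported when it queried a watchlisted category or when its
    query count is at least spike_factor times its baseline (the baseline is
    supplied by the caller; here it is constructed for the example).
    """
    per_client = defaultdict(lambda: {"categories": Counter(), "queries": 0})
    for rec in parse_log(text):
        entry = per_client[rec["client"]]
        entry["queries"] += 1
        category = categorise(rec["name"])
        if category:
            entry["categories"][category] += 1

    findings = {}
    for client, entry in per_client.items():
        base = baseline_per_client.get(client, 0)
        spike = base > 0 and entry["queries"] >= spike_factor * base
        if entry["categories"] or spike:
            findings[client] = {**entry, "spike": spike}
    return findings


if __name__ == "__main__":
    # Constructed baseline: typical queries per client over a comparable window.
    for client, info in triage(SAMPLE_LOG, {"10.0.1.20": 2, "10.0.1.44": 2}).items():
        print(client, dict(info["categories"]), "queries=%d" % info["queries"],
              "spike=%s" % info["spike"])
```

The watchlist match is on suffixes so that subdomains of a categorised domain are caught, and the volume check is relative to each client's own baseline rather than a global number, since a build server and a receptionist's laptop have very different normal query rates. Neither signal is proof of anything by itself; the output is a hunting queue, not a verdict.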


Wade Barisoff, Director of Product – Data Protection at cybersecurity company Fortra

"In today's rapidly evolving digital landscape, insider threats have emerged as a critical concern for organizations. It is imperative to recognize that these threats encompass a broad spectrum, from unintentional actions to malicious intent, and they can have profound repercussions for a company's security and reputation.
Insider threats are not solely driven by ill intentions; they can also stem from inadvertent mistakes or external influences. To prepare for these threats effectively, organizations need a multi-faceted approach. This should include:

  • Awareness and Training: Ensuring that all employees are educated about the risks associated with insider threats is paramount. Regular training on cybersecurity best practices, recognizing phishing attempts, and understanding data protection is essential.
  • Access Control: Implementing a robust access control system, following the principle of least privilege, is crucial. Limiting user access to only what is necessary for their roles minimizes potential vulnerabilities.
  • Behavior Analysis: Paying attention to changes in employee behavior, performance, or sudden financial distress can be indicative of an insider threat. Encourage a culture of open communication to address concerns promptly.
  • Response Plans: Having a well-defined incident response plan is crucial. It should outline steps to take in the event of an insider threat to minimize damage and recover swiftly.
  • Ongoing Vigilance: Recognize that insider threats are an ongoing challenge. Regularly review and update security protocols and technologies to stay ahead of evolving threats.
  • Data Protection: Employing data loss prevention (DLP) solutions can help prevent unauthorized data transfers and ensure sensitive information remains within the organization.

Insider threats require proactive measures that encompass not only technical solutions but also a comprehensive approach that involves education, monitoring, and adaptability. By addressing these aspects, organizations can significantly reduce the risk posed by insider threats and protect their valuable assets."


Mike Pedrick, VP of Cybersecurity Consulting, Nuspire

"For many organizations, especially SMBs, protecting critical information and systems is a matter of aiming (or wishing) for the level of security you’d find within the walls of the Pentagon or Moscow’s Kremlin. The problem is, these SMBs have technology, capital and personnel resources that are more in line with defending a rural Midwest tree fort. Such meager resources, however, necessitate a strategy that focuses on external threats; insiders are, by default, afforded the sort of implicit trust given to friends and family. Smaller organizations are also more likely to have a flat networking and access control model – all team members being granted access to all resources.
Unlike the aforementioned center of the Russian government, red flags are easy to miss when it comes to trusted team members, but the risk is so much higher. Whether intentional or otherwise, employees can forever change their organization's destiny in the blink of an eye. A core aspect of the Zero Trust model is to treat folks whom we know, trust and respect on a personal level as no different from an external or nation-state bad actor when it comes to critical or sensitive information. SMBs should ensure that their strategy and resource allocation include due attention to the insider threat."


Jon Siegler, Chief Product Officer, LogicGate

"Insider threats should be top of mind for any organization. Unlike threats that originate outside of your organization, the individuals that pose insider risks already have legitimate access to your system and know what to look for, and where to find it quickly, which means that it can be difficult to detect and mitigate their activities before damage is done.

It takes a multi-pronged approach to stop these sorts of attacks: Organizations need to establish robust access controls, educate their workforce on how to identify and report suspicious activity, and invest in new technologies that can proactively detect these threats. Insider threats will only become more of a problem as new technologies like AI offer more sophisticated means to access systems and avoid detection. Organizations will need to remain vigilant and adapt just as quickly as these bad actors do to keep their assets secure."


Tom Ricoy, Chief Revenue Officer, Cigent

"Insider Threat Awareness month always makes me think of the classic thriller When a Stranger Calls. The iconic scene is when the police inform the young heroine ‘We’ve traced the call, it’s coming from inside the house!’ Although this movie was from 1979, it still depicts a common approach to cyber security today. The young babysitter is locking the house doors and windows for protection, not realizing the killer is already inside until it is too late.  
Account takeover (ATO) and Initial Access Broker (IAB) services have spiked in 2023, often resulting in authenticated access to assets by criminals. Whether it is really the organization’s insider (employee), or a criminal that has taken over the insider’s account, organizations must emphasize adequate controls are in place to protect valuable assets – in our movie example, it is the sleeping children. Detection and prevention can be implemented by focusing on risk-based access controls (UBA and zero trust principles) with adequate vetting. So, when John accesses a data set that he has never accessed before, he is presented with step-up authentication. These security measures can help to keep the organization’s assets safe from threats, even those that are already ‘in the house.’"
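The adaptive, risk-based policy that Keenaghan describes (location, time of day, download volume, known device) and the step-up prompt in Ricoy's "John accesses a data set he has never accessed before" scenario both reduce to the same mechanism: score the signals observed on a request and pick a response tier. The following is an added example, not code from Thales, Cigent or any product mentioned on the page; the signal weights, thresholds, user profile and request values are all constructed, and a real deployment would take them from the access-management product's own policy engine.

```python
"""Toy adaptive access decision (constructed example, not any vendor's engine)."""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What 'normal' looks like for one user; values here are constructed."""
    usual_countries: set
    work_hours: tuple            # (start_hour, end_hour), end exclusive
    typical_download_mb: float
    known_devices: set
    datasets_seen: set = field(default_factory=set)


@dataclass
class AccessRequest:
    user: str
    country: str
    hour: int
    device_id: str
    dataset: str
    download_mb: float


def risk_signals(profile, req):
    """Return {signal_name: points} for every signal that fired on this request.

    Weights are assumptions for the example; an unregistered device is scored
    highest because it is the strongest account-takeover indicator of the set.
    """
    fired = {}
    if req.country not in profile.usual_countries:
        fired["unusual_location"] = 30
    start, end = profile.work_hours
    if not (start <= req.hour < end):
        fired["outside_work_hours"] = 15
    if req.device_id not in profile.known_devices:
        fired["unregistered_device"] = 40
    if req.dataset not in profile.datasets_seen:
        fired["first_access_to_dataset"] = 25
    if req.download_mb > 3 * profile.typical_download_mb:
        fired["abnormal_volume"] = 35
    return fired


def decide(profile, req, step_up_at=25, deny_at=70):
    """Map the summed risk score to a tier: allow, step_up or deny.

    Thresholds are assumptions: a single first-time dataset access lands exactly
    on the step-up threshold, mirroring the step-up prompt in the quote above,
    while a cluster of signals is refused and left for the SOC to review.
    """
    score = sum(risk_signals(profile, req).values())
    if score >= deny_at:
        return "deny", score
    if score >= step_up_at:
        return "step_up", score
    return "allow", score


def record_success(profile, req):
    """After a successful step-up, fold the request into the user's baseline so
    the same legitimate access is frictionless next time."""
    profile.datasets_seen.add(req.dataset)
    profile.known_devices.add(req.device_id)


if __name__ == "__main__":
    john = UserProfile(usual_countries={"US"}, work_hours=(8, 19),
                       typical_download_mb=50.0, known_devices={"laptop-01"},
                       datasets_seen={"hr-reports"})
    first_time = AccessRequest("john", "US", 10, "laptop-01", "finance-ledger", 20.0)
    print(decide(john, first_time))      # ('step_up', 25)
    record_success(john, first_time)
    print(decide(john, first_time))      # ('allow', 0)
```

The point of `record_success` is the "99% of employees doing the right thing" argument from the Thales quote: friction is applied once, at the anomaly, and the profile then absorbs the new normal so the same user is not challenged again for the same dataset. Deny-tier decisions should raise an alert rather than fail silently, since a pile-up of signals on one account is exactly what an account takeover looks like from the identity layer.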


Subhalakshmi Ganapathy, IT security evangelist at ManageEngine

"Though comprising only 6% of the total incidents reported, attacks initiated by malicious insiders have proven to be the most expensive this past year, costing companies an average of $4.9 million. This is 9.6% higher than the average global cost of $4.45 million per data breach. Breaches initiated by malicious insiders also take the longest to resolve. Both of these parameters indicate the complexity of detecting, resolving and mitigating an insider attack. Apart from this, in 74% of all breaches, the human factor has played a role, whether through errors, privilege misuse, the use of stolen credentials or social engineering.
Cyber complacency practices such as connecting work devices to public Wi-Fi, connecting personal accounts to company hardware, and reusing passwords are all highly common ways individuals put both personal and professional information at risk.
A recent ManageEngine consumer survey found that, despite being considered a highly tech-savvy generation, millennials are actually some of the worst offenders when it comes to following cybersecurity best practices. The report found that 81% of millennials use the same password across multiple online accounts, with Gen Z close behind at 77%. Unsurprisingly, then, millennials are also the most-impacted generation when it comes to data breaches (60%).
As younger generations join the workforce, they will need a thorough understanding of the potential implications their habits can have on their organizations. IT teams must remain vigilant by implementing safeguards and educating employees on cyber hygiene and best practices to reduce insider threats due to negligence or errors.
They should also parallelly focus on stepping up their defenses against malicious insider threats. The contribution of malicious insiders as threat actors is increasing in some of the common and popular tactics: privilege misuse and system intrusions. Adopting Zero Trust and AI-based behavior profiling technologies can help contain malicious insider attacks.
Ultimately, cybersecurity is everyone’s responsibility. Employees and their organizations need to work together to ensure company data remains safe."


Stephan Jou, Security Analytics Chief Technology Officer, OpenText Cybersecurity

"The insider threat conversation was boosted by the pandemic, which gave employees unprecedented network access to work effectively from home. In doing so, an important barrier for malicious actors was removed, making it easier to steal.

ChatGPT then brought AI into the spotlight, showing the world the power of this amazing technology. While often used by adversaries to do harm, AI is quickly becoming an important and powerful tool in our human-machine partnership to detect and defeat cyber attackers. The collision of these two forces, insider threats and AI, is an exciting step forward for the good guys.

Insider threats fall into three categories: the bad guys on the outside, the bad guys on the inside, and the clueless guy on the inside. AI, combined with behavior analytics which are built off machine learning (ML) models, is making it easier to proactively monitor for suspicious or odd behaviors by looking for subtle clues, patterns and anomalies – something that has been nearly impossible for large organizations to do at scale previously.

While a focus on people, processes and technology remains the best practice against insider threats, with AI integrated into technology, we are finally starting to turn the tables on threat actors."


Roman Arutyunov, Co-Founder and SVP of Products at Xage Security

"Safeguarding our critical infrastructure – energy, manufacturing, transportation, communication, and more – against insider threats isn't just a matter of national security; it's a commitment to upholding the stability, resilience, and safety of our society. The essential services that power our lives need to be protected, and Insider Threat Awareness Month underscores a pivotal truth: securing our critical infrastructure rests on adopting a zero trust strategy.

The vulnerabilities confronting businesses don't solely emerge from external sources; they can also originate from within. Last year, over half of organizations experienced an insider threat incident. Companies can't assume trust and provide broad access to any user inside the network. Instead, user access should be meticulously managed through explicit authentication and authorization protocols, ensuring that access privileges are strictly aligned with personnel’s respective roles and responsibilities. If companies uphold continuous identity verification for employees and partners before granting access to services and information, insider threat incidents can be reduced drastically, better protecting not only our critical data and systems but our people and society."


John Martinez, Dynamic Access Management Evangelist, StrongDM

"An insider threat uses one main weapon to attack a company: access. Having the credentials to access and move around internal infrastructure with near impunity is the core element of an insider threat, as well as nearly every other major security challenge. Shadow IT has been around for a long time; Shadow AI, for sure, is new since ChatGPT, and it has IP and confidential data leakage implications. These terms reference the use of undocumented, or unauthorized, IT tools or AI software.

As we continue to see innovations in AI, the challenge will be ensuring employees have access to the tools they need under company oversight to avoid backdoors and cheats that can cause security risks, the same security risks that can enable an insider threat.

I would like to remind company leaders that having infrastructure access is like having the keys to your home’s front door, and investing in the proper access management tools that can monitor and adjust credentials as necessary is critical.  

Regardless of whether an insider threat is intentional or malicious, CISOs and IT leaders must lead the charge into centralized access. By doing this, security leaders can manage critical access permissions across databases, servers and cloud service providers to ensure their infrastructure is kept secure against threats both inside and out without compromising productivity."

Arti Raman, CEO and founder, Titaniam

"Business leaders wanting to stay ahead when it comes to security, compliance and policy need to be paying attention this Insider Threat Awareness Month. The boom in Artificial Intelligence (AI) that we’re seeing today, while powerful and certainly worth exploring, exposes a whole new world of vulnerabilities that need to be addressed. Recent surveys have shown that 54 percent of organizations will be adopting AI over the next 12 months - a rapid adoption rate that leaves little room for guardrails and safety nets. Where do company policies fit? How will AI impact security regulation compliance? What guardrails are in place to safely allow AI’s use?
These are important questions that everyone should be asking, especially business leaders and decision-makers across boards and C-suite teams, such as CISOs. The reality, however, is that only 36 percent of organizations are implementing any form of policy that restricts or bans AI use at work. As we continue to see AI sweep across the enterprise and become increasingly integrated into everyday use, both at home and in the office, Shadow AI becomes a credible threat to business intellectual property (IP) and sensitive information.
Shadow AI, the unsanctioned and unmonitored use of AI tools, presents a new avenue for insider threats. While 33 percent of companies don’t prioritize insider threats as cybersecurity concerns, I urge business leaders to recognize that these threats can stem from both malicious and accidental incidents. All it takes is one employee using an AI tool meant to increase productivity and accidentally opening a new roadmap to sensitive data stores that cybercriminals will undoubtedly exploit. While AI’s use in the enterprise is critical to development and innovation, business leaders must consider investing in and implementing guardrails.  
Tools that provide in-depth and real-time visibility into AI use across internal networks will be critical in suppressing a looming spike in insider threat-related data breaches. Decision-makers across boards and executives need to implement real education and training in the use of AI that allows the use of these tools without sacrificing their security."

Patrick Beggs, CISO at ConnectWise

"While the focus is often on protecting against external threats, malicious, negligent, and compromised insiders are a serious cybersecurity risk, with 67% of companies experiencing more than 21 insider-related incidents per year. To combat this, organizations require a comprehensive security program that combines cybersecurity awareness training, technical solutions, and strict security protocols. Insider threats rely on the negligence and actions of a company’s end users, such as an administrator failing to apply a security patch or an employee accidentally clicking on a phishing link. Once a user has been compromised, their accounts can be used as a ‘home base’ for attackers, from which they can share private files, escalate privileges, or infect other systems.

To enhance their ability to detect and prevent insider threats, organizations can leverage artificial intelligence for context-aware monitoring, anomaly detection and behavioral analytics. By consuming billions of data artifacts, AI quickly learns about emerging risks, identifying malicious files and suspicious activity much faster and more accurately than a human ever could. It then applies its findings to predict activities, identifying them as they occur and assigning them a severity level for remediation.

Threat intelligence platforms gather and analyze data in real time from multiple sources to identify and predict threats. Incorporating their findings or connecting them to AI cybersecurity tools can help the solution proactively take a defensive posture. To supplement this, task automation technology can handle routine tasks such as informing users that their credentials may have been compromised, resetting passwords, and patching vulnerabilities in systems and software. The combination of these AI-powered solutions, human expertise and well-defined security policies can help organizations build a robust defense against insider threats."


Gal Helemski, CTO and co-founder, PlainID

"Since many enterprises are working remotely, now more than ever, confirming identities has become the cornerstone of organisational security. As most data is stored on cloud-based services, it only takes one misuse of a pre-existing or stolen credential for a company’s entire digital landscape to be left open and exposed.

The pathway to cyber security comes from trusting no one – not even regular employees on trusted devices. This might sound extreme, but unless there’s real-time monitoring and authorisation, you cannot be 100% sure that this user has the right to be accessing this data.

A Zero Trust approach is no longer a ‘nice to have’ for cyber security leaders. In fact, 50% of business leaders said that authorisation is an integral part of their zero-trust programme. This ensures that trusted users have authorised access to the digital assets they need, and no further. Users attempting to access the network by force or suspicious requests become much more visible, and countermeasures can be put in place."


David Etue, CEO at Nisos

"Beyond traditional cybersecurity threats, security teams do battle with threats like fraud, executive protection, and cyber-crime. These types of threats have a couple things in common. First, they are often overshadowed in discussions about threats by cybersecurity. Second, unlike most SOC use cases, knowing the “who” is important to mitigating these threats.
Armed with information about the individual or network of threat actors and organizations, companies are well-placed to act against the threat. This could involve cutting ties with an employee, client, or platform user, pursuing legal action, or working with law enforcement.
The challenge for security teams is that it takes extensive tradecraft, expertise, and experience to take the raw data or information (organized data) from your threat feeds or portals and transform that into intelligence that is immediately useful in mitigating threats. And most security teams struggle to find and retain their security talent, let alone this type of specialist capability.
This is where the emerging trend of managed threat intelligence comes into play.  Analysts operating as an extension of a security team provide finished intelligence across threat assessments, monitoring, and investigations.  Managed intelligence services can help teams operationalize their threat intelligence and help security teams get to the real answers they need including unmasking threat actors and their operations."


Tim Hankins, SVP of Growth at Judy Security

"In the wake of the recent MGM Resorts ransomware attack, it has become clearer than ever that small to medium-sized businesses (SMBs) must prioritize awareness of insider threats due to the unique risks they face. Although MGM Resorts is a larger corporation with extensive cybersecurity resources, they still fell victim to a vishing attack (where you gain access to systems through a convincing phone call rather than phishing, which is done through an email).

Whether it is a ransomware attack using vishing or phishing, businesses often lack the financial means and personnel to combat insider vulnerabilities and threats effectively. Insider threats, which can originate from employees, partners, or third-party vendors, account for a significant portion of data breaches, posing a substantial danger to businesses, with consequences that extend beyond financial losses and can include damage to brand reputation, loss of customer trust, and legal implications.

SMBs can combat insider threats by implementing strong policies, conducting regular performance assessments, enforcing the principle of least privilege, and implementing an “all in one” cybersecurity solution that includes a comprehensive suite of security features that protects customer endpoints and environments across the board. Additionally, regular security awareness training programs are essential to educate employees about cybersecurity best practices and reporting suspicious activities.

In today's digital landscape, SMBs must proactively protect their assets from insider threats to safeguard their business, customers, and reputation."


Doug Kersten, CISO, Appfire

"When most people think of the bystander effect, they don’t think of cybersecurity. However, in the same way people expect someone else at the scene of an accident to call 911, most employees figure another member of their team will report risky behavior or suspicious digital activity. And, more times than not, this mindset leads to a security incident or data leak that could have been prevented.
Defending against insider threats means getting everyone involved. Every employee at an organization, whether they’ve been with the company for 15 years or 15 days, is someone who could unintentionally expose sensitive data. Breaking even the most seasoned employees out of their regular patterns to create a more communicative and security-focused culture at your organization is the only surefire protection against insider threats. This means creating a culture that encourages open lines of communication between the security team and the rest of the organization. Employees need to view the security team as an ally and as a team of people they can go to for help, not punishment, after mistakenly sharing sensitive information. Awareness training also plays a big role in combating insider threats, particularly with the rise of generative AI. If your employees are well-trained, feel comfortable communicating honestly with their security teams, and have an anonymous way to report their concerns without fear of repercussion, the odds of preventing a threat before sensitive information is exposed increase exponentially."


Published Tuesday, September 12, 2023 7:54 AM by David Marshall