September marks National Insider Threat Awareness Month, a critical
time for organizations to reflect on one of the most pressing yet often
overlooked aspects of cybersecurity: insider threats.
Whether intentional or accidental, insider threats pose a significant
risk to businesses of all sizes, from small startups to global
enterprises. With cyberattacks becoming more sophisticated and data
breaches more frequent, the potential damage caused by insiders, whether
malicious employees, careless contractors, or compromised partners, can
be devastating.
This expert commentary roundup brings together leading voices in the
cybersecurity industry to shed light on the importance of insider threat
awareness, explore the evolving landscape of these threats, and provide
actionable strategies for mitigating the risks from within.
++
Anthony Cusimano, Technical Director, Object First
My biggest takeaway since last National Insider Threat Awareness Month is
that every organization must always assume breach, no matter how secure.
Time and time again, we saw businesses that claimed to be secure, with
"good backup best practices" in place, fall victim to attack because
they weren't operating with an "assume breached" mentality. Over the
last year, Object First has focused on educating anyone who would listen
about incorporating Zero Trust into IT teams' operating practices and
reevaluating backup ecosystems with a Zero Trust Data Resilience (ZTDR)
mindset. With ZTDR, admins can truly harden their data protection
architectures by segmenting backup software and backup storage, creating
resilience zones using 3-2-1 methodologies, and utilizing immutability
as part of backup storage to ensure recovery is always a possibility.
ZTDR is not something you can go out and buy; instead, it is a mind
shift that all backup admins must go through to ensure their companies
remain resilient even when the worst-case scenario occurs.
++
Kevin Cole, Director, Technical Marketing and Training, Zerto, a Hewlett Packard Enterprise company
Recent research from Zerto highlights how human error is responsible for nearly half (46%) of all the
reasons for data becoming unrecoverable, making it the largest threat for data
loss. With Insider Threat Awareness Month upon us, it's a critical time for
organizations to re-evaluate their data protection strategies to protect their
customers and preserve their reputation against any breaches.
Whether it is an employee who sells data for personal gain,
sabotages systems before leaving, falls victim to a phishing attack, or just
makes an innocent mistake, insider threats can blindside an organization and
cause severe damage to its reputation, operations, and finances. Therefore, I
urge organizations to take the proactive step of investing in data protection
solutions that both prevent unauthorized access and ensure quick, reliable
recovery after a breach or ransomware attack.
++
Darren Guccione, CEO and Co-Founder, Keeper Security
Insider Awareness Month is the perfect opportunity to prioritize the principle of ‘never trust, always verify.’ This approach ensures that every user, device and connection is continuously validated – a necessity given the ongoing challenge of insider threats. According to Keeper’s recent report, The Future of Defense, 40% of respondents reported experiencing a cyber attack that originated from an employee. Whether these threats are malicious or accidental, the consequences can be severe.
To effectively prevent and mitigate these threats, a multi-faceted approach is essential. Key best practices include:
- Implement strict access controls: Ensure employees have only the access necessary to perform their duties.
- Regularly review and update permissions: Align access rights with current job functions and organizational changes.
- Utilize Privileged Access Management (PAM): Secure and monitor access to sensitive systems and data.
- Adopt a zero-trust security model: Continuously verify the identity and authorization of every user, regardless of their location or device.
To further protect against data exfiltration, organizations should prioritize Data Loss Prevention (DLP) strategies. This includes establishing robust offboarding processes to ensure that departing employees no longer have access to critical resources.
By integrating strict access controls, PAM, zero-trust principles and DLP strategies, organizations can substantially reduce the risk of insider threats and protect their valuable assets. Insider Threat Awareness Month is a timely reminder of the importance of proactive measures to safeguard against threats from within. By prioritizing these strategies and fostering a culture of security awareness, organizations can strengthen their resilience and mitigate the potential damage caused by insider threats.
++
Brett Williams, Senior Manager, Solution Engineering, SentinelOne
Insiders have something outside threat actors never will: trust. And in the
blink of an eye, an insider can become a disgruntled employee or be
recruited by criminals, a competitor, or even nation-state intelligence
services. Motivations for both malicious and trusted insiders are
complex and often mixed, ranging from money and ideology to compromise
and ego. And their activities run the gamut from fraud, corruption and
criminal gain to unintentional disclosure, espionage and terrorism.
Effectively managing the risks that insiders pose requires a dedicated
effort. First, it's vital to conduct pre-employment security and
background checks, including but not limited to identity checks,
criminal history checks and employment background checks. Second, it's
imperative to create and drive a strong security culture through
awareness training, acceptable user behavior guidelines and legal
frameworks. And third, it's critical to proactively monitor social media
activity for red-flag behaviors and potential memberships to
underground communities that promote and facilitate insider criminal
activities.
The ability to turn an employee into an insider is
more within reach than ever. But in taking these actions, security teams
can stop bad actors in their tracks and keep their people and assets
safe.
++
Martin Zugec, Technical Solutions Director, Bitdefender
While malicious insiders can pose a significant threat to an organization's
security, they are often the exception rather than the rule. More
commonly, security incidents occur due to unintentional actions by
employees who may be unaware of security protocols, make mistakes, or
fall victim to social engineering attacks. It's crucial to recognize
that even well-intentioned employees can inadvertently compromise
sensitive information.
From a malicious standpoint, advanced language models (LLMs) and deepfake technologies have significantly
heightened the risk of insider threats through sophisticated
impersonation attacks. LLMs, in particular, have enabled non-native
English speakers to achieve near-perfect language proficiency, which has
revolutionized cybercrime by enabling highly effective targeted attacks
on a global scale. The ability to convincingly impersonate a CEO or
other high-level employee has made it far easier for threat actors to
exploit human trust. Organizations must adopt a multilayered security
strategy that integrates technological safeguards like MDR,
comprehensive training programs, and vigilant monitoring to mitigate the
risks posed by both unintentional and malicious insiders.
++
Larry O'Connor, CEO and Founder, Other World Computing (OWC)
One of the most significant insider threats facing organizations today is
the challenge of properly managing employee exits and access revocation.
Even weeks or months after departure, it is all too common for exiting
employees to still have lingering access to company systems and data.
From there, malicious insiders can then steal sensitive data or sabotage
critical systems rather easily by exploiting these oversights. And, as
organizations have become more reliant on cloud services and remote
work, unfortunately this risk has only grown.
Luckily, today we have robust identity and access management controls to mitigate these
insider risks. This includes automating the process of disabling
accounts across all apps and services when an employee leaves the
company. Leveraging technologies like two-factor authentication and
certificate-based authentication can also help prevent unauthorized
access -- even if login credentials are compromised. Additionally,
maintaining comprehensive, air-gapped backups of critical data is
essential - this provides a secure fallback in case malicious insiders
do manage to delete or encrypt production data.
During National Insider Threat Awareness Month, the key message for organizations is to
take a hard look at their security practices around employee offboarding
and data protection. It's not a matter of if, but when, an insider
threat incident will occur. Companies can significantly reduce the risk
and impact of these threats by proactively implementing the right
people, processes, and of course technologies. Bottom line -- protecting
against malicious insiders should be a top cybersecurity priority all
year round.
++
Carl D'Halluin, CTO, Datadobi
National Insider Threat Awareness Month is a crucial reminder not to
underestimate the significance of risks from within -- regardless of
whether they are malicious or a result of negligence. For a clearer
picture of just how significant, the 2023 Cost of Insider Risks Global
Report by the Ponemon Institute revealed that in 2023, the average
annual cost of an insider risk rose to $16.2 million per organization,
while the average time to contain an incident extended to 86 days,
compared to $15.4 million and 85 days in 2022.
Some might be surprised to learn that it is, in fact, unstructured data that is the
most vulnerable due to it being the predominant data type (80% of data).
It is the most difficult to manage, secure, and protect, and it often
contains valuable and sensitive information making it rather attractive
to those that wish to exploit it for personal gain or corporate
sabotage.
So during National Insider Threat Awareness Month - and all year long - take decisive action to safeguard your unstructured
data against insider threats. Invest in your people - train and provide
them with the solutions they require to gain visibility and control of
your unstructured data scattered across every environment -- local,
remote, and in the cloud. Next, foster a culture of accountability and
vigilance; because some insider threats are simply a result of human
error. Your organization's survival and success are on the line - so,
isn't an ounce of prevention worth a pound of cure?
++
DeeDee Kato, Vice President of Corporate Marketing, Foxit
This year during National Insider Threat Awareness Month I think it's time
to shine a light on the importance of robust document security measures -
especially, when it comes to the often-overlooked PDF.
Whether you are a government agency, a business, a healthcare provider, a
financial institution - it is a safe bet that highly sensitive
information is contained within your PDF docs. However, it is important
to know that not all PDFs are created equal - especially when it comes
to providing protection against internal threats, or external for that
matter. But, if data protection and security are a concern (and these
days, who isn't concerned) then you need to know what to look for when
choosing your PDF software. I think many of you know that you should
start off by choosing a solution that doesn't skimp when it comes to
robust protection features - like encryption, digital signatures, and
redaction tools. This provides the peace of mind that only
authorized users can access sensitive content and that confidential
information is permanently removed, if necessary. Next on the checklist
should be advanced permission settings to control actions such as
printing and editing. And let's not forget that it should integrate with
Microsoft OneDrive, SharePoint, etc. to protect your documents, data,
and personal information, as well as include watermarking to deter
unauthorized distribution. Audit trails and tracking capabilities are
two more features that will take your data protection and security to
the next level - enabling you to monitor access and modifications, and
comply with those all-important data protection regulations.
During this National Insider Threat Awareness Month and all the months to
come... remain relentless in your pursuit to prevent insider threats -
leave no stone unturned, and scrutinize every potential risk, even those
that may appear benign, like the seemingly harmless PDF.
++
Antonio Sanchez, Principal Cybersecurity Evangelist, Fortra
Security teams
focus heavily on keeping external threats out of the network, but it's just as
important not to overlook risks from within. Insider threats pose a serious
challenge, whether from employees making accidental mistakes or acting with
malicious intent. It's often hard to tell the difference, so security leaders
must take steps to protect against both. Here are some key moments to consider:
- Employee Separation - Employees leaving, whether voluntarily or involuntarily, may try to take sensitive data with them, such as client lists, install base data, contracts, or roadmaps. They often believe this information will benefit them in future roles. HR teams should ensure that the separation process includes reviewing the employee's activity from the past 60-90 days to identify any unusual behavior that could pose a risk to the organization.
- Post-Separation - Organizations often keep the credentials of a recently separated employee active. However, it's important to have a policy for when to remove their Active Directory profile. Some organizations may delay this for various reasons, so they might choose to lock the employee's credentials for a set period before fully removing the profile.
- Employee Hiring and Onboarding - New employees must be trained on data handling policies and granted access only to the resources necessary for their job.
- Employee Promotions or Job Changes - When an employee goes to a new department, they typically keep whatever access they had before and are granted access to new things. It's important to periodically review access requirements for their role and ensure they have access to only the things they need.
- Employee Evaluations - Employees are trusted until they're not. While it's hard to predict when trust might be broken, it's important to pay close attention during evaluations, especially if an employee receives a poor review, is placed on a performance improvement plan, is passed over for a promotion, or doesn't get a raise they expected. Any of these situations could trigger negative behavioral changes, requiring increased vigilance.
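As an added example (not code from Fortra, Keeper Security, OWC or any other contributor to this roundup), the Python below turns the lifecycle checks Sanchez lists above, together with the offboarding and permission-review points Guccione and O'Connor make earlier, into an automated review. It compares an HR roster against an entitlement snapshot and reports accounts still enabled after separation, locked accounts whose profile has outlived the agreed lock period, and active users holding entitlements outside their current role (the access that accumulates after a department move). The role model, the 30-day lock period and every person in the roster are constructed for the demo.

```python
"""Access lifecycle review over an HR roster and an entitlement snapshot.

Added example: not code from the roundup or from any vendor quoted in it.
The role model, lock period and people below are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role model: the entitlements each job role is expected to hold.
ROLE_ENTITLEMENTS = {
    "sales-rep": {"crm-read", "email", "vpn"},
    "sales-manager": {"crm-read", "crm-export", "email", "vpn"},
    "finance-analyst": {"erp-read", "erp-post", "email", "vpn"},
    "it-admin": {"ad-admin", "email", "vpn"},
}


@dataclass
class Person:
    user: str
    role: str                        # current role according to HR
    status: str                      # "active" or "separated"
    entitlements: set[str] = field(default_factory=set)
    account_enabled: bool = True
    separated_on: Optional[date] = None


@dataclass
class Finding:
    user: str
    kind: str                        # lingering-account | beyond-lock-period | excess-entitlement
    detail: str


def review_access(people: list[Person], today: date, lock_days: int = 30) -> list[Finding]:
    """Compare HR status and role against what each account can actually do.

    separated + account still enabled                   -> lingering-account
    separated + locked, entitlements kept past lock_days -> beyond-lock-period
    active + entitlements outside the role model         -> excess-entitlement
    """
    findings: list[Finding] = []
    for p in people:
        if p.status == "separated":
            days_gone = (today - p.separated_on).days if p.separated_on else None
            if p.account_enabled:
                findings.append(Finding(p.user, "lingering-account",
                                        f"enabled {days_gone} days after separation"))
            elif days_gone is not None and days_gone > lock_days and p.entitlements:
                findings.append(Finding(p.user, "beyond-lock-period",
                                        f"still holds {sorted(p.entitlements)} after {days_gone} days"))
            continue
        # Active user: anything beyond the role model is accumulated or mis-granted access.
        excess = p.entitlements - ROLE_ENTITLEMENTS.get(p.role, set())
        if excess:
            findings.append(Finding(p.user, "excess-entitlement", ", ".join(sorted(excess))))
    return findings


def sample_people() -> list[Person]:
    """Constructed roster: one clean user and one of each problem class."""
    return [
        Person("alice", "sales-rep", "active", {"crm-read", "email", "vpn"}),
        # bob moved from finance to sales and kept erp-post (accumulated access)
        Person("bob", "sales-rep", "active", {"crm-read", "email", "vpn", "erp-post"}),
        # carol left six weeks ago and the account was never disabled
        Person("carol", "sales-manager", "separated", {"crm-read", "crm-export", "email", "vpn"},
               account_enabled=True, separated_on=date(2024, 8, 1)),
        # dave is locked, but the 30-day lock period before profile removal has passed
        Person("dave", "it-admin", "separated", {"vpn"},
               account_enabled=False, separated_on=date(2024, 7, 1)),
        # erin is locked and still inside the lock period: no finding expected
        Person("erin", "finance-analyst", "separated", {"email"},
               account_enabled=False, separated_on=date(2024, 9, 10)),
    ]


def run_review(today: date = date(2024, 9, 15)) -> list[Finding]:
    return review_access(sample_people(), today)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user:8} {f.kind:20} {f.detail}")
```

In practice the roster comes from the HR system of record and the entitlement snapshot from the directory or identity provider; the value of the review is that it runs on a schedule, so a disabled-but-not-removed profile or a department move that carried old access along surfaces within days rather than at the next annual audit.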
++
Jamie Moles, senior technical manager at ExtraHop
In our threat landscape today, there's been a large uptick in ransomware
being distributed through social engineering tactics that exploit
people's behaviors to gain unauthorized access to systems. With bad
actors working hard around the clock, organizations are challenged with
filling their human error gaps - but 51% of IT leaders in a recent report
revealed that more than half of cyber incidents are related to poor
cyber hygiene. Unfortunately, insider threat schemes are becoming
extremely sophisticated and harder to spot, with more convincing emails,
voice replication and artwork efforts that many companies often fall
victim to.
To continue combatting these threats, having
knowledge and history of these specific attacks is key for organizations
to better identify social engineering tactics. For example, we're
seeing more organizations leaning into AI to analyze vast amounts of
data to detect unusual patterns or anomalies that might indicate an
insider security threat.
It's also important to understand that
while AI-powered ransomware attacks will continue to get easier to
deploy and more complex to detect, organizations can use AI in turn to
support their defense tactics. Not only will the technology help with
social engineering attacks, but also with looking for other points of entry
for ransomware, including defects in open-source software and finding
potential problems faster than a human scrubbing through lines of code.
By remaining vigilant and leveraging AI as an asset, organizations can
significantly reduce the ransomware risk posed by insider threats and protect
themselves from long-term damage before it's too late.
++
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint
Every company has at least one employee who will click on anything. National
Insider Threat Awareness Month is critical for this reason - many
organizations and cyber professionals still overlook the danger that
insider threats can pose, and building awareness is key to driving data
protection. Many insider threats result from not giving employees the
proper education around securing critical workplace data - as well as
lax access control policies that can lead to unauthorized users having
access to sensitive information. Organizations must prioritize securing
their digital collaboration, and harden their data governance,
management and access policies.
Especially as bring your own device (BYOD) policies are now the norm - identity is the new perimeter.
You must remove assumptions and remember that employees and the people
we know may be our weakest links, even if unintentionally. In today's
threat environment, security is EVERYONE's job - when it comes to
managing threat, it is better to say something about nothing, than to
say nothing about something. Employees should be encouraged to always
say something if they see something.
++
Jason Lohrey, Founder & CEO, Arcitecta
Individuals within an organization who exploit their access for malicious purposes
or unwittingly cause security breaches due to human error are a
significant security challenge. Many organizations use multifactor
authentication (MFA) to prevent insider threats, but MFA alone is not
sufficient. What's needed is a second mechanism, or authorization,
beyond authentication to provide a stronger line of defense. Multifactor
authentication and authorization (MFA&A) confirms individual
identity during authentication (when seeking initial access) and grants
authorization or approval when attempting to perform sensitive data
operations to prevent unauthorized access, modification, and deletion.
In combination, multifactor authentication and authorization create a
critical measure that provides much stronger security, increases control
over system access, and reduces the risk of data breaches. It also
ensures compliance with industry regulations and is a cost-effective
solution for data security. By implementing MFA&A, organizations can
protect their sensitive data and ensure the integrity of their file
systems.
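The distinction Lohrey draws between authentication (proving who you are at initial access) and a separate authorization step for sensitive data operations can be illustrated with a small gateway. The code below is an added example, not Arcitecta's implementation: every request must come from an MFA-verified session, and the sensitive operations (delete, overwrite, export) additionally require a recent approval from a second person; self-approvals and expired approvals are rejected, and every decision is written to an audit trail. The operation names, the 15-minute approval window and the file paths are assumptions made for the demo.

```python
"""Authentication versus per-operation authorization for sensitive file operations.

Added example illustrating the MFA&A idea in the commentary above; it is not
Arcitecta's code. Operations, approval window, users and paths are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Operations that need a separate authorization step even for an MFA-verified user.
SENSITIVE_OPS = {"delete", "overwrite", "export"}


class AuthorizationError(Exception):
    pass


@dataclass
class Session:
    user: str
    mfa_verified: bool          # outcome of authentication at initial access


@dataclass
class Approval:
    op: str
    path: str
    approver: str
    granted_at: datetime
    ttl: timedelta = timedelta(minutes=15)   # assumed approval window


class FileGateway:
    """Every request passes authentication; sensitive ones also need a second-person approval."""

    def __init__(self) -> None:
        self.approvals: list[Approval] = []
        self.audit: list[tuple[datetime, str, str, str, str]] = []

    def approve(self, approver: str, op: str, path: str, now: datetime) -> None:
        self.approvals.append(Approval(op, path, approver, now))

    def _has_valid_approval(self, session: Session, op: str, path: str, now: datetime) -> bool:
        for a in self.approvals:
            if (a.op, a.path) != (op, path):
                continue
            if a.approver == session.user:               # no self-approval
                continue
            if not (a.granted_at <= now <= a.granted_at + a.ttl):
                continue                                  # expired or not yet valid
            return True
        return False

    def perform(self, session: Session, op: str, path: str, now: datetime) -> str:
        # Authentication gate: who is asking, and did they complete MFA?
        if not session.mfa_verified:
            self.audit.append((now, session.user, op, path, "denied:mfa"))
            raise AuthorizationError("multifactor authentication required")
        # Authorization gate: is this specific sensitive operation approved right now?
        if op in SENSITIVE_OPS and not self._has_valid_approval(session, op, path, now):
            self.audit.append((now, session.user, op, path, "denied:approval"))
            raise AuthorizationError(f"{op} on {path} requires approval from a second person")
        self.audit.append((now, session.user, op, path, "allowed"))
        return f"{op} {path}: allowed"


def demo() -> dict[str, bool]:
    """Walk through the cases; returns which requests were allowed."""
    gw = FileGateway()
    t0 = datetime(2024, 9, 16, 10, 0, tzinfo=timezone.utc)
    alice = Session("alice", mfa_verified=True)
    results: dict[str, bool] = {}

    def attempt(label: str, session: Session, op: str, path: str, now: datetime) -> None:
        try:
            gw.perform(session, op, path, now)
            results[label] = True
        except AuthorizationError:
            results[label] = False

    path = "/finance/q3.xlsx"
    attempt("read-no-approval", alice, "read", path, t0)            # read is not sensitive
    attempt("delete-no-approval", alice, "delete", path, t0)
    gw.approve("alice", "delete", path, t0)                         # self-approval: ignored
    attempt("delete-self-approved", alice, "delete", path, t0)
    gw.approve("bob", "delete", path, t0)                           # second person approves
    attempt("delete-approved", alice, "delete", path, t0 + timedelta(minutes=5))
    attempt("delete-approval-expired", alice, "delete", path, t0 + timedelta(minutes=20))
    attempt("no-mfa", Session("alice", mfa_verified=False), "read", path, t0)
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:25} {'allowed' if allowed else 'denied'}")
```

The point of the second gate is that a stolen or misused credential, even one that passed MFA, cannot by itself delete or export the data: the approval is bound to the operation and path, must come from someone other than the requester, and lapses on its own.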
++
Phil Swain, CISO, Extreme Networks
Beyond ensuring that all network infrastructure and connected technology is up
to date, as many in the cybersecurity industry have said, you can't
protect what you can't see. Management solutions that leverage AI to
create a baseline of normal network activity can flag potential
anomalies to the IT team, dramatically increasing even a small IT team's
ability to identify and respond to a potential threat long before it
would have been discovered manually. Another rising solution is Zero
Trust Network Access (ZTNA), which allows IT teams to limit network
access based on identity and context, providing an additional layer of
security beyond a typical firewall or NAC solution. The best ZTNA
solutions are those that can integrate network, application, and device
access security based on the principle of least privilege for the user.
The user should only be able to access the data and systems they need to
access, at the time they need to access them. This all needs to be
controlled, ideally within a single solution, providing unified
visibility, greater operational efficiency, and better support for IoT
devices.
No matter how strong your infrastructure is, there is always a potential risk when it comes to humans using your technology
and accessing the network. Social engineering remains one of the most
effective ways for attackers to gain access to sensitive information or
systems. Phishing attacks, where attackers send fraudulent emails or
messages that appear to be from legitimate sources, are a common social
engineering technique - and another reason employee education and
awareness are so important. When people are taught what to look for and
how to avoid phishing campaigns, they can become an asset to the
organization's security posture instead of a liability.
++
Sean S. Costigan, PhD, Managing Director of Resilience Strategy at Red Sift
The last five years have seen an unrelenting rise in the numbers of insider
threats, growing not just in number but also complexity. While many of
the motivations remain the same, several nation states in particular are
actively seeking disgruntled insiders at a greater pace than before.
One well-referenced study notes that in 2023, 74% of organizations said
insider attacks have become more frequent; more than half of
organizations have experienced an insider threat in the last year, and
8% have experienced more than 20 such challenges.
In addition to conventional espionage, insider threats are exploited by non-state and
para-state actors and NGOs, including corporate rivals and competitors,
saboteurs and anti-business organizations, ideologically motivated
activists and NGOs, and media and quasi-media organizations (including
social media entities). Note that some of these entities enjoy a degree
of deniability. Thanks in large part to the reach and prevalence of
social media, any individual can be influenced by ideological messaging
and potentially take action that would be deemed detrimental to their
organization.
Antisocial behavior, especially towards co-workers, is a classic hallmark of the insider threat, often seen in
hindsight as patterns of inappropriate professional conduct. Moles and
insider betrayers are often narcissists, just as often with fragile
egos, who are prone to making these kinds of statements around others:
"Nobody appreciates the work I do around here" or "I'm smarter than
everybody in this office!"
Looking to disrupt insider threats before they materialize fully formed is an area of active research and
there is much promise in cognitive approaches. Given the concerns,
election security and insider threats are a particularly hot topic, with
the FBI and IC3 putting out a well-documented advisory in 2024 on the
potential problem and what to do. Critically, the FBI notes the need to
have an insider threat mitigation program which is less about technology
and more about governance and the means to address the issues.
Non-partisan, two-person teams, operating transparently with understood
rules and auditable election systems and processes will help detect
outliers and reduce the risks of insider threats.
++
Clyde Williamson, Product Management, Innovations, Protegrity
National Insider Threat Awareness Month brings to light a
major security problem that most organizations fail to address adequately.
Insider threats can be intentional with malicious purpose through the abuse of
authorized employee credentials, or they can be unintentional threats with
access to sensitive data that, in threat actor hands, can cause harm. In both
scenarios, an employee had access to clear data considered valuable to cyber
attackers.
Creating a 'Fort Knox' level of data security isn't
achievable for most organizations, despite advanced security systems and
strategies that encircle data protectively. However, oftentimes these systems
and strategies are just a 'protective' moat around the data, still
vulnerable to human error or influence internally. To better address insider
threat concerns, organizations need to implement new strategies that truly
secure their data. For example, encryption and tokenization strategies that
allow enforcement of strict data access controls or leave data unreadable to
all but those who absolutely need the data in the clear. While human error and
malicious attacks are unavoidable, organizations can put effective guardrails
in place that limit the impact of such insider threat events.
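To make concrete what "unreadable to all but those who absolutely need the data in the clear" looks like in code, here is an added example of a tokenization vault with role-gated detokenization; it is not Protegrity's product or code. Sensitive fields are replaced by random surrogate tokens before the record reaches analysts or downstream systems; only the vault holds the mapping, only principals in an allowlisted role can reverse it, and every attempt is audited. The roles, the record and the field names are constructed for the demo.

```python
"""Tokenization vault with role-gated detokenization.

Added example, not Protegrity's code. The vault, roles and record are constructed;
a production system keeps the mapping in a hardened, separately administered store,
not in process memory, but the access-control shape is the same.
"""
import secrets


class TokenVault:
    """Replaces sensitive values with random surrogates; only the vault can map them back."""

    def __init__(self, detokenize_roles):
        self._forward = {}               # clear value -> token
        self._reverse = {}               # token -> clear value
        self.detokenize_roles = set(detokenize_roles)
        self.audit = []                  # (principal, role, token, outcome)

    def tokenize(self, value):
        # Consistent tokenization: the same value always yields the same token, so
        # tokenized datasets can still be joined and counted without the clear value.
        token = self._forward.get(value)
        if token is None:
            # Random surrogate: carries no information about the value it replaces.
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return token

    def detokenize(self, token, principal, role):
        if role not in self.detokenize_roles:
            self.audit.append((principal, role, token, "denied"))
            raise PermissionError(f"role {role!r} may not detokenize")
        self.audit.append((principal, role, token, "allowed"))
        return self._reverse[token]


def protect_record(vault, record, sensitive_fields):
    """Return a copy of record with the named fields tokenized; everything else unchanged."""
    out = dict(record)
    for name in sensitive_fields:
        if name in out:
            out[name] = vault.tokenize(out[name])
    return out


def demo():
    vault = TokenVault(detokenize_roles={"fraud-ops"})
    # Constructed customer record with two fields that must never sit in the clear downstream.
    customer = {"id": 1001, "name": "J. Example", "ssn": "123-45-6789", "card": "4111111111111111"}
    protected = protect_record(vault, customer, ["ssn", "card"])

    # An analyst, or anyone misusing the analyst's credentials, gets tokens only.
    try:
        vault.detokenize(protected["ssn"], "analyst1", "analyst")
        analyst_saw_clear = True
    except PermissionError:
        analyst_saw_clear = False

    # A principal in the allowlisted role can reverse the token; the access is logged.
    clear_ssn = vault.detokenize(protected["ssn"], "ops1", "fraud-ops")
    return {
        "protected": protected,
        "analyst_saw_clear": analyst_saw_clear,
        "clear_ssn": clear_ssn,
        "audit": vault.audit,
    }


if __name__ == "__main__":
    result = demo()
    print(result["protected"])
    print("analyst saw clear value:", result["analyst_saw_clear"])
    for entry in result["audit"]:
        print(entry)
```

The design choice worth noting is that the data an insider can reach (the protected record) is useless without a second, separately controlled system (the vault) and a role that entitles them to use it, which is what turns a "moat around the data" into protection of the data itself.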
++
Kiran Chinnagangannagari, Co-Founder, Chief Product & Technology Officer, Securin
Time after time, humans continue to be the most neglected
and overlooked threat in what should be an airtight cybersecurity strategy.
Employees, contractors, and business partners have an insider look at an
organization's operations and hold the keys to highly sensitive information and
network access. Whether unintentional or malicious, these individuals can put
proprietary company information at risk. Aside from the breach of data and
costly consequences, there's a more insidious loss of trust and damaged
reputation that can persist long after an incident is "remediated."
In today's AI world, language models are becoming more
sophisticated, and we're starting to see a rise in hyper-personalized phishing
attempts and a growing threat of AI-powered social engineering attacks that can
mimic human communication patterns with frightening accuracy. This isn't just
about better spam filters anymore - cybersecurity professionals must
fundamentally rethink how we approach user education and authentication in a
world where machines can convincingly impersonate trusted contacts.
To safeguard confidential data and access to networks from
threats both internal and external, businesses need to find solutions that can
analyze network behavior, application interactions, and user patterns to
identify anomalies and potential security breaches before they escalate.
Cybersecurity teams should implement passkeys and multi-factor authentication
(MFA) where possible as well as update access controls to mitigate an insider
threat becoming a serious liability. By also implementing clear security
policies and a culture of accountability, organizations can minimize these
threats as well as their impact.
++
Katie Paxton-Fear, API Researcher, Traceable AI
When imagining cybersecurity threats, chances are, you're
probably not imagining yourself. But surprisingly you are one of the biggest
risks to an organization. Unlike other cyberthreats, insider threats have a
significant human element, and this is best managed through people and
processes, such as:
- Establishing a comprehensive offboarding procedure that thoroughly revokes employee access, regularly audits employee permissions, and ensures that individuals only have access to the systems and files necessary for their roles.
- Providing employee assistance programs for those facing financial difficulties or mental health challenges can reduce the likelihood that insiders feel compelled to act.
- Implementing an employee review process that identifies performance issues early on and offers opportunities for improvement before considering termination can help prevent insider threats from emerging.
Ultimately all three of these factors are built on fostering
a secure and supportive work environment. With this type of culture, businesses
can reduce the risk of an employee turning into an insider and ensure that
potential issues are identified and addressed before they escalate into a full
attack.
++
Theresa Lanowitz, Chief Evangelist at LevelBlue
As businesses continue to evolve in today's challenging digital landscape,
protecting against insider threats is pivotal. According to recent data, 51% of business leaders report insider threat as an
attack that is most likely to occur within their organization. Insider threats
involve a company's most valuable asset: its employees. Therefore, it's crucial
for business leaders to remain vigilant about the different types of threat
actors that may emerge from within their own organization. One way to help
diminish insider threats for businesses is to strive for cyber resiliency.
Achieving cyber resilience is paramount for businesses to safeguard their operations
against the relentless onslaught of cyber threats, both within and outside the
organization. By aligning cyber investments with business objectives, building
a support ecosystem and transforming a company's cybersecurity strategy,
businesses are on the path to success in building a holistic cyber resilience
plan. For example, improved alignment within the C-Suite can provide clearer
guidance on cybersecurity priorities by fostering a unified approach to risk
management and operational resilience. When CIOs, CTOs, and CISOs collaborate
closely, they can prioritize investments in cybersecurity technologies that
mitigate risks effectively while supporting business objectives. This alignment
reduces ambiguity and ensures that resources are allocated strategically,
alleviating some of the pressure on CISOs to make unilateral decisions.
As we look to the future, the top priority of every organization should be to
protect its intellectual property and digital assets. That's why cyber
resilience remains essential for organizations seeking to thrive in an
increasingly interconnected world - no matter where the threat may come from.
++
Dale "Dr. Z" Zabriskie, CISSP CCSK, Cohesity
The growing threat of ransomware and insider attacks has made data resilience more
critical than ever. According to Cohesity's Global Cyber
Resilience Report, over 3100 IT and Security decision-makers globally were
polled and confirmed the threat of cyberattacks - especially ransomware -
continues to rise, with the majority of respondents falling victim to a
ransomware attack in the last six months, and most having paid a ransom in the
past year. A full 80% of those surveyed said they had responded to what they
believe to be AI-based attacks or threats within the last 12 months.
Organizations must have a multi-layered defense strategy to combat these threats.
Implementing solutions such as immutable snapshots, encryption, and strict
access controls is essential to ensuring critical data is secure. Isolating
backup data and employing advanced protections like time-based locks can make
the difference between a minor incident and a major disaster. In today's threat
landscape, being prepared with these layers of defense is crucial for cyber
resilience in the effort against both ransomware and insider threats.
++
Roman Arutyunov, Co-Founder and SVP of Product at Xage Security
The traditional security model of "keeping the bad guys out" doesn't work to combat
insider threat risk. Instead, organizations should shift toward incorporating
zero trust architecture in their cybersecurity strategy when working to prevent
insider threats. Unlike traditional security models that assume users within
the network are inherently trustworthy, zero trust operates under the principle
of "never trust, always verify." This means no user, whether an
employee, contractor, or partner, can be trusted by default, even inside the
network.
Specifically, safeguarding our critical infrastructure - energy, manufacturing,
transportation, communication, and more - against insider threats isn't just a
national security imperative; it's a commitment to ensuring our society's
stability, resilience, and safety. The essential services that power our lives
must be protected. Insider Threat Awareness Month helps address the fact that
our safety rests on the adoption of zero trust security.
++
Doug Kersten, CISO, Appfire
Insider threat incidents, whether intentional or not, are among the most damaging,
often carried out by trusted individuals with deep knowledge of an
organization's vulnerabilities. To address this, fostering a culture of
security awareness is crucial: employees should feel comfortable reporting
suspicious behaviors, such as unusual working hours or secretive actions,
regardless of a colleague's seniority. Anonymous reporting and non-retaliation
policies can help encourage this.
Effective insider threat detection also requires continuous monitoring for unusual
activity, such as access from unfamiliar locations or large file downloads.
Implementing multi-factor authentication (MFA) and single sign-on (SSO)
strengthens SaaS security, while vendor risk assessments ensure third-party
providers meet high security standards. Furthermore, mitigation should balance
cooperative responses to unintentional threats with decisive actions against
malicious actors, creating a collaborative security posture that reduces
insider threats and enhances overall security preparedness.
By embedding security into everyday operations and
inviting teams to engage in regular dialogue about potential external and
internal risks, organizations reduce the potential of insider threat activity
and are better equipped to respond to incidents when they occur.
++
Dan Ortega, Security Strategist at Anomali
As we observe National Insider Threat Awareness Month, it's crucial to recognize that insider threats
remain one of the most challenging and potentially damaging security risks
organizations face today. We've seen a significant uptick in sophisticated insider
attacks that blend into normal business operations, making them increasingly
difficult to detect through traditional means.
The key to combating this evolving threat lies in leveraging advanced global threat intelligence data,
combined with the latest innovations in AI. By correlating vast amounts of data
from both internal and external sources, we can identify subtle patterns and
anomalies that human analysts might miss. This approach not only helps in early
detection but also in predicting potential insider risks before they
materialize.
However, technology is only part of the solution. A holistic approach that combines cutting-edge tools with robust
security policies, regular employee training, and a culture of security
awareness is essential. As we move forward, organizations must prioritize
insider threat programs that are proactive, adaptive, and integrated into their
overall cybersecurity strategy.
++
Subhalakshmi Ganapathy, chief IT security evangelist at ManageEngine
As we observe National Insider Threat Awareness Month in 2024, the landscape of insider threats is more complex than ever, fueled by economic pressures, the upcoming election, and the ongoing mental health crisis. Financial stress can push employees to act out of desperation, while heightened political tensions and personal crises put them in a vulnerable state. The 2023 Insider Threat Report by Cybersecurity Insiders found that 74% of organizations are at least moderately vulnerable to insider threats. To mitigate risk, companies must implement robust insider threat programs that incorporate continuous monitoring, behavior analytics, adaptive authentication, and zero trust architecture to verify every user and device, identifying threats early. Fostering a culture of cybersecurity awareness through employee education is equally essential to mitigating both intentional and accidental risks.
Looking ahead, the emergence of AI presents new methods for managing insider threats. Gartner predicts that by 2026, generative AI could reduce employee-driven cybersecurity incidents by 40% through more tailored, behavior-specific training. Although AI enhances threat detection, it also introduces new risks that can be exploited. For a comprehensive defense, organizations should integrate insider risk management with identity and access management (IAM). AI, equipped with contextual telemetry ingestion and behavior analytics, can significantly alleviate the burden on understaffed security operations. With advanced behavioral analytics automating responses to insider threats, AI empowers security teams to focus on strategic initiatives and complex investigations, enhancing overall organizational resilience.
++
Victor Monga, Cybersecurity Technologist & Architect, Menlo Security
Insider threats are a growing concern for many
organizations, and they don't always come from malicious intent. Often, it's
just people making mistakes. Whether it's accidental or intentional, here's
what businesses should focus on to stay ahead of these risks:
- Remote Work Increases Exposure: With remote work here to stay, employees are
using a mix of personal devices and unsecured networks. This opens the door for
mistakes or security gaps. Make sure your security policies extend beyond the
office to cover remote access and unmanaged devices.
- Human Error Is a Big Risk: Most insider incidents happen because of simple
mistakes, like sending sensitive info to the wrong person or using unapproved
cloud apps. Regular employee training on security practices is essential. It
doesn't need to be over-complicated, just clear, consistent reminders of how to
handle sensitive data. Be sure to implement technical controls to avoid human
error as much as possible.
- Watch for Data Exfiltration: Data leaks, whether intentional or accidental,
are a major issue. Keep an eye on unusual activity, like employees uploading
files to personal storage or sharing sensitive data through unauthorized
channels. Tools that provide real-time alerts for this kind of behavior can
help.
- Contractors Can Be a Blind Spot: Contractors and third-party vendors often
have more access than they need, which can lead to problems. Limit their access
to only what's necessary, and use automated tools to audit and adjust
permissions as needed.
- Phishing as a Gateway: Phishing is still a key way attackers get in, often
turning employees into accidental insiders. Solutions that isolate risky web
activity can help keep users safe even if they click on a bad link, preventing
them from unknowingly introducing threats into the network.
- You Need a Dedicated Insider Threat Program: Many companies still don't have a
focused plan for insider threats. Setting up a program that includes monitoring
user behavior, controlling access to sensitive apps, and auditing data activity
isn't just a good idea; it's essential in today's environment. Implement
solutions that offer deep forensics for threat hunting and incident response.
Practical Takeaway: Start small if necessary. Build up
security practices that cover remote access, train employees on basic data
handling, and monitor critical activities, especially around sensitive data and
external contractors. Insider threats are often preventable with the right
processes in place.
++
Stephen Kowski, Field CTO, SlashNext
National Insider Threat Awareness Month highlights the
critical need for organizations to protect against risks from within. Effective
insider threat mitigation requires a multi-layered approach, combining employee
education, robust security policies, and advanced technologies that can detect
anomalous behavior patterns. Real-time monitoring of user activities across
various digital channels, including email, chat, and file-sharing platforms,
can provide early warning signs of potential insider threats. By leveraging
AI-powered analytics to identify suspicious actions, automating response
protocols, implementing rigorous log review governance, and establishing HR
policies to identify vulnerable or impressionable individuals, companies can
significantly enhance their ability to safeguard sensitive data and maintain
operational integrity.
++
Eric Schwake, Director of Cybersecurity Strategy, Salt Security
Insider Threat Awareness Month is a crucial reminder that
cybersecurity risks often come from within an organization. While external
threats are always a concern, the potential for employees, contractors, or
partners to cause harm cannot be overlooked.
In terms of API security, insider threats are a significant
challenge. APIs handle sensitive data and provide access to critical business
functions. An insider with malicious intent or lack of security awareness can
exploit API vulnerabilities, leading to data theft, operational disruption, or
financial damage. For example, during development, an insider could introduce
vulnerabilities or misconfigurations into an API, making it vulnerable to
future attacks.
Security teams must address insider threats related to APIs throughout their
lifecycle by:
- Robust Access Controls: Implement strict access controls and the principle of
least privilege to ensure individuals have access only to necessary APIs and
data.
- Continuous Monitoring: Use real-time monitoring and anomaly detection to
identify all APIs and potentially suspicious activity, such as excessive data
downloads or unusual access patterns.
- Apply Posture Governance to APIs: Adopt a proactive approach by constantly
evaluating API security posture from design through deployment, defining
consistent security policies, conducting regular risk assessments, and
implementing continuous monitoring to ensure APIs meet compliance/regulatory
standards. Posture Governance can also allow security teams to quickly detect
and mitigate API misconfigurations.
- Behavioral Threat Analytics: Utilize behavioral analytics to establish normal
API usage and detect deviations indicating malicious activity.
- Security Awareness Training: Educate employees about the importance of API
security, associated risks, and potential consequences of their actions.
By proactively addressing insider threats and incorporating
API security best practices, organizations can strengthen their security
posture and protect their valuable data and assets.
++
Heath Renfrow, Co-Founder of Fenix24
When it comes to cyber threats, most organizations are
focused on protecting themselves from external forces, often overlooking a huge
risk to the company - insider threats. This month serves as a critical reminder
to organizational leaders that insider threats, whether malicious or
unintentional, can lead to data breaches and cyber incidents that could be
detrimental to an organization.
Unlike external cyberattacks, insiders, such as employees
and third-party vendors, already have access to a company's network and data,
which makes detecting and preventing insider threats particularly difficult.
Organizations should consider the following steps if they experience an insider
cyber threat:
- Contain the threat by
disabling the insider's access to the company's accounts and networks, and
quarantine any compromised systems to mitigate further access and damage.
- Engage with incident
response and restoration teams to ensure the attack is properly
investigated and that systems can resume safely and effectively to avoid
further business disruption.
- If malicious intent is
suspected, involve legal and compliance teams to not only ensure the
attack is properly reported, but to take legal action against the threat
actor.
- Ensure employees and
company stakeholders are properly informed on the breach, its impact and
how the security team plans to fix the vulnerabilities and increase
employee training to prevent future insider attacks.
++
Jason Fruge, Resident CISO at XM Cyber
Insider threats represent a significant and often overlooked
risk to any organization. Employees, contractors, and partners have access to
sensitive data and systems, and their malicious or unintentional actions can
lead to devastating consequences. Monitoring for insider threats is about
protecting the company, its employees, and its customers. It's a proactive
measure that enables us to detect and respond to potential risks early on,
safeguarding our critical assets and minimizing business disruption due to
cyber events.
++
Callie Guenther, Cyber Threat Research Senior Manager at Critical Start
Insider threats pose a significant risk to organizations,
particularly in sensitive sectors like government, critical infrastructure, and
industries handling proprietary or classified data. National Insider Threat
Awareness Month (NITAM) plays a critical role in educating organizations about
these risks, highlighting both intentional malicious insiders and unintentional
negligence as potential dangers. With the rise in sophisticated cyber-attacks
and espionage, insider threat awareness has become essential in preventing
attacks from within. Insiders often have legitimate access to systems and data,
allowing them to bypass external defenses and potentially cause severe damage
if left unchecked.
To monitor these threats, intelligence teams leverage
advanced tools and techniques such as behavioral analytics, user and entity
behavior analytics (UEBA), and machine learning to detect anomalies in employee
activities. These methods allow organizations to establish baselines for normal
user behavior and identify any suspicious deviations that could signal a
potential insider threat. Human intelligence (HUMINT) techniques, including
employee feedback and monitoring workplace morale, are also becoming a critical
part of threat detection strategies, blending technical monitoring with human
factors.
Recent examples, such as Edward Snowden's leak of NSA data
or the attempted ransomware attack on Tesla involving an insider, demonstrate
the potentially devastating impact of insider threats. These cases underscore
the importance of employee vigilance and reporting suspicious activity.
Moreover, the shift to hybrid work environments has expanded the attack surface
for insider threats, requiring even more stringent monitoring and trust
verification frameworks.
Organizations are now increasingly focusing on continuous
education, psychological factors, and cross-departmental collaboration to
combat insider threats. With evolving insider threat programs and heightened
awareness fostered by initiatives like NITAM, companies can better protect
themselves from both malicious and unintentional insider risks, ensuring a more
resilient defense posture against the unique challenges these threats present.
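The baseline-then-deviation monitoring this post describes, together with the signals Doug Kersten names above (access from unfamiliar locations, large downloads) and the uploads to personal storage Victor Monga mentions, as an added illustration that is not code from any of the contributors: a small Python script that learns a per-user baseline from constructed log lines and labels each new event with every way it departs from that baseline. User names, log format and thresholds are all constructed for the example.

```python
"""Baseline-and-deviation checks over constructed user-activity logs.
Added illustration for this roundup, not code from any contributor quoted here;
log lines, thresholds and user names are constructed for the example."""
from collections import defaultdict
from datetime import datetime

# Constructed history used to learn each user's normal behaviour.
BASELINE_LOG = [
    "2024-09-02T09:15:00 user=alice country=US bytes=2000000 dest=corp-share",
    "2024-09-03T11:40:00 user=alice country=US bytes=4000000 dest=corp-share",
    "2024-09-05T16:05:00 user=alice country=US bytes=1500000 dest=corp-share",
    "2024-09-02T08:30:00 user=bob country=GB bytes=500000 dest=corp-share",
    "2024-09-04T17:20:00 user=bob country=GB bytes=800000 dest=git",
]
# Constructed new events to evaluate against those baselines.
NEW_LOG = [
    "2024-09-20T10:00:00 user=alice country=US bytes=3000000 dest=corp-share",
    "2024-09-20T23:30:00 user=alice country=RO bytes=30000000 dest=personal-cloud",
    "2024-09-20T12:00:00 user=bob country=GB bytes=600000 dest=git",
    "2024-09-20T12:05:00 user=carol country=GB bytes=100000 dest=corp-share",
]
LARGE_DOWNLOAD_FACTOR = 3  # flag transfers above 3x the user's largest seen
HOUR_TOLERANCE = 1         # allow one hour either side of the observed range


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "user": kv["user"],
            "country": kv["country"], "bytes": int(kv["bytes"]),
            "dest": kv["dest"]}


def build_baselines(lines):
    """Per-user summary: countries, active hours, destinations, largest transfer."""
    baselines = defaultdict(lambda: {"countries": set(), "hours": set(),
                                     "dests": set(), "max_bytes": 0})
    for ev in map(parse_event, lines):
        b = baselines[ev["user"]]
        b["countries"].add(ev["country"])
        b["hours"].add(ev["ts"].hour)
        b["dests"].add(ev["dest"])
        b["max_bytes"] = max(b["max_bytes"], ev["bytes"])
    return dict(baselines)


def deviations(ev, b):
    """Labels for every way one event departs from one user's baseline."""
    reasons = []
    if ev["country"] not in b["countries"]:
        reasons.append("unfamiliar-location")
    lo, hi = min(b["hours"]) - HOUR_TOLERANCE, max(b["hours"]) + HOUR_TOLERANCE
    if not lo <= ev["ts"].hour <= hi:
        reasons.append("off-hours")
    if ev["bytes"] > LARGE_DOWNLOAD_FACTOR * b["max_bytes"]:
        reasons.append("large-download")
    if ev["dest"] not in b["dests"]:
        reasons.append("new-destination")
    return reasons


def detect(baseline_lines, new_lines):
    """(user, reasons) for each new event that deviates; the full reason list is
    kept because several weak signals on one event matter more than any one."""
    baselines = build_baselines(baseline_lines)
    alerts = []
    for ev in map(parse_event, new_lines):
        b = baselines.get(ev["user"])
        if b is None:
            # No history at all: nothing to compare against, so surface it.
            alerts.append((ev["user"], ["no-baseline"]))
        elif reasons := deviations(ev, b):
            alerts.append((ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    for user, reasons in detect(BASELINE_LOG, NEW_LOG):
        print(f"{user}: {', '.join(reasons)}")
```

A single label is only a triage hint; the combined reason list on one event is what an analyst would actually open first.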
++
Rom Carmel, Co-Founder and CEO, Apono
Insider threats pose significant risks due to the elevated
permissions employees, contractors, and business partners often hold, allowing
them to access and manage critical resources. These threats can lead to severe
consequences, including data breaches, financial losses, and reputational
damage. It's important to note that insider threats aren't always malicious;
they can also result from negligence or human error. For instance, an employee
might unintentionally expose sensitive information by falling for a phishing
scam or misconfiguring a system.
Addressing these risks requires a multi-layered approach
that combines robust technological solutions with human-centric strategies.
Continuous monitoring and advanced analytics can help detect unusual patterns
that may indicate insider threats. Implementing stringent access controls, such
as a Just-in-Time, Just-Enough access approach, ensures that individuals only
have access to the resources essential for their duties, minimizing potential
damage.
Fostering a culture of security awareness is also crucial.
Regular training programs can help employees understand the importance of
secure practices and recognize the signs of potential insider threats.
Encouraging transparency and open communication can also enable early
detection, as employees are more likely to report suspicious activities when
they feel responsible for the collective security of the organization.
Additionally, establishing comprehensive policies and
protocols is vital in managing access effectively. This includes clear
guidelines on the acceptable use of privileged accounts, regular audits to
ensure compliance, and swift disciplinary measures for violations. By
integrating these strategies, organizations can effectively mitigate insider
threats and protect their critical assets from potential internal risks.
++
Danny Brickman, CEO and Co-Founder, Oasis Security
As we observe National Insider Threat Awareness Month in
September, it's important to highlight a critical security weakness that is
consistently exploited by malicious cyber attackers: unmanaged Non-Human
Identities (NHIs).
NHIs such as service accounts, tokens, access keys, and API
keys outnumber human identities by a factor of 10x-50x, and the industry lacks
solutions to properly secure this massive attack surface. Traditional PAM and
IAM solutions cannot address the scale, ephemerality, and distributed nature of
NHIs. Adding to this risk? NHIs are often privileged service accounts, used to
access sensitive data and cannot be protected with Multi-Factor Authentication.
In fact, on average, we find that there are five times more highly privileged
non-human identities than there are humans. Against this backdrop, insider
threats are a huge concern. Whether malicious or unintentional, insider threats
can have devastating consequences because the blast radius of an NHI breach can
be exponentially larger.
What can organizations do to mitigate risks and threats?
Organizations need to incorporate comprehensive NHI management in their
security and identity programs. Key best practices for managing NHIs include
maintaining a comprehensive and up-to-date inventory of all NHIs within the
organization; understanding the business context and owners of each NHI;
applying the principle of least privilege; continuously monitoring the
environment to detect and respond to suspicious activities involving NHIs;
defining governance policies and implementing them via automation.
A key NHI governance process to focus on is secret rotation.
All too often, NHIs leverage secrets that are infrequently rotated. Rotating
secrets reduces the risk of credential compromise by minimizing the window of
opportunity for attackers and mitigating exposure to insider threats. Rotating
secrets should become an integral part of organizations' mover/leaver
processes to safely offboard employees.
National Insider Threat Awareness Month is a timely reminder
to prioritize NHI security and management, to avoid falling victim to insider
threats and other cybersecurity risks.
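The NHI governance practices this post lists (an owned inventory, least privilege, secret rotation, and rotation tied to the mover/leaver process), as an added illustration that is not Oasis Security's or any contributor's code: a Python audit over a constructed inventory that flags stale secrets, missing or departed owners and dormant identities, and orders the rotation queue with privileged identities first. The records, rotation window, dormancy limit, leaver list and date are all constructed.

```python
"""Governance checks over a constructed non-human identity (NHI) inventory.
Added illustration for this roundup, not Oasis Security's or any contributor's
code; the records, rotation window, dormancy limit and leaver list are all
constructed for the example."""
from datetime import date

ROTATION_WINDOW_DAYS = 90   # secrets older than this are overdue for rotation
DORMANT_AFTER_DAYS = 60     # unused this long: candidate for removal

# Constructed inventory: one record per service account, token or API key.
INVENTORY = [
    {"id": "svc-billing", "kind": "service-account", "owner": "alice",
     "privileged": True, "last_rotated": "2024-08-20", "last_used": "2024-09-10"},
    {"id": "ci-deploy-token", "kind": "token", "owner": "bob",
     "privileged": True, "last_rotated": "2024-03-01", "last_used": "2024-09-12"},
    {"id": "legacy-report-key", "kind": "api-key", "owner": None,
     "privileged": False, "last_rotated": "2023-11-05", "last_used": "2024-01-15"},
    {"id": "data-export-key", "kind": "api-key", "owner": "carol",
     "privileged": True, "last_rotated": "2024-09-01", "last_used": "2024-09-11"},
]
LEAVERS = {"bob"}            # constructed feed from the mover/leaver process
TODAY = date(2024, 9, 15)    # fixed so the example is deterministic


def days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def audit_nhi(record, today=TODAY, leavers=LEAVERS):
    """Findings for one NHI: stale secret, missing/departed owner, dormancy."""
    findings = []
    if days_since(record["last_rotated"], today) > ROTATION_WINDOW_DAYS:
        findings.append("stale-secret")
    if record["owner"] is None:
        findings.append("no-owner")          # nobody to ask what it is for
    elif record["owner"] in leavers:
        findings.append("owner-left")        # leaver may still know the secret
    if days_since(record["last_used"], today) > DORMANT_AFTER_DAYS:
        findings.append("dormant")           # least privilege: remove, not rotate
    return findings


def audit_inventory(inventory, today=TODAY, leavers=LEAVERS):
    return {r["id"]: audit_nhi(r, today, leavers) for r in inventory}


def rotation_queue(inventory, today=TODAY, leavers=LEAVERS):
    """IDs whose secret must be rotated now, privileged ones first, then oldest.
    A departed owner forces rotation even when the secret is inside the window."""
    due = []
    for r in inventory:
        findings = audit_nhi(r, today, leavers)
        if "stale-secret" in findings or "owner-left" in findings:
            due.append(r)
    due.sort(key=lambda r: (not r["privileged"],
                            -days_since(r["last_rotated"], today)))
    return [r["id"] for r in due]


if __name__ == "__main__":
    for nhi_id, findings in audit_inventory(INVENTORY).items():
        print(f"{nhi_id}: {', '.join(findings) or 'ok'}")
    print("rotate first:", rotation_queue(INVENTORY))
```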
++
Ratan Tipirneni, President and CEO of Tigera
National Insider Threat Awareness Month is a reminder to shore up cyber defenses and prioritize best practices to avoid falling victim to a cyber attack stemming from an insider threat, whether from an unknowing employee or a bad actor. Kubernetes and containerized environments have become the backbone of modern application development; containerized applications and Kubernetes environments bring immense benefits in terms of scalability, efficiency, and flexibility. Despite their benefits, there are also challenges: these environments are subject to various security risks, including vulnerabilities, misconfigurations, network exposures, and both known and zero-day malware threats. The distributed nature of microservices, the dynamic scaling of workloads, and the ephemeral nature of containers introduce unique security challenges.
Traditional approaches to risk assessment, where vulnerabilities, misconfigurations, and threats are identified and prioritized in isolation, fall short in such environments. This National Insider Threat Awareness Month, prioritize protecting your Kubernetes environment by adopting an interconnected security approach that considers how risks interact. This helps enable more accurate risk assessment, prioritization, and mitigation.
++
Ryan Rowcliffe, field CTO of HYPR
Insider Threat Awareness Month is a time to champion the innovative technologies that allow organizations to safeguard their digital ecosystems and stay ahead of emerging risks among a rapidly evolving threat landscape.
The increasing sophistication of insider threats has organizations looking for advanced technologies to stay ahead of potential risks. We know early detection can prevent significant security breaches.
AI-driven solutions and continuous identity verification are important considerations when mitigating exposure. The transformative power of AI-driven solutions in user identity verification is revolutionizing cybersecurity. By meticulously analyzing behavioral patterns and anomalies, organizations can preemptively identify and neutralize potential insider threats.
As remote or hybrid work environments continue and are more common, continuous identity verification is important to preventing unauthorized access and insider threats and maintaining security within an organization. By ensuring that only authorized individuals always have access to sensitive information, organizations can significantly mitigate insider threats.
As threats continue to evolve in sophistication, adopting advanced, continuous verification solutions is not just an option—it’s a critical necessity for any organization serious about security.
++
Jeremy Ventura, Field CISO at Myriad360
Insider threats are a major concern for security organizations around the world. These types of threats can come in many different forms, from negligent users and disgruntled employees to espionage threats, so it's critical for security teams to be prepared to respond to incidents. Organizations can start with security awareness and training employees on how to identify insider threats, e.g., suspicious emails from internal employees. In addition, they can leverage technology that incorporates tools to identify and remediate insider and lateral threats, such as data loss prevention (DLP), endpoint detection and response (EDR) and application monitoring solutions. These strategies should be top of mind for security teams throughout the entire year, but especially during Insider Threat Awareness Month. It's critical that organizations take the time to invest in internal threat strategies just as they do for external threats.
++
Jason Keenaghan, Director of Product Management, IAM at Thales
Insider Threat Awareness Month serves as a necessary reminder that in today's threat landscape, some of the biggest risks to enterprise security come from within. Insider threats sound like intentional actions being taken by a malicious or rogue employee, but instead the majority of insider threats come from human error like negligence or stolen credentials.
Human error is one of the most challenging aspects of security, and implementing regular training is the first line of defense. Training should be focused on helping employees to better understand the potential risks and the signs that indicate something’s unusual. It should also clearly outline processes and policies that an organization’s users need to abide by while they’re on company-owned devices and networks.
Training is not enough, though; organizations should place a strong focus on identity and access management (IAM) measures, like passwordless authentication. Passwords have become an increasing pain point for end users – especially with the number of passwords today's employees are required to use, as well as the various rules in place around their complexity. Many end users end up defaulting to passwords that are easier to remember or even reusing the same passwords across multiple services, putting their organizations at risk. To address this, organizations' IT and security teams should place investments behind a system that enables passwordless authentication across all applications via a single system, including secure access to work devices, legacy and modern web resources. This makes employees more likely to abide by their organizations' policies by removing the need to use traditional passwords – and all the user frustrations they create. From an IT security perspective, the passwordless approach most importantly eliminates the associated insider risks that come with poor password hygiene like theft and phishing.
++
Terry Ray, Data Security CTO and Fellow, Imperva
While the term "insider threat" makes it sound as though there's a malicious employee waiting to wreak havoc on their organization, the reality is that more often than not, insider threats usually result from human error. This has become especially true in our cloud-driven world with human error or misconfiguration being ranked as the top root cause of cloud data breaches. Regardless of where they originate, insider threats present a common challenge: they're often more difficult to identify and prevent since they're already within an enterprise's perimeter.
To address this, enterprises must rethink how they approach data security for a more holistic approach. There is potential for departments across an organization to introduce new vulnerabilities and expose critical business and customer data via the development of new web applications, unsecured APIs and more. It’s imperative that these areas are not overlooked – and that they’re always implemented with a security-first mindset – to avoid misconfigurations, excessive privileges, and other common sources of poor cyber hygiene. Organizations need to ensure they have a comprehensive data protection strategy in place that focuses not just on securing the data itself, but also all paths connected to it.
++
Jordan Avnaim, CISO, Entrust
When it comes to insider threats, intention doesn't matter. Shadow IT, misconfigured systems/applications, and overly permissive user accounts can all lead to significant data breaches that can be very impactful to a company's reputation and bottom line. These kinds of incidents are costly, with 68% of breaches involving a non-malicious human element, like a person falling victim to a social engineering attack or making an error (according to Verizon's 2024 Data Breach Investigations Report). Businesses must equip themselves with the right people, processes, and technologies to protect themselves.
To mitigate the impact of these threats, technology and security teams must strike a balance between adapting and responding to risks while not inhibiting day-to-day operations of the organization. Through an identity-based security framework that leverages Zero Trust principles and solutions such as multi-factor authentication, businesses can leverage effective authentication and dramatically reduce the privilege abuse, unauthorized logins and data exfiltration that are all hallmarks of insider threats. While these types of risks won't be going away anytime soon, when businesses strengthen their identity ecosystem to add context and greater security, they greatly reduce the risk and help ensure their data is protected.