6 ways to prevent insider threats that every company should know about

04/05/2021

The frequency and financial impact of insider threats have increased dramatically in the last two years.

In a recent report by the Ponemon Institute, the overall average cost of insider threats per incident increased by 31%, from US$8.76 million in 2018 to US$11.45 million in 2020. In addition, the number of incidents has increased by an astonishing 47% in just two years, from 3,200 in 2018 to 4,716 in 2020.

Breaches carried out through internal attacks bring to light a little-discussed security challenge: developers who write vulnerable or malicious code that can be exploited at a later date. This is a real problem, and one that must be prioritized in 2021.

We've listed six steps companies can take to avoid insider threats.

1. Change your mindset about your threat landscape

Most companies focus exclusively on external threats and consider their own staff to be trustworthy. As a result, insider threats are often among the most poorly addressed cybersecurity threats within organizations.

Today, it is clear that organizations need to change this mentality. CISOs (chief information security officers) must take a leadership role in their companies in preventing both external and internal cybersecurity threats.

2. Employ threat modeling

Adopt threat modeling on a larger scale to determine your organization's risk landscape. It is essential to identify who wants to attack your systems and where the assets are in order to understand the potential attack vectors and enable the appropriate security controls.

Threat modeling must study the potential risks of vulnerabilities and malicious code, as the damage from either could cost your organization millions. Conducting one type of threat modeling without the other can set your organization up with a false sense of security.

3. Map potential exposure to insider threats

Detecting this kind of threat is very different from traditional testing, code review or other vulnerability detection techniques. To identify problems of this kind, CISOs need to look at software in a different way.

CISOs should also conduct an analysis of their organization's internal staff and map each individual's exposure to the areas that can succumb to malicious code activity.

Dealing with an identified insider threat problem is not as simple as going back to the developers and asking them for a fix, because those same employees or suppliers could be the adversaries.

4. Implement a proactive and continuous insider threat detection governance program

To implement a proactive and continuous threat detection governance program, you first have to get buy-in from your leadership team. Make sure you consistently inform executives about the scope of your malicious code review commitments.

After all, reviewing malicious code means that you theoretically see those within your operations - who have privileged access - as threats. Although it is difficult to find malicious code and the likelihood is small, the risk of insider threat is increasing.

In fact, Forrester Research has predicted that 33% of data breaches will be caused by internal incidents in 2021.

It is important to emphasize that all malicious code review efforts should be done in secrecy and only involve small teams of people you trust completely.

It has to be a covert operation, in which you do not notify or inform the stakeholders in the software supply chain. They should never be aware that you are implementing a process to examine their work with the intention of identifying code that looks suspicious and possibly malicious.

5. Define risk scenarios and escalation steps

Once your malicious code review regime is underway and suspicious activity is detected, consider the following escalation steps to reduce risk.

● Suspicious, but not malicious

If you find something that looks suspicious or malicious, but cannot be exploited - it may even have been left by mistake - you can choose to do nothing.

● Circle of trust invitation

If you find something that looks suspicious, but you can't confirm whether it's malicious, you may need to call in reinforcements to verify or deny your suspicion. At this escalation stage, the CISO would form a relationship with an internal or external developer and bring that person into the circle of trust.

● Passive monitoring

Choosing a monitoring posture can be another escalation step when you find something suspicious. This posture allows for additional logging in production or additional data layer protection that alerts you when someone tries to exploit a suspicious line of code.

● Active suppression

The next level of escalation is when you find suspicious or malicious code and work to suppress it. During this stage, you actively write a firewall rule, then build a compensating control or use some form of injection or dependency matching to actively prevent the suspicious code from executing.

● Initiation of an executive-level event

When you find malicious code and identify its origin - be it a single insider, team, department, line of business or even country - your escalation stage has nothing to do with software development.

Instead, it's all about protecting your organization, involving your leadership and executing a serious executive-level event. This can include terminations of employees or contractors involved. It could even involve law enforcement.
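The passive monitoring and active suppression steps above can be applied without touching the flagged code itself. The following is an added illustration, not code from the original article or from Conversys: a hypothetical wrapper (`compensating_control`) is placed around a constructed function flagged in review, either logging and alerting on calls that look like exploitation attempts, or refusing to run the function at all.

```python
import functools
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("malicious-code-review")
EVENTS = []   # constructed event sink standing in for a SIEM or ticketing hook

def compensating_control(mode, trigger=None):
    """Wrap a function flagged in review without editing its body.
    mode="monitor":  passive monitoring, log every call, ALERT when trigger fires.
    mode="suppress": active suppression, never run it, record the attempt."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            suspicious = bool(trigger(args, kwargs)) if trigger else False
            if mode == "suppress":
                EVENTS.append(("BLOCKED", fn.__name__, suspicious))
                log.warning("blocked call to flagged function %s", fn.__name__)
                raise PermissionError(f"{fn.__name__} is suppressed pending review")
            kind = "ALERT" if suspicious else "CALL"
            EVENTS.append((kind, fn.__name__, suspicious))
            (log.error if suspicious else log.info)("%s %s", kind, fn.__name__)
            return fn(*args, **kwargs)
        return wrapper
    return decorator

VALID_TOKENS = {"tok-alice", "tok-bob"}   # constructed sample data

def _authorize_as_written(token):
    """Hypothetical function flagged in review: an undocumented literal
    short-circuits the real check. Wrapped rather than edited, because its
    author may be the adversary."""
    if token == "maintenance-override":       # the suspicious line
        return True
    return token in VALID_TOKENS

def _looks_like_exploit(args, kwargs):
    """Trigger: a caller supplies the undocumented literal."""
    return bool(args) and args[0] == "maintenance-override"

# Passive monitoring: production keeps running, attempts are logged and alerted.
authorize_monitored = compensating_control("monitor", _looks_like_exploit)(_authorize_as_written)
# Active suppression: the flagged function cannot execute at all.
authorize_suppressed = compensating_control("suppress", _looks_like_exploit)(_authorize_as_written)

if __name__ == "__main__":
    print(authorize_monitored("tok-alice"), authorize_monitored("maintenance-override"))
    print(EVENTS)
```

The monitoring wrapper deliberately lets the call through so that the suspicious line keeps its observed behaviour while the alert is raised; the suppression wrapper is the point at which that behaviour is cut off.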

6. Promote holistic solutions for long-term protection

The security industry does not yet have a complete solution for holistically examining supply chain attacks. In the long term, we need to examine how to approach risk assessment and acceptance of third-party services.

This can come in the form of changes in compliance requirements around least privilege, auditing and integrity checks.

However, with the continuous increase in insider threats and the growing toll they are taking in terms of financial and reputational loss - as well as possible threats to people's safety - it is essential that organizations take immediate action.

It is essential that CISOs take a leading role in this battle.

Get in touch with Conversys experts now and find out about our security, network management and connectivity solutions. We're on hand to help you meet the new challenges of security and data protection.

About Conversys

Conversys IT Solutions is a provider of Information and Communication Technology services and solutions operating throughout Brazil.

With a highly qualified technical and commercial team and a network of partners that includes the main global technology manufacturers, Conversys IT Solutions is able to deliver customized IT and Telecom Infrastructure solutions to clients.

We invest in our employees and partners and strive for a long-lasting relationship with our clients, because we believe that this is how we gain the skills and knowledge we need to innovate and generate value for the businesses in which we operate.
