Insider Risk, Insider Threats, and Security Awareness Training


Defending against insider threats can be difficult, especially in a work-from-anywhere world. These are legitimate users seeking to steal data and trade secrets like product plans and customer lists, sabotage systems, or conduct fraud. They are working with their own credentials (or those of a coworker) and often have legitimate access to the data they want.

But what about defending against insider risk?

What Are Insider Threats and Insider Risk?

An insider threat is an employee or partner with malicious intent. These actors take actions to deliberately steal or expose data. Their motivation may be financial (espionage for a competitor), personal (taking customer lists to a new employer), or they may simply seek revenge for a perceived slight.

In contrast, anyone in an organization who can access systems or data can present insider risk. We are all human and prone to making mistakes. These mistakes could include “accidents” like leaving your laptop or removable storage drive in a taxi or restaurant, sending an email to the wrong recipient, or clicking on a malicious link in an email. They can also include negligent acts or policy violations like submitting confidential information to a generative AI engine, or moving sensitive data to a personal cloud drive or email account so the user can work remotely.

Poor Cyber Hygiene Hurts Security

While it makes sense for organizations to be diligent in addressing malicious insiders, threats caused by careless or negligent employees are the most prevalent. According to a recent Ponemon Institute report, non-malicious insiders who are careless or negligent account for 56% of insider threats in companies, costing on average $484,931 per incident. Negligent acts by insiders can be just as damaging as malicious attacks:

  • Microsoft AI researchers inadvertently exposed 38 terabytes of sensitive internal data when publishing open-source training materials on GitHub. The exposed information included passwords, secret keys, and over 30,000 internal Microsoft Teams messages from hundreds of employees.
  • A City of Dallas IT employee unintentionally erased over 20 terabytes of city data, including more than 13 terabytes of police records, while attempting to transfer them from online storage. A report found the technician was inadequately trained on the software.
  • A 2024 report from Menlo Security found that 55% of generative AI inputs contained sensitive and personally identifiable information. This threat had earlier led Samsung and Amazon to ban the use of ChatGPT.

Phishing, Smishing, and Business Email Compromise Attacks

Accidents and negligence also help malicious hackers. Social engineering attacks like phishing, vishing, smishing, and Business Email Compromise (BEC) exploit human weaknesses to trick employees into revealing their credentials, installing malware, or paying fraudulent invoices.

Phishing is the most well-known of these tactics. It relies heavily on employees’ inattention to detail or lack of awareness. When a user receives hundreds of emails each week, scrutinizing each one can be difficult. A moment of distraction can lead to clicking on a malicious link or downloading an infected attachment, which can in turn trigger a ransomware attack and compromise an entire organization’s security.

Business email compromise is a sophisticated cyberattack that exploits trust within and between organizations to defraud companies of money or sensitive information. Attackers carefully research their targets and impersonate executives or trusted partners, often using spoofed or compromised email accounts. They then manipulate employees into transferring funds to fraudulent accounts or divulging confidential data.

BEC is an expensive problem. In 2023, the FBI Internet Crime Complaint Center (IC3) identified nearly $51 billion in exposed losses due to business email compromise.

How Security Awareness Training Helps

Social engineering attacks are one of the most difficult security threats to prevent because they target human behavior rather than technical vulnerabilities. However, a good security awareness training program can provide significant benefits. The 2024 IBM Cost of a Data Breach Report found that employee training was the top factor in mitigating the costs of a breach. Organizations with low levels of employee training had breach costs that were 25% higher than organizations with high training levels.

How to Run an Effective Security Awareness Training Program

High levels of training require more than a once-a-year refresher session. These annual events are compliance-driven and do not promote knowledge retention. Instead, organizations should focus on providing their users with engaging material, regular reinforcement, and real-life scenarios.

It is well understood that students begin to forget material almost immediately after a lesson. A study in the 1880s by psychologist Hermann Ebbinghaus found that without any reinforcement or connections to prior knowledge, information is quickly forgotten: roughly 56 percent in one hour, 66 percent after a day, and 75 percent after six days. The learning loss can be slowed by frequent review of the material.

For security awareness training, this review can include visual reminders around the office or in communications to users. Awareness videos and graphics keep security hygiene top of mind in a light and digestible way.

Phishing simulations are an effective strategy for reducing the insider risk posed by social engineering attacks. These run automatically and use relevant, targeted phishing techniques, such as simulated requests and invitations that appear to come from real peers, or messages imitating familiar organizations and brands. Remember to include the executive team in all training. A successful initiative requires visible senior management support.
