“If you could just secure the network, that’d be terrific.”
If the 1999 movie Office Space were remade today, there’s no doubt a character in upper management would reiterate this line time and time again to the chagrin of anyone in IT or security. Unfortunately, securing modern organizations’ IT environments has become even more complicated since Peter Gibbons and friends infiltrated Initech’s defenses from the inside.
There’s no denying that a lot has changed in the last three years. Organizations have also increased potential attack surfaces with the work environment shifting drastically to adopt a more dispersed model. The risk of an insider threat certainly isn’t new, but the opportunity for these cyberattacks has become more frequent. Unfortunately, we can’t just lock the office door and hope for the best. Without enhanced visibility, secure tool management, and comprehensive turnover policies, organizations will continue to face external and internal cyber threats, intentional and unintentional. Understanding the business impact of cyberattacks is the first step toward protecting against these threats.
The Increasing Risk of Insider Threats
With a rise in cloud adoption and Software-as-a-Service (SaaS) applications, it has never been easier to exfiltrate, duplicate, or share data. This ease of sharing, of course, has benefits for an organization that prioritizes collaboration and efficiency but could have serious repercussions if left unchecked. Many organizations use file-sharing tools such as Slack, Teams, OneDrive, and Dropbox to ensure employees can access the information they need to do their jobs from anywhere. But once that data is accessed, it can be difficult, if not impossible, for an organization to see where that data goes, let alone keep it safe and secure.
The increases in remote work and Shadow IT have come hand in hand, as employees may be leveraging both work and personal devices and tools to get their jobs done from anywhere. Remote or hybrid work decreases IT’s oversight of employees, data, and technology, leaving the IT team with little to no control over network hardening. Even implementing new steps or technologies to verify identity (also known as access management) doesn’t guarantee that each employee is practicing good security hygiene, which may leave the organization open to risk.
Shadow IT is when employees connect a device or cloud application without notifying their company or IT team. With many organizations allowing Bring Your Own Device (BYOD) to make employees’ jobs easier in a dispersed workforce, IT can lose visibility over devices and applications. Users eager to adopt the latest cloud applications to support remote work bypass their IT administrators, thereby unknowingly opening themselves and their organization up to increased cyber risk. From increased risk of data breaches to violations of regulations and compliance standards, shadow IT risks make it difficult for organizations to secure their systems – after all, if you don’t know a device exists, how can you take steps to protect it?
The modern workforce is not just dispersed but ever-changing. Last year, 47.8 million workers quit their jobs, and we continue to see record turnover across roles and industries. Not only do new employees need to be trained on security policies and best practices, but – whether intentionally or not – many departing employees may take data with them upon exiting a company. This data could include sales documents, trade secrets, intellectual property (IP), customer records, and more. If employee provisioning/de-provisioning transitions are not handled properly, there’s a greater risk of an insider threat carrying out a cyberattack.
Why Aren’t We Talking About This?
In Office Space, the employees were clearly able to get away with their scheme due to a lack of attention from upper management. In fact, instead of raising red flags, Peter’s disassociation from his job led to a promotion. While recent societal changes have caused an uptick in cyberattacks from insider threats, leadership still rarely discusses the issue because it is uncomfortable and can be challenging to detect. Not to mention, it can be complicated and expensive to identify and deploy a solution.
Especially as more organizations move towards a workplace culture of trust and collaboration, leadership and employees don’t want to “rat on each other” or make an accusation that may turn out to be false. Take Milton, for example, an employee who was supposedly let go five years prior, but a glitch in accounting meant he was still receiving a paycheck. Who could have guessed that it wouldn’t be the paychecks ceasing but a stapler that made him snap and set the whole office ablaze?
Combating Insider Threats
Addressing the increasing risk of insider threats requires a multi-faceted approach that includes building cultural awareness, hardening networks, solidifying policies and enforcement, and streamlining onboarding and offboarding.
- Build a Cyber-Smart Culture: By focusing on security culture and education, organizations can cultivate a culture of trust and inform employees on what an insider threat looks like and best practices to secure the organization’s data. Educate employees on the realities of insider threats and encourage them to speak up if they recognize one. Maintain an ongoing training program to keep awareness high and the team engaged.
- Harden Network Infrastructure: Organizations can reduce the attack surface by removing unnecessary privileges. This is called the least privilege principle, which gives employees access only to the files necessary for their job. Combined with user behavioral analytics (UBA), asset inventories, and managed detection and response (MDR), this approach strengthens an organization’s defenses against internal threats.
- Maintain Policies and Enforcement: Help set and enforce rules with a Technology and Data Use policy detailing how data is stored and shared. Create policies and clear reporting pathways that keep communication open throughout the organization and make reporting easy, confidential, and anonymous. These policies should also apply to all employees, from the CEO to the newest intern to third-party contractors.
- Streamline On/Offboarding: As we continue to experience higher than average turnover across roles and industries, organizations should consider recommending background checks for all new employees and contractors. When employees leave, departments should work together to promptly follow documented offboarding procedures and remove access.
By following these best practices, organizations can strengthen their defenses against insider threats, whether intentional or unintentional, and mitigate the repercussions of successful cyberattacks.