This post is going to ask you to take a seat and consider something you’ve probably suspected but didn’t want to admit: The biggest security threat to your company’s data might not come from those hoodie-wearing hackers but from the people within the company; your smiling, innocent-looking colleagues.
Yes, it’s time to talk about insider threats.
Insiders are people who have access to your IT systems. It could be a network login, VPN access, usernames and passwords to your CRM, databases and more. They could be employees, contractors, temps, or even trusted vendors.
I’m going to describe them in terms of two main flavors: The unwitting and the malicious.
The unwitting insiders are the people who don’t know the rules, or think that they don’t apply to them.
At one end of the spectrum, the unwitting are the ones who carefully write their passwords down so they don’t forget them. They click on exciting and important links in emails. They allow their children, partners, house-guests and pets to use their laptops when they’re working from home.
At the other end are people like the experienced IT pros who are careful to choose one incredibly complicated password but use it across all servers and services. They make sure that all servers are patched and up to date (except that Windows 2003 backup server because there’s still a couple of years left in it). They get around to removing old user accounts… every so often.
The unwitting insiders don’t necessarily cause the damage, but they open the doors to external hackers and, of course, the malicious employees.
The malicious people are those who use the access they are given, or obtain by theft or persuasion, to steal business secrets or damage systems.
Often, this insider is a disgruntled staff member. Perhaps they have recently been passed over for promotion, or have a poor relationship with the boss. Whatever the reason, some people in this mindset can be intent on stealing valuable information or causing a bit of chaos.
Or it might be an insider who is about to jump ship and wants to take the customer database along with them. In some rare cases, it could be a malicious infiltrator intent on stealing data or disrupting systems.
Or, they could simply be opportunists who see something valuable to use, sell, or hold to ransom.
Here’s just a couple of stats for you:
Verizon’s 2020 Data Breach Investigations Report states insider attacks make up 30% of all cyber attacks.
The 2020 Cost of Insider Threats Global Report study from Ponemon Institute showed that insider attacks increased by 47% from 2018 to 2020.
So it’s not a small threat, and it’s growing.
I hope I’m not making too obvious a statement here, but insider threats are a thing because people inside organizations have more access and less restriction on their actions than people outside. That’s kind of the point. It’s a trust thing.
But here is the gist: an uneducated staff – one that is not informed as to the policy on what is allowed and what is not – might be the biggest risk of all. If they have access but do not understand how to protect the keys to the kingdom, the organization is operating at increased risk. It is as simple as that.
So what can you do to protect yourselves while still enabling people to do their jobs? Turns out you can do a lot, and I’ll look at that next time.