What are insider threats and how can they impact your organization
The theft of data by both insiders and external entities will likely go down in history as a “sign of the times”. Data has a very wide scope. It includes everything from customer records to employee personal information to the very source code that our applications depend on.
When we lose data, whether through malicious or accidental activity, it hurts our organization deeply. The theft of source code can be devastating, and it is a problem with a clear track record. There are multiple examples of Intellectual Property (IP) theft via source code. The case of Shekhar Verma, a former software developer at Geometric Software Solutions Company in Mumbai, is one example: Verma attempted to sell the source code of a U.S.-based client but was intercepted by the FBI. A more recent example is an ex-IBM developer who received a 5-year jail term for stealing source code from the company.
Insider threats are here to stay. Human behavior dictates that there will be a mix of accidents and malicious activity no matter what industry you work in. Insider threats that affect source code are as dangerous as any other threat to data and IP. Here we will take a look at what insider threats are and how they affect organizations of all sizes, across all sectors.
The Inside View of Insider Threats
Much work has been done in identifying the impact of insider threats. Whether the incident is deliberate sabotage or accidental misuse of data, an action which causes data loss will have a detrimental impact across many areas of a business. To get a view on how big an issue insider threats are, let’s take a look at some analysis in the area.
A recent report into the problems caused by insider cybersecurity incidents was produced by an international software company, Computer Associates (CA). The general results of the survey, which was carried out across a community of 400,000 IT professionals, were worrying:
- 90% of organizations feel they are vulnerable to insider threats
- CA identified privileged-access users and increasingly complex IT as the weak points that insiders take advantage of
- 53% of organizations said they had been affected by an insider threat in the previous 12 months
The costs of cybersecurity incidents are something that hits home hard. Work carried out by the Ponemon Institute into the financial impact of insider threats, “2018, Cost of Insider Threats”, gathered data on the cost of an insider-initiated incident. The figures are concerning. Here are the financial costs, on average, per incident:
- Negligence by employee or contractor: Average cost of $283,281
- Malicious insider: Average cost of $607,745
- Hacker (credential thief): $648,845
Ponemon found that the vast majority of insider incidents were caused by non-malicious events, i.e., mainly from sheer negligence on the part of an employee or contractor.
Costs also varied depending on the size of the organization, the average spend in the last 12 months to rectify insider incidents being:
- Greater than 75,000 employees: $20 million
- Less than 500 employees: $1.8 million
It took, on average, 73 days to sort out an insider-based cybersecurity incident.
What Does an Insider Look Like?
Insider threats do not have to be deliberate acts of sabotage. When we think of data breaches, hacking, and other cybercrimes, we often think of a masked hacker. An insider threat can be caused by simple negligent action such as sharing source code on a developer forum. It can also be caused by a deliberate act, involving theft and the sale of code, potentially to competitors.
Insider threats, by whatever means, are every bit as damaging as anything an external hacker can cause. Our breakdown below shows the types of insiders we can typically expect to encounter:
The Malicious insider
Deliberate data theft is a concern for almost half of organizations, according to the CA insider threat report. A study by Gartner showed that 62% of insider threats come from persistent offenders, malicious in intent, who do so to create a second income. Gartner terms these insiders “Second Streamers”, looking to sell on the stolen data. The examples that we discussed at the start of this article were examples of second streamers selling on source code for financial gain.
The Accidental insider
Critical systems are often opened up to consultants and transient employees. These employees may not have built up a trusted relationship with the organization. They may not be aware of security policies around data hygiene. Accidental source code exposure can easily occur under these circumstances. The CA report found that 42% of organizations believe that contractors/service providers and temporary workers pose an insider threat.
Accidental exposure of source code can also occur if the company does not have strict rules around information and IP disclosure. Developers use forums and portals to trade ideas and solve code-related problems. It is easy to share snippets of code on these forums without realizing they may be exposing sensitive information.
The Disgruntled insider
When an employee or contractor falls out with a manager or is unhappy with conditions, they can end up disgruntled. This can translate into an insider threat. Analysts at McKinsey have found that disgruntled employees pose a significant threat to an organization in terms of data exposure. Anger and underperformance are the main drivers of insider threat in this category.
The leaver/joiner insider
People leaving or even joining a company are a major category of insider threat. The Hague Delta has found that leavers (and joiners) in a company posed the greatest threat of insider-related data exposure. The report also highlights that 89% of leavers continue to have access to proprietary corporate data even after leaving an organization.
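The leaver figure above is one that can be checked rather than assumed. The following is an added example, not code from the original article or from any vendor it mentions: it reconciles a constructed HR leaver list against a constructed snapshot of source-repository access and flags accounts that still hold access past their leaving date, ranking write access above read access. The data shapes, the `grace_days` parameter and the permission names are assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): HR's record of leaving dates,
# and a snapshot of who currently holds access to each source repository.
HR_LEAVERS = {
    "alice": date(2019, 3, 1),   # left three months ago
    "bob": date(2019, 5, 20),    # left last week
}
REPO_ACCESS = [
    ("alice", "billing-service", "write"),
    ("bob", "billing-service", "read"),
    ("carol", "billing-service", "write"),   # still employed, not a finding
]

# Higher number = more damaging if the account is abused after leaving.
PERM_SEVERITY = {"read": 1, "write": 2, "admin": 3}


def stale_access(leavers, access, today, grace_days=0):
    """Return repository access entries held by people who have already left.

    grace_days allows a short offboarding window (e.g. a hand-over period)
    before an entry is treated as a finding. Results are sorted so the most
    privileged and longest-overdue entries come first.
    """
    findings = []
    for user, repo, perm in access:
        left_on = leavers.get(user)
        if left_on is None:
            continue  # current employee; nothing to reconcile
        days_overdue = (today - left_on).days - grace_days
        if days_overdue <= 0:
            continue  # still inside the agreed offboarding window
        findings.append({
            "user": user,
            "repo": repo,
            "perm": perm,
            "days_overdue": days_overdue,
            "severity": PERM_SEVERITY.get(perm, 0),
        })
    return sorted(findings, key=lambda f: (-f["severity"], -f["days_overdue"]))


if __name__ == "__main__":
    for f in stale_access(HR_LEAVERS, REPO_ACCESS, date(2019, 6, 1), grace_days=7):
        print(f"{f['user']:<8} {f['repo']:<18} {f['perm']:<6} {f['days_overdue']} days overdue")
```

Run regularly against real HR and source-control exports, the output is the list of accounts offboarding has missed; the same join can be inverted to catch joiners granted write access before their start date.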
Collusion and the insider
This is identified by IBM as being a rarer form of insider threat. Nonetheless, the collusion between inside personnel and external malicious forces is still a potential source of exposure of IP. This form of insider threat relies on an external person recruiting an employee for the sole purpose of stealing data.
The Insider and Source Code
The theft of source code is associated with all categories of insider threat. The intrinsic value of source code makes it an attractive form of data/IP for those wishing to sell it on for profit. But the inherently collaborative nature of software development also means that it is at risk from accidental or negligent exposure. Source code, perhaps more so than many other forms of data, has to be protected against all forms of insider threat.
How to Keep Your Insider Threats Inside
Insider threat is one of the most difficult types of cyber-threat to contain. The very fact that it is perpetrated by an employee or business associate makes it difficult to detect and stop. How do you tell a genuine logon and data transfer from a malicious or even accidental one? Fortunately, there are methods available to prevent insider threats from becoming incidents:
Privileged access control and IAM
Employees with privileged access rights have a higher risk of becoming an accidental (or even malicious) insider. Grant privileged access sparingly, on a need-to-know basis.
Security awareness training
Accidents happen, but awareness can decrease the likelihood of them. Security awareness training packages teach employees good security practice. They can also include phishing simulation exercises, which train employees to spot the signs of phishing. This can help to prevent the theft of access credentials used to steal source code and other data.
Data loss prevention (DLP)
DLP solutions are used to monitor source code files and the applications developers use. They are a vital tool, as insider threats are very difficult to identify. Unusual activity and unexpected data transfers can be blocked using DLP tools.
Good security policy around security hygiene
Having a good security policy with robust authentication policies and security hygiene is a must. Security policies can be used alongside security awareness training to build a company-wide culture of security that helps prevent accidental and negligent insider threats.
Other technologies such as encryption, behavioral analytics, and deception technologies
Other security technologies are useful in a holistic approach to preventing insider threats. Insider threats, as we have seen, have many faces. Both a human-centered and technology-based approach is needed to manage such intrinsic and insidious threats.
A balance between trusting your employees and monitoring them creates an environment where everyone feels safe. Tools like source code theft prevention solutions offer a way to ensure that source code is ring-fenced and monitored. Coupled with security awareness training and good security hygiene, this mix of measures creates a mutually trusted relationship between you and your developers. Importantly, a ‘Trust but Verify’ approach can be an effective first line of defense to prevent your source code being stolen.
An Insider Perspective
Source code is our intellectual property. It is of high value, and the risk of exposure comes at a great cost to an organization. The threat to our source code and other sensitive data comes from inside our organization as well as from outside. We have to recognize that insider threats are a real risk. They may not be purposeful; these threats are often born of sheer negligence, but whatever the reason, they are highly damaging. Lost source code, even code snippets, is lost revenue. And it means that code can also, potentially, end up with a competitor. We must put measures in place to prevent an insider from becoming an insider threat.
Using the right holistic structures, which apply a mix of human-centric and technological measures, will protect your organization. It is not easy to accept that employees can be a weak link, but by making sure they understand the risks and by using technologies like source code theft prevention solutions, this most difficult cyber-threat can be contained.