In the realm of cybersecurity, vigilance is key. Threats can come from anywhere, and sometimes, they emerge from within. In September 2023, we observe National Insider Threat Awareness Month (NITAM), a crucial initiative aimed at educating organizations and individuals about the dangers posed by insider threats and promoting strategies to mitigate them.
NITAM, established in 2019, is orchestrated by two prominent entities: the United States National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF). This collaborative effort aims to raise awareness among government agencies, private sector organizations, and the general public regarding the menace of insider threats. The campaign’s mission is to educate and encourage the development and implementation of robust Insider Threat Programs.
What exactly does NITAM entail?
Steve Santamaria, CEO, of Folio Photonics offers the following valuable insights:
“In a world where data fuels progress, the importance of National Insider Threat Awareness Month (NITAM) cannot be overstated. The campaign, which takes place each year in September, highlights the stark reality that employees, strategic partners, and other insiders with authorized access can inadvertently or intentionally inflict significant damage. This threat transcends industries, affecting both government entities and private businesses, as trust and access intersect in today’s interconnected digital landscape.
However, NITAM extends beyond simply shedding light on the issue—it drives us to seek effective mitigations, such as an active archive, which is an advanced technology designed to provide efficient and secure data storage while enabling quick access and retrieval of information. Unlike traditional archival systems that store data in a passive, offline state, an active archive maintains data in a more accessible and readily available form, making it easier to search, retrieve, and analyze. However, within the context of insider threats, an immutable active archive serves as a robust defense due to its unique qualities. By ensuring data immutability, it maintains the integrity of stored information and creates a traceable record of interactions. This traceability acts as a deterrent against malicious insider actions and aids forensic analysis during security breaches. Moreover, its alignment with regulatory compliance standards ensures adherence to legal requirements. Last but not least, real-time monitoring capabilities can further enhance its effectiveness by promptly identifying unauthorized activities.
In closing, NITAM stands as an annual rallying cry—a time to renew our commitment to cybersecurity and acknowledge that, while trust is invaluable, preparedness is non-negotiable.”
What are Insider Threats?
Insider threats are potential risks posed by individuals within an organization who have privileged access to its systems, data, or facilities. These individuals may be employees, contractors, or business partners. Insider threats encompass a spectrum of behaviors, ranging from unintentional actions driven by negligence to deliberate malicious activities.
Types of Insider Threats:
- Negligent Insiders: These individuals unintentionally cause security breaches through actions like clicking on phishing emails, mishandling data, or failing to follow security protocols.
- Malicious Insiders: Intentional insider threats involve employees or associates with harmful intent. They may steal sensitive data, commit fraud, or sabotage systems.
- Compromised Insiders: Sometimes, insiders become unwitting threats when their credentials are compromised by external actors, turning them into unwitting accomplices.
Recognizing and addressing insider threats is vital in today’s interconnected digital landscape to protect organizations from potentially devastating breaches.
The Current State of Insider Threats
To truly comprehend the gravity of insider threats, it’s essential to delve into the chilling statistics that underscore the very real and growing risks these threats pose. According to recent data from Ekran System, a leading cybersecurity provider, the landscape of insider threats is evolving at an alarming pace. These statistics shed light on the extent of the challenge:
- Rising Occurrence: Despite evolving insider risk management capabilities, 74% of organizations surveyed say there’s a rise in insider threats. Gartner also predicts that software supply chain attacks will afflict 45% of organizations by 2025, a threefold increase from the number recorded in 2021.
- Difficult to detect: According to Ekran System, 53% of cybersecurity professionals believe detecting insider attacks is harder in the cloud than in an on-premises environment.
- Costly Consequences: The Ponemon Institute conducted three studies on the cost of insider threats in 2018, 2020, and 2022. According to these studies, the total average cost of insider threats increased by 76% between 2018 and 2022.
- Time to Detection: It takes 85 days on average to detect and contain an insider threat incident, according to the 2022 Cost of Insider Threats Global Report by the Ponemon Institute. Only 12% of insider-related incidents are contained in fewer than 31 days.
- Malicious Intent: In the Ekran System’s report, malicious insiders were responsible for more than half of all incidents, up from 44% in the previous year.
These statistics underscore the urgent need for organizations to address insider threats effectively. They demonstrate that the threat is not only pervasive but also costly and often difficult to detect in a timely manner.
To mitigate these risks, organizations must not only invest in robust cybersecurity measures but also prioritize education and awareness among their employees. Insider Threat Awareness Month serves as a timely reminder of the importance of these efforts.
To fully appreciate the risks, consider some insights from the following industry experts:
Carl D’Halluin, CTO of Datadobi:
“Insider threats lurk within the very heart of organizations, disguised as trusted employees, partners, or collaborators. These individuals, armed with access privileges, possess the potential to wreak havoc that is often unseen until it’s too late. Their actions can shatter the security foundation of a company, leading to catastrophic data breaches, financial ruin through fraud, and irreparable damage to reputation.
…Mitigating insider threats demands a comprehensive strategy encompassing diverse countermeasures. This can entail the enforcement of stringent access controls, leveraging user behavior analytics, and the implementation of data loss prevention solutions, as well as vigilant user activity monitoring, and the fostering of anonymous whistleblower reporting mechanisms. However, to truly take insider threat mitigation to the next level, a solution that empowers organizations to assess, organize, and take action on their data is pivotal.
By proactively assessing data, it allows for the identification of anomalies and vulnerabilities before they escalate into significant risks. The continuous monitoring and analysis of data enable the rapid detection of unusual patterns or behaviors, facilitating timely intervention and mitigation. Moreover, the organized structuring of data enhances visibility, making it easier to pinpoint sensitive information and recognize unauthorized access or movement. When potential threats are identified, the solution enables organizations to take swift and precise actions, such as restricting access, initiating investigations, and/or moving data to another location, minimizing the potential damage. Beyond immediate responses, the solution’s adaptability ensures that countermeasures remain effective in the face of evolving insider tactics. This approach not only reduces the impact of insider threats but also contributes to operational continuity and regulatory compliance. Ultimately, the ability to harness data-driven insights enhances an organization’s proactive stance, equipping it to navigate the intricate landscape of insider threats with vigilance and resilience.”
Seth Blank, CTO, Valimail:
“In today’s fast-evolving and intricate digital communication framework, DMARC (Domain-based Message Authentication, Reporting, and Conformance) acts as a pivotal element. It serves as a critical component that prevents external actors from exploiting a trusted name to deceive and mislead. Think of DMARC as the equivalent of a bouncer checking IDs at an exclusive nightclub. Its primary role is to ensure that only authorized individuals—essentially those on the guest list—can gain entry. DMARC’s primary function is to make certain that unauthorized entities are both easily detectable and unable to impersonate your employees or executives, which if left unaddressed can turn an external threat into an internal one.
However, the role of DMARC extends beyond mere prevention. With DMARC enforcement, organizations gain the clarity that their communications are secured from impostors. Yet, this clarity also brings to light another dimension of security – the risks that potentially lurk within the organization itself. While it’s imperative to fortify against external threats, an equally significant aspect of security is the continuous oversight of internal activities and behaviors.
Understanding the intricate interplay between trust, security, and the myriad channels of communication means recognizing the phased nature of protection strategies. Tools like DMARC offer the first line of defense against external hackers and other attackers. However, once these external defenses are robustly established, it becomes critical for organizations to pivot, channel resources, and focus on addressing the subtleties and complexities of internal threats. This sequential layered approach ensures a holistic defense strategy – begin by fortifying against external threats and then work meticulously to foster and maintain a trustworthy internal environment.”
Embrace Vigilance: Strengthen Your Knowledge
National Insider Threat Awareness Month isn’t just a reminder of the dangers lurking within; it’s a call to action. We must educate ourselves and our teams to recognize the signs of insider threats. It’s about fostering a culture of cybersecurity awareness and responsibility.
Start by familiarizing yourself with your organization’s Insider Threat Program, if it exists, and best practices. Understand the protocols in place to detect and respond to insider threats. Encourage your colleagues to report any suspicious activities they observe. Learn the difference between Insider Threat and Insider Risk.
Moreover, familiarize yourself with the tools and technologies that can aid in mitigating insider threats. User behavior analytics, data loss prevention solutions, and continuous monitoring are just a few of the resources at your disposal.
Here are five notable solutions in random order:
- Ekran System: Ekran System is an advanced insider threat management solution known for its continuous user activity monitoring.
- IBM QRadar: Combines AI and threat intelligence for real-time monitoring and detection of insider threats.
- ManageEngine: EventLog Analyzer and Vulnerability Manager Plus.
- SolarWinds Security Event Manager: Offers SIEM and log management for identifying and mitigating insider threats.
- Teramind: Offers insider threat prevention through user activity monitoring and behavior analytics.
The September 2023 National Insider Threat Awareness Month is a stark reminder that cybersecurity is a multifaceted challenge. Insider threats are insidious, but we can strengthen our defenses with awareness and knowledge. As we navigate this ever-evolving digital landscape, let’s embrace vigilance and collectively work towards a safer, more secure future.
In closing, remember that cybersecurity is not just a buzzword; it’s a necessity. Let NITAM be a starting point on your journey towards a more secure digital environment.