U.S. Critical Infrastructure at Risk from Insider Threats

You may be prepared for threats originating outside your organization, but it’s worth considering how those attackers breach your defenses. Some might exploit your online platform’s vulnerabilities, and some could use botnet attacks, but an increasing number of security incidents originate with insider threats.

Although many insider threats are more accidental than not, they can still pose a major risk to your organization. However, the intent does not matter as much as what you can do to prevent attacks from human vectors. Implementing insider threat prevention will give you automated prevention and detection tools that can monitor your environment for unusual activity and advise your security teams of the risk level, enabling them to keep potential attacks under control. Insiders threats is also becoming a major cause of cloud-based attacks, making a cloud data security program an absolute must for organizations.

What is an Insider Threat?

An insider threat is typically an employee or user who, intentionally or unintentionally, enables or facilitates attacks on an organization’s infrastructure or data. The majority of insider threats are unintentional, but they can be just as devastating to an organization as a malicious threat.

Some common types of insider threats include:

• Negligent: When users fail to log out of their accounts, improperly store data, or click on phishing emails, their errors can provide an opportunity for attackers to compromise their credentials or access sensitive information. Well-intentioned users may also email themselves files to work on at home, but this creates many potential vulnerabilities. Attackers could find that data on a less secure home network, the employee’s email could be hacked, or the message could be sent to the wrong person.
• Complacent: Everyone does it. Your IT department tells you to change your password every 90 days, but you forget. Alternatively, you change one character and call it a day, or you use a password that you’ve already created for another account. Perhaps you store your company credentials in the browser of your personal computer. Things like this make it easier for you to access your accounts; however, they also make it easier for attackers to access your accounts. A credential scraping or brute force attack is made much easier if there are patterns.
• Malicious: These threats generally come from recently terminated or dissatisfied employees. They may have financial motives, but sometimes they just want to damage their current or former organization. While it’s easy to assume that most insider threats are malicious, they are actually in the minority.

Insider Threats to U.S. Critical National Infrastructure

Across 525 critical decision-makers for US industries that comprise national infrastructure, the majority report an increase in insider threats. 77% of organizations across industries have increasingly seen insider threats as a result of financial stress (malicious) and remote work (non-malicious). Malicious actors with a financial motivation are more common in the financial sector, but they are still in the minority in all industries.

Organizations are finding that most of the insider threats can be attributed to carelessness or insufficient understanding of security protocols, and attackers haven’t missed a beat. Many attackers focus on social engineering or compromised credential attacks, which allow them to steal or manipulate legitimate credentials to serve their own ends.

These types of attacks are difficult to detect because they use legitimate accounts. There could be unusual use patterns or access attempts, but without constant monitoring, many organizations are none the wiser. For any organization critical to U.S. infrastructure, this can have broad impacts. When one of these companies goes down, large groups of people are affected.

Managing the Insider Threat

To mitigate the risks of insider threats, which is especially important for companies in infrastructure-related industries, organizations need to adopt insider threat prevention and detection strategies. While malicious leaks are not the bulk of insider threats, they can still be crippling, so it’s important that security teams always delete accounts and restrict access when someone leaves the company.

To manage the more benign insiders, companies should not permit any more access to any user than what is absolutely necessary. Training is essential for employees to understand the impact their complacency or negligence could have. They should never email themselves company files, and their work and personal accounts should always be completely separated with no credentials in common. Data access should also be monitored to detect any unusual activities or requests.

Insider threat detection solutions use analytics and machine learning to find patterns in data access attempts, which helps them pinpoint unusual activity and alert you quickly. Another benefit to detection solutions is prioritization, which is automated to help security teams work on the most critical vulnerabilities. To deal with security compromises effectively, you need a fast response time, which is best achieved with automated tools.

Ultimately, insider threats will always exist, especially as many organizations are permanently invested in the hybrid or remote workforce. However, to protect critical infrastructure, organizations must leverage all possible tools to prevent and handle attacks. By restricting permissions and using automated tools to facilitate monitoring and quick detection, your organization can get a leg up on insider threats.