Why Insider Threats Need a Zero Trust Approach

Over two-thirds of businesses have seen insider threats become more frequent in the last year, with the average annual cost now exceeding $11.45 million. Whether they stem from negligence and human error, such as clicking on a suspicious link or leaving an unsecured laptop on a train, or from deliberate misuse of legitimate access, insider threats can have devastating consequences. As a result, organisations need a zero-trust approach to cybersecurity.

Built on the ‘never trust, always verify’ philosophy, a zero-trust framework grants access only to users and devices that have been verified for the request in hand, rather than to anyone who happens to be inside the network perimeter, and uses continuous validation to keep systems secure and malicious insiders at bay. We spoke to several cybersecurity experts to learn the fundamentals of a zero-trust approach and their best practices for developing a robust cybersecurity programme.

Zero trust needs to extend to authentication

The Verizon 2022 Data Breach Investigations Report (DBIR) illustrates that a significant majority of ransomware breaches result from stolen credentials, the use of which has increased by almost 30% since 2017. Once credentials are stolen, the attacker effectively becomes an insider: the compromised employee account and device serve as a ‘home base’ within the network, from which the intruder can scan file shares, escalate privileges and infect other systems.

Jasson Casey, CTO of Beyond Identity, explains that attackers don’t break in, they log in. “Antiquated authentication methods – be it passwords or traditional MFA – continue to put organisations at risk. It’s time organisations shut the front door on the main way adversaries gain initial access to systems, stopping any future ransomware attacks in their tracks.”

Casey explains the benefits of Zero Trust Authentication (ZTA), a subcategory of zero trust developed in response to the weaknesses of passwords and traditional MFA.

“Adopting authentication that has been designed to accelerate the journey to zero trust security paradigms significantly reduces risk, by ensuring continuous authentication whilst eliminating all credentials and codes that attackers use to plant ransomware crops. By leveraging the combination of biometrics and Passkeys based on the Fast Identity Online (FIDO) standards, organisations are able to always know who and what device is requesting access.” 
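To make the passkey model Casey describes concrete, here is an added example written for this page (not Beyond Identity's code and not a FIDO implementation): a Go program that models the two halves of a WebAuthn-style ceremony. The device holds a private key that never leaves it and signs the server's challenge together with the origin the browser reports; the relying party verifies the signature under the enrolled public key, checks that the origin is its own, and accepts each challenge only once. The `clientData` layout, the `Register` and `Login` helpers and the hostnames are assumptions made for the example. Real WebAuthn also signs authenticator data (rpID hash, flags, signature counter), and the browser itself refuses to use a credential from a mismatched origin, a first line of defence not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is assembled by the browser, not by the web page, so a phishing page cannot put the genuine origin in it.
type clientData struct{ Challenge, Origin string }

// Authenticator models the user's device; the private key is created there and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty is the server: public keys per user, plus challenges issued but not yet consumed.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey
	pending    map[string]bool
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Register is the enrolment ceremony: the device mints a key pair and the server keeps only the
// public key, so there is no password, OTP seed or other shared secret to phish, steal or replay.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// NewChallenge issues a fresh random challenge and remembers it until it is consumed.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is not something a login flow can recover from
	}
	c := fmt.Sprintf("%x", b)
	rp.pending[c] = true
	return c
}

// Sign answers a challenge. Simplified from WebAuthn: the signature covers SHA-256(clientDataJSON)
// only; real assertions also cover authenticatorData (rpID hash, flags, signature counter).
func (a *Authenticator) Sign(origin, challenge string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig, err
}

// Verify re-checks everything on every login: the challenge was issued here and is unused,
// the origin is ours, and the signature verifies under the enrolled key. Any mismatch fails closed.
func (rp *RelyingParty) Verify(user string, cd, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return fmt.Errorf("unknown user %q", user)
	}
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil || !rp.pending[c.Challenge] {
		return fmt.Errorf("challenge not issued or already used: replayed or forged assertion")
	}
	delete(rp.pending, c.Challenge) // single use, whether or not the remaining checks pass
	if c.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: assertion relayed from a phishing site", c.Origin, rp.Origin)
	}
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Login runs one ceremony end to end. origin is what the browser reports: in a phishing relay the
// attacker forwards the genuine challenge, but the browser labels clientData with the attacker's origin.
func Login(rp *RelyingParty, auth *Authenticator, user, origin string) error {
	cd, sig, err := auth.Sign(origin, rp.NewChallenge())
	if err != nil {
		return err
	}
	return rp.Verify(user, cd, sig)
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com")
	auth, err := Register(rp, "alice")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine login:", Login(rp, auth, "alice", rp.Origin))
	fmt.Println("phished login:", Login(rp, auth, "alice", "https://example-com.login-help.test"))
}
```

A phishing page that relays the genuine challenge still fails, because the signed origin is the attacker's; a captured assertion fails when submitted a second time, because the challenge has already been consumed; and a signature from another user's device fails under the enrolled key. None of those properties hold for a password or a one-time code, which is the difference Casey is pointing at.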

Understanding your landscape is key

Clear visibility is also crucial for understanding the threat landscape an organisation operates in. However, Gartner reports that few organisations today have an accurate picture of their own threat landscape.

Security and risk management leaders are struggling to know what threats should constitute real concerns for their organisations, notes Brett Candon, Vice President for International at Cyware. “Threat intelligence helps enterprises get ahead of attacks, but it isn’t easy to segregate, correlate, and prioritise the huge volumes of available threat data to create a ‘single source of truth’. Adding threat intelligence, however, isn’t enough. We must connect the dots.

“This next-generation approach to cybersecurity – often referred to as cyber fusion – unifies all security functions such as threat intelligence, security automation, threat response, security orchestration, incident response, and others into a single connected platform which detects, manages, and responds to threats in an integrated and collaborative manner.”

Candon adds, “at the end of the day, threat intelligence only works when it can communicate the relevant data to the right people, at the right time, so they can quickly take meaningful action. As has been written about many times over, there is no silver bullet when it comes to tackling cybercrime – whether it’s a genuine mistake or a deliberate, targeted attack – but by fusing disparate elements of the cybersecurity stack, the risk of falling victim will be reduced.”


Such a thing as too much visibility?

When the threat lies within, who has access to what also becomes a huge issue. Andy Bates, Practice Director – Security at Node4, argues that many businesses are simply too trusting of their employees, allowing everyone to have access to all files, even confidential information such as HR documents or financial spreadsheets.

“Most businesses have segmented security within the environment to prevent attackers from moving laterally through their system, and the same approach should be applied to insiders to restrict their access to information that doesn’t concern them.

“Best practice should be to apply role-based access control and a ‘zero-trust’ mindset,” Bates elaborates. “This means that only employees who require information to perform their job can access it and that their identity is reconfirmed whenever they do. This should be a minimum for all organisations to reduce the risk of data breaches and stop possible threats in their tracks. Working with a dedicated security operations centre (SOC) will ensure that this is implemented effectively and securely. And, as a third party, they can better assess suspicious activity within the organisation and will ensure that experienced cybersecurity experts are on hand to monitor your digital environment 24/7.”
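The control Bates describes, role-based grants combined with re-verification of identity at the point of access, is shown below as an added example written for this page (not Node4's code). The roles, resource names, the 15-minute re-authentication window and the managed-device check are assumptions chosen for illustration, as is the sample set of access requests; the point is that the policy denies by default and that a valid role is not enough on its own for confidential data.

```go
package main

import (
	"fmt"
	"time"
)

// Sensitivity classifies resources; Confidential data gets extra checks on every access.
type Sensitivity int

const (
	Internal Sensitivity = iota
	Confidential
)

type Resource struct {
	Name  string
	Class Sensitivity
}

// Session is what the policy knows about the requester at decision time.
type Session struct {
	User, Role    string
	LastAuth      time.Time // when the user last proved their identity (e.g. a passkey assertion)
	ManagedDevice bool
}

// Policy maps roles to the resources they may read. Anything not listed is denied.
type Policy struct {
	Grants      map[string]map[string]bool
	ReauthAfter time.Duration // Confidential reads need identity proof fresher than this
}

// Decide returns the access decision plus a reason that can go straight into an audit log.
func (p Policy) Decide(s Session, r Resource, now time.Time) (bool, string) {
	if !p.Grants[s.Role][r.Name] { // a missing role or resource reads as false: deny by default
		return false, fmt.Sprintf("deny: role %q has no grant for %q", s.Role, r.Name)
	}
	if r.Class == Confidential {
		if !s.ManagedDevice {
			return false, fmt.Sprintf("deny: %q is confidential and the device is unmanaged", r.Name)
		}
		if age := now.Sub(s.LastAuth); age > p.ReauthAfter {
			return false, fmt.Sprintf("deny: %q is confidential, identity last verified %s ago, re-authenticate", r.Name, age.Round(time.Minute))
		}
	}
	return true, fmt.Sprintf("allow: %s (%s) reads %q", s.User, s.Role, r.Name)
}

// Request is one access attempt to evaluate.
type Request struct {
	Session  Session
	Resource Resource
}

// Audit evaluates requests and returns the denials; for a SOC these are the lines worth reviewing.
func Audit(p Policy, reqs []Request, now time.Time) []string {
	var denials []string
	for _, q := range reqs {
		if ok, why := p.Decide(q.Session, q.Resource, now); !ok {
			denials = append(denials, q.Session.User+": "+why)
		}
	}
	return denials
}

// ExamplePolicy and ExampleRequests are constructed sample data, not a real organisation's.
func ExamplePolicy() Policy {
	return Policy{
		Grants: map[string]map[string]bool{
			"hr":       {"hr/salaries.xlsx": true, "wiki/handbook": true},
			"finance":  {"finance/q3-forecast.xlsx": true, "wiki/handbook": true},
			"engineer": {"wiki/handbook": true, "src/repo": true},
		},
		ReauthAfter: 15 * time.Minute,
	}
}

func ExampleRequests(now time.Time) []Request {
	salaries := Resource{Name: "hr/salaries.xlsx", Class: Confidential}
	handbook := Resource{Name: "wiki/handbook", Class: Internal}
	req := func(user, role string, authAge time.Duration, managed bool, r Resource) Request {
		return Request{Session{user, role, now.Add(-authAge), managed}, r}
	}
	return []Request{
		req("alice", "hr", 5*time.Minute, true, salaries),     // allowed: right role, fresh auth, managed device
		req("bob", "engineer", 5*time.Minute, true, salaries), // denied: no grant
		req("alice", "hr", 3*time.Hour, true, salaries),       // denied: identity proof too old
		req("carol", "hr", 1*time.Minute, false, salaries),    // denied: unmanaged device
		req("bob", "engineer", 3*time.Hour, false, handbook),  // allowed: Internal data needs only the grant
	}
}

func main() {
	now := time.Now()
	for _, d := range Audit(ExamplePolicy(), ExampleRequests(now), now) {
		fmt.Println(d)
	}
}
```

Running the sample produces three denials: the engineer with no grant for the salary file, the HR user whose last identity proof is hours old, and the HR user on an unmanaged device. The denial reasons are the signal a SOC would monitor, since an insider probing files outside their role shows up as a pattern of "no grant" denials long before any data leaves.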

Encouraging the engaged bystander

It’s a worrying thought, but there’s very little protection in place for an organisation if someone with trusted access to their IT systems is intent on causing harm.

Hugh Scantlebury, CEO and Founder of Aqilla, explains that this is why the role of an engaged bystander is so important. “All too often, we don’t know how to spot the early signs of an internal IT security breach — or if we do see something suspicious, we’re conflicted about coming forward in case we wrongly accuse a colleague.

“Organisations need to create an environment where engaged bystanders can feel confident about reporting their concerns. This means regular and consistent education about potentially suspicious behaviour — and a commitment to developing processes and frameworks that allow potential worries to be reported in confidence.”

Insider Threat Awareness Month serves as a reminder that bad actors often lie closer to home. Adopting a zero-trust model that combines a strong cybersecurity culture, awareness training, technical controls and strict security protocols is the key to helping organisations bolster their defences and mitigate a wide range of insider threats.
