Internal threats 101: What they are and how to avoid them

We’ve warned you before that half of all small to midsize businesses have endured at least one cyberattack. But did you know that “the biggest cybersecurity threats are inside your company?”

That’s an eye-opening claim from a 2016 report by the Harvard Business Review. It’s also backed by data from IBM’s 2016 Cyber Security Intelligence Index. According to that report, some “60% of all attacks were carried out by insiders,” with 75 percent of those coming from malicious actors. (The rest were inadvertent—which is better but still bad.)

What’s more, these internal threats can be particularly harmful. A 2017 article from Tripwire stated that “53 percent of companies estimate remediation costs of $100,000 and more, with 12 percent estimating a cost of more than $1 million.”

Ouch.

On top of that, insider threats can go undetected for years on end. And guilt in such cases is really difficult to establish. It’s little wonder why an estimated “74 percent of companies feel that they are vulnerable to insider threats,” and a whopping 7 percent classify their vulnerability as “extreme.”

The conclusion?

While it’s critical to defend against external cybersecurity threats (and they are, generally speaking, more widely sensationalized), internal threats are just as important to catch. Today, we’ll be giving you a leg up by delving into what constitutes an internal threat and how you can mitigate the risks.

Just what is an internal threat?

For a straightforward definition, we turn to SecureList:

“Internal threats include any harmful actions with data that violate at least one of the fundamental principles of information security (integrity, availability, and confidentiality) and originate from within a company’s information system.”

Easy enough to comprehend, but classifying internal threats goes even deeper. According to CSO, internal vulnerabilities come in three main flavors: accidental, negligent and malicious. Those first two have a degree of overlap, as there’s no ill will on the part of the employees who are responsible.

Accidental threats arise when employees aren’t well-educated on proper protocol (and, by extension, open your company to maladies like ransomware and phishing schemes). Negligent threats occur when employees understand the protocols but willfully ignore them in favor of completing a task the “easy way.”

Malicious threats, on the other hand, are a whole different ballgame.

The offending employee might be holding a grudge. They might have been paid off. Whatever the case, malicious instances are categorized by employees within your company who wish to intentionally cause damage. Those employees use their knowledge of your systems to further their less-than-well-intended goals.

How to guard against internal threats

The strategies you employ for mitigating internal threat risk will vary based on the types of danger we listed above.

For accidental and negligent threats, education and enforcement are key. As EY so succinctly put it, “education is prevention.” Getting employees up to speed is a great way to cut down on the mistakes that can put your organization in a cybersecurity predicament.

A solid IT support team can help with educational efforts. Combine that with a no-nonsense policy that reminds employees that cybersecurity rules are not to be taken lightly. That’s how to deal with a sizable portion of the internal risks your company faces.

Malicious threats require a different approach.

Preventing these are where background checks, employee monitoring and restricted access to various systems will benefit your overall preparedness. Again, leveraging IT pros to formulate a strategy will grant you significant benefit.

With the right methodologies in place, your vulnerability will diminish drastically.