Web applications offer powerful workforce efficiencies, but they are not without their risks. Misconfiguration of web applications can open the door to insider abuse or misuse, throwing sensitive company data and employee privacy into jeopardy.
The DTEX i³ team, which provides insider risk services and publishes regular insider risk research, has identified several high-risk vulnerabilities across more than a dozen web application categories, including workplace monitoring and employee rewards programs.
In response to the findings, which are based on hundreds of customer risk assessments conducted globally throughout 2023, the DTEX i³ team has issued a Threat Advisory which includes operational scenarios observed by the i³ team and specific actions to mitigate the risks associated with unauthorized access.
The Dangers of Unauthorized Access
The 2023 Cost of Insider Risks Global Report found that malicious insiders account for 25% of all insider-related security incidents. While less common than non-malicious insider incidents (i.e., outsmarted or negligent cases), malicious insider incidents carry the highest cost, averaging $701,500 per incident.
What makes malicious insiders (i.e., those who abuse their data access for harmful or illegal activities) so insidious is that they are often difficult to detect. After all, they are entrusted with handling sensitive data. This includes intellectual property, corporate financial data, source code, personally identifiable information, and everything in between.
The second operational scenario, outlined in the Threat Advisory, paints a scary picture of the type of data that can be accessed without authority just through the misconfiguration of a workplace monitoring application. In the described scenario, it was possible to view locations, employee attributes, work projects and physical security controls. As the saying goes, a picture is worth a thousand words. The same rings true with workforce monitoring video feeds.
“For a motivated insider, the camera feed would provide ample information to plan an attack, from espionage to IP and PII theft” – DTEX i³.
Early Risk Detection Triumphs Over Incident Response
The latest i³ Threat Advisory provides actionable insights for insider risk practitioners on how to detect and prevent the risks associated with unauthorized access to web applications before vulnerability abuse occurs.
Regular security risk assessments and ongoing monitoring can play a key role in early insider risk detection, affording a proactive approach to insider risk management.
Read the DTEX i³ Threat Advisory: Insecure Web Apps Creating High Risk for Insider Abuse for the complete list of web application categories vulnerable to exploitation, and recommendations for early mitigation.