Insider Risk Insights - DTEX Blog

How Edward Snowden made us think about and forget the Insider Threat

Five years ago, the news media went into a frenzy after The Guardian revealed details about National Security Agency (NSA) surveillance activities. The news was based on classified documents that former NSA IT contractor Edward Snowden stole while he had privileged access to NSA systems and data. It provided clarity on exactly how powerful the NSA’s information collecting machine was. It also gave new life to the insider threat.

As the insider threat poster child, Snowden forced public and private sector organizations to take a hard look at how they are defending themselves against malicious actors that hold positions of trust inside of their firewalls. His actions also gave rise to waves of research revealing just how much damage malicious insiders cause.

Most recently, the Ponemon Institute released a report showing that malicious insiders cost businesses just over $700,000 per incident. The Verizon 2018 Data Breach Investigations Report (DBIR) revealed finding after finding about how malicious insiders are impacting security. Our own 2018 Insider Threat Intelligence Report reveals that malicious insiders are responsible for security bypasses, high-risk application usage, and credential misuse.

Snowden illuminated how nefarious employees and contractors operate. He also cast a shadow over an additional class of insider threat made up of privileged users, including employees, contractors, partners and executives, who operate with their organizations’ best interests in mind. Since Snowden, this trusted insider segment has gone underappreciated with respect to the risk it is driving and the resources it deserves.

The aforementioned Ponemon report revealed that trusted insiders are costing companies more than $280,000 in damages for every incident they are involved in. Our annual report revealed numerous instances of trusted insiders exposing sensitive data on the open web, engaging in unsafe personal email usage on company machines, and transferring sensitive data on unauthorized USB sticks. The IBM X-Force Threat Intelligence Index 2018 revealed that trusted insiders, which it refers to as “inadvertent insiders,” are responsible for exposing more than 2 billion records and causing 20 percent of reported security incidents.

We should not lose focus on malicious insiders. Snowden, Chelsea Manning, and the Waymo v. Uber case demonstrate that the malicious insider threat is alive and well. But we do have to start paying more attention to our trusted insiders. Although not regarded as worthy of being made the focus of Hollywood blockbusters, this segment of our workforce is responsible for creating situations that are costing businesses millions annually. In some cases, trusted insiders have made non-malicious errors that changed world history. In the case of the Hillary Clinton for President campaign, a seemingly harmless phishing email created challenges that the campaign says contributed to its loss. Remember the United States Office of Personnel Management (OPM) breach? Many security experts have speculated that phishing emails that fooled trusted insiders played a part.

There are steps your organization can take that will help to stop your trusted insiders from making costly mistakes and from walking, or rather clicking, into traps.

Start by gaining visibility over user behaviors taking place in your environment. You don’t have to implement intrusive monitoring practices that amount to Big Brother-style surveillance. There are technologies available, including our platform, that will allow you to gather the intelligence needed to identify suspicious trends that indicate when a trusted insider may be going off the rails or under attack.

Make sure you have an early-warning system in place. Tools that sound alarms when suspicious behaviors occur are key, but there are some caveats. Many times, alarms end up being false positives. Effective early-warning alerts must be powered by technologies that understand behavioral context and that know the difference between what’s normal and suspicious.

Take steps to educate your trusted insiders. If you want to shield users against attacks and their own mistakes, you need to invest in tools and programs that provide security and scam education. Research shows that humans can reduce vulnerability rates to attacks and scams by close to 90 percent when they receive training.

Make sure you are providing your users with the information needed to avoid making mistakes. To further protect trusted insiders, invest in alerts that let them know when they are about to engage with risky apps, click on questionable links, open risky emails, or transfer data insecurely.

Be transparent about how your organization is using technology to defend employees. Being open about how you are actively safeguarding company assets and how you want to work with trusted insiders to improve security will show that you are committed to a working relationship based on mutual trust and respect.