There’s a lot to keep track of when it comes to cybersecurity. Even small businesses need to take steps to protect themselves from data breaches, network outages, phishing, and ransomware. But evidence suggests you have as much—if not more—to worry about from a malicious insider. Malicious insiders present different security challenges than external bad actors. Let’s explore what these threats could mean and how you can protect your business.
What is a malicious insider?
Also known as an “insider threat,” a malicious insider is an employee, contractor, or other individual connected to your business who uses their authorized access or understanding of your business to harm it.
Malicious insiders are harder to spot than external cybercriminals. They often have legitimate access to your business’s data and systems, so it’s easy for them to blend in with the rest of your staff. If you run a very small business, chances are good it’s someone you trust. You might find it hard to believe that it is happening.
That’s why the 2020 Cost of Insider Threat Report by the Ponemon Institute found that it took an average of 77 days to find and stop malicious insider attacks. According to The State of Insider Threats 2021, almost 50% of businesses say that it is “impossible” or “very difficult” to stop an insider attack at its earliest stages before damage has been done. Only one-third say their organizations are “very” or “highly effective” in preventing sensitive information from leaking.
A data breach caused by an insider is significantly more costly for organizations than one by an external attacker. The Ponemon Institute study found that the global average cost of an insider threat was $11.45 million, whereas the average cost of a data breach was only $3.86 million.
Why malicious insiders do what they do
Why would an insider wish to do damage? Most commonly, it’s an employee who feels like they’ve been treated poorly. They may become estranged from, or disgruntled with, management, fellow employees, or both. Others are in it for profit and try to sell sensitive data to a competitor or other third party.
And there are even instances of malicious insiders acting as “moles”. They specifically seek employment at a company to steal data to sell on the Dark Web. These latter perpetrators are relatively rare, especially for small businesses.
What kinds of crimes do malicious insiders commit against small businesses?
Malicious insiders can do many things to disrupt or even destroy a small business. Imagine if your main order transaction system for your online store went down for five hours. Or if important financial records you needed for compliance purposes became lost or corrupted. The possibilities are endless. But most mischief from malicious insiders falls into three categories:
1. They steal data
Insiders are typically current employees who steal data they work with as part of their daily jobs. This could encompass anything from intellectual property (IP) to customer lists to other sensitive data. Usually, the intention is to sell it or use it to drive a new business opportunity or career path.
2. They use your IT environment against you
An IT professional or other tech-savvy individual can use technology to hurt a business by interrupting or disabling digital operations. They may introduce malware into the network or deliberately sabotage a transactional system or process to inflict punishment.
3. They commit fraud
Insider fraud happens when an unauthorized employee somehow manages to access or change your data. Usually, this data is used to commit identity theft using your customers’ or other employees’ information.
Signs that a malicious insider is at work
Malicious insiders seldom act on the spur of the moment. They plan their activities carefully instead of taking opportunistic actions. You can use this to your advantage. If you’re aware of the signs, you can try to stop an insider attack in its early stages before damage has been done.
Here are some specific technical things to watch out for:
Unexplained data downloads
The great thing about technology is that it can be tracked. In large businesses, you’d depend on IT to do this. Smaller businesses may have an IT person on staff. Or they may need to use an external consultant for their technical support. In either case, you need to assign someone to monitor your business’s typical network bandwidth use and downloading patterns. If data is suddenly being accessed from your onsite database or cloud data warehouses and copied onto desktop computers, laptops, or external hard drives, you probably have cause to be concerned.
Employees accessing—or trying to access—applications without proper authorization
You have any number of important applications that you depend on to run your business. You should limit access to your customer database and financial records to only those with a definite need. If you notice multiple attempts to sign onto these systems, take it seriously. If unauthorized persons get access to the sensitive information in those systems, they could hold the welfare of your business in their hands.
Excessive granting of access rights
You should only grant system administrative rights to trusted individuals. Among other rights you bestow on them, admins can give access privileges to anyone else they want. There are two things to be aware of here. First, malicious insiders don’t always work alone—sometimes they have coworkers who are collaborators. Second, be wary of who you trust. If you see an increase in the number of people who have elevated rights, they could be using those rights to sift through your systems looking for data to sell. Again, the hard part for small businesses is that the person or persons doing this are probably trusted. It can be difficult to believe a seemingly loyal employee or group of employees would be trying to hurt you or your business. Still, you must be vigilant when you see these signs.
Your employees probably log on and off at fairly predictable intervals day after day. If you suddenly see people logging in remotely when they’re usually in the office, or at unusual times, that could be a sign something is off. If there is a rash of failed authentications of users who are trying to log on, that is also a sign of trouble. Be aware of patterns—and when they are broken—at all times.
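To make the login-pattern signs above concrete, here is an added example (not part of the original article) that scans sign-in records for a login at an unusual hour, a login from a source the user has never used, and a rash of failed authentications. The log format, user names, and thresholds are assumptions made for illustration; adapt them to whatever your systems actually record.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events: timestamp, user, source, result.
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice office success
2024-03-05T08:57:40 alice office success
2024-03-06T09:10:03 alice office success
2024-03-07T02:14:55 alice remote success
2024-03-04T08:30:00 bob office success
2024-03-05T08:41:12 bob office success
2024-03-06T08:35:47 bob office failure
2024-03-06T08:36:02 bob office success
2024-03-07T23:01:10 carol remote failure
2024-03-07T23:01:25 carol remote failure
2024-03-07T23:01:41 carol remote failure
2024-03-07T23:02:03 carol remote failure
2024-03-07T23:02:30 carol remote failure
"""

def parse(log):
    for line in log.splitlines():
        ts, user, source, result = line.split()
        yield datetime.fromisoformat(ts), user, source, result

def hour_gap(a, b):
    d = abs(a - b)
    return min(d, 24 - d)  # clock distance: 23:00 and 01:00 are two hours apart

def find_anomalies(log, min_history=3, hour_slack=2, fail_limit=5, fail_window_s=300):
    history = defaultdict(list)   # user -> (hour, source) of earlier successful logins
    failures = defaultdict(list)  # user -> failure times still inside the window
    alerts = []
    for ts, user, source, result in sorted(parse(log)):
        if result == "failure":
            recent = [t for t in failures[user] if (ts - t).total_seconds() <= fail_window_s]
            failures[user] = recent + [ts]
            if len(failures[user]) == fail_limit:  # alert once, when the burst forms
                alerts.append((user, "failed-login burst", ts.isoformat()))
            continue
        past = history[user]
        if len(past) >= min_history:  # judge only users with an established pattern
            if all(hour_gap(ts.hour, h) > hour_slack for h, _ in past):
                alerts.append((user, "unusual hour", ts.isoformat()))
            if all(source != s for _, s in past):
                alerts.append((user, "new source", ts.isoformat()))
        past.append((ts.hour, source))
    return alerts
```

Calling `find_anomalies(SAMPLE_LOG)` flags alice's 2 a.m. remote login and carol's five failures in under two minutes, while bob's single mistyped password raises nothing.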
Best practices for fighting malicious insiders
The single most critical action to take to thwart malicious insider threats is to pay attention. No technology can substitute for continuous scrutiny of your network—and your intuition. If an employee is acting strangely or showing antagonism towards management or colleagues, take it seriously. And, of course, monitor your IT environment and protect it with the latest anti-malware, intrusion detection, and authentication tools.
Prioritize and protect valuable digital assets
Know what digital assets you have and where they are stored, whether on-premises or in the cloud. This includes IP, customer data, financial records, and any proprietary applications that are unique to your business. Only give employees access to the systems and data they need to do their jobs—and no more. Prioritize which assets are the most critical and protect them with the latest intrusion and authentication technologies.
Establish and enforce security policies
Require security training that lays out specifically what company policies are with respect to data and systems. Enforce those policies with no exceptions—employees need to perceive you are serious about them.
Nurture a compliant and transparent culture
This goes hand-in-hand with training and policy enforcement. The company must embrace a culture in which malicious insiders will not thrive. Promote openness and transparency. Sincerely attempt to promote employee satisfaction so no one is tempted to take advantage.
Conclusion: Don’t be paranoid, but they might be out to get you
Detecting a malicious insider can be challenging. It’s not just a technical issue, but a behavioral one as well. By identifying the early signs of an insider attack, you can detect malicious insiders before they cause damage to your business.
Although it can be demoralizing to think an employee of yours would be capable of betrayal—whether in anger, or for profit—it’s unfortunately a reality. By paying attention to hints that trouble is brewing, you can address problems in time to prevent disaster.