Fight the good fight: Five strategies to manage insider threats

Fraud and Financial Crime


Omri Kletter

Jan 18, 2024

The cost of living wasn’t the only index rising in 2023. The increase in the cost of insider fraud actually made inflation look tame. According to IBM’s Cost of a Data Breach 2023 report, the average cost of a malicious insider attack was $4.9 million, which is a 9.6% increase over the $4.4 million attributed to other attack vectors, such as externally hacked customer information. 

Why? The causes of insider threats range from economic pressure to pandemic-inspired hybrid work arrangements. Neither is likely to ease in 2024, and it will be up to each individual company to craft a strategy to mitigate them. Insider threats are no longer a pandemic-related phenomenon and cannot be countered with 2020’s solutions. A recent FS Tech report shows that 71% of all companies want an integrated, holistic solution to fight insider threats, and it is this kind of approach that will enable companies to distinguish between accidental and malicious threats and mitigate the damage from them.

That integrated solution mixes technology, analytics and proactive scenario planning. It can be broken down into five specific strategies, outlined here: 

Technology: Companies have three choices when it comes to insider threat management technology. The first is checking the log files that show every interaction an employee has during a business day. The problem here is that management needs to be tipped off about suspicious behavior first, which leads to time-consuming analysis of log files; and if the suspicions are correct, the logs may only show that a crime has already been committed. The second is going without: the absence of technology can lead to a culture of fear in which suspicion wins out over evidence. The third is technology that can sense suspicious behavior (such as unauthorized access to core payments or information platforms) and alert the right personnel. Today’s innovative technology can give companies evidence of potential insider threats by integrating user behavior at the application level. This “record and replay” integration lives within a company’s ecosystem, which can span multiple lifecycles, platforms and applications. In 2023, insider threats were managed via a solution-based approach; 2024 will be about the company’s ecosystem and will favor interoperability over invasive tactics.

Cloud agility: Building on the interoperability theme, data lives in cloud-based ecosystems as well as in on-premises data warehouses. Insider threat management needs to evolve with the cloud, and the solution a company chooses needs to work in both environments. Cloud-based applications give users access to data and resources from anywhere, which increases the potential for unauthorized access or misuse of data by insiders. It is crucial to implement strict access controls, monitoring, and user activity alerts to mitigate these risks. Cloud environments can also complicate the investigation of insider incidents, because the company has no physical control over the hardware and may have only limited access to logs and data. Planning for incident response in the cloud, and understanding what role technology plays in detection, defense and investigation, is essential.

Data and behavioral analytics: One of the beauties of application-level insider threat management technology is that even when there is no suspicious activity to detect, the solution still generates data, and that data should feed an easy-to-consume dashboard. How many employees changed their contact information? How many requested file access that they would not have been authorized for in the past? Each series of actions should be visible through an advanced analytics engine, or the solution should route the security team to data lakes or third-party analytics. The solution should then tailor its analytics to identify unauthorized changes to client data, employee policy violations (snooping), and more.

Enterprise case management: If the technology or employee report indicates insider threats are active and malicious, the company needs ready access to the information that will stop it and instigate an investigation. The FS Tech report shows that only 29% of respondents had the information required to investigate insider threats, with 26% saying they had some of the needed data. More concerning is that 45% either don’t have the information or have gaps in said information. A solid enterprise case management system – one that coordinates all the technology and data necessary to detect and investigate insider threats in one system – can consolidate that information. 

Here, a use case can illustrate the point. The Delaware Criminal Justice Information System (DELJIS) agency facilitates the electronic sharing of information among all participating agencies, including case information from initial contact to case-closing events (i.e. arrest data, motor vehicle and license data, crime incident data). The information maintained by CJIS is highly sensitive, and there are many cases that require the ability to reconstruct user actions in order to find what exact data was accessed by a specific user. In addition, it is necessary to know, beyond a “reasonable doubt,” that no one else would have accessed the same information within the timeframe in question. If an incident needed investigation, the investigation team had to plough through mountains of paper logs. Depending on the type of search requested, one second of case activity could be represented by one box full of paper. The investigation process had significant shortcomings. It was manual and labour-intensive, leaving room for errors and long turnaround times.

DELJIS turned to a “record and replay” application-level solution that reconstructs end-user sessions and allows investigators to quickly search for user sessions based on any field value that appeared on any user screen. Investigators can now visually replay user sessions, screen by screen. The patented technology tracks user behavior patterns at the application screen level and can build profiles of users and user groups. The analytics engine generates alerts on suspicious events in real time. An event may be considered suspicious if the current activity of an end-user is different from their usual behaviour in the past, or if their actions are different from their peers in the same department, or from peers with similar roles.
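As an added illustration of the two baselines this section and the analytics passage above describe (a user's own past behaviour and same-department peers), the script below scores constructed application-level session counts and flags the sessions that stand out. It is example code, not Bottomline's or DELJIS's; the field layout, thresholds and sample values are assumptions.

```python
# Added example (not Bottomline's or DELJIS's code): flag application-level
# sessions that deviate from a user's own history or from department peers.
from statistics import mean, pstdev

# Constructed sample: (day, user, department, records_viewed) per session.
SESSIONS = [
    (day, user, dept, n)
    for user, dept, history in [
        ("alice", "records", [40, 45, 38, 42, 44, 41, 39]),
        ("bob",   "records", [35, 37, 40, 36, 38, 35, 39]),
        ("carol", "records", [42, 41, 43, 40, 44, 42, 310]),  # spike on day 7
        ("dave",  "records", [30, 33, 31, 32, 30, 34, 33]),
    ]
    for day, n in enumerate(history, start=1)
]

def zscore(value, history):
    """Standard score of value against a list of comparison observations."""
    if len(history) < 2:
        return 0.0  # too little history to judge: treat as in-profile
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd

def flag_sessions(sessions, day, self_threshold=3.0, peer_threshold=3.0):
    """Return [(user, reason)] for sessions on `day` whose volume exceeds the
    user's earlier days (self baseline) or same-department peers on that day
    (peer baseline). Only upward deviations are flagged: excess access is the
    snooping signal this page discusses."""
    own = {}      # user -> counts from days before `day`
    today = []    # (user, dept, n) on `day`
    for d, user, dept, n in sessions:
        if d < day:
            own.setdefault(user, []).append(n)
        elif d == day:
            today.append((user, dept, n))
    flags = []
    for user, dept, n in today:
        z_self = zscore(n, own.get(user, []))
        peers = [x for u, dd, x in today if dd == dept and u != user]
        z_peer = zscore(n, peers)
        if z_self > self_threshold:
            flags.append((user, f"self z={z_self:.1f}"))
        elif z_peer > peer_threshold:  # e.g. a user with no history yet
            flags.append((user, f"peer z={z_peer:.1f}"))
    return flags

if __name__ == "__main__":
    for day in range(1, 8):
        print(day, flag_sessions(SESSIONS, day))
```

A new user with no history is only caught by the peer baseline, which is why both comparisons are kept; in production the thresholds and window would be tuned per department.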

Personas and scenario planning: When the pandemic first took hold and insider fraud started climbing, analysts and investigators leaned on the Cressey Fraud Triangle methodology to help predict the profiles of potential malicious actors. The triangle sets out three reasons an employee would turn toward insider fraud: pressure, opportunity and rationale. It worked for a time, but then it became apparent that even senior executives were becoming problematic employees. Even so, creating the right profiling, risk indicators, and anomaly detection is critical for identifying potential insider fraud threats. Behavioural analytics and technology help weed out false positives and fine-tune out-of-the-box profiling without invading employee privacy.

There are other factors that can add up to innovative and secure insider threat management. These five, however, are essential to helping companies lock down their core systems and avoid the financial and reputational damage that insider threats can produce. Because no one wants to see a $4.9 million hit in 2024. 


Posted by

Omri Kletter

Omri Kletter is the Global VP, CFRM at Bottomline. Previously, Omri led fraud and authentication solutions in the EMEA region for NICE Actimize. He began his career in Israel’s elite technological intelligence army unit, where he served as the Head of the Global Counter-Terrorism section.
