Preventing Insider Threats: What Does it Take to Guard Against Data Exfiltration?

Not all cybersecurity threats your business faces come from beyond your perimeter. One growing risk every enterprise must deal with is that of insider threats – those that originate from your own employees.

Whether due to negligence or malice, these issues can be particularly hard to defend against, as they can by their very nature bypass some of your key lines of defense. However, the damage they can do may be significant, especially if they are to successfully exfiltrate data from the business to put in the hands of criminals or competitors.

Recognizing and preventing these attacks therefore needs to be a key priority in any cybersecurity strategy. So what do you need to know to go about this?

According to the US government’s Cybersecurity and Infrastructure Security Agency (CISA), insider threats typically fall into two categories. These are unintentional threats – whether caused by accident or negligence – and intentional, or malicious, threats.

The Ponemon Institute’s 2022 Cost of Insider Threats Global Report estimates that just over half of incidents (56 percent) are the result of negligence. Meanwhile, a quarter (26 percent) come from criminal activity and the remainder are related to the use of stolen credentials.

Negligence can come in many forms, such as sharing and reusing passwords, losing laptops or mobile devices containing sensitive data, or even simply holding a door open for someone that allows a criminal access to a secure area. Malicious insiders, meanwhile, often have a grievance against their employer, and their motivation may either be personal financial gain, or just to get even with the business by doing damage.

Effective cybersecurity training and policy enforcement can help reduce the impact of careless behavior. For example, educating employees on how to spot phishing attacks reduces inadvertent sharing of information, while the ability to remotely wipe stolen devices is also helpful.

However, malicious insiders are harder to stop, as their suspicious actions are more likely to go unnoticed and they may find it easier to bypass company security.

Another growing issue that firms need to take into account is that criminal gangs are increasingly seeking to recruit privileged employees, either through bribery or blackmail, in order to grant them access to systems, or to exfiltrate data on their behalf. This may be especially hard to stop as they may lack the warning signs that other disgruntled insiders may have.

The financial costs of insider threat breaches can be high, especially when company data is successfully exfiltrated. According to the Ponemon Institute, the average global cost to remediate these threats is now $15.38 million a year. However, for firms in the US, the cost is even higher, at $17.53 million.

This includes expenses related directly to the theft or loss of mission-critical data, damage to equipment, the impact of any downtime on productivity, legal and regulatory costs and the reputational impact of such breaches.

The loss of private data such as trade secrets can be another serious consequence of insider threats. This can include people looking to take data to a new employer when they leave, or to sell to the highest bidder.

For example, in 2020, the FBI revealed details of a long-running incident at General Electric, where a disgruntled employee had downloaded and exfiltrated thousands of sensitive files. These included a mathematical model used to calibrate turbines in power plants that would have been extremely valuable to competitors and could have caused the firm to miss out on contracts.

Insider threats can also lead to ransomware attacks. Today’s attacks are often double extortion attacks, where hackers threaten to publicly release data unless they receive a ransom payment quickly. This often puts pressure on firms to pay up when they otherwise wouldn’t. Even if payments are paid, the public release of data – and the reputational damage that comes with it – remains a risk.

One of the best ways to counter insider threats is to make it harder for data to leave the business undetected. To this end, dedicated anti data exfiltration (ADX) tools are a hugely valuable asset. They differ from other solutions such as EDR since they monitor outbound traffic from your entire network, actively blocking any unauthorized attempts to remove data as they occur.

There are several factors within this. An ADX solution looks at details such as attempts to communicate with known hacking command and control centers, the use of unfamiliar or suspicious IP addresses, connections to servers in high-risk countries and unusual volumes of traffic being generated by processes where this is not expected.

This then allows firms to proactively and automatically block any transfer of data before it leaves the network, with no human input required. This therefore makes it much harder for malicious insiders to remove data and safeguards against accidental errors that could compromise sensitive information.

However, it’s always important to remember that there’s no one silver bullet to prevent cyberthreats. A good cybersecurity strategy needs to take a layered approach and assume that bad actors will always find a way, if they aren’t on the inside already. By making this assumption and focusing on preventing the data from leaving, a company’s most valuable asset is secured.

Learn more about the risks of data exfiltration and how you can prevent it.