SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

The insider threat: Why Australian businesses are most vulnerable from within

Wed, 25th Sep 2024

In light of recent and all-too-regular headlines, even those with a keen interest in cybersecurity could be forgiven for thinking external threats are the root cause of all problems.

Whether it's nation-state actors targeting Australian government and private sector networks or hackers holding healthcare providers to ransom, there's no doubt our businesses and institutions are under attack from all angles.

But while government-backed groups and criminal masterminds make for a great story, they are just one aspect of the problem.

In reality, almost all companies are more likely to fall victim to a threat actor from inside their organisation. A 2022 study conducted by Proofpoint found that 67% of companies globally experience 21 or more insider-related incidents per year, up from 60% in 2020 and 53% in 2018. Organisations around the world now spend an average of US $15.38 million a year resolving insider threats.

Whether careless, malicious or compromised, insiders have access to our data and are walking out the door with it. In this environment, defending the perimeter alone is futile. As the urban legend warned us long ago, the call is coming from inside the house.

The people putting your business at risk

In today's world, sensitive information and vital credentials are slipping past traditional security barriers in droves. In fact, almost 40% of Australian security leaders dealt with material data loss in 2024.

How this privileged data escapes may surprise you: organisations' own employees, the "insiders", are taking it with them. This is a human-centric problem, and looking only at the content being moved fails to address it. Defending data and addressing insider risk requires context: an understanding of the content (the data itself), combined with the behaviour of the people handling it and threat intelligence about who is targeting them.

The insiders driving this increasingly costly issue can be grouped into three categories.

Careless or negligent insiders are the biggest cause for concern among CISOs, with more than two-thirds of Australian CISOs (69%) considering this group their most significant vulnerability.

They are right to be worried. Careless insiders are the most common source of insider incidents, costing businesses an average of US $484,931 per incident. Unfortunately for those defending against them, the careless insider's lack of intent makes them much harder to detect. Most such incidents arise from poor security hygiene, such as weak credentials or an errant click on a malicious link or attachment.

However, while their mistakes may be minor, the consequences can be anything but. In February, Football Australia was found to have accidentally exposed players' personal information for 681 days, giving public access to more than 100 storage buckets of data, including players' personal documents and contracts.

Malicious or criminal insiders are behind around a quarter (26%) of all incidents, costing organisations an average of US $648,000 on each occasion. As malicious insiders may have privileged network access and actively cover their tracks, defending against them is even more of a challenge.

Those in this category can take many forms. They may have been incentivised by criminals to steal or leak data or act out of frustration or malice towards the business for personal reasons.

One of the main culprits, however, is the job leaver. Of the 39% of Australian CISOs that dealt with data loss in 2024, three in four (77%) believe employees leaving their organisation contributed to the incident.

Once again, their assessments appear to be correct. Proofpoint global data suggests that as much as 87% of anomalous file exfiltration could be caused by departing staff members.

That said, out-and-out malice and financial gain cannot be overlooked, as the Australian National Maritime Museum (ANMM) knows all too well. In 2022, an IT support contractor allegedly diverted an estimated total of $90,000 from the ANMM after changing the bank account details stored in the museum's system to his own.

He was caught and arrested, but not before several of ANMM's customers suffered financial losses.

Compromised insiders are the last group on the list. These threats, while the least common globally (they account for 18% of incidents), are the costliest, at an average of US $804,997 per credential theft incident. They occur when a cybercriminal gains control of a legitimate user's account, often via social engineering or credentials exposed in a data breach.

In most cases, compromise occurs in the inbox where unwitting victims are lured into entering or sharing their passwords and login details.

While compromise is usually caused by carelessness, what happens next sets the two distinct categories apart. With credentials secured, threat actors are free to access company networks, escalate privileges, drop payloads and exfiltrate data.

Perhaps most concerning of all, a single compromised user can put an entire organisation's data at risk. In 2023, a hospital in Melbourne lost the data of 192 patients to a cyber-attack after cybercriminals gained access to the private email account of a staff member. The employee had been forwarding work emails to that private account to review and co-ordinate patient appointments, so the breach of a personal mailbox outside the hospital's control became a breach of patient data.
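A check a mail administrator could run to surface this practice before a personal mailbox is compromised, offered here as an added example rather than anything from the article or from the hospital involved: it scans a message-trace extract for messages forwarded from the corporate domain to consumer webmail providers and returns the senders who do so repeatedly. The domain names, trace records and threshold are constructed assumptions.

```python
"""Added example: flag staff who repeatedly forward work email to consumer
webmail accounts. Domains, trace lines and threshold are constructed."""
from collections import Counter

# Hypothetical corporate domain and a deliberately short list of consumer
# webmail domains; extend the set for real use.
CORP_DOMAIN = "hospital.example"
CONSUMER_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# Constructed message-trace extract, one tab-separated record per line:
# <timestamp> <sender> <recipient> <subject>. The last line is deliberately
# malformed to show that the parser skips it.
TRACE = """\
2023-03-01T07:55:00\tj.smith@hospital.example\tclinic-scheduling@hospital.example\tRE: Tuesday list
2023-03-01T18:02:00\tj.smith@hospital.example\tjsmith.home@gmail.com\tFW: Tuesday list
2023-03-01T18:03:00\tj.smith@hospital.example\tjsmith.home@gmail.com\tFW: Patient appointment changes
2023-03-02T17:45:00\tj.smith@hospital.example\tjsmith.home@gmail.com\tFwd: Theatre roster
2023-03-02T09:00:00\ta.lee@hospital.example\treferrals@partner-clinic.example\tReferral 4471
2023-03-02T12:30:00\ta.lee@hospital.example\talee@outlook.com\tFW: lunch menu
malformed line that the parser must skip
"""


def domain_of(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    _, at, domain = address.rpartition("@")
    return domain.lower() if at else ""


def is_forward(subject):
    """Treat the usual client-added prefixes as a forwarded message."""
    return subject.strip().lower().startswith(("fw:", "fwd:"))


def parse_trace(text):
    """Yield (timestamp, sender, recipient, subject); skip malformed records."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        yield tuple(parts)


def external_forwards(text, corp_domain=CORP_DOMAIN):
    """Count, per corporate sender, forwards delivered to consumer webmail."""
    counts = Counter()
    for _, sender, recipient, subject in parse_trace(text):
        if (domain_of(sender) == corp_domain
                and domain_of(recipient) in CONSUMER_WEBMAIL
                and is_forward(subject)):
            counts[sender.lower()] += 1
    return counts


def flag_senders(text, threshold=2):
    """Senders at or above the threshold, sorted for stable output.
    A single forward to a personal account may be a one-off; a repeated
    pattern is the signal worth a conversation with the employee."""
    return sorted(user for user, n in external_forwards(text).items() if n >= threshold)


if __name__ == "__main__":
    for user, n in external_forwards(TRACE).most_common():
        print(f"{user}: {n} forward(s) to consumer webmail")
    print("flagged:", flag_senders(TRACE))
```

Against the constructed trace, j.smith is flagged (three forwards) while a.lee's single lunch-menu forward is not. In production the input would be a message-trace export from the mail platform, and a mailbox-rule audit for automatic forwarding to the same domains is the natural companion check.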

Defending from the inside out
Just as an insider's motives shape their methods, each category requires a tailored defence. A malicious insider, for example, will simply ignore or circumvent controls put in place to deter negligence.

However, in all cases, visibility and awareness are key. This starts by understanding who is putting your organisation at the most risk. This will include those with higher privileges and access to sensitive data, those who fail or score poorly on cybersecurity training modules and anyone with a history of disciplinary action or grievances against your company.

Once these users have been identified, you can put controls where they are needed most. This could be advanced email filtering to block social engineering lures before they hit the inbox or AI-powered tools to detect unauthorised file transfers or high-risk keywords.
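The two steps above (rank the users who carry the most risk, then put detection where they are) can be combined into a single scoring rule. The following Python is an added example, not code from the article or from any vendor's product: it weights each user by the risk factors named above (privilege, poor training scores, grievances, and departing staff, whom the exfiltration statistics earlier single out), then compares the latest day's outbound transfers to external destinations against that user's own earlier days. Every user, domain and log line is constructed, and the weights and thresholds are arbitrary assumptions to be tuned to your environment.

```python
"""Added example: risk-weighted detection of anomalous outbound transfers.
Users, attributes, domains, log lines, weights and thresholds are all
constructed assumptions, not data from the article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Hypothetical HR/IAM attributes: the markers of the riskiest users.
USERS = {
    "alice": {"privileged": True,  "training_score": 92, "grievance": False, "leaving": False},
    "bob":   {"privileged": False, "training_score": 45, "grievance": True,  "leaving": True},
    "carol": {"privileged": True,  "training_score": 88, "grievance": False, "leaving": True},
}

# Destinations inside the organisation; anything else counts as external.
INTERNAL_DOMAINS = {"fileserver.corp.example", "sharepoint.corp.example"}

# Constructed transfer log: "<ISO timestamp> <user> <bytes> <destination>".
# dave has no history and no HR record; the last line is malformed on purpose.
LOG = """\
2024-09-01T09:10:00 alice 5000000 partner.example
2024-09-02T10:05:00 alice 5200000 partner.example
2024-09-03T11:00:00 alice 4800000 partner.example
2024-09-04T09:30:00 alice 6000000 partner.example
2024-09-04T09:45:00 alice 90000000 fileserver.corp.example
2024-09-01T08:00:00 bob 1000000 partner.example
2024-09-02T08:10:00 bob 1000000 partner.example
2024-09-03T08:20:00 bob 1000000 partner.example
2024-09-04T18:40:00 bob 2500000 personal-drive.example
2024-09-01T13:00:00 carol 2000000 partner.example
2024-09-02T13:00:00 carol 2000000 partner.example
2024-09-03T13:00:00 carol 2000000 partner.example
2024-09-04T22:15:00 carol 40000000 personal-drive.example
2024-09-04T10:00:00 dave 3000000 personal-drive.example
not-a-timestamp mallory 1 somewhere.example
"""


def risk_weight(attrs):
    """Static multiplier from the user's risk factors (weights are assumptions).
    Departing staff get the largest bump; unknown users default to 1.0."""
    weight = 1.0
    if attrs.get("privileged"):
        weight += 1.0
    if attrs.get("training_score", 100) < 60:
        weight += 0.5
    if attrs.get("grievance"):
        weight += 0.5
    if attrs.get("leaving"):
        weight += 1.5
    return weight


def parse_log(text):
    """Yield (day, user, bytes, destination); skip malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, nbytes, dest = parts
        try:
            yield datetime.fromisoformat(ts).date(), user, int(nbytes), dest
        except ValueError:
            continue


def daily_external_bytes(text):
    """user -> {day: bytes sent to destinations outside the organisation}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes, dest in parse_log(text):
        if dest not in INTERNAL_DOMAINS:
            totals[user][day] += nbytes
    return totals


def detect(text, users=USERS, score_threshold=4.0, absolute_cap=25_000_000):
    """Score each user's latest day against their own earlier days:
    score = (latest-day bytes / mean of earlier days) * risk_weight.
    A user with no earlier days has no baseline, so only the absolute cap
    applies to them (no division by zero, no spurious alert).
    Returns findings sorted by score, highest first."""
    findings = []
    for user, per_day in daily_external_bytes(text).items():
        days = sorted(per_day)
        latest = per_day[days[-1]]
        baseline = [per_day[d] for d in days[:-1]]
        weight = risk_weight(users.get(user, {}))
        if not baseline:
            if latest >= absolute_cap:
                findings.append({"user": user, "score": float("inf"),
                                 "reason": "no baseline; above absolute cap"})
            continue
        score = round(latest / max(mean(baseline), 1) * weight, 2)
        if score >= score_threshold or latest >= absolute_cap:
            reason = "above absolute cap" if latest >= absolute_cap else "anomalous vs own baseline"
            findings.append({"user": user, "score": score, "reason": reason})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in detect(LOG):
        print(f"{f['user']}: score {f['score']} ({f['reason']})")
```

On the constructed log, carol (privileged, leaving, 20x her usual volume to a personal drive) scores highest, bob (poor training score, grievance, leaving) is flagged on a modest 2.5x spike that the risk weight amplifies, and alice's large internal copy is ignored because the destination is inside the organisation. The per-user baseline is what keeps a busy but normal privileged user from drowning the queue; the absolute cap catches a first-day bulk upload from someone with no history.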

Whatever protections you put in place, security awareness is the bedrock. In almost all cases, careless and compromised insiders are unaware of their vulnerability. Even those taking data to another employer may understand the moral issue while being oblivious to the associated risks.

A comprehensive security education programme must be in place to remind every one of your employees of their responsibilities. As awareness rises, behaviour changes. And as long as people are involved, behavioural change is as powerful a cyber defence as any tool or technology.
