Tackling the insider threat to the new hybrid workplace

0 Comments

Now that organizations are set to evolve a hybrid blend of home and office-based work for most employees, it is more important then ever to address the risks that insider threat can – willingly or unwitingly – pose.

The old adage “a chain is only as strong as its weakest link” is regularly repurposed for discussions about cybersecurity. It couldn’t be more apt—except in cyber-arena, each link is represented by an individual employee. That makes a lot of potential weak points for attackers to probe. And they do, relentlessly. Unfortunately, the switch to mass remote working during the course of the pandemic turned a long-running problem into an even bigger challenge for cybersecurity teams.  

Now that organizations are set to evolve a hybrid blend of home and office-based work for most employees, this is a challenge that can’t be ignored any longer. The stakes are simply too high. 

The scale of the insider threat 

Although malicious insiders are a growing issue, the bigger problem relates to negligent or careless employees. Humans are the ones that click on links, set passwords, configure IT systems and code software. They are naturally error-prone and can be manipulated by social engineering. So, naturally they represent a prime cyber-risk for organizations and a major opportunity for threat actors. In a hypothetical world free of human-made mistakes, it’s difficult to imagine a cybersecurity industry worth the estimated US$156 billion it is today.  

How does human error contribute to security risk? A few statistics are worth highlighting. 

  • Some 85 percent of breaches involved a human element last year, according to Verizon 
  • Nearly 19 percent of breaches involved “miscellaneous errors” 
  • Around 35 percent of breaches featured social engineering 
  • Phishing attacks increased 11 percent from 2020-21 
  • Nearly US$2 billion was lost last year to Business Email Compromise (BEC) attacks in which users are tricked into wiring corporate funds to fraudster 
  • Missing devices represent a major but unquantified threat. Over 1,000 were lost or stolen from UK government departments alone in 2020.

The financial impact of such threats is debated. However, one estimate claims that an insider breach on average cost global organizations nearly US$11.5 million in 2019, up by 31 percent on 2017 figures. 

How threat actors are targeting remote workers 

With the pandemic came new opportunities to target employees. Almost overnight, organizations shifted from centralized IT systems secured with proven policies, processes and technology to a distributed workforce. Employees were not only using potentially insecure home networks and devices, but may also have been more distracted by home life, especially those with childcare commitments. Even those without suffered by being more isolated, making it harder to quickly sanity check suspicious emails with colleagues or IT staff. 

Stress also played a potentially key role here, increasing insider risk. According to an ESET report produced last year with business psychology specialist The Myers-Briggs Company, 47 percent of respondents were somewhat or very concerned about their ability to manage stress during the crisis. Stressed employees may be more likely to panic and click on a malicious link, or fail to report a potential breach to IT, the report warned. Long working hours may have a similar effect. Official data from the UK’s Office of National Statistics revealed that home workers were at their desks for on average five hours longer than office-bound colleagues in 2020. 

The ESET report had more concerning findings including: 

  • CISOs reported a 63 percent increase in cybercrime since lockdowns began  
  • Although 80 percent of respondents had a remote working strategy in place, only a quarter said it was effective  
  • Around 80 percent said that increase cyber-risk caused by human factors is a challenge 
  • 80 percent of companies said that an increased cybersecurity risk caused by human factors posed some sort of challenge 

Alongside phishing, other hybrid working threats including: 

  • RDP hijacking, which is used increasingly by ransomware actors. This is facilitated by weak or previously breached credentials 
  • Unpatched systems (eg VPNs, laptops) 
  • WiFi and/or smart home devices without strong passwords 
  • Use of shared devices, where employees’ house mates or children visit risky sites and unwittingly download potentially malicious software 

How to secure the hybrid workplace 

With a partial return to the office, hopefully some of these challenges will recede. Less stress and isolation may positively impact risk reduction efforts. But there’s also the potential for staff to bring bad habits learned during the crisis back into work—along with any malware hiding on devices. The ferrying of laptops back and forth between home and work may also increase the risk of lost or stolen devices. 

However, there are things that security teams can do to minimize the risks associated with the new hybrid workplace. These include: 

  • Mandating use of multi-factor authentication (MFA) for all accounts and devices 
  • Policies to require automatic updates be switched on for all devices 
  • Strong passwords for all home devices including routers 
  • Psychometric testing to help identify where human weaknesses exist. This intel could be used to develop better security protocols and making training more personalized and effective 
  • Strict vetting/auditing of suppliers and their capabilities for mitigating insider threats 
  • Data loss prevention tools
  • Network segmentation  
  • Restricting access rights to least privilege principle 
  • Zero Trust approaches to limit the damage that can be caused by insider incidents 
  • Modifying working culture so those at home don’t burn out. 

Insider risk management is all about trying to protect your weakest link from compromise. With best practice policies and processes supported by the right technology, there is hope for a more secure hybrid workplace.