I recently had the pleasure of listening to Jenny Radcliffe speak at the PCI Community Meeting in Portland, Oregon. Jenny is known worldwide as the “People Hacker,” practicing the art of social engineering. Jenny defines social engineering as “a no-tech mixture of psychology, con-artistry, cunning and guile” that aims to manipulate “human factors to gain unauthorized access to resources and assets. It’s the active weaponization of your human vulnerabilities, behaviors, and errors.” During her presentation, she highlighted the perception that people are our weakest link.
The term “insider threat” refers to the threat to network and data security that users with legitimate access can represent. These insiders can knowingly or unknowingly take actions that compromise digital resources and assets. It’s important to recognize that insiders do not always have malicious intent. An unintentional action can cause just as much damage as one with nefarious purposes. According to the 2023 Insider Threat Report by Cyber Security Insiders, 74% of organizations are at least moderately vulnerable to an insider threat.
Additionally, the insider who poses a threat doesn’t have to be an employee. Any third-party partner with insider access, such as contractors, consultants, and IT service providers, could create risks to an organization's networks and data.
Types of Insider Threats
In general, people with access to your network pose threats for one of three reasons:
- Malicious intent: These insiders are employees or other verified users who are looking for ways to steal data or disrupt operations. Motives can vary. Some are looking to sell information; some may be looking to use it to advance their careers or cause harm to the organization or another employee. Although this may seem to be the scariest form of insider threat, malicious insiders are only responsible for about 14% of insider threat-related incidents.
- Negligence: The most impactful form of insider threat is negligence, accounting for nearly 62% of incidents. These are people who know the policies and best practices but don’t carefully follow them. They can create vulnerabilities that make it easier for those with malicious intent to steal data or compromise the organization.
- Inadequate training: New employees who have access to sensitive information or networks but are not yet trained in security best practices also represent a risk. The first six months are critical, according to research from CybeReady. During this time, most employees are receiving general on-the-job training on how to do their jobs and, for example, are up to 50 percent more likely to click on phishing emails than their colleagues who have been with the organization for 6-12 months.
A Growing, but Preventable, Problem
The cost of insider threat incidents has grown by 76 percent in the last four years, according to a study by Ponemon. The average cost of these incidents for North American organizations is now $17.53 million.
However, there are measures you can take to mitigate the possible harm from insider threats:
- Access Control
Ensure employees only have access to the information they need and are properly trained. Use multifactor authentication so that only authorized people can log in; a credential that an employee or authorized third party inadvertently hands to a hacker is then not, on its own, enough to get onto your network.
- Monitor Activity
Monitoring systems will alert security personnel to unusual data transfers or abnormal patterns of activity, giving them time to intervene before data loss or theft.
- Background Checks
Perform checks not only on employees but all contractors and vendors who will have access to sensitive data. This can help you identify and stop security risks proactively.
- Awareness Training
Conduct training early and often to minimize the threat of both negligent and uneducated employees.
- Maintain PCI Compliance
PCI security standards help organizations ensure that they are taking measures to protect cardholder data from threats, both external and internal.
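To make the “Monitor Activity” point concrete, here is a small detector, added as an example for this post (it is not code from the post or from any product mentioned in it). It baselines each user’s daily outbound data volume from an audit log and flags a day that is both several standard deviations above and a large multiple of that user’s own baseline, and separately flags activity outside working hours. The log lines are constructed for the example, and the working-hours window and the thresholds are assumptions a real deployment would tune.

```python
"""Baseline-and-deviation detector for unusual data transfers and off-hours
activity, of the kind an insider-threat monitoring control would raise.
Example code only; all data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit log: "timestamp user action bytes", one event per line.
# alice's last day is a large late-night transfer; bob is steady throughout.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice download 1200000
2024-03-04T10:40:00 alice download 800000
2024-03-05T09:05:00 alice download 1500000
2024-03-06T11:20:00 alice download 900000
2024-03-07T09:30:00 alice download 1100000
2024-03-08T23:45:00 alice download 48000000
2024-03-04T09:00:00 bob download 300000
2024-03-05T09:10:00 bob download 250000
2024-03-06T09:15:00 bob download 320000
2024-03-07T09:20:00 bob download 280000
2024-03-08T09:25:00 bob download 310000
"""

# Assumed tuning values (not from the post): normal hours 07:00-19:59,
# a day is "unusual" if it exceeds mean + 3 sigma AND 5x the baseline mean,
# and a user needs at least 3 other days of history before being scored.
WORK_HOURS = range(7, 20)
SIGMA_MULT = 3.0
MIN_FACTOR = 5.0
MIN_BASELINE_DAYS = 3


def parse_log(text):
    """Parse the whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "bytes": int(nbytes)})
    return events


def daily_volume(events):
    """Total bytes moved per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date()] += e["bytes"]
    return totals


def volume_findings(totals):
    """Flag days far above the user's own baseline (leave-one-out)."""
    findings = []
    for user, per_day in totals.items():
        for day, value in sorted(per_day.items()):
            baseline = [v for d, v in per_day.items() if d != day]
            if len(baseline) < MIN_BASELINE_DAYS:
                continue  # not enough history to judge this user yet
            mu, sd = mean(baseline), pstdev(baseline)
            if value > mu + SIGMA_MULT * sd and value > MIN_FACTOR * mu:
                findings.append({"user": user, "day": day.isoformat(),
                                 "reason": "volume", "bytes": value,
                                 "baseline_mean": round(mu)})
    return findings


def off_hours_findings(events):
    """Flag the first event per user per day that falls outside WORK_HOURS."""
    findings, seen = [], set()
    for e in events:
        if e["ts"].hour in WORK_HOURS:
            continue
        key = (e["user"], e["ts"].date())
        if key in seen:
            continue
        seen.add(key)
        findings.append({"user": e["user"], "day": e["ts"].date().isoformat(),
                         "reason": "off_hours", "hour": e["ts"].hour})
    return findings


def analyse(text):
    """Run both checks over a log and return the combined findings."""
    events = parse_log(text)
    return volume_findings(daily_volume(events)) + off_hours_findings(events)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, this reports alice’s 2024-03-08 transfer twice (once for volume, once for the 23:45 timestamp) and nothing for bob, which is the shape of alert that gives security staff the chance to intervene the bullet above describes. Scoring each user against their own history rather than a global threshold is what keeps a naturally heavy user like alice from drowning out a quiet one like bob.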
Be on Guard
At the conclusion of her talk, Jenny offered that “we are only human.” As such, we shouldn’t be surprised by an insider threat incident. But she expressed that this can also be our greatest strength, offering a quote from Randy Pausch’s book, The Last Lecture:
“One thing that makes it possible to be an optimist is if you have a contingency plan for when all hell breaks loose.”
Make the most of insider threat awareness month to assess risks from insiders and take action to protect your business.
To learn more about securing payment technology, contact us.