Fernando Anaya, head of business development at Proofpoint for Spain and Portugal, reviews on this platform insider security threats and how to respond to them.

Detecting insider threats is particularly difficult. Keeping external attackers at bay is already a challenge in itself; unmasking someone who is already inside is harder still. An insider holds legitimate access, so their activity raises little suspicion and meets few of the controls aimed at outsiders. In fact, it takes an average of 77 days to find and contain such an incident.

The phenomenon is on the rise: in 2019 alone, insider threats cost organizations an average of $11.45 million, 31% more than the previous year. Although the consequences can be devastating, there is often no malicious intent behind them. Almost two thirds of these incidents are due to negligent employee behavior, that is, they originate in human error. Negligent insiders behave in many different ways, but what they share is the absence of any motive to attack, and that absence of motive is precisely what makes them so hard to defend against.

Preventing a threat is always better than detecting it. The key is to stay proactive: identify the most common security failings, make sure employees are trained in best practices, and put controls in place where needed to mitigate human error.

The cost of internal negligence

These threats do not require malicious intent to cause considerable harm. Organizations around the world have paid a heavy price for the negligence of their employees; some of the largest security breaches on record were caused by exactly that.

Phishing remains one of the biggest problems for corporate security teams: more than half of organizations experienced such an attack in the past year. Yet despite this high incidence, only 61% of the global workforce is familiar with the term.

It takes only one employee clicking a malicious link to do enormous financial and reputational damage to a company, as happened to Sony Pictures. That company spent $35 million repairing its computer systems in 2014 after several of its top executives fell victim to a phishing attack. In that attack, the criminals gained access to confidential emails and stole more than 100 terabytes of data.

When a privileged user has their credentials stolen, whether through phishing or any other means, the impact can be devastating: those credentials can be used to access confidential information, divert funds or paralyze networks, among other actions, for a long period of time. Whatever the nature of the insider threat, the longer it goes undetected, the greater its cost. For example, an incident contained within 30 days costs on average $7.2 million; one that runs past 90 days can cost $13.71 million.

Employee knowledge about security risks

Any organization can suffer an insider threat, and negligence in particular: no matter how many tools or controls are put in place, the probability of human error can never be eliminated entirely. It is inherent to people. Moreover, the larger the company, the greater the risk and, therefore, the more serious the consequences.

Insider threats, and their economic impact, grow with the number of employees. Organizations with between 25,000 and 75,000 workers spent an average of $17.92 million in the past year on insider-related incidents, while those with between 500 and 1,000 employees spent $6.92 million.

The main risk factor with negligent insiders is, by far, their lack of knowledge and awareness about cybersecurity. In every sector and at every level of a company we find users who have not been adequately trained on what the most common threats are and what their responsibility is when facing them, because they have never received continuous, complete education on the subject. According to an industry study, 68% of managers and senior executives lack sufficient knowledge of the most persistent attacks and their negative impact on organizations. Even more worrying, 60% of these users do not consider cyber attacks a constant concern.

Defending yourself from within the company

Combating insider threats is a complex process, even more so when the insider has no intention of causing harm, because such behavior is much harder to define and detect. To defend themselves, organizations must focus on three key aspects: their technology, their processes and, most importantly, their people.

Every company needs tooling that monitors user activity and flags unusual requests or access to systems. This should be backed by controls that restrict access to sensitive information and prevent it from being copied or exported. The technology must in turn be supported by clearly defined processes that are easy to follow at all times, from device management to network access.
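As an added example, not code from the original article or from Proofpoint, the script below runs three simple monitoring rules of the kind described above over a constructed audit log: access to a sensitive path by a user outside the group that owns it, access to a sensitive path outside business hours, and a per-user daily export volume above a threshold. The log format, the user-to-group mapping, the business-hours window and the export threshold are all assumptions made for the demonstration.

```python
"""Toy insider-activity monitor over constructed audit-log lines.

Added example. The log format, the user-to-group mapping and the
thresholds are assumptions made for the demonstration; a real deployment
would take these from the SIEM, the directory and a tuned baseline.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data):
# timestamp, user, action, resource, bytes
SAMPLE_LOG = """\
2020-03-02T09:12:04 alice READ   /finance/q1-forecast.xlsx 204800
2020-03-02T09:40:31 alice READ   /finance/budget.xlsx 102400
2020-03-02T10:05:17 bob   READ   /eng/design.md 51200
2020-03-02T23:48:09 bob   EXPORT /finance/payroll.csv 52428800
2020-03-02T23:51:42 bob   EXPORT /finance/q1-forecast.xlsx 204800
2020-03-02T14:02:55 carol READ   /hr/handbook.pdf 307200
2020-03-02T14:10:03 carol EXPORT /hr/handbook.pdf 307200
"""

# Assumed authorization model: which group owns which sensitive path prefix.
SENSITIVE_PREFIXES = {"/finance/": "finance", "/hr/": "hr"}
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"hr"}}

# Assumed policy thresholds.
WORK_HOURS = range(7, 20)                  # 07:00-19:59 counts as business hours
EXPORT_BYTES_PER_USER = 10 * 1024 * 1024   # more than 10 MiB exported per day is unusual


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "bytes": int(size),
        })
    return events


def sensitive_group(resource):
    """Return the group owning a sensitive path, or None if the path is not sensitive."""
    for prefix, group in SENSITIVE_PREFIXES.items():
        if resource.startswith(prefix):
            return group
    return None


def detect(events):
    """Return (rule, user, detail) alerts from three simple rules:

    1. access to a sensitive path by a user outside its owning group
    2. access to a sensitive path outside business hours
    3. export volume per user and day above EXPORT_BYTES_PER_USER
    """
    alerts = []
    exported = defaultdict(int)  # (user, date) -> bytes exported that day
    for ev in events:
        group = sensitive_group(ev["resource"])
        if group is not None:
            if group not in USER_GROUPS.get(ev["user"], set()):
                alerts.append(("unauthorized_sensitive_access", ev["user"], ev["resource"]))
            if ev["ts"].hour not in WORK_HOURS:
                alerts.append(("off_hours_sensitive_access", ev["user"], ev["resource"]))
        if ev["action"] == "EXPORT":
            exported[(ev["user"], ev["ts"].date())] += ev["bytes"]
    for (user, day), total in exported.items():
        if total > EXPORT_BYTES_PER_USER:
            alerts.append(("bulk_export", user, f"{total} bytes on {day}"))
    return alerts


def run():
    """Run the rules over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in run():
        print(f"{rule:32} {user:6} {detail}")
```

On the sample log only bob trips the rules: two night-time exports from a finance share he is not authorized for, plus a daily export volume well above the threshold. Note that alice and carol generate no alerts even though they touch the same sensitive paths, which is the point of tying rules to an explicit authorization model rather than to file names alone; fixed thresholds like the ones here should be replaced by a per-user baseline, and every alert should go to a human review step, since a negligent insider is not an adversary and a rule this blunt will produce false positives.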

Employees also need to understand the consequences of not complying with these policies, and must be given the skills and knowledge to protect the organization. This is a long-distance race: training has to be delivered regularly and comprehensively, with attack simulations and face-to-face security workshops. Otherwise employees will neither understand the risk their negligent behavior poses to the organization nor recognize their own role in defending against attacks, and the organization will remain exposed.