M+E Connections

When it comes to cybersecurity, organizations tend to focus on securing enterprise infrastructures from external threats.

But, when so many resources are devoted to protecting operations from the outside, it is easy to leave a company at risk of another kind of attack: insider threats, according to cybersecurity experts who spoke July 18, during the webinar “From Inside the House: Tackling Intentional & Unintentional Insider Threats.”

The webinar speakers broke down what it takes for an organization to tackle insider threats.

It makes sense that companies are so concerned about external threats. After all, cyber-attacks are always evolving alongside security protocols, so organizations need to remain vigilant.

A recent study from Cybersecurity Insiders found that 74% of organizations are at least moderately vulnerable to insider threats. Insider threats require an entirely different security approach, especially as they bring up an entirely new problem: accidental or unintentional threats. Not all internal damage is done maliciously, and many incidents are caused more by human error than criminal intent.

The Ponemon Institute’s “2022 Cost of Insider Threats Global Report” found that 56% of insider threats came from employee or contractor negligence, organizers of the webinar, episode 13 of the CISO Insights webinar series, pointed out.

Therefore, creating an internally secure environment for an organization requires a multi-pronged strategy that can protect against both intentional and unintentional attacks.

“We’re going to talk about kind of the good, the bad and the ugly with insider threats,” Dan Lohrmann, field CISO for the public sector and client advisor at Presidio, said at the start of the webinar.

“Insider threat is definitely a growing thing, so it’s good to be talking about it today,” said Earl Duby, chief information security officer (CISO) at managed IT service provider Auxiom.

Asked about the biggest threats that keep CISOs up at night, special guest Steven Fox, Washington Technology Services deputy CISO, Policy & Program Management for the state of Washington, said: “The biggest threats that I’ve seen across all my experience are compromised credentials.”

Fox explained: “That could happen through a business email compromise. But most often through social engineering. The most powerful method would be to recreate a portal page for an employee service and have the employees log in where they just give up their credentials without even a phone call…. They simply create a portal and compel the person to think that, ‘Oh, this is an authentic way to access wither a private or a public sector service.’”

He added: “The other one that I’ve seen are unmanaged services or technology such as unmanaged mobile devices including cell phones, tablets and laptops.”

When he’s dealt with insider threats, it has just been a “horrible situation when an executive was the insider threat” at a company, according to Duby. “I’ve had numerous occasions over my career where the insider threat was actually an executive…. I got called into many different investigations over the years, and whenever those investigations involved an executive, it just became exponentially more difficult because, not only are they a little bit more politically protected in the organization – and so you’ve got to have a higher threshold of evidence – but it also causes some reputational damage to the company if you have certain situations happening with executives.

He recalled the time there was an executive in the procurement department of a company and he was “having an illicit affair with one of our suppliers, and what was ending up happening is because they were favorable on the outside of work, [it] was actually translating into unfavorable terms on the inside of work.”

He added: “Eventually, it got to the point where a whistleblower had to contact the compliance line and say, ‘Hey, look, this is what’s going on.’ And then we launched an investigation. And that was really difficult because that was an up and coming executive that the CEO had really high hopes for. So we had to do a much higher level of work to prove that case out.”