At RSA 2020 (ah, the good old pre-pandemic days when we still had trade shows), I met with a PR firm with a substantial cybersecurity practice. I asked them, “Hey, is it just me, or do insider breaches not get as much media coverage as outsider breaches?”
Their response:
Outsider breaches are a lot more sensational and get a lot more media attention. It’s sexy to write about a group of hacktivists who penetrated someone’s perimeter with a complex, 12-step hack. It’s not so sexy to write about an employee with an axe to grind.”
But it’s not just the media and reporters that care more about external threats (and as a result, less about insider threats). It seems like CISOs, boards, and entire companies systematically underestimate insider threat and, as a result, under-invest in it.
In McKinsey & Company's 2018 article, Insider threat: The human element of cyberrisk, the authors write:
Insider threat via a company’s own employees (and contractors and vendors) is one of the largest unsolved issues in cybersecurity. It’s present in 50 percent of breaches reported in a recent study. Companies are certainly aware of the problem, but they rarely dedicate the resources or executive attention required to solve it.
Why does this happen?
Why are insider threats systematically underestimated and neglected, relative to outsider threat?
There are 4 possible explanations.
1. Insider threats are often misconstrued.
If you search the internet for “insider threat” or “insider breaches,” most articles continue to focus solely on malicious employees (and contractors) -- an employee on a performance improvement program, an employee with a political agenda, etc.
Malicious employees are only part of the picture.
Insider threat includes employee carelessness, i.e., an employee forgot their laptop in a taxi, and the laptop wasn’t password protected. Someone accidentally misconfigured a MongoDB database and left it open to the public. No employee malice -- just an accident.
But even more importantly -- Insider threats also include a credential theft: an external party that has stolen the credentials of an insider.
Why is this an inside threat? Because the thief has valid credentials, and for all intents and purposes, they appear as insiders to your security monitoring systems.
All phishing and spear-phishing attacks are pre-cursors to insider attacks. Yes, they’re external parties looking to penetrate the perimeter. But, in order to cross the perimeter, they’re trying to steal the credentials of an insider. A successful phishing/spear-phishing attack becomes an insider attack once the compromised credentials are used.
Remember that complex 12-step hack that the media wrote about? At least 1 of those 12 steps probably involved stealing credentials from an insider. In other words, it was an insider breach.
2. The same reason that make flights seem more risky than cars
Okay, time for a quick quiz.
Question one: Name three famous outsider data breaches.
Question two: Name three famous insider breaches.
Chances are, you could readily remember famous outsider data breaches (Experian, Marriott, Facebook,... the list goes on). Also likely, you couldn't think of any or many famous insider data breaches.
Don't worry, you're not the exception here. You -- and probably everyone reading this article -- are a victim of availability bias or the availability heuristic.
Specifically:
The availability heuristic is a phenomenon (which can result in a cognitive bias) in which people predict the frequency of an event based on how easily an example can be brought to mind.
Essentially, the availability heuristic operates on the notion that "if you can think of it, it must be important." Media coverage can help fuel a person's example bias with widespread and extensive coverage of unusual events, such as homicide or airline accidents, and less coverage of more routine, less sensational events, such as common diseases or car accidents.
In other words, if sensational 24/7 media coverage of plane crashes cause most people to overestimate those risks, the same applies to external threats/breaches.
Conversely, the relative lack of media coverage causes most people to underestimate their chances of dying in a car accident. Insider threats -- due to their lack of mass appeal -- and their relative lack of media coverage create a vicious cycle of underestimation and underinvestment.
3. The illusion of control messes with our perception of risk
Why does the Powerball lottery allow people to pick their own numbers? Moreover, why do some people manually -- and painstakingly -- choose their own numbers for the Powerball tickets they buy, even though the outcome is a completely random event?
The answer: control.
It gives people a sense of control.
By giving people a sense of control, it changes their perception of risk and creates overconfidence -- they think they have a higher chance of winning. A perceived higher chance of winning sells more Powerball tickets.
This illusion of control is even more common in familiar situations, and in situations where the person knows the desired outcome.
Take, for example, insider threat. Insiders are employees and contractors. They’ve been through a recruitment and hiring process. They’ve gone through employee onboarding. They regularly get updated training. They all have thick employee handbooks on their desks. For all intents and purposes, it seems like they’re in your span of control. This illusion of control may cause many to underestimate the risk associated with insiders.
4. But they’re INSIDERS.
Perhaps the most compelling why insider threat is systematically underestimated is the name itself: they’re insiders, not outsiders.
Outsiders are anonymous, faceless, hackers from some unnamed foreign country, doing evil things and trying to sell your sensitive data on the dark web.
Insiders aren't just employees and contractors. They’re our co-workers. We know their names and faces. Many of them are our friends. We might even know their spouses and their kids, and we might pet their dog when it comes in to work. We’re on the same team. We’re all running in the same direction and doing the best for our company.
In psychology, this is called in-group bias: we imagine things and people we’re familiar with or fond of as better than things and people we aren’t familiar with or fond of.
We fear and demonize the outsiders, overestimate external threats, and we prioritize investments on the perimeter.
Conversely, we embrace our insiders. We underestimate insider threat and underinvest as a result.
Perhaps, “insider threats” need a make-over.
At Dasera, we enable more insiders to safely use data for insights without increasing your business's risk exposure to both careless and malicious insiders.