As the world entered a new digital reality last year, the community-based whodunnit game Among Us turned out to be a fun platform that would connect families and groups of friends across the globe. While developed a couple of years earlier, it hit the mainstream during the pandemic as people were fascinated by the social dynamics of its accusation and ejection mechanics. The game has quickly gained popularity across the world, including Singapore, during the pandemic period, with over 264 million downloads across several platforms worldwide.
Just like the “impostors” in the game, cybersecurity teams don’t know whom to trust inside their own organisations: anyone could be the careless or malicious insider, or the credential thief, who strikes when no one is looking. As the Among Us community often says, they could all be "kinda sus."
Most security teams prioritise threats from outside attacks such as hackers, malware, and ransomware, without realising the potential security risks from insider attacks. As October marks National Cybersecurity Month, we spotlight the need to focus on the rising cases of insider threats worldwide.
Insider Threats by the Numbers
According to the Ponemon Institute’s 2020 Cost of Insider Threats report, the average global cost of insider threats rose by 31% in just two years to $11.45 million, while the number of total incidents nearly doubled (rose by 47%) within the same period. In Asia-Pacific (APAC) particularly, the average annual cost of insider threats is up to $7.89 million.
The study explored three primary insider threat profiles:
- Negligent insiders (those who unintentionally cause issues);
- Criminal and malicious insiders (those who intentionally cause damage); and
- Credential thieves (those who target login information to gain unauthorised access to applications and systems).
Out of these three profiles, employee or contractor negligence was the most frequent cause of insider incidents in APAC.
Employee or contractor negligence accounts for an average of 13 incidents annually, a significant gap from criminal and malicious insiders, who account for an average of 4.5 incidents annually, followed by credential thieves, averaging 1.4 incidents annually. This data demonstrates the need for employers to step up employee training on cybersecurity risks to reduce or prevent potential attacks from insiders.
Meanwhile, the 2021 Verizon Data Breach Investigations Report (DBIR) showed that internal factors were behind almost all (99%) cases of the "privilege misuse" category. As the report states, “This pattern is an uncomfortable one — this is where the people we trust betray us.” It further states that the most common motivator is financial gain, with 67% of recorded incidents. Among other drivers of insider attacks are fun (17%), a grudge held against the employer (14%), espionage (9%), convenience (3%) and ideology (1%).
This underscores the gravity and urgency of the situation. Insider threats are difficult to detect, requiring organisations to implement tight, always-on security. In the end, it's all fun and games until you wander into the electrical bay alone and find yourself with an impostor — figuratively and/or literally, as the case may be.
The Insider Security Conundrum
A common tactic for the impostors in the game is to use the vents to go from one room to another to prevent other crew members from seeing them. They do this to scour the entire ship to check out where the crew members are and what they are up to. Upon finding a target busy accomplishing a task, they will approach them from the vent and attack them.
This is how insider threats operate and what makes them difficult to detect for cybersecurity experts.
As the cybersecurity team focuses on other tasks like protecting and defending company data from malicious outsider attacks, it tends to miss what is right behind its back.
For the undercover insiders, meanwhile, it's easy to remain undiscovered when those hunting them don't know what to look out for. These insider threat actors have a huge advantage over outside attackers: legitimate access. Credentials stolen from other corporate identities let insiders move easily through systems, elevate their access and worm further into privileged systems to steal data or use it in ways they shouldn’t.
In framing a strategy for bolstering security measures inside the organisation, you must consider where the responsibility ultimately falls.
Is it solely the purview of the info security teams? Should HR and Legal also share the responsibility since the concern can be traced back to hiring and potential employee vetting?
Truth be told, the better the communication and cooperation between departments, the better equipped you are to detect and combat threats and attacks from within. In Among Us terms, the fewer dark and unmonitored areas you have, the harder it is for impostors to wander around the ship unnoticed.
Securing your organisation with Zero Trust
Telling the genuine "good" guys from the impostors has become especially difficult now that we have entered remote and hybrid work, because the two often look much alike. What’s more, sometimes a person will start as the "good" guy and eventually become the other. To address this uncertainty, the key is to trust no one until you can continuously verify that they are who they say they are before granting access. This means there are no darkened rooms and hidden vents. Adopting a Zero Trust model offers certainty that employees will unlock and enter only the “rooms” they are supposed to enter, to accomplish only the tasks they are supposed to do.
The “Zero Trust” approach is a strategic cybersecurity model designed to protect modern digital business environments and mitigate insider risks and threats. Following the same mindset as the players in Among Us, everyone is "sus", unless verified or proven otherwise. Essentially, when you trust no one to freely and automatically access your systems, you are suspicious of no one. The approach goes a long way in proactively managing insider threats as it limits disruption, strengthens security resilience and protects resources — particularly in hybrid cloud environments.
Organisations across the world enforce Zero Trust to ensure only authorised employees can access data, and only the data they need, when they need it.
Here are some Zero Trust strategies organisations may implement to protect business data from insider threats:
Interdepartmental cooperation. The responsibility of fortifying cyber resilience has extended from just the IT department to all departments across an organisation. To guarantee secure cross-sharing of data and information, departments should be aware of the risks and vigilant about who has access to particular sets of data. It may be necessary to block users from transferring or copying data to external destinations (USB drives, outside email addresses, etc.).
Company training and education. It is crucial to teach employees the risks of falling victim to cyberattacks. Train and test employees against social engineering attacks and encourage them to report security issues. Familiarise them with the Zero Trust approach and its capabilities to mitigate insider threats.
Protect high-power privileged accounts. Organisations should identify the most important administrative accounts, including their passwords, and pinpoint potential vulnerabilities that could jeopardise the most sensitive data and critical infrastructure. With this intelligence, they can implement access controls that protect the privileged accounts presenting the most risk.
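Taken together, the three strategies above (scoped data access, verified identities and protected privileged accounts) can be expressed as one default-deny decision routine that is applied to every request. The Python below is an added illustration, not code from this article or from any product: the roles, resources, the 15-minute re-verification window and the sample requests are constructed values chosen only to show each rule firing. It also adds a small detection step, counting repeated denials per user, which the text implies but does not spell out.

```python
"""Minimal Zero Trust access evaluator (added illustration, constructed data).

Every request is denied unless an explicit policy grants it; privileged
resources require recent multi-factor authentication; copies of protected
data to external destinations are blocked; and repeated denials are surfaced
for review, since an insider probing for access leaves exactly that trail.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str                    # "read", "write" or "export"
    auth_strength: str             # "password" or "mfa"
    auth_age_s: int                # seconds since the user last re-authenticated
    device_managed: bool           # device posture: enrolled in management or not
    destination: str = "internal"  # for "export": where the data is going


@dataclass
class Decision:
    user: str
    allowed: bool
    reason: str


# Constructed sample policy: role -> resource -> permitted actions (least privilege).
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "engineer": {"source-repo": {"read", "write"}, "build-logs": {"read"}},
    "hr-analyst": {"employee-records": {"read", "export"}},
    "domain-admin": {"directory": {"read", "write"}, "employee-records": {"read", "write"}},
}
PRIVILEGED_RESOURCES = {"directory", "employee-records"}  # require fresh MFA
EXPORT_BLOCKED = {"employee-records", "source-repo"}      # must not leave the organisation
MAX_AUTH_AGE_S = 15 * 60                                  # hypothetical re-verification window


def evaluate(req: Request) -> Decision:
    """Default-deny evaluation of one request; every branch states its reason."""
    # 1. Device posture: an unmanaged device gets nothing, whatever the identity.
    if not req.device_managed:
        return Decision(req.user, False, "unmanaged device")
    # 2. Least privilege: only explicitly granted resource/action pairs pass.
    granted = POLICY.get(req.role, {}).get(req.resource, set())
    if req.action not in granted:
        return Decision(req.user, False, f"no policy grants {req.action} on {req.resource}")
    # 3. Continuous verification: privileged resources need recent strong auth.
    if req.resource in PRIVILEGED_RESOURCES:
        if req.auth_strength != "mfa":
            return Decision(req.user, False, "step-up authentication required")
        if req.auth_age_s > MAX_AUTH_AGE_S:
            return Decision(req.user, False, "re-authentication required")
    # 4. Data egress: block copies of protected data to external destinations.
    if req.action == "export" and req.destination != "internal" and req.resource in EXPORT_BLOCKED:
        return Decision(req.user, False, f"export of {req.resource} to {req.destination} blocked")
    return Decision(req.user, True, "granted")


def repeated_denials(decisions: List[Decision], threshold: int = 3) -> Set[str]:
    """Users denied at least `threshold` times: a signal worth a human look."""
    counts: Dict[str, int] = {}
    for d in decisions:
        if not d.allowed:
            counts[d.user] = counts.get(d.user, 0) + 1
    return {user for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate request per rule, plus a user
    # repeatedly trying a resource outside their role.
    sample = [
        Request("alice", "engineer", "source-repo", "read", "password", 3000, True),
        Request("bob", "domain-admin", "directory", "write", "password", 10, True),
        Request("bob", "domain-admin", "directory", "write", "mfa", 60, True),
        Request("carol", "hr-analyst", "employee-records", "export", "mfa", 60, True, "usb"),
        Request("dave", "engineer", "build-logs", "read", "mfa", 10, False),
    ] + [Request("mallory", "engineer", "directory", "read", "mfa", 10, True)] * 3
    decisions = [evaluate(r) for r in sample]
    for r, d in zip(sample, decisions):
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{r.user:8} {r.action:6} {r.resource:17} -> {verdict} ({d.reason})")
    print("users to review:", repeated_denials(decisions))
```

The order of the checks is deliberate: device posture and the role scope are evaluated before any credential strength, so a stolen password on an unmanaged laptop never reaches the privileged-resource branch, and a legitimate account that has drifted into repeated denials shows up in the review set without any rule having to know the user's intent.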
The threat may be coming from inside the house, but security measures must go well beyond a few doors and walls.
The only way to defend against both accidental and malicious insiders is to address the threat, not the individual. This starts by locking down unnecessary, unconstrained access for users, which, if left unchecked, amplifies insider threats. In the new boundary-less world, it empowers organisations to keep their data safe. Sure, it's fun to casually attack and sabotage our friends in virtual games, but it's certainly a different thing when millions of dollars and massive sets of sensitive data are on the line.