You will be surprised to learn who is responsible for 90% of all security incidents
Verizon's 2015 data breach report claims that it may not be obvious at first glance, but the common denominator across 90% of all security incidents is people. Whether it's goofing up, getting infected, behaving badly, or losing stuff, most incidents fall into the PEBKAC and ID-10T uber-patterns. At this point, take your index finger, place it on your chest, and repeat "I am the problem" for as long as it takes to believe it. Good: the first step to recovery is admitting the problem.
Your organization probably has an image of the hacker who will try to steal your data: a shadowy person in a foreign land who spends almost every waking hour at a computer attempting just about every trick to siphon sensitive information from your company.
Someone like that exists, of course, and you should take every precaution against any and all kinds of external threats. But is your organization prepared to detect and stop a threat that’s closer than you think and is far more potent?
That threat looks nothing like the shadowy foreigner. It’s someone who’s entrusted with your data – someone who might even sit down the hall from your desk. Yes, your employees, privileged users and third-party users pose a far greater risk than the outside hacker. Insiders have access to your files and systems and don’t have to resort to installing malware to steal sensitive data.
Inside threats can be separated into two groups: users with malicious intent and those who mean well but are careless, even negligent, with their digital behavior. Understanding these two and detecting when they’re posing a risk will go a long way toward preventing internal data breaches.
How Are Organizations Addressing Inside Threats?
Unfortunately, not very well. Many organizations rely on tools that attempt to foil outside hackers, but they’ll never detect and stop inside threats because that technology doesn’t review internal activities. Think about the ways data security tools approach external threats. They deal with viruses and malware, for example, and focus on delivery, installation and the many other ways hackers attempt to gain access.
The kill chain those tools model ends at the keyboard. That is basically the end of an external hacker's footprint, but it is exactly where inside threats begin. The keyboard is where the trusted insider maliciously or negligently exposes data, and the security tools many organizations use today don't sufficiently contend with keyboard activities.
How Can You Detect Risky Insiders?
Employees and third-party users who maliciously steal or damage data were most likely good people who once deserved to be trusted but at some point flipped. There are four ways to try to minimize or stop them from damaging your business.
- Look for a tipping point. Examine external communications, particularly with other companies, to see if an insider has indeed flipped and is about to release sensitive data.
- Keep an eye out for insiders who are searching for data. Privileged users can access most data and, because of that unfettered access, unfortunately raise no immediate red flags. Ordinary users, however, have a narrower range of access and may search for data they're not supposed to see. You need to profile their behavior and look for anomalies.
- Be wary of insiders who hide the data they gathered. Anyone who places files in zip archives or password-protects and encrypts your data is probably up to no good.
- Watch for data exfiltration. You need to be vigilant and look for patterns of behavior that suggest data is being taken out of the system. Workers have a wide array of applications and services that increase productivity but also place data at risk. It has never been more crucial to know what insiders share and store in the cloud.
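The four indicators above (scope of data accessed versus a baseline, hiding data in archives, and movement to unsanctioned cloud services) can be turned into a simple triage over activity logs. The following is an added example, not code from the original article or from any product it describes: it parses constructed file-access and upload log lines, builds a per-user picture of which departments' data each user normally reads, and scores the three indicators. The log format, the user names, the host names, the `/share/<department>/` path convention and the scoring thresholds are all assumptions made for the example.

```python
"""Toy insider-risk triage over constructed activity log lines.

Added example (not from the original article). Each user's activity is
compared against a simple baseline (the department whose files they read
most), and three indicators are scored: reading outside that scope,
archiving/encrypting data, and uploading to an unsanctioned host.
All log lines, names, hosts and thresholds are constructed for the demo.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <user> <action> <target>"
# actions: READ (file read), ARCHIVE (zip/encrypt), UPLOAD (network upload)
SAMPLE_LOG = """\
2015-06-01T09:02 alice READ /share/engineering/spec.docx
2015-06-01T09:10 alice READ /share/engineering/build.log
2015-06-01T09:40 alice READ /share/engineering/notes.txt
2015-06-02T10:05 alice READ /share/engineering/spec.docx
2015-06-02T11:00 alice READ /share/engineering/api.md
2015-06-03T12:00 alice READ /share/engineering/api.md
2015-06-01T09:00 bob READ /share/engineering/spec.docx
2015-06-01T09:30 bob READ /share/engineering/api.md
2015-06-02T09:45 bob READ /share/engineering/build.log
2015-06-03T22:10 bob READ /share/finance/q2_forecast.xlsx
2015-06-03T22:12 bob READ /share/hr/salaries.xlsx
2015-06-03T22:15 bob READ /share/legal/merger_memo.pdf
2015-06-03T22:30 bob ARCHIVE /tmp/personal.zip
2015-06-03T22:45 bob UPLOAD files.example-cloud.test
2015-06-02T14:00 carol READ /share/marketing/plan.pptx
2015-06-02T14:20 carol UPLOAD files.example-cloud.test
"""

# Constructed allow-list of IT-sanctioned upload destinations.
SANCTIONED_UPLOAD_HOSTS = {"sharepoint.corp.example"}


@dataclass
class UserActivity:
    departments_read: Counter = field(default_factory=Counter)
    archived: bool = False
    unsanctioned_uploads: list = field(default_factory=list)


def department_of(path):
    """Map a path to a department using the constructed /share/<dept>/ layout."""
    parts = path.split("/")
    if len(parts) > 3 and parts[1] == "share":
        return parts[2]
    return "other"


def parse_log(text):
    """Aggregate raw log lines into one UserActivity record per user."""
    activity = defaultdict(UserActivity)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, action, target = line.split(maxsplit=3)
        rec = activity[user]
        if action == "READ":
            rec.departments_read[department_of(target)] += 1
        elif action == "ARCHIVE":
            rec.archived = True
        elif action == "UPLOAD" and target not in SANCTIONED_UPLOAD_HOSTS:
            rec.unsanctioned_uploads.append(target)
    return activity


def triage(activity):
    """Return {user: (score, reasons)} for the three indicators."""
    results = {}
    for user, rec in activity.items():
        score, reasons = 0, []
        if rec.departments_read:
            home, home_count = rec.departments_read.most_common(1)[0]
            foreign = sum(rec.departments_read.values()) - home_count
            if foreign >= 2:  # constructed threshold for "searching for data"
                score += 2
                reasons.append(f"read {foreign} files outside home dept '{home}'")
        if rec.archived:
            score += 1
            reasons.append("archived/encrypted data (possible staging)")
        if rec.unsanctioned_uploads:
            score += 1
            hosts = sorted(set(rec.unsanctioned_uploads))
            reasons.append(f"uploaded to unsanctioned host(s) {hosts}")
        results[user] = (score, reasons)
    return results


def classify(score):
    """Constructed thresholds: a chain of indicators is investigated, a single
    slip gets an in-the-moment policy reminder, everything else is clear."""
    if score >= 3:
        return "investigate"
    if score >= 1:
        return "nudge"
    return "clear"


if __name__ == "__main__":
    for user, (score, reasons) in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(f"{user:6} {classify(score):12} score={score} {'; '.join(reasons)}")
```

Run as a script it prints one line per user: `bob` accumulates all three indicators in a single late-night sequence and lands in `investigate`, `carol` made one unsanctioned upload and gets a `nudge`, and `alice` stays within her normal scope and is `clear`. The point is the combination of context: any one of these indicators in isolation is noisy, but reading outside one's usual scope followed by archiving and an upload is the chain the article describes.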
What Kind of Tools Should Manage Insider Threats?
Most solutions that focus on internal data leaks come to the rescue too late. The reason is that by the time an insider becomes malicious, there has already been a slow, almost undetectable chain of activities that leads to the breaking point. It usually doesn't happen instantaneously; an insider doesn't become malicious in just one day.
A malicious insider builds confidence by first taking small amounts of data and eventually gains the assurance that an even bigger amount can be leaked. If your organization can find the malicious user at the point he flipped – communicating with competitors or hiding data – the chances of stopping an internal breach are far better than if you blindly watch for large volumes of data leaving, with no context to narrow your prevention efforts.
Why is Dealing with Insider Threat so Hard?
Negligent users create a lot of noise in your system – the number and scope of activities they perform each day make it difficult to discern legitimate, safe use from unauthorized, careless use. So you need to get rid of that noise.
Most employees don't mean to harm your business, but sharing sensitive data on a cloud storage service that seems efficient to them yet is unauthorized by your IT department puts the business at risk. Their careless file-sharing activities are as ill-advised as downloading an infected file from the Web.
Many companies try to deter negligent computer behavior with annual or even monthly training, or by printing comprehensive policies. But employees get busy with work and often forget these expectations.
Instead of sporadic attempts at education that will quickly be forgotten, organizations should have a program that alerts employees to policy violations in real time. By reminding them in the moment that they’re putting data at risk, you’ll greatly reduce the chance of a data breach caused by negligence. And if you can do that alongside the detection of bad actors, your organization will have a solid insider-threat detection program.
What Makes an Insider Threat Program Effective?
You want to make it difficult for negligent and bad users to put data at risk. Think of your program as airport security. Not every airline passenger is asked to undergo a complete security check; it happens every so often but enough that it deters all passengers from acting out of turn.
Taking that approach at your organization could work wonders. Occasionally reviewing the digital activities of some employees will put all employees on alert and act as a strong deterrent.
Also, your organization needs a program that detects inside threats in real time and prevents bad and negligent actions before it is too late. If you have a complete view of user activity and can act quickly on inside threats, you'll stop data breaches before they cripple the business.