
Insider Threats vs Malware – Why Data Security Requires a New Approach


Security teams focused on mitigating data loss are increasingly facing challenges stemming from AI, budget cuts and a lack of security education. Years of digitization and hybrid and remote work have changed how data is used and moved in most organizations. Our Annual Data Exposure Report 2024 research shows the data security problem keeps getting bigger. The average cost of an insider incident is $15 million, and 27% of CISOs ranked insider risk as the most difficult threat to detect. 55% of all insider-driven data loss events are believed to be intentional employee acts, and 87% of organizations have terminated employees in the past 12 months due to insider-driven data loss, making DLP solutions more relevant than ever. But it's not just the proliferation of cloud tools and remote work that's accelerating the problem. In many ways, the mindset and strategies that security teams use to attack insider threats are actually aggravating the issue.

Conventional threat response is a game played in black and white, but it shouldn’t be

Until about 4 years ago, the predominant risk to data was from malware and other external threats, which meant hunt-and-block was the name of the game in security operations. In that world, the military mindset that guides the tools, strategies and language of data security and cybersecurity makes perfect sense. But defending against external actors and malware is a game played in black and white; the comprehensive approach needed to protect data from insiders isn't.

As remote work has become routine and collaboration has fragmented across cloud tools, the cat-and-mouse game security teams relied on for years is out of date.

Data protection is a game of nuance — played in full color

Data protection is a fundamentally different problem than malware or external threats, which means that protecting data from insiders requires a fundamentally different approach. Insider-driven data loss isn't a black-and-white game with clear sides; it's a game of nuance, played in full color. These aren't external bad actors; they're your colleagues. But their broad, legitimate access means a single lapse can exfiltrate data faster and cause more damage than malware, usually unintentionally. Shortcuts and lapses in judgment are taken for the sake of efficiency or personal preference, and when those one-time shortcuts go unchecked they become habitual behaviors that can cost thousands of dollars in lost data.

Then there's the rare but alarming malicious insider, who uses legitimate access to cover their tracks, making intentional IP theft blend in with the noise of everyday productivity. That activity hides not only among everyday tasks but within cultures built on collaboration and trust, which makes it even harder to detect.

Either way, protecting your data from insiders is tightly intertwined with how every business operates. It’s an inherent quality of everyday actions and workflows — people editing, moving and sharing files; connecting remotely, outside the VPN and through cloud apps. 

Navigating this dynamic brings in the concept of risk tolerance. With companies increasingly building competitive advantage around innovation and agility — and the landmark shift toward remote/hybrid work models — the reality is that some data loss is worth tolerating in exchange for value-producing productivity.

The conventional security mentality makes keeping your data safe from insiders harder

The military-inspired language, strategies and mentality common in malware defense (hunting down and neutralizing threats) don't work for data loss prevention. In fact, they make the problem worse, creating frustration and resentment of harsh security protocols.

Put another way, applying the conventional security mentality to insider threats puts the security team in an antagonistic position toward people who could be effective partners. A twitchy "trigger finger" on DLP, CASB and other traditional blocking tools shoots down legitimate, valuable and harmless employee activity. This "friendly fire," however well intended, impedes productivity and collaboration, working directly against what the C-suite is driving toward. Moreover, a DLP or CASB only alerts you to the bad actions you've already told it to look for. What about all the risk you didn't specify, the risk that slips through the cracks?

The antagonism that results from a hunt-and-block approach can actually heighten the risk of data leaks. While security teams are tunnel-visioned on hunting down the rare malicious employee, they create tension with the rest of the well-meaning but equally risky workforce. Turning unintentional data loss incidents into overblown reactions pushes employees to find new ways to work around tools and protocols, and pushes insider threats further into the shadows.

The goal with these unintentional risky users shouldn’t be to “catch” end users doing risky things; the goal should be to get them to do the right things more often. You can’t persuade a hacker or a piece of malware to change behavior. But when it comes to your colleagues, simple education, delivered at the right time, can go a long way toward steering behaviors and building a security-aware culture — getting end users working with you to mitigate harmful insider behaviors.
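As an added illustration of the two points above (a rule-only DLP sees only what it was told to look for, and the right response to a well-meaning colleague is usually education rather than a block), here is a small Python sketch. It is not Code42's or Incydr's code. The destination labels, the regex rules, the 3-sigma threshold, the 10 MB review cutoff and every event are constructed for the example.

```python
"""
Added illustration: a content-pattern DLP rule set versus a per-user baseline,
run over constructed file-movement events, followed by a coach-or-review step.
None of the events are real telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed labels for destinations outside corporate control.
UNTRUSTED = {"personal-gdrive", "personal-email", "usb"}


@dataclass(frozen=True)
class FileEvent:
    day: int            # day index within the observation window
    user: str
    destination: str    # where the file went
    filename: str
    size_kb: int
    snippet: str        # constructed excerpt of what a content scanner would see


# Constructed events: "avery" has a quiet USB habit and then bulk-moves a source
# repo to a personal drive (no regex will match it); "blake" routinely emails small
# exports and one day includes a card number that a classic rule does catch.
EVENTS = [
    *[FileEvent(d, "avery", "corp-sharepoint", f"notes{d}.docx", 40, "meeting notes")
      for d in range(1, 11)],
    *[FileEvent(d, "avery", "usb", f"slides{d}.pptx", 300, "quarterly review")
      for d in range(1, 11, 3)],
    *[FileEvent(d, "blake", "personal-email", f"export{d}.csv", 100, "id,name")
      for d in (2, 5, 8)],
    FileEvent(11, "avery", "personal-gdrive", "repo-backup.zip", 48000,
              "PK.. src/main.go src/auth.go"),
    FileEvent(11, "blake", "personal-email", "customers.csv", 120,
              "4111 1111 1111 1111,Jane"),
]

# Rule-based DLP: fires only on patterns the policy author already wrote down.
DLP_RULES = {
    "pan": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def rule_alerts(events):
    """Return (user, filename, rule) for every content-pattern match."""
    return [(e.user, e.filename, name)
            for e in events
            for name, pat in DLP_RULES.items()
            if pat.search(e.snippet)]


def baseline_alerts(events, train_days=10, k=3.0):
    """Flag off-corp activity that deviates from the user's own history.

    Baseline: per-user daily KB sent to UNTRUSTED destinations during the first
    train_days (days with no such activity count as 0 KB). A later event is
    flagged when its size exceeds mean + k*stdev of that history, or when the
    destination is one the user never used during training. Returns
    (event, reason) pairs.
    """
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> KB off-corp
    seen_dest = defaultdict(set)
    for e in events:
        if e.destination in UNTRUSTED and e.day <= train_days:
            daily[e.user][e.day] += e.size_kb
            seen_dest[e.user].add(e.destination)
    alerts = []
    for e in events:
        if e.day <= train_days or e.destination not in UNTRUSTED:
            continue
        history = [daily[e.user].get(d, 0) for d in range(1, train_days + 1)]
        ceiling = mean(history) + k * pstdev(history)
        reasons = []
        if e.size_kb > ceiling:
            reasons.append(f"{e.size_kb} KB vs baseline ceiling {ceiling:.0f} KB")
        if e.destination not in seen_dest[e.user]:
            reasons.append(f"first use of {e.destination}")
        if reasons:
            alerts.append((e, "; ".join(reasons)))
    return alerts


def respond(event, reason, review_threshold_kb=10_000):
    """Coach by default; route only bulk moves to an analyst. Cutoff is assumed."""
    if event.size_kb >= review_threshold_kb:
        return ("review", f"{event.user} moved {event.size_kb} KB to "
                          f"{event.destination} ({reason}); queue for analyst review.")
    return ("coach", f"Hi {event.user}, {event.filename} went to {event.destination}, "
                     f"which isn't an approved location. Please use the corporate share; "
                     f"here is how to request access.")


if __name__ == "__main__":
    print("rule hits:", rule_alerts(EVENTS))
    for ev, why in baseline_alerts(EVENTS):
        print("baseline hit:", ev.user, ev.filename, why, "->", respond(ev, why)[0])
```

Run as written, the regex rules catch blake's card number and nothing else, while the baseline flags avery's 48 MB move to a never-before-seen personal drive, which no rule describes. Blake's day-11 email stays under his own ceiling, so the two checks cover different gaps rather than one replacing the other. The cold-start case (a user with no training history has a ceiling of zero) is deliberately left visible: a real deployment would need a minimum history before trusting the baseline.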

Protecting and enabling the business

No one wants to block workflows and practices. And with more organizations prioritizing innovation, collaboration and agile productivity, security teams feel more pressure than ever: Leadership demands that you stop breaches and keep the company out of the headlines — yet impeding innovation and productivity could similarly cost security leaders their jobs. So, how do you find the balance between protecting and enabling the business?

The answer lies in communication and education. By educating your colleagues on potential security risks and providing them with simple tips and guidelines, you can effectively persuade them to change their behaviors without impeding their workflows. By understanding the importance of security measures and how they contribute to the overall success of the company, your colleagues will be more likely to comply with security protocols.

With Incydr, when a mistake is made and risky behavior is detected, the Instructor feature sends the employee an in-depth breakdown of best practices, protecting the relationship between employees and security while keeping both the company's and the employee's data safe.

The post Insider Threats vs Malware – Why Data Security Requires a New Approach appeared first on Code42.

About the Author

As director of security operations at Code42, Nathan leads the team responsible for security tooling, red team exercises and responding to security events. Nathan joined Code42 in 2016, bringing experience from both the private and public sector, and is a graduate of the Masters of Science in Security Technologies (MSST) program at the University of Minnesota.
