How MSSPs Can Mitigate Insider Threats for Their Customers


When the COVID-19 lockdowns began in March 2020, the number of remote workers surged from 9% to 77% in a matter of weeks, a transition that more than half of the firms surveyed by Iometrics and Global Workplace Analytics acknowledge they were unprepared to make.

Recognizing an opportunity to exploit the crisis, cybercriminals quickly launched a massive phishing campaign targeting consumers and remote workers. According to the Cybersecurity and Infrastructure Security Agency (CISA), insider security breaches skyrocketed, increasing 47% over 2018 and driving a 31% increase in average costs to $11.45M.

What could account for this massive increase in insider threats? Does working from home make employees more likely to behave like cyber criminals? The short answer? No. Malicious intent is only rarely involved.

Types of Insider Threats

According to a Ponemon Institute survey, insider threats (also known as internal threats) can generally be assigned to one of three categories and cost ranges:

  • Compromised insiders who are often unaware that their systems, credentials, or access privileges have been appropriated by an external threat actor.
  • Careless or negligent insiders who cause harm inadvertently. For example, an employee sends an email containing personally identifiable information to the wrong email address. Incidents caused by negligent insiders cost organizations the least, “only” $307,111 on average. But since they comprise 62% of reported incidents, the totals can add up quickly to as much as $4.58 million annually. Although unintentional, errors like these can seriously damage a company’s reputation and result in severe regulatory penalties.
  • Criminal or malicious insiders committing acts of theft, sabotage, or espionage. Although they attract the most notoriety, criminal and malicious insiders accounted for only 23% of insider attacks cited in the survey. However, given the $755,760 average cost of each such attack, the sum can reach $4.08 million annually. Insiders like these may be motivated by financial distress or political/religious ideology, may be seeking revenge for perceived wrongs or work conflicts, or may have been swayed by inducements from cyber-criminal and state-sponsored threat groups.

In its report, Ponemon attributes these costs to “monitoring and surveillance, investigation, escalation, incident response, containment, ex-post analysis and remediation.” Notably, the costs for investigation are growing fastest, rising 86% in only two years to average $103,798.

Insider Threat Detection Challenges

Risky insiders look very much like their innocent colleagues. They use networks and data to do their jobs. They’re assigned privileges and expected to use them productively. Sometimes, however, organizations can detect behavioral and digital early warning signs that an insider incident is imminent or already in progress.

Behavioral Warning Signs

  • Repeated attempts to evade security controls
  • Flagrant violations of acceptable use policies
  • Hostile outbursts aimed at colleagues and supervisors

Digital Warning Signs

  • Frequently logging into company databases outside of normal work hours
  • Emailing large quantities of data to external entities
  • Accessing sensitive data that is not pertinent to the worker’s role and responsibilities
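
The three digital warning signs above can be expressed as simple detection rules over access logs. The following is an added example, not code from the original article or from BlackBerry; the event fields, thresholds, role-to-dataset map, and the `corp.example` domain are assumptions, and the events are constructed sample data.

```python
from collections import Counter
from datetime import datetime

# Assumed policy values for illustration; tune per customer.
MB = 1024 * 1024
WORK_HOURS = range(8, 19)            # 08:00-18:59, Monday-Friday
OFF_HOURS_LOGIN_LIMIT = 3            # "frequently" = 3+ off-hours DB logins
EXTERNAL_MAIL_LIMIT = 50 * MB        # bytes a user may send outside the company
INTERNAL_DOMAIN = "corp.example"     # hypothetical customer mail domain
ROLE_DATA = {"hr": {"hr_records"}, "finance": {"ledger", "payroll"}, "engineer": {"source"}}

def ev(ts, user, role, kind, **extra):
    return {"ts": ts, "user": user, "role": role, "type": kind, **extra}

# Constructed sample events (not real telemetry).
EVENTS = [
    ev("2024-03-04T02:14", "alice", "engineer", "db_login"),   # Monday night
    ev("2024-03-04T10:00", "alice", "engineer", "db_login"),   # in hours
    ev("2024-03-05T23:40", "alice", "engineer", "db_login"),
    ev("2024-03-09T11:00", "alice", "engineer", "db_login"),   # Saturday
    ev("2024-03-04T09:30", "bob", "finance", "email", to="x@mail.example", bytes=30 * MB),
    ev("2024-03-04T15:10", "bob", "finance", "email", to="y@mail.example", bytes=30 * MB),
    ev("2024-03-04T16:00", "bob", "finance", "email", to="cfo@corp.example", bytes=100 * MB),
    ev("2024-03-05T11:00", "carol", "hr", "data_access", dataset="payroll"),
    ev("2024-03-05T22:00", "dave", "finance", "db_login"),     # one-off, below limit
    ev("2024-03-06T11:00", "dave", "finance", "data_access", dataset="ledger"),
]

def detect(events):
    """Return sorted (user, finding) pairs for the three digital warning signs."""
    off_hours, mail_bytes, findings = Counter(), Counter(), set()
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "db_login":
            # Weekend or outside working hours counts as off-hours.
            if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
                off_hours[e["user"]] += 1
        elif e["type"] == "email":
            # Compare the exact recipient domain, not a suffix, to catch lookalikes.
            if e["to"].rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
                mail_bytes[e["user"]] += e["bytes"]
        elif e["type"] == "data_access":
            if e["dataset"] not in ROLE_DATA.get(e["role"], set()):
                findings.add((e["user"], "out_of_role_access"))
    findings |= {(u, "off_hours_db_logins") for u, n in off_hours.items()
                 if n >= OFF_HOURS_LOGIN_LIMIT}
    findings |= {(u, "bulk_external_email") for u, b in mail_bytes.items()
                 if b > EXTERNAL_MAIL_LIMIT}
    return sorted(findings)
```

Static thresholds like these produce leads for an analyst to review, not verdicts; per-user baselines reduce false positives for staff with legitimate off-hours or bulk-transfer duties.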

Insider Threat Management

BlackBerry recommends that organizations begin by re-examining their existing security controls and processes to assess their suitability for managing insider risks. They should deploy next-gen endpoint protection platforms and endpoint detection and response solutions that use artificial intelligence and machine learning to mitigate insider threats before they escalate into major security incidents.

Organizations should also transition to a prevention-first, Zero Trust security posture that uses continuous authentication to adapt policies dynamically based on an employee’s up-to-the-minute threat profile. They should also deploy unified endpoint management systems that give security operations center analysts visibility and policy control over every kind of endpoint an insider can use to access enterprise resources.

BlackBerry stands ready to help, with the portfolio of service and software solutions organizations need to reduce insider risks, enhance remote worker productivity, and secure maximum value from their investments in mobile and cloud technologies.


Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.