Halodata has released its latest research report ‘Insider Threat Report 2022-Singapore Edition’, highlighting several key trends on insider threats across Singaporean enterprises.
The report assesses the current state of insider threats and the underlying contributing factors. It finds 11% of enterprises to have suffered at least one insider attack over the last year, with only 52% being able to explicitly admit that they have not experienced any related incident in recent months.
It also finds a vast majority of respondents acknowledging their vulnerability to such attacks, with over 10% admitting to being extremely susceptible. Furthermore, more than four fifths of enterprises perceive insider attacks as equally jeopardizing as external cyberattacks, and 90% believe that mitigating such insider threats is relatively more difficult than dealing with external threats – illustrating an uptrend on the awareness of insider threats and their consequences.
Interestingly, the report finds that nearly 80% of enterprises feel that offline insider attacks are more difficult to prevent than network-connected attacks. These results correspond to a notable gap in enterprise efforts to combat threats originating outside IT divisions, with 23% of respondents revealing the non-existence of programs to combat insider threats across non-IT departments, and 41% unaware if such programs exist altogether.
The report, which was based on a survey conducted in April 2022 at the Smart Cybersecurity Summit in Marina Bay Sands, covers a broad cross-section of industries in Singapore, with nearly one fourth of respondents originating from the financial services sector and 15% from the technology and software sector.
Other participating verticals include energy and utilities, communications, transportations, security and data centre services. Views were gauged from a representative sample of enterprises with SMEs comprising 28% of respondents and enterprises with over 10,000 employees comprising another 20%. Of these, one third of respondents were from IT operations departments, while enterprise CISOs comprised another 15%. The survey also drew participation from analysts, risk managers, SOC (Security Operations Centre) managers and CSOs.
Enterprises to enhance their monitoring capabilities
Collectively, the majority of respondents see a strong need for user monitoring, with 66% believing that constant monitoring of insider parties will greatly assist in the detection of potential insider attacks. In total, 99% of respondents feel that user monitoring is able to positively contribute to insider threat prevention.
“Continuous security monitoring enables enterprises to identify malicious activity based on real-time detection of anomalies in insider behaviour and transactions,” said Resham Ganglani, CEO of Halodata Group. “Given the adoption of complex IT architectures, the enterprise threat surface and ensuing vulnerabilities continue to grow. A strong monitoring and analytics framework coupled with highly responsive remedial actions can greatly avert attacks on enterprise networks and assets.”
The COVID-19 pandemic has brought about a drastic rise in the number of remote user endpoints within an enterprise, amplifying insider threat risks. According to the report, over 50% of respondents saw an increase in malicious insider activity since the beginning of the pandemic.
The report also found that work-from-home (WFH) arrangements have a substantial impact on this, with 70% of respondents believing that WFH has aggravated the risks of insider attacks, and 79% of the opinion that it has changed the nature of such threats and its associated detection mechanisms.
“The pandemic has definitely exacerbated insider threat risks. The great resignation for example, has created transitional phases where employee device and application access are left unmonitored, increasing the risk of hijacks, abuse and manipulation,” said Resham. “We found close to a quarter of enterprises agreeing to substantially higher insider threat risks from massive staff turnover, with an overall 88% agreeing to generally elevated risk levels.”
Tackling cultural barriers
An interesting facet to enterprise insider threat activity highlighted in the report is the contribution of a unique cultural factor – the Asian face value of trust. This refers to the inherent trust placed by Asian enterprises on insider parties, including employees, which renders best practice security measures non-implementable.
As a significant cultural barrier, nearly two thirds of Singaporean enterprises feel that this negatively distorts the enterprise’s perception of insider threats, leading to a biased approach to enterprise security.
The report also assessed several threat mitigation approaches and strategies commonly deployed by Singaporean enterprises to address insider threats. While 29% of enterprises reported taking a proactive approach, 30% of respondents rely on real-time reactive measures. More than a third of respondents still resort to post-attack actions, remedying an attack only after it has occurred.
The survey, however, finds 80% of enterprises agreeing that sufficient guidelines would substantially assist threat management efforts, such as those integrated into existing laws such as the PDPA or Employment Act.
With regard to threat mitigation, the enterprises surveyed are well aware of the potential areas of risks where priority detection is most warranted.
The survey shortlisted five major areas that are commonly associated with insider threats. Of these, privileged accounts was identified by two thirds of respondents as the most important place to detect anomalous behaviour, followed by documents and storages by 55% of respondents, and endpoints by 52% of respondents.
Approximately half of the respondents surveyed agree that service accounts and cloud applications were also key areas to monitor for insider attacks.
The need to address tool limitations
The respondents also noted several limitations across existing security tools such as data loss protection (DLP) and zero-trust networks (ZTN) in addressing insider threats. DLP challenges that were cited include the incidences of false positives, policy creation and maintenance, a lack of data context for policy-makers vis-à-vis business teams and a lack of real visibility. Similarly, respondents find that the blanket access granted to insider parties renders ZTN ineffective in guaranteeing the security of enterprise networks and assets.
In terms of accountability in managing enterprise insider threats, the survey finds general consensus among respondents on both IT and Risk and Compliance being the departments that should be at the forefront of implementing insider threat prevention programs. Respondents also see a strong need for the involvement of the Board and HR teams in implementing such programs.