Insider threats in cybersecurity are malicious actions or breaches of trust by people who have authorized access to an organization’s network, data, or systems. (Image generated by AI).

Insider threats on the rise in Thailand

  • Insider threats remain a big cybersecurity problem for organizations. 
  • A report shows an increase in insider threat activities in Thailand.
  • The report also states that employees tend to leak data by accident, which could end up being a bigger problem – insider incompetence.

While ransomware remains one of the biggest problems in cybersecurity, insider threats can be a far bigger crisis for organizations. Insider threat attacks can occur anytime and some may even end up causing more damage than a ransomware attack or any other type of cybersecurity incident.

Insider threats in cybersecurity are malicious actions or breaches of trust by people who have authorized access to an organization’s network, data, or systems. These people can be current or former employees, contractors, partners, or vendors. Insider threats can cause significant damage to an organization’s reputation, finances, operations, or security.

Ponemon Institute’s 2022 Cost of Insider Threats: Global Report reveals that insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third to US$15.38 million. The time to contain an insider threat incident increased from 77 days to 85 days, leading organizations to spend the most on containment as well.

Some examples of insider threats are:

  • Data theft: An insider may steal sensitive or confidential data for personal gain, such as selling it to competitors or hackers, or using it for blackmail or extortion.
  • Data sabotage: An insider may intentionally delete, alter, or corrupt data to harm the organization or its customers, such as erasing backups, planting malware, or falsifying records.
  • Data leakage: An insider may unintentionally or carelessly expose data to unauthorized parties, such as sending it to the wrong recipient, using unsecured devices or networks, or losing a laptop or USB drive.

One company that has actually witnessed insider threat cyberattacks more than once is Tesla. Investigations of a recent cybersecurity incident revealed that two former employees leaked more than 75,000 individuals’ personal information to a foreign media outlet. Prior to this incident, there had been reports that Tesla workers shared sensitive images recorded by customer cars.

One way to mitigate an insider threat is to train your employees to recognize some common behavioral indicators among their colleagues.

Insider threats in Thailand

In 2022, the National Cyber Security Agency of Thailand registered a total of 835 cyber threats against public and private organizations in the country. Cyberthreats against educational institutions made up 325 of that number. This was followed by threats against government agencies that are part of the non-critical information infrastructure (non-CII), amounting to 243.

Statistics also show that between the first quarter of 2020 and the second quarter of 2023, the number of records exposed in account breaches in Thailand fluctuated significantly. The number of impacted datasets reached its peak in the fourth quarter of 2020 before sharply declining after 2021. Approximately 201,000 datasets were reported as having been leaked in the second quarter of 2023, compared to around 64,400 during the first quarter of the same year.

But what actually caused these incidents? While there are many causes for cybersecurity incidents, a report based on a survey conducted by SearchInform revealed that 46.4% of Thai companies’ representatives noticed an increase in information security incidents caused by employees during this year. Moreover, 35.7% of them named internal incidents as more dangerous than external attacks.

The survey questioned an admittedly small pool of 28 representatives of Thai companies from both governmental and non-governmental organizations. The opinion of 46.4% of those interviewed (so, between 12 and 14 people) was that employees more frequently tend to leak data by accident, while 35.7% believe that insiders more often cause such incidents deliberately. At the same time, over 57% of respondents admitted facing data-related incidents due to employee mistakes.

Half of the respondents revealed that the organizations in which they work had experienced an attempt by discharged employees to leak data, while 32.1% of those surveyed said discharged workers had attempted to access corporate infrastructure via a personal account, or with the help of onboard employees.

The majority of those who were interviewed claimed that personal data leaks happen more often in comparison to other types of data breaches. 21.4% of participants named legal information, and accounting and financial documents as the most frequently leaked data.

“We are confused by the fact of low information security protection among Thai businesses and institutes. We see that 75% of companies implemented antivirus protection, but even this solution is not used by all. On DLP, companies in Thailand are at the beginning of the journey – only around 14% of organizations have implemented DLP. However, it is critical to protect data by local and international laws”, said Alexey Pinchuk, chief business development officer of SearchInform.

Thailand has witnessed an increase in insider threats. (Image generated by AI).

Preparing for risks

The percentage of Thai companies that notified the affected parties in the aftermath of a data leak and the percentage who didn’t notify anyone was equal at 25%. The top three riskiest channels in terms of data leaks, according to the research, are cloud storage, storage devices (USB) and mobile devices, and email.

Judging by the results of the survey, almost half of Thai companies experienced information security incidents caused by insiders in the past year. Around 36% of those who were surveyed named internal attacks as more dangerous than external ones. The reason is simply that insider threats can be deadlier and costlier as they are not only harder to detect but also have access to a lot more data without triggering anywhere near as many security protocols.

But the survey also highlighted that nearly half of the respondents believed that employees tend to leak data by accident, while more than 50% of those surveyed had experienced such incidents in the past. While these may seem harmless at first, the risks such incidents bring can be catastrophic if the issues are not addressed and mitigated fast.

The most widespread type of information security incident was data leakage, with half of those surveyed experiencing data loss caused by a discharged employee. The most frequent information security incident was also data leakage, while cloud storage was named as the most dangerous communication channel in terms of information security risks.

As such, to prevent or mitigate insider threats, organizations need to implement a comprehensive strategy that includes:

  • Risk assessment: Identify the most valuable and vulnerable data and systems, and the potential sources and motives of insider threats.
  • Security awareness: Educate and train employees on the importance of data protection, the signs of insider threats, and the reporting procedures.
  • Access control: Limit and monitor the access and privileges of users based on their roles and responsibilities, and revoke them when they are no longer needed.
  • Data protection: Encrypt, back up, and audit data regularly, and use tools such as data loss prevention (DLP) and digital rights management (DRM) to prevent unauthorized copying or sharing.
  • Incident response: Detect and respond to insider threats quickly and effectively, and conduct investigations and forensics to determine the cause and impact of the incident.

Businesses need to be prepared for all sorts of threats, be they caused by external or internal threat actors. That means having as robust a strategy in place to deal with insider threat (and insider incompetence) as there is to deal with malware or ransomware.