In an increasingly digital world, Australian businesses are more vulnerable than ever to one of the most dangerous yet underestimated cybersecurity risks: insider threats.
These threats, which originate from within an organisation, pose a unique challenge as they often fly under the radar due to the use of valid credentials and seemingly legitimate access. However, they are potent and can result not just in loss of brand reputation but also cost organisations millions in revenue disruption, as evidenced by the recent breach at UK retailer Marks & Spencer, which is expected to cost the company £300m in lost profits.
Unlike external cyberattacks, insider threats are particularly difficult to detect. They typically involve employees, contractors, or business partners who either intentionally or unintentionally misuse access privileges.
This complexity is amplified when cybercriminals compromise these insiders’ credentials, turning them into unwitting accomplices.
Understanding the insider threat landscape
An insider’s access to an organisation’s most valuable assets makes these attacks harder to identify and remediate. The impacts of the threats are far-reaching and have the potential to cause irrevocable financial damage.
Beyond these financial losses, organisations that fall victim to insider attacks can also face severe reputational and regulatory repercussions. To overcome this challenge, organisations need to take a smarter, more proactive security approach.
Insider threats can originate with authorised users, such as employees, contractors, and business partners, who intentionally or accidentally misuse their legitimate access, or have their accounts hijacked by cybercriminals.
The amount of sensitive data at risk from an insider threat is massive. Common targets for insider threats are financial reporting data, customer data, product or technical documents, and employee data.
There are several types of insider threats of which organisations need to be aware:
- Malicious insiders: Typically, malicious insiders are employees or contractors who act with the deliberate aim of stealing information or disrupting operations.
- Negligent insiders: Negligent insiders are employees who do not follow proper IT procedures.
- Compromised insiders: The most common examples of compromised insiders are employees who have had their devices infected with malware or their credentials compromised. Earlier this year, by way of example, Coinbase experienced a data breach that resulted in unauthorised access to customer data and a US$20m ransom demand. The breach, which resulted from an employee of an Indian IT sourcing company, led to the exposure of personal information of just under 70,000 Coinbase users and cost the organisation hundreds of millions of dollars in remediation.
Why traditional security measures fall short
Procedures and controls are the essential first line of defence against insider threats. However, many traditional security tools were designed to detect incoming attacks rather than analyse valid credential use and activity.
Augmenting an organisation’s security information and event management (SIEM) platform with an advanced user and entity behaviour analytics (UEBA) solution employs an intelligent approach to overcome this challenge.
It uses variations of artificial intelligence (AI) and machine learning (ML), data enrichment, and data science to improve threat detection, investigation, and response (TDIR) for insider threats.
Leveraging UEBA enables organisations to stop insider threats before they become incidents in several ways:
- Signature-free incident detection: UEBA tools use advanced analytics to detect abnormal and risky activity, eliminating the need for predefined correlation rules or threat patterns. They deliver meaningful alerts with minimal setup and tuning, reducing false alarms. With UEBA tools, security teams can conduct in-depth investigations into suspicious activities earlier in the attack cycle to uncover hidden insider threats faster.
- Dynamic peer grouping: UEBA not only performs behavioural baselining of individual entities but also dynamically groups similar entities, such as users from the same department or IoT devices of the same class. This allows the analysis of normal collective behaviour across the entire group and identifies individuals exhibiting risky behaviour.
- Real-time alerts: UEBA tools continuously analyse network activity, allowing security teams to detect insider threats as they occur. This is crucial in today’s threat landscape, where threats can proliferate and cause damage in a matter of minutes. Once a threat is detected, UEBA tools can send out alerts in real time. This enables security teams to respond swiftly and mitigate the threat before it can cause significant damage.
- Automation and response: A key feature of modern UEBA tools is their ability to automate and orchestrate various security tasks. Automation allows these tools to execute predefined actions automatically when certain criteria are met. For example, if the system detects multiple failed log-in attempts from a user within a short period, it can automatically lock the account to prevent unauthorised access.
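To make the four capabilities above concrete, here is an added, self-contained example (not code from the article or from any UEBA product) that scores a day of constructed download telemetry against each user's own baseline and against a leave-one-out peer group from the same department, then applies the failed-login lockout response the last bullet describes to constructed auth log lines. The event schema, the log line format, the user names and the thresholds are all assumptions made for the illustration; a real deployment would pull these from the SIEM and route the response through a playbook.

```python
"""UEBA-style behavioural baselining and automated response over constructed data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed five-day history of daily download volume (MB) per user.
# Schema (assumed, not taken from any real SIEM): (user, department, day, mb_downloaded)
HISTORY = [
    ("alice", "finance", 1, 40), ("alice", "finance", 2, 55), ("alice", "finance", 3, 50),
    ("alice", "finance", 4, 45), ("alice", "finance", 5, 60),
    ("bob", "finance", 1, 50), ("bob", "finance", 2, 45), ("bob", "finance", 3, 55),
    ("bob", "finance", 4, 50), ("bob", "finance", 5, 50),
    ("carol", "finance", 1, 30), ("carol", "finance", 2, 35), ("carol", "finance", 3, 40),
    ("carol", "finance", 4, 35), ("carol", "finance", 5, 30),
    # dan has always pulled far more than his peers: normal for him, abnormal for the group
    ("dan", "finance", 1, 400), ("dan", "finance", 2, 400), ("dan", "finance", 3, 400),
    ("dan", "finance", 4, 400), ("dan", "finance", 5, 400),
]
# Constructed observations for the day being scored (alice's 2000 MB is the planted anomaly).
TODAY = {"alice": 2000, "bob": 52, "carol": 38, "dan": 400}


def baseline(values, stdev_floor=5.0):
    """Mean and population stdev; the floor stops a flat history flagging trivial variation."""
    return mean(values), max(pstdev(values), stdev_floor)


def zscore(value, stats):
    m, s = stats
    return (value - m) / s


def score_day(observations, history, threshold=3.0):
    """Score each user's observation against its own baseline and against its department peers.

    Peer stats exclude the subject (leave-one-out), so a persistent outlier like dan cannot
    pull the group norm towards himself. Returns {user: {self_z, peer_z, anomalous}}.
    """
    own = defaultdict(list)
    dept_of = {}
    for user, dept, _, mb in history:
        own[user].append(mb)
        dept_of[user] = dept
    results = {}
    for user, mb in observations.items():
        peers = [v for u, d, _, v in history if d == dept_of[user] and u != user]
        self_z = zscore(mb, baseline(own[user]))
        peer_z = zscore(mb, baseline(peers))
        results[user] = {
            "self_z": round(self_z, 2),
            "peer_z": round(peer_z, 2),
            "anomalous": self_z >= threshold or peer_z >= threshold,
        }
    return results


# Constructed auth log lines in an assumed format; dave's five failures land within ~60 s.
AUTH_LOG = """\
2025-06-01T09:00:01 user=dave result=FAIL src=10.0.0.5
2025-06-01T09:00:12 user=dave result=FAIL src=10.0.0.5
2025-06-01T09:00:25 user=dave result=FAIL src=10.0.0.5
2025-06-01T09:00:41 user=dave result=FAIL src=10.0.0.5
2025-06-01T09:01:03 user=dave result=FAIL src=10.0.0.5
2025-06-01T09:00:30 user=erin result=FAIL src=10.0.0.9
2025-06-01T09:00:50 user=erin result=OK src=10.0.0.9
2025-06-01T11:00:00 user=erin result=FAIL src=10.0.0.9
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(\S+) src=(\S+)$")


def respond_to_failed_logins(log_text, window=timedelta(minutes=5), max_failures=5):
    """Sliding-window count of failures per user; returns the predefined action per offender."""
    recent = defaultdict(deque)
    actions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "FAIL":
            continue
        ts, user = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            actions[user] = "lock_account"  # the automated response from the bullet above
    return actions


if __name__ == "__main__":
    for user, r in score_day(TODAY, HISTORY).items():
        print(user, r)
    print(respond_to_failed_logins(AUTH_LOG))
```

Running it shows the two detection paths diverging: alice is flagged by her own baseline (a 2000 MB day against a 40 to 60 MB history), while dan scores 0.0 against himself and is only caught by the peer comparison, which is exactly the case the dynamic peer grouping bullet is about. Only dave's burst of failures triggers the lockout; erin's two failures two hours apart do not.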
While AI-driven tools like UEBA are essential, technology alone cannot solve the insider threat problem. A strong security posture also requires a culture of vigilance and accountability.
Regular employee education and training are critical components of this approach. Staff must be taught to recognise phishing attempts, follow access protocols, and report suspicious activity without hesitation.
Organisations should also implement clear access controls and ensure that employees only have access to the data necessary for their roles. Periodic audits can help enforce these policies and catch anomalies before they escalate.
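The access-control and audit advice above is easy to state and hard to keep true over time, so here is an added example (not part of the article) of the kind of periodic check that enforces it: a script that compares each user's actual grants with the entitlements of their role, flags anything outside the role, flags in-role permissions that have gone unused, and flags accounts that still hold grants but no longer appear in the directory. The role matrix, user list, grants and last-used figures are constructed for the illustration.

```python
"""Least-privilege audit over constructed identity data (illustrative, not a product)."""

# Constructed role-to-permission matrix: what each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"erp:read", "reports:read"},
    "hr_partner": {"hris:read", "hris:write"},
    "engineer": {"repo:read", "repo:write", "ci:run"},
}
# Constructed directory: user -> role. dave has left and is no longer listed.
USERS = {"alice": "finance_analyst", "bob": "engineer", "carol": "hr_partner"}
# Constructed effective grants as exported from the IdP / resource ACLs.
GRANTS = {
    "alice": {"erp:read", "reports:read", "hris:read"},              # hris:read is outside her role
    "bob": {"repo:read", "repo:write", "ci:run", "prod-db:admin"},  # prod-db:admin is not in role
    "carol": {"hris:read"},                                          # fewer than role allows: fine
    "dave": {"erp:read", "reports:read"},                            # orphaned account
}
# Constructed days since each (user, permission) was last exercised.
LAST_USED_DAYS = {
    ("alice", "erp:read"): 2, ("alice", "reports:read"): 10, ("alice", "hris:read"): 200,
    ("bob", "ci:run"): 120, ("bob", "prod-db:admin"): 3,
    ("bob", "repo:read"): 0, ("bob", "repo:write"): 1,
    ("carol", "hris:read"): 1,
}


def audit_access(users, roles, grants, last_used, stale_after_days=90):
    """Return (user, permission, finding) tuples for excess, stale and orphaned access."""
    findings = []
    for user, role in users.items():
        allowed = roles[role]
        for perm in sorted(grants.get(user, set())):
            if perm not in allowed:
                findings.append((user, perm, "excess"))       # grant the role does not justify
            elif last_used.get((user, perm), 0) > stale_after_days:
                findings.append((user, perm, "stale"))        # justified but unused: candidate to remove
    for user in grants:
        if user not in users:
            findings.append((user, "*", "orphan"))            # grants with no directory owner
    return findings


if __name__ == "__main__":
    for finding in audit_access(USERS, ROLE_ENTITLEMENTS, GRANTS, LAST_USED_DAYS):
        print(*finding)
```

Each finding maps to a concrete remediation: excess grants are removed or ticketed for justification, stale grants are removed after confirmation with the owner, and orphaned accounts are disabled. Run on a schedule, the same comparison also surfaces the slow privilege creep that a behavioural tool has no reason to alert on, because nothing about it looks anomalous day to day.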
A future-proof strategy
As cyberthreats grow more advanced, so too must the defences of Australian businesses. Insider threats, while challenging, are not insurmountable. By combining advanced analytics with smart policy enforcement and employee education, organisations can significantly reduce their risk.
UEBA represents a major shift in how businesses defend against internal risks, offering a proactive, intelligent approach to identifying and neutralising threats before they cause serious harm.
In a climate where data is currency and trust is critical, defending against insider threats is not just a technical necessity – it’s a business imperative.