
How to safeguard your business against insider cybersecurity threats

Lev Matveev set up SearchInform more than 20 years ago. It opened an office in Dubai in 2023
In association with

by Lev Matveev, founder of SearchInform

The number of cyber incidents is constantly increasing in the UAE. A study conducted by Kaspersky Lab reveals that 87 percent of companies have encountered cyber incidents in the past two years alone.

Furthermore, 2024 has seen a 30 percent increase in insider attacks, which encompass both intentional and accidental breaches of personal data, theft of company databases, violations of information security protocols by employees, internal fraud and stealing. In response to these growing threats, a variety of measures are being developed and implemented to enhance cybersecurity across the region.

What does SearchInform do?

SearchInform is an information security and risk management product vendor and internal threat protection MSS provider.

We have been dedicated to developing information security software for more than 20 years. Our solutions are designed to prevent the leakage of valuable and confidential information, safeguard against corporate fraud, document forgery, theft, and unfair competition, as well as to combat lobbying efforts.

They also assist in achieving compliance with regulatory requirements, such as the Federal Decree Law No. 45 of 2021 Regarding the Protection of Personal Data, also known as the Personal Data Protection Law.

Additionally, our software plays a crucial role in identifying resource misuse and inefficient business processes.

We ventured into the Mena market in 2019 by selling product licenses, and in 2023, we established our own office in Dubai, offering information security outsourcing services to businesses and organisations in the UAE. This approach is unique, as all tasks related to safeguarding against insider threats are managed by the service provider.

We supply software, including DCAP and DLP systems, and we also assign an information security analyst to the client. This analyst will work with existing systems to furnish the customer with reports. The service operates on a subscription basis.

Dr Al-Kuwaiti has recently announced the adoption of the new cybersecurity strategy. Does SearchInform support such strategic initiatives?

The detailed text of the document isn’t available just yet, but the discussion of cybersecurity at the highest levels in the UAE is a very promising sign! Constructing a digital state without an information security strategy is like building a house without a solid foundation.

Even before the adoption of this strategy, Dr Al-Kuwaiti prioritised the aim of data protection, saying that “data is the new oil, and protecting it is crucial for the integrity and trust of our digital economy”. I should note that recently the focus has shifted to protecting against insider threats, which cause the most serious damage. The majority of successful so-called external attacks occur with the intentional or accidental involvement of insiders.

To substantiate my claims, I shall provide some figures. In 2023, over 72 percent of organisations in the UAE experienced data loss due to internal actions. Furthermore, according to the State of the UAE Cybersecurity Report 2024, which is set to be published at the end of 2024, the UAE has noted a nearly 30 percent rise in incidents related to insider threats.

So, are hacker threats being overstated and should we be more concerned about protecting ourselves from insiders instead?

Certainly, external threats pose a considerable danger. However, the world has grown accustomed to defending itself against them. What’s more concerning are the internal threats, which have long been out of sight. Thankfully, the situation is now improving. 

How exactly is the situation improving?

In the UAE, the importance of defending against insider threats was emphasised by Lt Col Saeed AlShebli, deputy director of digital security department ministry of interior for the UAE.

The expert highlighted one of the key practical measures for ensuring protection as the implementation of Data Loss Prevention (DLP) and Security Information and Event Management (SIEM) systems, which help to prevent data leaks and mitigate harmful user behavior.

The UAE Information Assurance Regulation, issued by the United Arab Emirates Telecommunications and Digital Regulatory Authority, also advises the implementation of Data Loss Prevention (DLP) as a means of safeguarding against information leaks. Thus, it is apparent that this issue has been recognised at the governmental level.

The reality is that not all companies have the resources to implement these systems. There is a shortage of specialists who can work with such protective solutions, and many lack the experience and budget necessary for the deployment of security software.

To ensure that as many companies and organisations as possible can safeguard themselves against insider threats and tackle these longstanding challenges, we have developed and introduced information security outsourcing to the local market.

This service offers comprehensive turnkey protection, making security accessible and affordable. We regard this as an opportunity to contribute to the advancement of cybersecurity in the UAE and support the achievement of strategic initiatives.

How does MSS enhance the security of organisations and businesses in practice?

Due to a shortage of specialists and budget constraints, many organisations do not implement security software at all and remain “easy targets” for unscrupulous employees. To remedy this, the client has to purchase licences for security software, acquire the necessary hardware for the software, or hire an information security specialist with rare skills and pay the salary. All of this could cost a company with 100 PCs around AED 414,000 a year. 

In the case of MSS, payments are made on a subscription basis. For the same organisation with 100 PCs, the cost would be approximately AED 14,000 per month to provide protection, which is quite reasonable for an organisation of this size.

Our specialists implement the software, including DCAP and DLP systems, in the cloud – either on our side or on the client’s, as per the agreement. An experienced information security specialist reaches out to the client to discuss control priorities and gather essential information regarding the business processes.

Following this, regular monitoring commences, during which the analyst safeguards the company’s assets, identifies any employees’ violations, prevents information security incidents, and assists in meeting regulatory requirements.

All activities occur within a secure perimeter, and the analyst signs a Non-Disclosure Agreement (NDA) with the client. The client always has the option to adjust protection priorities or assign new tasks – the service offers highly flexible customisation options.

The service not only provides comprehensive business protection, but also fulfils the tasks of a reliable business assistant, which is an essential factor in today’s landscape.

What incidents do SearchInform’s specialists most frequently prevent and detect for local clients?  

There is a set of incidents that analysts identify in the majority of organisations: attempts to leak valuable or confidential information (including PII, know-how, financial documents); internal fraud (document or signature forgery, theft, kickbacks); misuse of corporate resources and equipment; complete idleness; internal disputes and dismissals; “insecure” user behavior.

What are the consequences of internal information security incidents?

For instance, leaked PII could enable attackers to execute successful social engineering campaigns. Similarly, leaked technical details, such as network topology, might empower external attackers to carry out a sophisticated assault on an organisation.

Furthermore, leaked know-how could allow competitors to gain access to advanced technology, thereby jeopardising the success or even the very existence of a business. Additionally, leaked commercial information could adversely affect a company’s financial performance. Lastly, data breaches in government organisations may pose a threat to national security.

What type of incidents would SearchInform’s specialists rank second?

Corporate fraud is a significant concern, with document forgery among the most serious and commonly identified incidents. An example of this would be inflating the cost of a purchase or awarding an unspecified bonus.

However, a far more insidious scenario could arise, such as the forgery of a responsible employee’s signature to falsely indicate successful testing of a prototype.

Here’s a case study from the realm of outsourcing. A company employee became involved in the forgery of bank seals on payment orders. Initially, she was diligent in her role within procurement, but after some time, she began to compile a “collection” of various commercial proposals and devised a fraudulent scheme.

Prior to making any purchases, rather than genuinely collecting partners’ commercial proposals, the manager agreed with a company to lobby for a fee and manipulated the remaining proposals in Photoshop, deliberately substituting them with less favourable prices.

Consequently, it appeared that the “appropriate” commercial proposal was, in fact, the most advantageous, although this was far from the truth. As a result, the employer faced regular financial losses amounting to tens of thousands of dirhams.

What does “dangerous user behaviour” mean in professional terms?

This is a broad group of risks where it is impossible to foresee all scenarios in advance. Therefore, constant monitoring by an analyst is required. For example, working with potentially dangerous websites that are not related to the employee’s work tasks may cause damage to the employee’s PC.

Interaction with phishing emails will lead to infection of an employee’s PC with ransomware, which will further affect the organisation’s infrastructure. The same applies to “shadow” software that employees might install on corporate computers without authorisation.

By the way, another case from practice: our analysts recently saved a client tens of thousands of dirhams a month by identifying which software applications were not actually used by the employees. This revelation enabled them to stop subscribing to those services, resulting in substantial monthly savings.

Do you think that idleness and misuse of corporate resources are also information security risks?

It might not be immediately apparent, but the answer is a definite yes. Systematic idleness often leads to consistent shortfalls in profits, as well as direct costs associated with maintaining employees who are occupied with activities unrelated to work during working hours.

For instance, in a company with 100 employees, the average monthly losses due to idleness could exceed AED 250,000. Furthermore, such behavior from certain employees tends to demotivate their colleagues as well.

What are the risks originating from internal conflicts and dismissals?

Here is a practical example. An analyst found inefficiencies within one of the client company’s departments. Upon further investigation, it became clear that the issue lay with the department head. The workload was distributed poorly, and the manager spent the majority of his time on external activities unrelated to his role, whilst making inappropriate comments about his team.

The situation reached a point where an employee with notable expertise in his field started actively browsing job search websites and sending out his CV. Our analyst promptly gathered evidence and reported on the situation to the company’s management. This allowed managers to discipline the problematic line manager and bring order to the department.

Consequently, thanks to the service, the company managed to avert the dismissal of valuable employees, enhance the department’s efficiency, and ultimately retain resources. 

What are the essential steps to take in order to safeguard a company against internal threats?

Firstly, it is crucial not to overlook that information security is an integral part of the corporate culture. This is a responsibility that rests with every employee, from those on the frontline to senior management, as well as IT and information security specialists.

It is vital to ensure that the team stays informed about risks and threats, to carry out awareness initiatives regarding data handling practices, and to emphasise that data is an asset, much like office equipment and computers.

Furthermore, please ensure you comply with the practice of “limited data sharing” and refrain from using unlicensed software. As for practical technical measures, the comprehensive list will vary depending on the unique circumstances of each company, its current business processes, and its team.

However, there are several measures that ought to be executed across all organisations:

  • Implement an antivirus solution; ideally, consider deploying an EDR platform instead.
  • Classify data within the corporate infrastructure and assign appropriate access rights to information.
  • Safeguard the channels used for transmitting information.
  • Restrict or prohibit the transmission of confidential information through unauthorised channels and limit the use of personal communication channels on work devices.
  • Ensure continuous monitoring of all activities occurring within the organisation.

Contact SearchInform

SearchInform offers a free 30-day trial, during which it will audit your business protection and reveal any weaknesses. Sign up for the free trial today.
