IBM, the largest industrial research organisation in the world, has found that malicious insider threats caused the most expensive data breaches in 2024 – costing an average of $4,99-million per incident – and these already-elusive breaches are becoming harder to detect, says cybersecurity group, NordLayer.
As trusted members of an organisation, employees can inadvertently or maliciously engage in risky cybersecurity behaviour that is harder to detect and can lead to data breaches costing millions of dollars to remediate.
Andrius Buinovskis, a cybersecurity expert at NordLayer, says that as more companies adopt a browser-first approach, mitigating insider threats will become even more challenging due to the limited visibility security administrators have into employee activity within the browser.
Cybersecurity risks that originate from within a company are referred to as insider threats. The term encompasses all threats emerging from dangerous employee activity, whether intentional or not. Deliberate employee actions – such as selling confidential data to competitors or leaking private information out of spite – are also called malicious insider threats.
Buinovskis explains several reasons why these cybersecurity incidents can pack a hefty punch.
“Employees have access to incredibly sensitive data and resources which, when leaked, can have devastating consequences to a company’s reputation, result in GDPR fines, or be used for ransomware demands,” says Buinovskis. “Insider threats pose a significant danger due to their high impact, but they’re also harder to detect. Employees are trusted members of the organisation, and their malicious actions can blend in with usual activity, potentially going unnoticed for months.”
Buinovskis highlights that spotting malicious activity inside the organisation has become even more challenging due to the rise of Web-based software as a service (SaaS) applications.
“Consumer-grade browsers do not offer security admins a comprehensive view into employee activity, creating the perfect environment to carry out malicious activities without getting caught,” says Buinovskis. “As a result, the risk of data exfiltration, sharing credentials and confidential information, data theft, unauthorised Web application use, and even sabotage by deleting or modifying critical information are all amplified in cloud-first, browser-heavy working environments.”
He explains that in traditional IT environments these threats can be mitigated by ADR (automated detection and response) and XDR (extended detection and response), which observe network connections, file-based systems, and desktop applications. However, their visibility into browser activity is very limited: for example, they cannot distinguish normal work tasks from data exfiltration, or tell which records were accessed or downloaded.
Additionally, consumer-grade browsers do not offer the possibility of enforcing centralised security controls. Consequently, employees can act as they please: download malicious browser extensions, screenshot or copy sensitive data, and share it with outside parties – all of which can lead to devastating data breaches.
“Companies are shifting to a browser-based working environment for greater efficiency and collaboration,” Buinovskis says. “However, as the reliance on the browser continues to grow, so will the cyberrisks. This is especially true for small to medium businesses that might not even have had robust ADR and XDR solutions in the first place and now, consequently, have even less observability into their employee activity.”
Buinovskis explains that investing in cybersecurity awareness training for employees is the first step in mitigating unintentional insider threats. However, he emphasises that businesses need to have comprehensive defences in place to safeguard against employee error and malicious insiders.
“The longer malicious employee activity remains undetected, the greater its impact and the more extensive the resulting damage,” he says. “This underscores the importance of robust observability and rapid incident response.
“Companies must prioritise strict access controls, strong user authentication, and continuous employee activity monitoring to mitigate insider threats effectively,” Buinovskis adds. “For organisations operating in a Web-based SaaS environment, leveraging the built-in security tools and enhanced observability of an enterprise browser is essential for comprehensive protection.”