Tackling The Insider Threat: … Where To Start?

Many organisations still believe the definition of an insider threat is limited to a rogue employee purposefully leaking embarrassing information, or nuking a couple of systems when he or she quits and walks out the door with internal or customer data to take to a new job. 

But not all insider threats have to be malicious to cause an incident

Perhaps someone on your marketing team wasn’t aware of their regulatory obligations in handling customer information and handed over a large dataset to a third party processor. In some regions, if the company didn’t get an explicit opt-in from the customer to allow that third party to handle the data, it could be considered a security incident. Or what if someone on the HR team left a flash drive in the lunch room containing personal health information, and that info gets disclosed to other employees? Sure, it may not have been intentional, but it was still an incident caused by an insider.

Taking the threat seriously
Insiders have been behind several significant data breaches, yet many CISOs are still solely focused on keeping the bad guys out, instead of looking within their own company. Richard Henderson, global security strategist at Absolute, a security company offering endpoint visibility and control, believes that this disconnect is due to human nature and behavior.

“No one wants to presume that the people they work with on a daily basis can intentionally or unintentionally cause significant harm to their company,” he says.
“And while building a fortified, walled perimeter and patrolling for signs of attack is an easy decision, it’s not so easy to pivot to newer ways of thinking, like the zero-trust model, or continuous monitoring tools like user/entity behavior analytics. 
“It’s not uncommon to assume that something bad is likely going to happen, but it’s rare to assume it’s because of something someone on your side did.”

Neutralising the Threat
As storage and processing costs continue to plummet on a per-unit basis, it has become more attractive for both malicious and non-malicious insiders to use these technologies to their benefit, Henderson notes. 
“With Internet/Intranet ‘pipes’ larger than they’ve ever been, it can be simple for a malicious insider to hide their goals inside the torrent of traffic that companies have to monitor. 

“At the same time, those very same technologies make it very tempting for employees without nefarious intentions to send data to the cloud, send jobs outside the company for processing, or to merely store confidential information in personal cloud storage so they can easily work from home.”

Neutralising or minimising the insider threat requires a robust and evolved security strategy, he says, but even before that, companies need to gain visibility into all endpoint devices.

If you can’t randomly pick an endpoint device and query it to determine what its current patch status is, what sensitive data resides on it, what software is installed, and where it is physically located, how can you move on to more advanced things like building out a mature insider threat strategy? 

The answer is: you can’t. 
“Everything starts with visibility,” Henderson says. “Visibility into how employees use corporate resources and into how and where data is stored. 

“Visibility into how employees connect to your infrastructure and into the current risk profile of their endpoints. Are they current on patching? How long has a device been outside of the network? Do you have actual visibility of where all your data in your organisation has moved to? Has some of it migrated to the cloud? All of these questions can be addressed with comprehensive asset management and data discovery toolkit.”

Henderson also notes that attempting to spot future malicious insiders during the hiring process is mostly a waste of time.

“We only need to look at the case studies of double-agents or turncoats in the history of intelligence agencies to see that even with the most in-depth, comprehensive, and probing background investigations, there are always going to be insiders that will decide to do something bad,” he notes.
“Circumstances and motivations change for people all the time. We may be able to potentially screen out riskier candidates with larger and more involved background checks, but it will never be able to give a definitive yes or no on someone causing an incident. 
“Those resources would be much better used as investment in other tools that can monitor how employees handle and consume sensitive information.”

Preparing for the Future
It’s difficult to predict the situation we’ll face five years from now. “We could see some organisations make a complete and total move to both virtualised and cloud infrastructures, and we could see others retreat entirely from the cloud,” Henderson points out. But enterprises thinking about security that far ahead should have a plan in place now to actively monitor every single endpoint device in their organization, and that includes contractors they allow to access their internal resources. 

“That monitoring technology needs to look for potential compliance and regulatory violations as well as the movement and storage of important data, whether it be customer or internal data. Knowing what important info exists on your computers allows you to quantify the risks inside your organisation better,” he believes.

Help Net Security

You Might Also Read:

Employees Are Still The Cause Of Most Cyber Breaches:

Businesses Get Better At Detecting Insider Threats:

 

« AI In Conflict: Cyberwar & Robot Soldiers
AI Will Underpin Cybersecurity »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Exploit Database (EDB)

Exploit Database (EDB)

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

Allegro Software

Allegro Software

Allegro provide secure software for the Internet of Things.

Blockchain Slovakia

Blockchain Slovakia

Blockchain Slovakia is a non-profit organization that brings together researchers, developers, entrepreneurs, regulators, investors and the public to support blockchain technology in Slovakia.

macmon secure

macmon secure

macmon secure develops network security software, focussing on Network Access Control.

National Cyber Security Centre (NCSC) - Ireland

National Cyber Security Centre (NCSC) - Ireland

The National Cyber Security Centre (NCSC) is the operational side of the Department of Communications in regard to network and information security in the Republic of Ireland.

Digital Innovation Hub Slovenia (DIH)

Digital Innovation Hub Slovenia (DIH)

DIH Slovenia is a central hub providing services to grow digital competencies in areas including robotics, IoT, cyberphysical systems and cybersecurity.

Uptycs

Uptycs

Uptycs combines the open source universal agent, osquery, with a scalable security analytics platform for fleet visibility, intrusion detection, vulnerability monitoring and compliance.

Lattice Semiconductor

Lattice Semiconductor

Lattice Semiconductor solves customer problems across the network, from the Edge to the Cloud, in the growing communications, computing, industrial, automotive and consumer markets.

ABCsolutions

ABCsolutions

ABCsolutions is dedicated to assisting businesses and professionals achieve compliance with federal anti-money laundering regulations in an intelligent and pragmatic way.

ZARIOT

ZARIOT

ZARIOT's mission is to restore order to what is becoming connected chaos in IoT by bringing unrivalled security, control and quality of service.

Oman Technology Fund (OTF)

Oman Technology Fund (OTF)

Oman Technology Fund aims to make Oman the preferred destination for emerging tech companies in the region, and an attractive and stimulating destination for venture capital.

Encova Insurance

Encova Insurance

Encova’s cyber liability coverage protects you and your customers in case of a security breach in your company's data.

Green Enterprise Solutions

Green Enterprise Solutions

Green Enterprise Solutions are a Namibian company providing Information and Communication Technology (ICT) services to corporate Namibia.

Cyber-Security Council Germany

Cyber-Security Council Germany

The German Cyber Security Council's objective is to consult businesses, government agencies and political decision-makers and to support them against cybercrime.

Chugach Government Solutions (CGS)

Chugach Government Solutions (CGS)

CGS performs work for the Federal Government across 4 unique core lines of business, including: Facilities Management and Maintenance, Construction, Technical IT and Cyber Services, and Educational Se

NVISO Security

NVISO Security

NVISO is a pure-play cyber security consulting firm, focused mainly on the Financial Sector, the Technology Sector, and Government & Critical Infrastructure.