The Insider Threat

For many organisations, the greatest threat to data security is already inside the building, the insider. Whether friend or foe, insider threats can be especially hard to guard against.

In 2016 ISACA ranked insiders as the second highest threat overall next to malware. I suspect the trend will continue and get much worse.

Who are these people? What makes them so dangerous to your data?

For one, since they are already “in house” they have bypassed your perimeter defense. They need only circumvent any internal controls and then… They also have all the inside knowledge they need to cause maximum damage. They know where all the bodies are buried. What corporate assets are of value and what’s not of value. They understand your workflows and can exploit them. And, worse: They could be “power users” or systems administrators.

They can be an employee. Full-time or part-time. In residence, or remote. They can be a contractor. They can be a vendor requiring temporary access (e.g. a telephone system vendor).

Bottom line: If they have any access to your systems, on-site or remote, you need to consider the possibility that they may be an internal threat.

What can you do to prepare, and how do you mitigate an insider threat? Obviously, you must have in place a solid cyber-security program. For this, there is no substitute: You need to understand and valuate your assets, know your threats and vulnerabilities, have deployed controls via a defense-in-depth strategy, have a good incident response team, and employees trained in cyber-security awareness.

But even with a good cyber-security program in place, insider threats require special attention. You need to go above and beyond in order to be protected from them.

First, you start by understanding the nature of the threat itself. There are two broad classes of insider threats: The intentional agent and the unintentional one. If left unchecked, both can wreak havoc with your business. And, both share at least one common profile: They have the means, the motive, and the opportunity.

Their means are many. They can physically exfiltrate the data by removing printouts of sensitive information, even taking pictures of screens with their mobile phones. If they have the right (or wrong!) privileges, they can copy data on USB drives or transmit data to cloud storage. There have even been cases where “administrators” removed terabytes of data on removable hard disks!

What motivates them? The same things that motivate external actors, only they have easier access to your systems! Many are motivated by money. They may be recruited by your competition, a nation-state, or any other “organisation.” They may have a pressing need for money for any number of reasons (e.g. family emergency, debt, drugs, gambling, etc.)

Others may be motivated by ideology (e.g. a disagreement of company or state policies, a sense of “right vs. wrong,” self-righteousness, etc.) Others still may be motivated by personal reasons (e.g. disgruntled employees, various psychopathologies, even “the thrill of it all,” etc.) Finally, they themselves may be the victims of a crime (e.g. blackmail).

No matter what the motive, the insider will always find a way to rationalise their actions, be it to save the world, to save a loved one, to save themselves, or because “they deserve it.”

There is one exception to the above motives list. That is the accidental insider. Someone that “didn’t know any better” and copied half the database to his private cloud so he can work from home! Or, the one that fell for the phishing scam and clicked-that-link, answered the call from Microsoft when that big-bad-red-alert sign popped up while surfing, and so on. Accident or not, the damage is still very real.

Which leaves us with: Opportunity. Insider threats, accidental or not, require it. How do they get it? If the organisation has poor internal controls, that’s all the opportunity they’ll ever need. No one will know, at least no one will know for a while. What are “poor internal controls?” The list is long!

For example, if your firm has poor on-boarding procedures, lax physical security, no training, etc., then the employee may well be able to access data that they shouldn’t. Similarly, there may be poor implementation of technical access controls, no enforcement segregation of duties and “need-to-know” access, even non-existent asset and data classification.

Worse yet, the company may have poorly trained or inexperienced managers in human resource related matters (e.g. performance reviews, employee behavior monitoring and support, confidential employee help resources, etc.), and/or lacking a sophisticated human resource function altogether.

What type of company fits this profile? The majority of small and midsized businesses who are focused day-in, day-out in surviving. Unfortunately, it is these same businesses that frequently cannot even afford to retain cyber-security expertise, much less rolling out a data loss prevention system (DLP). They are the ones that need it most.

In addition to your cyber-security program, what can you do? What are the signs you need to watch for?
Well, like any good profiler, you need to do your homework! Employees that are having problems should be on the top of your list, followed by the disgruntled ones. How do you identify a disgruntled employee? Just monitor their posts on social media like LinkedIn, FaceBook, or “review” sites like Glassdoor.

Look first at “privileged” users. Worrying about the new marketing associate because he’s going through a nasty divorce is prudent, but less serious than the V.P. with the gambling problem. Think privilege, consider the motive, limit the opportunity.

Next, sensitize your employees to “abnormal behavior.” If you have an HR function, make sure they are engaged. Gather intelligence:

Is someone that never worked late spending endless nights in the office? Are they surfing the file server in areas outside their work scope? Are they constantly “making backups” on USB or accessing cloud storage? Perhaps they are accessing the site remotely all the time? Did they jump ship from your competitor? Could they be a “plant?” Are they still a bit too close with their ex-colleagues at the competition? Are they stressed out of their minds? Are they “living large” on an associate’s salary? Are they “paranoid” of their boss or others?

Talk to your employees, offer your support and help as appropriate, or separate from them permanently and cleanly if you have to. Your detective work, plus a solid cybersecurity program implementation can make all the difference. Stay vigilant, stay engaged, and stay safe.

Information Managment

You Might Also Read: 

 Cyber Security Checklist For Management (£):

Employees That Cause Data Breaches:

 

« Google Wants To Mimic The Human Brain
Guide to Russian Infrastructure Hacking »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Conscio Technologies

Conscio Technologies

Conscio Technologies is a specialist in IT security awareness. Our solutions allow you to easily manage innovative online IT awareness campaigns.

MSAB

MSAB

MSAB is a pioneer in forensic technology for mobile device examination.

ID Agent

ID Agent

ID Agent provides a comprehensive set of threat intelligence and identity monitoring solutions.

CIRISK

CIRISK

CIRISK offers a wide range of services from consulting to audit or project management to help you develop your cyber security or information security strategy.

Eperi

Eperi

Eperi is a leading provider of Cloud Data Protection (CDP) solutions with 15 years of experience in data encryption for databases, (SaaS) applications and files.

FifthDomain

FifthDomain

We are a specialist cyber security education and training company tackling the global cyber security skills shortage.

Yellow Brand Protection

Yellow Brand Protection

Yellow Brand Protection operates 24/7 to protect brands' Intellectual Property (IP) from infringements on all kinds of online distribution channels.

Netsurion

Netsurion

Netsurion powers secure and agile networks for highly distributed and small-to-medium enterprises and the IT providers that serve them.

Kontex

Kontex

Kontex is a Cyber Security consultancy creating resilient solutions. From Strategy, Advisory and Implementation to Management and everything in between.

Cyber-Security Council Germany

Cyber-Security Council Germany

The German Cyber Security Council's objective is to consult businesses, government agencies and political decision-makers and to support them against cybercrime.

NetApp

NetApp

The NetApp portfolio includes intelligent cloud services, data services, and storage infrastructure that helps organizations manage applications and data everywhere across hybrid cloud environments.

ResilientX

ResilientX

ResilientX is an All-In-One Security Testing Platform designed to help MSPs and SMBs to perform their security testing and assessments without having to outsource IT.

Cool Waters Cyber

Cool Waters Cyber

Cool Waters Cyber manage cyber security governance, risk and compliance.

NetDescribe

NetDescribe

NetDescribe, part of Xantaro Group, advises and supports companies in building secure and stable IT environments.

Metrodata Group

Metrodata Group

PT. Metrodata Electronics, known as Metrodata Group, is the leading information communication technology company in Indonesia.

Triovega

Triovega

Triovega are a leading provider for production security and efficiency. Our solutions enhance OT security, and reduce production downtime.