The Insider Threat

For many organisations, the greatest threat to data security is already inside the building, the insider. Whether friend or foe, insider threats can be especially hard to guard against.

In 2016 ISACA ranked insiders as the second highest threat overall next to malware. I suspect the trend will continue and get much worse.

Who are these people? What makes them so dangerous to your data?

For one, since they are already “in house” they have bypassed your perimeter defense. They need only circumvent any internal controls and then… They also have all the inside knowledge they need to cause maximum damage. They know where all the bodies are buried. What corporate assets are of value and what’s not of value. They understand your workflows and can exploit them. And, worse: They could be “power users” or systems administrators.

They can be an employee. Full-time or part-time. In residence, or remote. They can be a contractor. They can be a vendor requiring temporary access (e.g. a telephone system vendor).

Bottom line: If they have any access to your systems, on-site or remote, you need to consider the possibility that they may be an internal threat.

What can you do to prepare, and how do you mitigate an insider threat? Obviously, you must have in place a solid cyber-security program. For this, there is no substitute: You need to understand and valuate your assets, know your threats and vulnerabilities, have deployed controls via a defense-in-depth strategy, have a good incident response team, and employees trained in cyber-security awareness.

But even with a good cyber-security program in place, insider threats require special attention. You need to go above and beyond in order to be protected from them.

First, you start by understanding the nature of the threat itself. There are two broad classes of insider threats: The intentional agent and the unintentional one. If left unchecked, both can wreak havoc with your business. And, both share at least one common profile: They have the means, the motive, and the opportunity.

Their means are many. They can physically exfiltrate the data by removing printouts of sensitive information, even taking pictures of screens with their mobile phones. If they have the right (or wrong!) privileges, they can copy data on USB drives or transmit data to cloud storage. There have even been cases where “administrators” removed terabytes of data on removable hard disks!

What motivates them? The same things that motivate external actors, only they have easier access to your systems! Many are motivated by money. They may be recruited by your competition, a nation-state, or any other “organisation.” They may have a pressing need for money for any number of reasons (e.g. family emergency, debt, drugs, gambling, etc.)

Others may be motivated by ideology (e.g. a disagreement of company or state policies, a sense of “right vs. wrong,” self-righteousness, etc.) Others still may be motivated by personal reasons (e.g. disgruntled employees, various psychopathologies, even “the thrill of it all,” etc.) Finally, they themselves may be the victims of a crime (e.g. blackmail).

No matter what the motive, the insider will always find a way to rationalise their actions, be it to save the world, to save a loved one, to save themselves, or because “they deserve it.”

There is one exception to the above motives list. That is the accidental insider. Someone that “didn’t know any better” and copied half the database to his private cloud so he can work from home! Or, the one that fell for the phishing scam and clicked-that-link, answered the call from Microsoft when that big-bad-red-alert sign popped up while surfing, and so on. Accident or not, the damage is still very real.

Which leaves us with: Opportunity. Insider threats, accidental or not, require it. How do they get it? If the organisation has poor internal controls, that’s all the opportunity they’ll ever need. No one will know, at least no one will know for a while. What are “poor internal controls?” The list is long!

For example, if your firm has poor on-boarding procedures, lax physical security, no training, etc., then the employee may well be able to access data that they shouldn’t. Similarly, there may be poor implementation of technical access controls, no enforcement segregation of duties and “need-to-know” access, even non-existent asset and data classification.

Worse yet, the company may have poorly trained or inexperienced managers in human resource related matters (e.g. performance reviews, employee behavior monitoring and support, confidential employee help resources, etc.), and/or lacking a sophisticated human resource function altogether.

What type of company fits this profile? The majority of small and midsized businesses who are focused day-in, day-out in surviving. Unfortunately, it is these same businesses that frequently cannot even afford to retain cyber-security expertise, much less rolling out a data loss prevention system (DLP). They are the ones that need it most.

In addition to your cyber-security program, what can you do? What are the signs you need to watch for?
Well, like any good profiler, you need to do your homework! Employees that are having problems should be on the top of your list, followed by the disgruntled ones. How do you identify a disgruntled employee? Just monitor their posts on social media like LinkedIn, FaceBook, or “review” sites like Glassdoor.

Look first at “privileged” users. Worrying about the new marketing associate because he’s going through a nasty divorce is prudent, but less serious than the V.P. with the gambling problem. Think privilege, consider the motive, limit the opportunity.

Next, sensitize your employees to “abnormal behavior.” If you have an HR function, make sure they are engaged. Gather intelligence:

Is someone that never worked late spending endless nights in the office? Are they surfing the file server in areas outside their work scope? Are they constantly “making backups” on USB or accessing cloud storage? Perhaps they are accessing the site remotely all the time? Did they jump ship from your competitor? Could they be a “plant?” Are they still a bit too close with their ex-colleagues at the competition? Are they stressed out of their minds? Are they “living large” on an associate’s salary? Are they “paranoid” of their boss or others?

Talk to your employees, offer your support and help as appropriate, or separate from them permanently and cleanly if you have to. Your detective work, plus a solid cybersecurity program implementation can make all the difference. Stay vigilant, stay engaged, and stay safe.

Information Managment

You Might Also Read: 

 Cyber Security Checklist For Management (£):

Employees That Cause Data Breaches:

 

« Google Wants To Mimic The Human Brain
Guide to Russian Infrastructure Hacking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Global Digital Forensics (GDF)

Global Digital Forensics (GDF)

GDF specialise in Digital Forensics and e-Discovery. Other services include Data Breach Response and Cyber Security.

Experian

Experian

Experian provide software solutions to help organizations prevent identity fraud and crime.

RiskSense

RiskSense

RiskSense empowers enterprises and governments to reveal cyber risk, quickly orchestrate remediation, and monitor the results.

CyberESI

CyberESI

CyberESI is a Managed Security Service Provider providing 24x7 remote security monitoring and management of your mission-critical networks.

Galois

Galois

Galois specializes in the research and development of new technologies that solve the most difficult problems in computer science.

ObjectSecurity

ObjectSecurity

ObjectSecurity is a leader in authorization policy automation. With OpenPMF, you can manage application security policies for access control and auditing.

Sensible Vision

Sensible Vision

SensibleVision helps organizations transparently protect data and prevent costly security breaches by constantly verifying the identities of people who use computers or mobile devices.

Wüpper Management Consulting (WMC)

Wüpper Management Consulting (WMC)

Specialized in compliance, risk management and holistic information security WMC GmbH has longtime implementation experience in global projects.

Corsa Security

Corsa Security

Corsa Security is leading the transformation of network security with a private cloud approach that helps scale network security services with unwavering performance and flexibility.

Practical Assurance

Practical Assurance

Practical Assurance helps companies navigate the rough terrain of information security compliance.

Police Digital Security Centre (PDSC)

Police Digital Security Centre (PDSC)

PDSC is a not-for-profit organisation, owned by the police, that works across the UK in partnership with industry, government, academia and law enforcement.

Mphasis

Mphasis

Mphasis is a leading applied technology services company applying next-generation technology to help enterprises transform businesses globally.

Althammer & Kill

Althammer & Kill

Althammer & Kill offers pragmatic solution concepts for data protection and digitization. We advise in the field of data protection, information security and compliance.

FTI Consulting

FTI Consulting

FTI Consulting is a global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes.

Blue Bastion

Blue Bastion

Don’t give cybercriminals the chance to find weaknesses in your company’s cyber security system. Defend your institution from all attacks from all directions with Blue Bastion.

Driven Technologies

Driven Technologies

Driven is a cloud native service provider transforming the way companies leverage technology to improve business by securing, modernizing, and connecting applications, users, and data.