The Insider Threat

For many organisations, the greatest threat to data security is already inside the building, the insider. Whether friend or foe, insider threats can be especially hard to guard against.

In 2016 ISACA ranked insiders as the second highest threat overall next to malware. I suspect the trend will continue and get much worse.

Who are these people? What makes them so dangerous to your data?

For one, since they are already “in house” they have bypassed your perimeter defense. They need only circumvent any internal controls and then… They also have all the inside knowledge they need to cause maximum damage. They know where all the bodies are buried. What corporate assets are of value and what’s not of value. They understand your workflows and can exploit them. And, worse: They could be “power users” or systems administrators.

They can be an employee. Full-time or part-time. In residence, or remote. They can be a contractor. They can be a vendor requiring temporary access (e.g. a telephone system vendor).

Bottom line: If they have any access to your systems, on-site or remote, you need to consider the possibility that they may be an internal threat.

What can you do to prepare, and how do you mitigate an insider threat? Obviously, you must have in place a solid cyber-security program. For this, there is no substitute: You need to understand and valuate your assets, know your threats and vulnerabilities, have deployed controls via a defense-in-depth strategy, have a good incident response team, and employees trained in cyber-security awareness.

But even with a good cyber-security program in place, insider threats require special attention. You need to go above and beyond in order to be protected from them.

First, you start by understanding the nature of the threat itself. There are two broad classes of insider threats: The intentional agent and the unintentional one. If left unchecked, both can wreak havoc with your business. And, both share at least one common profile: They have the means, the motive, and the opportunity.

Their means are many. They can physically exfiltrate the data by removing printouts of sensitive information, even taking pictures of screens with their mobile phones. If they have the right (or wrong!) privileges, they can copy data on USB drives or transmit data to cloud storage. There have even been cases where “administrators” removed terabytes of data on removable hard disks!

What motivates them? The same things that motivate external actors, only they have easier access to your systems! Many are motivated by money. They may be recruited by your competition, a nation-state, or any other “organisation.” They may have a pressing need for money for any number of reasons (e.g. family emergency, debt, drugs, gambling, etc.)

Others may be motivated by ideology (e.g. a disagreement of company or state policies, a sense of “right vs. wrong,” self-righteousness, etc.) Others still may be motivated by personal reasons (e.g. disgruntled employees, various psychopathologies, even “the thrill of it all,” etc.) Finally, they themselves may be the victims of a crime (e.g. blackmail).

No matter what the motive, the insider will always find a way to rationalise their actions, be it to save the world, to save a loved one, to save themselves, or because “they deserve it.”

There is one exception to the above motives list. That is the accidental insider. Someone that “didn’t know any better” and copied half the database to his private cloud so he can work from home! Or, the one that fell for the phishing scam and clicked-that-link, answered the call from Microsoft when that big-bad-red-alert sign popped up while surfing, and so on. Accident or not, the damage is still very real.

Which leaves us with: Opportunity. Insider threats, accidental or not, require it. How do they get it? If the organisation has poor internal controls, that’s all the opportunity they’ll ever need. No one will know, at least no one will know for a while. What are “poor internal controls?” The list is long!

For example, if your firm has poor on-boarding procedures, lax physical security, no training, etc., then the employee may well be able to access data that they shouldn’t. Similarly, there may be poor implementation of technical access controls, no enforcement segregation of duties and “need-to-know” access, even non-existent asset and data classification.

Worse yet, the company may have poorly trained or inexperienced managers in human resource related matters (e.g. performance reviews, employee behavior monitoring and support, confidential employee help resources, etc.), and/or lacking a sophisticated human resource function altogether.

What type of company fits this profile? The majority of small and midsized businesses who are focused day-in, day-out in surviving. Unfortunately, it is these same businesses that frequently cannot even afford to retain cyber-security expertise, much less rolling out a data loss prevention system (DLP). They are the ones that need it most.

In addition to your cyber-security program, what can you do? What are the signs you need to watch for?
Well, like any good profiler, you need to do your homework! Employees that are having problems should be on the top of your list, followed by the disgruntled ones. How do you identify a disgruntled employee? Just monitor their posts on social media like LinkedIn, FaceBook, or “review” sites like Glassdoor.

Look first at “privileged” users. Worrying about the new marketing associate because he’s going through a nasty divorce is prudent, but less serious than the V.P. with the gambling problem. Think privilege, consider the motive, limit the opportunity.

Next, sensitize your employees to “abnormal behavior.” If you have an HR function, make sure they are engaged. Gather intelligence:

Is someone that never worked late spending endless nights in the office? Are they surfing the file server in areas outside their work scope? Are they constantly “making backups” on USB or accessing cloud storage? Perhaps they are accessing the site remotely all the time? Did they jump ship from your competitor? Could they be a “plant?” Are they still a bit too close with their ex-colleagues at the competition? Are they stressed out of their minds? Are they “living large” on an associate’s salary? Are they “paranoid” of their boss or others?

Talk to your employees, offer your support and help as appropriate, or separate from them permanently and cleanly if you have to. Your detective work, plus a solid cybersecurity program implementation can make all the difference. Stay vigilant, stay engaged, and stay safe.

Information Managment

You Might Also Read: 

 Cyber Security Checklist For Management (£):

Employees That Cause Data Breaches:

 

« Google Wants To Mimic The Human Brain
Guide to Russian Infrastructure Hacking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

NuHarbor Security

NuHarbor Security

NuHarbor is a leading information security consulting and advisory firm specializing in Information Security, Compliance, and Risk Management.

Cryptus Cyber Security

Cryptus Cyber Security

Cryptus Cyber Security is an Information Security Training company providing advanced training and services to IT Professionals.

Cradlepoint

Cradlepoint

With Cradlepoint customers leverage the speed and economics of wired and wireless Internet broadband for branch, mobile, and IoT networks while maintaining end-to-end visibility, security and control.

Post-Quantum

Post-Quantum

Post-Quantum offer a unique, patented quantum-resistant encryption algorithm that can be applied to existing products and networks.

Kryptus

Kryptus

Kryptus provides a wide array of solutions for hardware, firmware and software ranging from semiconductors to complex digital certificate management systems.

Agility Networks

Agility Networks

Agility Networks is a technology company providing integrated services and solutions for Digital Transformation and Cyber Security.

Attack Research

Attack Research

We go far beyond standard tools and scripted tests. Find out if your network or technology can stand real-world and dedicated attackers.

Zacco

Zacco

Zacco offer a 360° perspective on intellectual property: From patent filing and trademark registration to software development, digital brand protection, cyber security and portfolio management.

Winbond Electronics

Winbond Electronics

Winbond is a Specialty memory IC company. Product lines include Code Storage Flash Memory, TrustME® Secure Flash, Specialty DRAM and Mobile DRAM.

Picnic

Picnic

Picnic is a gritty, pioneering team of intelligence and cybersecurity specialists focused on solving the security challenge of our time - social engineering.

Pathlock

Pathlock

Pathlock (formerly Greenlight) help enterprises and organizations automate the enforcement of any process, access, or IT general control, for any business application.

Federal Bureau of Investigation (FBI)

Federal Bureau of Investigation (FBI)

The mission of the FBI is to protect and defend against intelligence threats, uphold and enforce criminal laws, and provide criminal justice services.

Stacklok

Stacklok

Stacklok are an Open Source first security company enabling safe Open Source Software consumption.

Diversified Search Group - Alta Associates

Diversified Search Group - Alta Associates

Diversified Search Group is an industry leader in recruiting diverse, inclusive and transformational leadership for clients.

Downdetector

Downdetector

Downdetector helps people all over the world understand disruptions to vital services such as the internet, social media, web hosting platforms, banks, games, entertainment, and more.

Vantor

Vantor

Vantor is a Managed Security Services Provider (MSSP) that specializes in providing outsourced, managed cybersecurity services.