The Insider Threat

For many organisations, the greatest threat to data security is already inside the building, the insider. Whether friend or foe, insider threats can be especially hard to guard against.

In 2016 ISACA ranked insiders as the second highest threat overall next to malware. I suspect the trend will continue and get much worse.

Who are these people? What makes them so dangerous to your data?

For one, since they are already “in house” they have bypassed your perimeter defense. They need only circumvent any internal controls and then… They also have all the inside knowledge they need to cause maximum damage. They know where all the bodies are buried. What corporate assets are of value and what’s not of value. They understand your workflows and can exploit them. And, worse: They could be “power users” or systems administrators.

They can be an employee. Full-time or part-time. In residence, or remote. They can be a contractor. They can be a vendor requiring temporary access (e.g. a telephone system vendor).

Bottom line: If they have any access to your systems, on-site or remote, you need to consider the possibility that they may be an internal threat.

What can you do to prepare, and how do you mitigate an insider threat? Obviously, you must have in place a solid cyber-security program. For this, there is no substitute: You need to understand and valuate your assets, know your threats and vulnerabilities, have deployed controls via a defense-in-depth strategy, have a good incident response team, and employees trained in cyber-security awareness.

But even with a good cyber-security program in place, insider threats require special attention. You need to go above and beyond in order to be protected from them.

First, you start by understanding the nature of the threat itself. There are two broad classes of insider threats: The intentional agent and the unintentional one. If left unchecked, both can wreak havoc with your business. And, both share at least one common profile: They have the means, the motive, and the opportunity.

Their means are many. They can physically exfiltrate the data by removing printouts of sensitive information, even taking pictures of screens with their mobile phones. If they have the right (or wrong!) privileges, they can copy data on USB drives or transmit data to cloud storage. There have even been cases where “administrators” removed terabytes of data on removable hard disks!

What motivates them? The same things that motivate external actors, only they have easier access to your systems! Many are motivated by money. They may be recruited by your competition, a nation-state, or any other “organisation.” They may have a pressing need for money for any number of reasons (e.g. family emergency, debt, drugs, gambling, etc.)

Others may be motivated by ideology (e.g. a disagreement of company or state policies, a sense of “right vs. wrong,” self-righteousness, etc.) Others still may be motivated by personal reasons (e.g. disgruntled employees, various psychopathologies, even “the thrill of it all,” etc.) Finally, they themselves may be the victims of a crime (e.g. blackmail).

No matter what the motive, the insider will always find a way to rationalise their actions, be it to save the world, to save a loved one, to save themselves, or because “they deserve it.”

There is one exception to the above motives list. That is the accidental insider. Someone that “didn’t know any better” and copied half the database to his private cloud so he can work from home! Or, the one that fell for the phishing scam and clicked-that-link, answered the call from Microsoft when that big-bad-red-alert sign popped up while surfing, and so on. Accident or not, the damage is still very real.

Which leaves us with: Opportunity. Insider threats, accidental or not, require it. How do they get it? If the organisation has poor internal controls, that’s all the opportunity they’ll ever need. No one will know, at least no one will know for a while. What are “poor internal controls?” The list is long!

For example, if your firm has poor on-boarding procedures, lax physical security, no training, etc., then the employee may well be able to access data that they shouldn’t. Similarly, there may be poor implementation of technical access controls, no enforcement segregation of duties and “need-to-know” access, even non-existent asset and data classification.

Worse yet, the company may have poorly trained or inexperienced managers in human resource related matters (e.g. performance reviews, employee behavior monitoring and support, confidential employee help resources, etc.), and/or lacking a sophisticated human resource function altogether.

What type of company fits this profile? The majority of small and midsized businesses who are focused day-in, day-out in surviving. Unfortunately, it is these same businesses that frequently cannot even afford to retain cyber-security expertise, much less rolling out a data loss prevention system (DLP). They are the ones that need it most.

In addition to your cyber-security program, what can you do? What are the signs you need to watch for?
Well, like any good profiler, you need to do your homework! Employees that are having problems should be on the top of your list, followed by the disgruntled ones. How do you identify a disgruntled employee? Just monitor their posts on social media like LinkedIn, FaceBook, or “review” sites like Glassdoor.

Look first at “privileged” users. Worrying about the new marketing associate because he’s going through a nasty divorce is prudent, but less serious than the V.P. with the gambling problem. Think privilege, consider the motive, limit the opportunity.

Next, sensitize your employees to “abnormal behavior.” If you have an HR function, make sure they are engaged. Gather intelligence:

Is someone that never worked late spending endless nights in the office? Are they surfing the file server in areas outside their work scope? Are they constantly “making backups” on USB or accessing cloud storage? Perhaps they are accessing the site remotely all the time? Did they jump ship from your competitor? Could they be a “plant?” Are they still a bit too close with their ex-colleagues at the competition? Are they stressed out of their minds? Are they “living large” on an associate’s salary? Are they “paranoid” of their boss or others?

Talk to your employees, offer your support and help as appropriate, or separate from them permanently and cleanly if you have to. Your detective work, plus a solid cybersecurity program implementation can make all the difference. Stay vigilant, stay engaged, and stay safe.

Information Managment

You Might Also Read: 

 Cyber Security Checklist For Management (£):

Employees That Cause Data Breaches:

 

« Google Wants To Mimic The Human Brain
Guide to Russian Infrastructure Hacking »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Group-IB

Group-IB

Group-IB is a leading provider of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property.

Continuum

Continuum

Continuum is the IT management platform company that allows Managed IT Services Providers to maintain and back up on-premise and cloud-based servers, desktops, mobile devices and other endpoints

Prewen

Prewen

Prewen provide solutions to protect sensitive data across the organisation.

Mocana

Mocana

Mocana provides a software platform that allows you to develop, test and distribute more secure IoT devices and services.

Bericon Forensics

Bericon Forensics

Bericon is one of the longest established forensic science consultancies in the UK. Activities include computer and mobile phone forensics.

Redborder

Redborder

Redborder is an Open Source network visibility, data analytics, and cybersecurity Big Data solution that is scalable up to the needs of enterprise networks and service providers.

SmartContractAudits.com

SmartContractAudits.com

SmartContractAudits.com is the leading platform for finding companies providing smart contract auditing services.

HackHunter

HackHunter

HackHunter’s passive sensor network continuously monitors, detects and alerts when a malicious WiFi network and/or hacking behaviour is identified.

SafeCipher

SafeCipher

At SafeCipher, we pride ourselves on being your single vendor-neutral resource for navigating the complexities of cryptographic data encryption.

IT Band Systems

IT Band Systems

IT Band Systems is an international provider of IT products and services including web server monitoring and web security consulting.

Octiga

Octiga

Octiga is an office 365 cloud security provider. It offers Office 365 monitoring, incident response and recovery tools.

Lupovis

Lupovis

Lupovis is an AI-based deception solution that deploys active decoys turning your network from a flock of sheep to a pack of wolves where the hunter becomes the hunted.

DigitalWell

DigitalWell

DigitalWell provide fully managed IT and communications solutions for a truly innovative end-to-end experience - for your customers and teams.

National Cyber Security Agency (NCSA) - Thailand

National Cyber Security Agency (NCSA) - Thailand

National Cyber Security Agency of Thailand is responsible for coordinating and implementing national cybersecurity policies, strategies, and initiatives.

e-Safer

e-Safer

e-Safer's mission is to provide solutions and services that ensure a safer digital environment.

Cloudbox

Cloudbox

Cloudbox build and maintain a highly secure, compliant IT infrastructure for our clients – with total peace of mind – so they can focus on the market.