The Insider Threat

For many organisations, the greatest threat to data security is already inside the building, the insider. Whether friend or foe, insider threats can be especially hard to guard against.

In 2016 ISACA ranked insiders as the second highest threat overall next to malware. I suspect the trend will continue and get much worse.

Who are these people? What makes them so dangerous to your data?

For one, since they are already “in house” they have bypassed your perimeter defense. They need only circumvent any internal controls and then… They also have all the inside knowledge they need to cause maximum damage. They know where all the bodies are buried. What corporate assets are of value and what’s not of value. They understand your workflows and can exploit them. And, worse: They could be “power users” or systems administrators.

They can be an employee. Full-time or part-time. In residence, or remote. They can be a contractor. They can be a vendor requiring temporary access (e.g. a telephone system vendor).

Bottom line: If they have any access to your systems, on-site or remote, you need to consider the possibility that they may be an internal threat.

What can you do to prepare, and how do you mitigate an insider threat? Obviously, you must have in place a solid cyber-security program. For this, there is no substitute: You need to understand and valuate your assets, know your threats and vulnerabilities, have deployed controls via a defense-in-depth strategy, have a good incident response team, and employees trained in cyber-security awareness.

But even with a good cyber-security program in place, insider threats require special attention. You need to go above and beyond in order to be protected from them.

First, you start by understanding the nature of the threat itself. There are two broad classes of insider threats: The intentional agent and the unintentional one. If left unchecked, both can wreak havoc with your business. And, both share at least one common profile: They have the means, the motive, and the opportunity.

Their means are many. They can physically exfiltrate the data by removing printouts of sensitive information, even taking pictures of screens with their mobile phones. If they have the right (or wrong!) privileges, they can copy data on USB drives or transmit data to cloud storage. There have even been cases where “administrators” removed terabytes of data on removable hard disks!

What motivates them? The same things that motivate external actors, only they have easier access to your systems! Many are motivated by money. They may be recruited by your competition, a nation-state, or any other “organisation.” They may have a pressing need for money for any number of reasons (e.g. family emergency, debt, drugs, gambling, etc.)

Others may be motivated by ideology (e.g. a disagreement of company or state policies, a sense of “right vs. wrong,” self-righteousness, etc.) Others still may be motivated by personal reasons (e.g. disgruntled employees, various psychopathologies, even “the thrill of it all,” etc.) Finally, they themselves may be the victims of a crime (e.g. blackmail).

No matter what the motive, the insider will always find a way to rationalise their actions, be it to save the world, to save a loved one, to save themselves, or because “they deserve it.”

There is one exception to the above motives list. That is the accidental insider. Someone that “didn’t know any better” and copied half the database to his private cloud so he can work from home! Or, the one that fell for the phishing scam and clicked-that-link, answered the call from Microsoft when that big-bad-red-alert sign popped up while surfing, and so on. Accident or not, the damage is still very real.

Which leaves us with: Opportunity. Insider threats, accidental or not, require it. How do they get it? If the organisation has poor internal controls, that’s all the opportunity they’ll ever need. No one will know, at least no one will know for a while. What are “poor internal controls?” The list is long!

For example, if your firm has poor on-boarding procedures, lax physical security, no training, etc., then the employee may well be able to access data that they shouldn’t. Similarly, there may be poor implementation of technical access controls, no enforcement segregation of duties and “need-to-know” access, even non-existent asset and data classification.

Worse yet, the company may have poorly trained or inexperienced managers in human resource related matters (e.g. performance reviews, employee behavior monitoring and support, confidential employee help resources, etc.), and/or lacking a sophisticated human resource function altogether.

What type of company fits this profile? The majority of small and midsized businesses who are focused day-in, day-out in surviving. Unfortunately, it is these same businesses that frequently cannot even afford to retain cyber-security expertise, much less rolling out a data loss prevention system (DLP). They are the ones that need it most.

In addition to your cyber-security program, what can you do? What are the signs you need to watch for?
Well, like any good profiler, you need to do your homework! Employees that are having problems should be on the top of your list, followed by the disgruntled ones. How do you identify a disgruntled employee? Just monitor their posts on social media like LinkedIn, FaceBook, or “review” sites like Glassdoor.

Look first at “privileged” users. Worrying about the new marketing associate because he’s going through a nasty divorce is prudent, but less serious than the V.P. with the gambling problem. Think privilege, consider the motive, limit the opportunity.

Next, sensitize your employees to “abnormal behavior.” If you have an HR function, make sure they are engaged. Gather intelligence:

Is someone that never worked late spending endless nights in the office? Are they surfing the file server in areas outside their work scope? Are they constantly “making backups” on USB or accessing cloud storage? Perhaps they are accessing the site remotely all the time? Did they jump ship from your competitor? Could they be a “plant?” Are they still a bit too close with their ex-colleagues at the competition? Are they stressed out of their minds? Are they “living large” on an associate’s salary? Are they “paranoid” of their boss or others?

Talk to your employees, offer your support and help as appropriate, or separate from them permanently and cleanly if you have to. Your detective work, plus a solid cybersecurity program implementation can make all the difference. Stay vigilant, stay engaged, and stay safe.

Information Managment

You Might Also Read: 

 Cyber Security Checklist For Management (£):

Employees That Cause Data Breaches:

 

« Google Wants To Mimic The Human Brain
Guide to Russian Infrastructure Hacking »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

MetaCompliance

MetaCompliance

MetaCompliance is a cyber security and compliance organisation that helps transform your company culture and safeguard your data and values.

King & Spalding

King & Spalding

King & Spalding is an international law firm with offices in the United States, Europe and the Middle East. Practice areas include Data, Privacy & Security.

EY Advisory

EY Advisory

EY is a multinational professional services firm headquartered in the UK. EY Advisory service areas include Cybersecurity.

Cybersecurity Association of Maryland (CAMI)

Cybersecurity Association of Maryland (CAMI)

CAMI’s mission is to create a global cybersecurity marketplace in Maryland and generate thousands of high-pay jobs through the cybersecurity industry.

MAD Security

MAD Security

MAD Security is a premier provider of information and cybersecurity solutions that combine technology, managed security services, support and training.

Sistem Integra (SISB)

Sistem Integra (SISB)

SISB provide IT Security Infrastructure & Development, Mechanical & Electrical Services, Fire Safety & Detection Services, Facilities Management & Application Development.

Ockam

Ockam

Ockam gives you the tools you need to establish an architecture for trust within your connected device applications.

RFA

RFA

RFA is a unique IT, financial cloud and managed cyber-security provider to the financial services and alternative investment sectors.

RackTop Systems

RackTop Systems

RackTop Systems is the pioneer of CyberConverged data security, a new market that fuses data storage with advanced security and compliance into a single platform.

Loki Labs

Loki Labs

Loki Labs provides expert cyber security solutions and services, including vulnerability assessments & penetration testing, emergency incident response, and managed security.

Mindmajix Technologies

Mindmajix Technologies

Mindmajix is a live and interactive e-learning platform that offers professional online IT training in areas including cyber security.

Pragma Strategy

Pragma Strategy

Pragma is a CREST approved global provider of cybersecurity solutions. We help organisations strengthen cyber resilience and safeguard valuable information assets with a pragmatic approach.

CyberconIQ

CyberconIQ

CyberconIQ provide an integrated Human Defense Platform that reduces the probability and/or the cost of a cybersecurity breach by measurably improving our clients risk posture and compliance culture.

DigitalPlatforms

DigitalPlatforms

DigitalPlatforms SpA is an Italian group with the mission of providing end-to-end solutions and Internet of Things and Cyber technologies to companies that manage critical infrastructures.

SquareX

SquareX

Squarex secures your online activities without compromising productivity.

Zyxel Networks

Zyxel Networks

Zyxel Networks is a leading provider of secure, AI-powered networking solutions for small to medium businesses (SMBs) and the enterprise edge.