Insider Threat

An insider threat refers to a risk originating from within an organization. These threats are often hard to foresee and can be even harder to stop because incidents typically arise from individuals who have direct access to the company’s networks, sensitive data, intellectual property, and other critical resources.

Here are some key points about insider threats:

    • An insider threat could be a current or former employee (whose access was never revoked), consultant, board member, business partner, or anyone else with access to company resources.

    • It encompasses both intentional and unintentional actions.

    • Insiders exploit their authorized access to harm the organization’s equipment, information, networks, systems, business operations, and business reputation.

    • Examples of insider threat activities include corruption, espionage, resource degradation, sabotage, terrorism, and unauthorized information disclosure.

    • An insider's credentials or endpoint can also be the foothold an external attacker uses to deliver malware or ransomware, so a compromised insider is a threat even when the person intends no harm.

There are different types of insider threats. Intentional threats come from someone who deliberately tries to harm the organization; motivations include revenge, dissatisfaction, financial gain, or other personal grievances. Unintentional insider threats arise from employee error or negligence. Errors include mistakes such as sending sensitive information to the wrong email address or clicking on a malicious link. Negligence is carelessness such as ignoring security policies or using weak passwords. Often overlooked is the third-party insider threat: business partners or contractors who compromise the organization's security through the access they were granted. As with employees, third-party threats can be either unintentional or malicious.

Challenges in Detecting Insider Threats

Insider threats are harder to identify and prevent than external attacks. Conventional cybersecurity tools (e.g., firewalls, intrusion detection systems) often miss them because the person is using access they legitimately hold, so nothing about the connection itself looks wrong. Insiders may also be familiar with the organization's security procedures and weaknesses, which makes protection more challenging. A system designed to alert on behavioral anomalies (unusual volumes, times, or destinations of data access) can help, but even such a system is no guarantee that an insider will be discovered: activity that stays within the normal pattern of authorized use produces no anomaly to catch.

How do you avoid the insider threat?

VETTING

There needs to be a process that starts with the hiring of an individual or the selection of a vendor. It is important to hire qualified professionals, check references, perform background checks, review the individual's public social media, and perform other due diligence before hiring or forming a partnership. These are the people who will hold the proverbial keys to your kingdom.

When forming a relationship with a third party, regardless of whether a contract is in place or any money changes hands, it is paramount to perform due diligence on the vendor's background, licensure, cybersecurity posture, business practices, business continuity, financial stability, and insurance, among other documentation. That due diligence should be repeated on a regular schedule and whenever the scope of the vendor's access changes.

DOCUMENT BEHAVIORS

Have a system for documenting potential behavior issues with employees. Verbal warnings or conversations leave no record that can be researched later, but written documentation (even handwritten and kept in a locked file cabinet) gives the organization a better idea of the risk certain employees may carry. Remember that individuals who are separated from the company on terms they consider unsatisfactory carry a higher risk of becoming an insider threat. Any separation should be accompanied by immediate, and ideally pre-scheduled, revocation of access to systems, locations, and equipment. That revocation has to cover everything the person could use after leaving, not just the primary login: badges, VPN and remote-access credentials, shared or service accounts whose passwords they knew, API keys and tokens they created, and company devices in their possession.

POLICIES

Policies deter both accidental and intentional incidents. Often the prospect of sanctions is enough to stop someone from causing damage, either by reminding them of best practices or by discouraging an activity they know they are likely to be caught doing. Because of this, it is best to create an Acceptable Use Policy in addition to other strong policies, review them regularly, and make them readily available for employees to read. Most AUPs are signed annually and also accepted each time a company system is used, for example through a login banner.

LEAST PRIVILEGE

For both vendors and employees, the amount and type of access to any information should be limited to what is needed to perform the person's particular job duties. Granting only the least access and least privilege needed limits the damage from a data exposure, whether intentional or accidental, to the information that person was allowed to reach for their job. Access also has to be reviewed periodically: people accumulate permissions as they change roles, so rights granted for a previous job should be removed rather than left in place.

TECHNICAL CONTROLS

Technical controls such as Data Loss Prevention (DLP) are also incredibly helpful in battling both the insider threat and outside malicious activity. Flags or blocks can be set on the types or amounts of data being moved or deleted, giving the organization a tip-off that something is happening with its data that should not be. Ultimately, the technical controls instituted have to align with both the budget and the risk appetite of the company.
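The behavioral alerting mentioned under "Challenges in Detecting Insider Threats" and the DLP flags described here come down to the same thing: rules run over access logs that compare what a user is doing with what is normal or allowed. The following is an added example, not code from the original article or from any DLP product. It parses constructed file-access log lines (the format, users, paths, classifications and all thresholds are assumptions made up for the example) and raises three kinds of flag: a per-user daily volume that exceeds a hard cap or a multiple of that user's own prior median, a copy of a file classified confidential, and a copy or delete outside business hours.

```python
"""Insider-threat style detection over constructed file-access log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log for the example; not real data.
# Format per line: ISO timestamp, user, action, path, bytes, classification
SAMPLE_LOG = """\
2024-05-06T09:12:01 alice read /finance/q1.xlsx 20480 confidential
2024-05-06T10:03:44 alice read /finance/q2.xlsx 22000 confidential
2024-05-06T11:20:10 bob read /hr/handbook.pdf 500000 internal
2024-05-07T09:30:00 alice read /finance/q3.xlsx 19800 confidential
2024-05-07T14:10:00 bob read /hr/policy.docx 80000 internal
2024-05-08T09:05:00 alice read /finance/q4.xlsx 21000 confidential
2024-05-08T13:00:00 bob copy /hr/handbook.pdf 500000 internal
2024-05-09T10:00:00 bob read /hr/policy.docx 80000 internal
2024-05-09T23:41:00 alice copy /finance/all_customers.csv 850000000 confidential
2024-05-09T23:45:00 alice delete /finance/all_customers.csv 850000000 confidential
"""

# Assumed policy thresholds; a real deployment tunes these to its own data.
ABSOLUTE_CAP_BYTES = 100 * 1024 * 1024  # hard DLP block: >100 MiB moved/deleted per day
BASELINE_MULTIPLIER = 10                # anomaly: >10x the user's own median daily volume
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 treated as normal working hours
EXFIL_ACTIONS = {"copy", "upload", "email"}  # actions that move data out of the store


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size, label = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "path": path, "bytes": int(size), "label": label,
        })
    return events


def daily_volume(events):
    """user -> {date: total bytes touched that day}; every action counts toward volume."""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["user"]][e["ts"].date()] += e["bytes"]
    return vol


def detect(events):
    """Return a sorted set of (user, date, reason) flags."""
    alerts = set()
    for user, per_day in daily_volume(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            today = per_day[day]
            prior = [per_day[d] for d in days[:i]]  # only earlier days form the baseline
            if today > ABSOLUTE_CAP_BYTES:
                alerts.add((user, str(day), "volume_cap"))
            elif prior and today > BASELINE_MULTIPLIER * median(prior):
                alerts.add((user, str(day), "volume_anomaly"))
    for e in events:
        day = str(e["ts"].date())
        if e["label"] == "confidential" and e["action"] in EXFIL_ACTIONS:
            alerts.add((e["user"], day, "confidential_exfil"))
        if e["ts"].hour not in BUSINESS_HOURS and e["action"] in EXFIL_ACTIONS | {"delete"}:
            alerts.add((e["user"], day, "off_hours"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, day, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
```

On the sample log only alice on 2024-05-09 is flagged (volume cap, confidential copy, off-hours activity); bob's copy of an internal document during the day stays within his own baseline and trips nothing. That is the point the article makes about detection: the rules catch a departure from normal authorized use, not the use itself, so an insider who stays under the thresholds and inside business hours produces no alert.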

Even with an abundance of precautions, controls, and warning systems, it can be difficult or impossible to stop every insider threat. Limiting the damage any one insider can do is therefore critical to controlling the risk. A company that does not put in place as many of these controls as is feasible opens itself up to what could be irreparable damage.