While high-profile cybersecurity breaches originating from malicious insiders are on the rise, many cybersecurity professionals continue to focus exclusively on external threats, forgetting that a threat could be sitting right beside them.
It’s easy to push the notion of an insider threat to the back of our minds. However, looking at the spate of cybersecurity breaches last year, many of them had one thing in common: they originated from a malicious insider.
Many security teams assume that their employees would not compromise the reputation, operations, or even existence of the business. However, the truth is that no one is immune.
There are various types of insider threat. Malicious insiders often seek financial gain or revenge, or act through insider collusion, where a relationship with an outside organisation or hacker group has been formed. Unintentional insider threats, on the other hand, are well-meaning but no less dangerous: these employees fall victim to social engineering techniques or phishing emails, something that security professionals need to address proactively.
Key behavioural traits of an insider threat that businesses can look out for include:
Resignation: Individuals leaving on bad terms are important to monitor as they often maintain access to intellectual property initially. It is highly possible that they could – and often will – sabotage intellectual property. However, it’s important to note that an employee could be leaving the company on great terms, but still have less-than-honourable intentions regarding their access to IP. It’s sadly not uncommon for someone to take data to their next gig to sweeten the deal.
Ignorance: These individuals were never trained on their personal responsibility for company data and have little knowledge of the company’s security practices. As such, they are highly susceptible to phishing and similar attacks. A clear warning sign is seeing someone walk away from their computer or laptop without locking the screen first.
Discontent: These individuals often voice their grievances and dissatisfaction in the office and display combative behaviour and a resistance to change. A sure warning sign is when this is done with little regard for the audience, whether it includes new hires, interviewees, management or even the media. They feel wronged by the company and feel they have something to gain, often in the form of IP theft.
Personal life: These individuals are easy to influence due to personal reasons and are often the ones who get blackmailed into handing over intellectual property. Sometimes financial motivation is also a factor, where employees can see gains by selling company confidential information. Warning signs can include unusual working hours, frequent absence from work, or general suspicious activity at the workplace such as someone covering something up when you are walking over to say hello.
Why insider threats are dangerous
1. They are hard to identify
Since insider threats already have access to the network with authorised credentials, their access does not raise flags in a traditional monitoring system. They also often already have access to sensitive data, and they know the existing security measures and how to get around them. Combine all this with a lack of visibility into user access and data activity, and identifying these threat actors becomes incredibly challenging.
2. They are expensive
Like a traditional threat actor, the longer they go undetected and are free to roam the network, the more damage they can do. Even with baselining, threat actor activity can often get absorbed into the baseline itself, making it much harder to identify their rogue behaviour. The fact that they are not raising alarms means the potential damage is serious. Indeed, the Ponemon Institute revealed that the average cost of insider threats per year for an organisation is $8.76 million.
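The baseline problem above, as an added illustration with constructed data (this code is not from the original article): a user whose outbound volume creeps up by a few percent a day is never flagged by a rolling baseline, because each day's activity becomes tomorrow's "normal", while a baseline pinned to a known-good period still catches the drift.

```python
"""Constructed example: a slowly escalating insider is absorbed into a rolling
behavioural baseline, while a baseline pinned to a known-good period still
catches it. All volumes below are synthetic (labelled as constructed)."""
from statistics import mean, pstdev

# Constructed daily outbound volumes (MB) for one user: 30 normal days with a
# weekly rhythm (100..130 MB), then 40 days rising ~5% a day with no single
# dramatic jump. int() truncates so the series stays in whole megabytes.
NORMAL_DAYS = [100 + (i % 7) * 5 for i in range(30)]
RAMP_DAYS = [int(130 * 1.05 ** d) for d in range(1, 41)]   # 136 ... ~915 MB
SERIES = NORMAL_DAYS + RAMP_DAYS


def threshold(window, k=3.0):
    """Alert threshold = mean + k standard deviations of a baseline window.
    A 5 MB floor on the spread stops a perfectly flat window from producing
    a zero-width threshold that would alert on any change at all."""
    return mean(window) + k * max(pstdev(window), 5.0)


def detect_rolling(series, window=14, k=3.0):
    """Compare each day against a baseline built from the preceding `window`
    days (the common 'learn as you go' approach). Returns the indices of the
    days that exceeded the threshold."""
    hits = []
    for i in range(window, len(series)):
        if series[i] > threshold(series[i - window:i], k):
            hits.append(i)
    return hits


def detect_pinned(series, baseline_days=30, k=3.0):
    """Compare each day against a baseline pinned to a known-good period that
    is never updated by later activity. Returns the offending day indices."""
    limit = threshold(series[:baseline_days], k)
    return [i for i in range(baseline_days, len(series)) if series[i] > limit]


if __name__ == "__main__":
    print("rolling baseline hits:", detect_rolling(SERIES))   # expect none
    print("pinned baseline hits: ", detect_pinned(SERIES))    # day 32 onwards
```

The rolling detector stays silent for all 40 ramp days because the window's mean and spread grow with the attacker's traffic; the pinned baseline flags day 32 and every day after it. In practice the pinned baseline needs periodic, reviewed re-pinning rather than blind automatic updates, which is exactly where the two approaches differ.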
3. They risk compliance
Data protection and compliance should also be considered, because an insider threat will often make the exfiltration of data their objective. Last year, Coca-Cola suffered an insider threat attack which saw the personal information of about 8000 of its employees leave the building. Worse, the dwell time of the incident was long: they didn’t realise it had happened until law enforcement informed them of the data breach.
4. They cause operational disaster
As seen with Tesla, an insider threat can sabotage operations and risk an organisation’s competitive edge. In this instance, a disgruntled employee who lost out on a promotion made ‘direct code changes to the Tesla Manufacturing Operating System under false usernames and exported large amounts of highly sensitive data to unknown parties’ according to a letter addressed to employees.
Mitigating insider threats
Insider threats take many forms, and companies must ensure they evaluate the risk. Policy is needed to reduce insider threats. Easily accessible employee handbooks can detail how employees can protect customer data, for example the do’s and don’ts with company laptops. It’s also important that employees fully understand all the information in the handbook.
Awareness and training are critical. Companies should put a programme in place and make sure that senior management continuously reinforce that programme. Businesses should also consider a security culture improvement programme. Again, it should be supported by senior management, ideally with ways to measure the success of the programme.
Ultimately, companies must invest in technology that will help them to respond to and prevent insider threats moving data externally. With that visibility, organisations can identify what data has left their network and, by looking for similar information across all other data assets, prevent the same data from leaving in the future.