What is an Insider Threat, and what Isn’tOliver Bock
Of the many menacing forces that can do to harm to the running of a organization, the most dangerous, though conversely the least frequently discussed, is the insider threat.
More than half of all cyber-attacks were carried out by people in trusted positions of the companies targeted. They were insiders. Yet there is still no proved method of entirely removing the threat of this group.
This is partly due to their very nature. Insiders are people, not programs, and like all people, are prone to error and mistake. People will always be liable to make mistakes which can lead to serious consequences. Lapses of judgement or a simple lack of knowledge can be all that it takes for the situation to change from inside threat to certain actor. Loose lips sink ships, as they say.
Inside threats are a very real risk to all companies, regardless of the size of the company or the trust felt between those working within in. Small business CEO’s often naively believe that they know their business so well that they’d notice if anything was amiss. This is sadly not the case.
This article will discuss what qualifies as an insider threat, the types of insider threat that are most common, and ways of trying to reduce the possibility of an insider threat having lasting consequences.
Insider Threat: A Definition
If only the insider threat was as easy to manage as it is to offer a definition.
An insider threat is one of two things. It is a current or former employee, partner or consultant of a company who has or did have privileged access to the core systems of that company. The threat to a business is that this person will use their privileged access to get their hands on extremely sensitive data. The legal consequences of a security breach to a company can be severe.
The threat may not necessarily be carried out intentionally, but may be a lack of protocol or the influence of ignorance that leads to a current or former employee, partner or consultant to jeopardize the security systems of an organization.
This is a deeply worrying topic for businesses as threats can potentially come from any person to whom access is granted. More worrying is that these threats are set to cost businesses $2 trillion by 2019.
The Usual Suspects
The insider threat definition can be broken down further. Within the umbrella of threat, there are three main types that an organization needs to look out for. In this section we will deal with these three types.
- The Negligent or Ignorant Threats
First on the list are negligent or ignorant staff members, partners, sub-contractors or consultants who, with no malice intended, accidentally damage, share, lose or delete privileged information that could be used for illicit gain in the hands of the wrong people.
This could be as unfortunate as an employee forgetting documents that jeopardize national security or someone who transfers a file over, for example, Dropbox rather than the in-house service. Whenever a person steps outside of the accepted regulations in regards to security, they can be considered as acting negligently.
Negligent employees do not intend to harm, nor do they intend to gain for their wrongful acts. They may be unaware of certain company policies or decide to skirt around a few regulations that they think are tiresome and waste time.
And while these mistakes are personally forgivable, they are nevertheless a major source of woe and cost to companies worldwide.
- The Unwitting Threats
Exploitation through malware and phishing is another potential threat that enters an organization via an employee. Programs will ill intentions most commonly gain access to a company’s system through the clicking of a link in an email, or the accidental opening of a contaminated file.
- The Threats Who Mean Harm
These are the insiders who have access to a company’s information and have the explicit intention of doing harm.
They could be disgraced employees, who plan to get payback for being fired. One classic tactic of this type of threat is to leave a Logic Bomb to disrupt the information system of their hated ex-employer.
Or they could be current employers who decide to take advantage of their position for nefarious gains, as one employee from the Korea Credit Bureau did, affecting 40% of the country’s population.
If a company is particularly unfortunate, they may have hired someone who acts on behalf of a hacking group to steal information from the inside.
Despite being the most popularized type of insider threat, malicious attacks are not the most common. They are however, the most costly. It is vitally important to protect organizations from such attacks through strong security measures.
Safeguarding Against Insider Threat
This is difficult because by their very nature, insider threats come from trust employees. Unlike outside threats, from hacker groups and malicious software that attempt to gain access to information, an employee sitting at a desk will trip no alarms. There are a variety of best practice policies a company can take to attempt to reduce the ability of insider threats to do damage, intended or otherwise. Here are some simple steps that can be taken to reduce the threat from inside sources.
- Password Security: Whenever an employee is removed or leaves of their own accord, passwords need to be reset and secured. This way, an old employee or third-party collaborator isn’t able to walk through the front door without detection.
- Enhance Employee’s Security Knowledge – Offer non-technical employees classes to inform them of security online. This way they are less likely to be able to detect suspicious activity that could be caused malware or other malicious software.
- Security Policies – There is a real need for a clear and enforceable data policy that each employee, regardless of position, can follow. These policies should lock down threats by instructing how data is to be transferred and handled.
- Encrypt any valuable data. This should go without saying.
- Define Privileges – But privileges can be defined by position. Least privilege practices give account holders access to the least amount of information that they need to do their jobs rather than the most.
- Monitor User Actions – Log what users do while on the system. If employees know that their actions are tracked, and can be back traced, they are less likely to take potentially harmful decisions, such as downloading unknown software.
- Use Security Software – Security software is a vital tool in protection against insider threat, and one that could be the difference between insiders successfully accessing important information or not. Security companies like Onion ID provide software to mitigate threat from insiders by offering granular control of user access to refine who gets access to specific types of information.
What Is Not an Insider Threat
We already know that most cyber-attacks against companies come from inside the company, but of course many do not. If a company has solid security measures that are routinely strengthened and reviewed, the realization that a there is something awry in the system can very easily lead to the assumption that it has been carried out from within.
However, there is a danger to this. Sophisticated software can pretend to have originated from inside company walls.
Advanced malware can easily pull on the cloak of a friend, and can enter networks through many means. Zero day attacks, whereby a piece of external software is brought in-house but has an undiscovered security flaw, is one way.
Possible but less likely is remote devices, hidden within range of devices with access to a system, that can be controlled far away from the building or campus where a network is housed. Proximity to the targeted network is all that is needed. Anybody unconnected to an organization can plant devices such as these with just one visit to an office building.
Due to the nature of the inside threat, they will always be difficult to stop. Every small company, international organization, and government is vulnerable to attack and not even the most severe punishments can always dissuade inside actors. Regardless of personal opinion on the matter, the cases of Chelsea Manning and Edward Snowden illustrate this.
But there are best policies that can be enacted to reduce the risk of this as much as possible. Though the tips mentioned are not exhaustive, they are some useful steps to take to improve the security of sensitive information. Security software provides the best solution to access by unwanted guests.
Remember that there is no standard profile for those who are likely to be threats. Unfortunately, trust is not always enough to keep people from making poor decisions. Do not give employees or access to privileged information unless they absolutely require it.