What does 'insider threat' mean?
Written by Ian Murphy.
There is a saying among security professionals that 'every breach starts with an insider'. To a great degree, this is true but the reality is that there are many nuances to it. The statement also paints an extremely bleak picture of trust within organisations. This ranges from the malicious member of staff with criminal intent to those who do things by accident or because they simply were not aware of the consequences.
With the advent of tighter privacy controls over data, such as GDPR, any breach, irrespective of its root cause, is likely to have serious consequences for organisations. These range from brand damage with subsequent loss of customer confidence to large fines from regulators. The latter are expected to show a significant rise for any organisation dealing with data from individuals in European Union due to the General Data Protection Regulation.
In order to create working strategies for dealing with an insider breach, organisations need first to understand how it can happen.
Who are the insiders and what threat do they pose?
Before any plan of action can be taken, you have to identify who it is aimed at and why. Some of the most common insiders are:
Criminal: This insider sets out to steal, damage or destroy data, often for financial gain. Those likely to be involved include staff who want to take customers with them to a new job and those who are offered money for data. The latter group, often referred to as ‘sleepers’ in an organisation, are rarely one-hit wonders. If the rewards are right, they will want to embed themselves into the organisation where they can get the best access to the most valuable data.
Angry: These are people who believe that the company or another employee has wronged them in some way. They may harbour a grudge against another employee or the company. Their actions are often extremely damaging. For example, Andrew Skelton, an internal auditor at supermarket chain Morrisons. Skelton leaked the details of over 100,000 employees after being accused at work of dealing legal highs.
Pressured: Debt is a major factor for those who find themselves pressured into helping criminals steal data. Another pressure point is criminal activity outside of work or a lifestyle that leaves an employee open to being blackmailed into colluding with cyber criminals.
Negligent: It is easy to mistake this group for the 'accidental insiders'. They are not. They have had access to cybersecurity training and have been made aware of the risks of phishing or other attacks. However, they continue to behave as if they were immune from the dangers. This is not just about low-level employees. A lot of executives seem to believe that 'it won't happen to me'. The result is the same as with accidental insiders - a foothold inside the organisation for hackers to exploit.
Accidental: An employee falls for a well-crafted spear phishing attack or click on a link or realistic attachment. They may respond to a fake email just because it appears to come from someone more senior than them in the organisation. A more common mistake is sending data to the wrong person in email. The result of their mistake is to provide a foothold for an attacker who can then exploit that by installing malware or selling personal data online.
All five of these categories are very broad. They can be broken into smaller groups and some people fit into multiple categories. The important thing is that basic preventative actions apply to everyone.
What can be done to protect against an insider?
Irrespective of group, there are a number of approaches that can be taken. For some groups, it may require continuous monitoring to ensure that the employees are taking security seriously.
Education: Simple and clear guidance and information on the types of attacks that staff may encounter is essential. It should include information on what to do and be readily available through an intranet or similar.
Know what your critical assets are: Organisations are awash with data. Identify that data which would cause damage to the business it lost. This is typically PII, intellectual property, identity and security credentials, as well as financial systems.
Security policies: All organisations have them, but they can be complex, contradictory, obscure and hard to work with. Any time a security policy impinges on the ability of an employee to do their job, they will find a way around it. Review regularly, make sure that they are fit for purpose and are both accessible and easy to understand.
Patching and maintenance: A significant number of attacks come about through the exploit of know vulnerabilities. Systems that are patched and protected in a timely are harder for an attacker to breach even with the help of an employee.
Access management: The longer a person is with a business the more access they have to data. When they change roles and departments, access is rarely revoked. For executives and senior managers, that means they have excessive access to critical data. No system looking for unauthorised access is going to block someone who has the right permissions, even if they should no longer have them.
Technology: Use security software from the endpoint through to the core systems. Make sure it is maintained and that any alerts are responded to. Many employees wrongly believe that just because they have endpoint security solutions, nothing can happen to them. It is also important that security software is easy to use. Otherwise, staff will bypass systems in order to ‘get the job done’ particularly if working in pressurised roles.
Use advanced security solutions: Behavioural analytics and machine learning are both delivering extra capabilities to detect insider attacks. However, they need to be trained, monitored and trusted before they can become effective.
Know your employee: Soft skills are a better indicator of insider risk than just technical solutions. Talk to the negligent employee and try to understand why they keep taking chances. Do not treat the accidental breach as if it is the end of the world. If you do, users will stop reporting risk.
The insider threat is real. Understanding what it is and why it occurs is a start to protecting the company, its workforce and its customers. We have listed just some of the approaches that can be taken to protect data. Read our recent white paper to find out more.