Insider threat, the buzzword of this last decade?
In the last couple of years, social, business and information platforms have brought the insider threat to our attention more than ever before. The global economic problems, especially those caused by Covid, have made it one of the leading security and risk subjects.
Although we now see more and more of these insider threat situations in the news, their origins go back decades, even centuries. Insiders have brought down empires, appear in religious books and have stolen money and sensitive information from people, organizations, governments and countries since forever.
In the old days, though, we referred to insiders as spies, and history shows how their motivations have developed over time. The earliest reporting about this goes back to religion and is probably known to many as the story of the Garden of Eden, in which someone with bad intent, in this case the serpent, convinced Adam and Eve to eat the forbidden fruit, which made them guilty. This example also immediately shows that not everyone knowingly or willingly becomes an insider, and that a naive person can unintentionally become a victim of persuasion, bribery or misleading tricks.
This brings us straight back to the question of what insider threat really is. Organizations have often reached out to me asking for indicators that would help them spot an insider, and also asking me to review their insider risk program. Often, though, when I asked them for their definition of an insider risk, they described a trusted person within their organization who maliciously and intentionally causes harm to the organization and its resources.
This is partly right, but the truth is that anyone with authorized access, any individual to whom you grant, or have granted, access to your property or information, can wittingly or unwittingly harm the organization and its resources. This can be partners, suppliers, vendors, clients, employees, trainees, etc.
As you can see, all organizations are vulnerable in a way because really anyone can be a potential insider threat.
It can happen unintentionally, by unknowingly downloading malware or by sharing accounts or passwords. And now that employees are forced to work remotely, you as an organization have no real control over who else is able to look into documents or files, or who listens in on meetings in which sensitive information is shared among the participants. Or what about phishing attempts? They are still viewed as the biggest vulnerability because they tend to trick employees into sharing organization-sensitive information by posing as a legitimate business or trusted contact. These phishing mails often contain malware attachments or hyperlinks to compromised websites or complex data structures. One click can be enough…
Trusted insiders often commit malicious acts out of jealousy, revenge or financial problems. They commit things like fraud, espionage, theft, unauthorized disclosure, sabotage, workplace violence or other horrible and destructive acts.
The impacts of an insider threat on an organization can range from brand damage and loss of critical data to operational disruption and physical risks.
Without mentioning brand names, here are a few examples to give you an idea of what a person with malicious intent is capable of doing.
· One of the leading social media sites: A security engineer abused his access to stalk women.
· A big soda brand: An insider stole a hard drive full of personnel data.
· A leading Bank: A malicious insider stole personal data, including account information, from 1.5 million customers to provide to a criminal organization.
But did you know that the most critical factor enabling insider attacks is still the lack of awareness, the lack of expertise and the lack of training? Not to mention insufficient data protection strategies or solutions. Another important barrier always seems to be the lack of budget, even though the cost of proactively investing in an insider threat program, even just an awareness program, is without a doubt lower than the cost of a successful insider attack.
Many organizations seem to be very concerned about user privacy when monitoring for insider threats but indicate that they do not have the tools to ensure compliance with the EU’s General Data Protection Regulation (GDPR) and other regulations.
However, the increasing volume of insider threats has forced many organizations to take more proactive steps and deploy user and entity behavior analytics (UEBA) tools to classify, detect, and alert on anomalous behavior. Sadly, many organizations still seem not to monitor user behavior at all, or only do so after an incident has already taken place. Yet if they are identified early, many risks can be mitigated before real harm to the organization occurs.
Finding indicators might be challenging at times, but it is not impossible. It is mainly about awareness. To mention a few things that might be worth looking into:
· When an employee all of a sudden starts working odd hours
· Employees who have angry or even violent disagreements with their coworkers, especially if those disagreements are with their managers or executive staff.
· Unexplained financial gain. Someone who all of a sudden has fancy and expensive stuff. When an employee who normally drives an old, beat-up car to work every day suddenly shows up in a brand-new Porsche, it should raise some eyebrows.
· An employee who loudly voices disagreement with certain policies. There are known cases of someone holding company data hostage until they got what they wanted.
· Poor performance appraisals that the employee takes very sourly
· When someone gives their notice, take a look back at their activity in the past 90 days and see if they've done anything unusual or accessed data they shouldn't have.
· Financial distress. Especially in combination with hostile or very withdrawn behavior
· Personal changes. An outgoing person who all of a sudden becomes jumpy or skittish.
· Unusual, frequent overseas travel. Especially to a country where they have no relatives or friends and where there are no tourist attractions.
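Two of these indicators, odd working hours and the 90-day look-back when someone gives notice, can be checked against access logs even without a UEBA tool. The sketch below is an added example, not part of the original article; the log format, the user names, the entitlement map and the notice date are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample access records (user, timestamp, resource); not real data.
RAW = """\
alice,2023-01-10T09:15,crm
alice,2023-02-14T10:40,crm
alice,2023-03-03T16:05,crm
alice,2023-05-20T09:30,crm
alice,2023-06-02T02:10,crm
alice,2023-06-15T10:20,hr-records
alice,2023-06-28T03:45,hr-records
bob,2023-06-15T02:00,hr-records
"""
EVENTS = [(u, datetime.fromisoformat(t), r)
          for u, t, r in (line.split(",") for line in RAW.splitlines())]
ENTITLED = {"alice": {"crm"}, "bob": {"hr-records"}}  # assumed entitlement map
NOTICE = datetime(2023, 7, 1)                          # assumed day notice was given


def usual_hours(events, user, before):
    """Hours of the day at which the user was active before the review window."""
    return {ts.hour for u, ts, _ in events if u == user and ts < before}


def review_leaver(events, user, notice_date, entitled, days=90):
    """Return this user's events in the look-back window that need a human look."""
    start = notice_date - timedelta(days=days)
    baseline = usual_hours(events, user, start)
    findings = []
    for u, ts, resource in events:
        if u != user or not (start <= ts <= notice_date):
            continue  # only the departing user, only the look-back window
        reasons = []
        if baseline and ts.hour not in baseline:
            reasons.append("odd hour")  # no baseline means no odd-hour verdict
        if resource not in entitled.get(user, set()):
            reasons.append("outside entitlement")
        if reasons:
            findings.append((ts.isoformat(), resource, reasons))
    return findings


if __name__ == "__main__":
    for finding in review_leaver(EVENTS, "alice", NOTICE, ENTITLED):
        print(finding)
```

The review is scoped to one person and one time window and only returns entries with a stated reason, which keeps the amount of data a reviewer sees small.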
As you see, most of this comes back to awareness. It is of the utmost importance to educate your employees and to create a safe atmosphere in which people feel valued and heard. I talked about creating that safe environment in an earlier Q&A. I highly recommend implementing this in any organization.
Especially if you cannot afford UEBA tools yet, make sure to at least make everyone more aware.
Inform your employees about indicators, make them feel heard and valued, and have a “neutral” person for them to go to if they feel they have fallen victim or have noticed something off, whether in the system or in the behavior of a colleague. You can also create an anonymous space, such as an online form, where your employees can report their worries.
I trust that this information has given you some answers and insight into what insider threats are, the effect they can have and how creating awareness and a safe environment can be a start in mitigating these risks. There are many insider threat/risk programs out there nowadays; make sure to search for the one that suits your situation best.
Would you like more information or guidance about this subject? Feel free to contact us!