Insider Threats – The Complete Who, Why, How And What Guide To Dealing With Them


Insider threats are the most perfect way to execute a crime: from within the organization, under your own nose, while staying close to the one they betray. This is in no way a new paradigm; betrayal has been a common theme throughout history. Take the infamous saga of Julius Caesar, stabbed by a disgruntled Roman senator, his own friend, for the sake of politics. Although that is a story of epic magnitude, and many insider threat stories are as simple as clicking on the wrong email, some parallels can be drawn to show how much damage the fallacies of human behavior can do.

The IBM 2018 X-Force Threat Intelligence Index stated that insider threats were the cause of 60% of attacks. This type of cyber attack is on the rise now, more than ever, and shows no signs of slowing down. The report says there is a 5% year-over-year increase in insider threats. The reason is simply how easy it is to carry out and how readily it takes advantage of the lack of security measures in organizations today. When you think of hacking, you’d assume it involves some highly advanced code to impair a company’s network or the release of a virus onto someone’s computer. Although such attacks are rampant, good old-fashioned stealing is still a very viable option for an insider with intent.

But you cannot assume that every employee, or every insider breach, involved an employee rubbing his hands and plotting against you. Sometimes it is because of a very human flaw: carelessness. Either they execute a task without malicious intention, or a bad actor took advantage of their negligence.

Either way, insider threats are a topic you must deal with sensitively and smartly. You don’t want your employees feeling like they are under scrutiny all the time, nor should you allow any of them to blatantly take advantage of your trust. There is a fine line between executing stringent security measures with the right technology and awareness, and merely implementing rules and regulations out of fear.

Let’s discuss what this fine line is, what the types of insider threats are, how you can recognize them, and what you can do to address them.

Types of Insider Threats

Broadly, insider threats can be classified as those with an intention and those without one. The ones with an intention willingly compromise data, either for monetary benefit or on account of a personal grudge. The ones without intention are victims of cybercrime, just like the organization itself: unknowingly, they aid the hacker or leak information. Within these two groups, there are several differentiators:

The insider without a clue

Who is it?
This is the insider who has no clue what he/she has done. Their typical day involves interacting with the internet with no stringent security measures in place.

How is it carried out?

Phished out: One day, as they go about their mailing routine, they come across an email that looks like it is from their bank, asking for some personal information for an emergency bank formality with a deadline of a few hours. In a hurry (innocently and stupidly), the employee enters the information without a second thought, owing to the deadline. The hacker now gets hold of sensitive information, putting the employee’s accesses, and eventually the entire organizational network, at risk.

Facebook and Google fell victims to fake invoice phishing scams, costing them $100 million, according to a report.

Passwords, who?: Humans are forgetful. Losing laptops and personal devices is not unheard of, but what happens next? How easy is it for a hacker to go from finding a laptop to hacking into it?

An employee loses a laptop containing sensitive information that is not encrypted. This puts them, as well as the people whose information is on it, at risk. Or there is a break-in at your workplace and these devices are stolen, or other devices like an unencrypted USB drive go missing.

These are very real possibilities, and for Fresenius Medical Care of North America this happened five times over: according to a report, they were breached due to such incidents five times in a single year.

Why does this happen, and what can you do?

The primary reason this insider creates opportunities for bad actors is negligence born of a lack of awareness. They do not know about the security problems caused by storing highly sensitive information on an unencrypted personal device, storing passwords in notebooks and insecure Excel files, and so on.

This calls for regular security training sessions, and not the ones held for the sake of formality. You have to make them interesting enough that people take them seriously. There will always be employees who couldn’t care less about the many rules and regulations and what’s at stake. To them, explain the real-world incidents that could damage not only your business but also their own assets. That ought to pique their interest, if nothing else.

As much as you’d like to believe that you can dust off your hands after a session, it doesn’t end there. You have to take it a step further and implement a policy of least privilege, where everyone in the organization has access to only what they need, nothing more and nothing less. So if an account is ever compromised, you’ll know that the damage is still under control, buying you time to tackle the situation.

The insider looking to make more

Who is it?
These are the malicious insiders, who simply have malicious intent. They take advantage of the access at hand for monetary benefit, either by merely selling your data or by conducting full-blown corporate espionage.

How is it carried out?

Competitor snitch: Consider insiders who are in sales. Your employee wants to pursue newer opportunities and wants something to help them ramp up their growth at the new place. A simple solution would be to take all the possible sales leads and run with them. Unless you track who has made unreasonable downloads, you have probably just gifted your competitor with business opportunities.

Situational need: Employees go through the ups and downs of life like everyone else. Some of these personal situations may lead them to act differently. Either they have a lot of debt to cover, they bought a new house hoping to get a raise soon but did not, or they splurged on a lot of things and now do not know how to make up for it. Unless the company cares enough to notice these things and addresses the big changes in an employee’s life, the lack of communication can lead to an employee scheming against the company for money on the side.

Malicious scheming: These are insiders who plot and scheme to no end. Slowly downloading sensitive information and selling it to others, or downloading new project material and sending it to a competitor, are among their methods.

An AMSC employee sold their engineering material to their competitor Sinovel for $20,000. The company received justice only after a 6-year long fight, which cost them revenue, stock value, and a lot of jobs.

Why does this happen and what can you do?

This happens due to a lack of awareness on the employer’s end as to whom they are hiring. It is essential to carry out thorough background checks before hiring an employee.

Another major reason is the lack of tracking of employee data. Monitoring does not necessarily mean invading your employees’ privacy; rather, it means noticing behavioral changes and how they deal with your network. Are there any abnormalities? Are they accessing sensitive files? Are they logging in at odd hours? Are they requesting access to data they don’t need?

Tracking these changes can make the difference between staying secure and getting hacked. Regular certification of accesses is a step in this direction: regularly review which accesses each employee currently holds, which can stay, and which are to be revoked. These campaigns must be a mandatory practice.

A risk engine that can generate reports daily, recognize anomalies in accesses, and assign a risk score to each access is another need of the hour. These engines not only provide data but also trigger step-up authentication when risk scores are high, and can even suspend the access altogether when it is to a sensitive file.
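As an added illustration (not code from the original article or any vendor product), the following is a minimal risk engine in the spirit of the last two paragraphs: it scores each access event on the signals the text names (odd-hour logins, sensitive files, data outside the user's role, unreasonable downloads) and maps the score to allow, step-up authentication, or suspension. The role model, thresholds and sample events are constructed assumptions.

```python
from datetime import datetime

# Constructed role model: the data sets each role legitimately needs (least privilege).
ROLE_NEEDS = {
    "sales": {"crm"},
    "engineering": {"source", "designs"},
}
SENSITIVE = {"designs", "payroll"}   # the "sensitive files" the text refers to
WORK_HOURS = range(8, 19)            # 08:00-18:59 is treated as normal working hours
BULK_BYTES = 50_000_000              # downloads above this count as "unreasonable"
STEP_UP_AT, SUSPEND_AT = 40, 70      # constructed risk thresholds

def score_event(event):
    """Assign a risk score to one access event and list the signals that fired."""
    score, reasons = 0, []
    if datetime.fromisoformat(event["time"]).hour not in WORK_HOURS:
        score += 30
        reasons.append("odd-hour access")
    if event["dataset"] in SENSITIVE:
        score += 40
        reasons.append("sensitive dataset")
    if event["dataset"] not in ROLE_NEEDS.get(event["role"], set()):
        score += 30
        reasons.append("outside role needs")
    if event.get("bytes", 0) > BULK_BYTES:
        score += 20
        reasons.append("bulk download")
    return score, reasons

def decide(event):
    """Map the score to the actions the article describes: allow, step-up, or suspend."""
    score, reasons = score_event(event)
    if score >= SUSPEND_AT and event["dataset"] in SENSITIVE:
        action = "suspend"
    elif score >= STEP_UP_AT:
        action = "step-up-auth"
    else:
        action = "allow"
    return {"user": event["user"], "action": action, "score": score, "reasons": reasons}

# Constructed sample events standing in for one day's access log.
SAMPLE_EVENTS = [
    {"user": "alice", "role": "sales", "dataset": "crm", "time": "2024-03-04T10:15:00", "bytes": 120_000},
    {"user": "bob", "role": "sales", "dataset": "crm", "time": "2024-03-04T02:40:00", "bytes": 90_000_000},
    {"user": "carol", "role": "sales", "dataset": "designs", "time": "2024-03-04T23:05:00", "bytes": 5_000},
]

def daily_report(events=SAMPLE_EVENTS):
    """The daily report: one decision per event, highest risk first."""
    return sorted((decide(e) for e in events), key=lambda r: -r["score"])
```

In a real deployment the events would come from your identity provider's or file server's audit log, and the thresholds would be tuned against a baseline of normal behaviour rather than fixed constants.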

The insider that got away

Who is it?
These are the insiders who land your business in trouble after leaving. They hand in their resignation and start their mission to collect your data.

How is it carried out?

Disgruntled employee: In a typical organization with several employees, there are bound to be differences of opinion and different kinds of people. Sometimes these tend to get out of hand. Consider the tension between an employee and his/her manager. If the employee is unable to get their tasks right and the manager fails to convey this without offending them, this leads to an argument. The manager fires the employee on account of this behavior. This employee now has several reasons to take it personally and might even want to inflict damage. They can take advantage of their current accesses and sell vital information, or ruin several aspects of your organizational network out of spite.

An employee of Canadian Pacific Railway (CPR) was fired for insubordination, according to a report. He chose to resign before he could be let go, and in the process he deleted some critical files, removed admin accounts, changed passwords, and wiped his hard drive. He was eventually caught, but these changes did set the company back for a while.

Too privileged for their own good: Privileged accounts in an organization are those with access to sensitive files, admin-level access, essentially accesses that can make or break your company. Surprisingly, these are the accesses that lack stringent regulation. An employee with privileged access whose accesses aren’t monitored has every potential to go rogue.

Google’s self-driving car project, Waymo, is a classic example. An employee with privileged access downloaded their trade secrets and intellectual property and joined Otto, which was later acquired by Uber. This was later proved, and a mutual agreement was signed with Uber not to use this information.

Why does this happen, and what can you do?

Employees are the heart of an organization. Certain sensitive situations must be handled maturely to ensure employees don’t leave begrudgingly. Before employees leave an organization, a thorough check of their accesses must be done. Their activities during their last days with the organization must also be monitored vigilantly.
Most importantly, privileged access management must be a mandatory practice. Solutions like MFA, governance, and risk management should together form a holistic solution for handling privileged accesses.

The insider who is not really an insider

Who is it?
The insiders within your organization aren’t the only ones capable of an insider threat. Third-party employees are a huge risk too.

How is it carried out?

Contractors, supply chain vendors, and others: Third parties also have access to sensitive information in your organization. If your security is top-notch, you provide access only to the right people, and your employees are well trained, but your third-party vendor barely has a security policy, then that can completely nullify your efforts.
Anthem, a health insurance company, ramped up their security after a cyber attack, but due to their third-party vendor’s negligence, they still had a breach. An employee of the vendor sent an email containing patient information to his own email address. Although the third party informed the patients immediately, it was still a breach of trust.

Why does this happen, and what can you do?
Third-party vendors can be the backdoor entry into your security. While choosing vendors, organizations must be thorough. Every vendor must be bound by a contract that states their commitment to security as well.
Regular auditing of third-party vendors is a must. You might be compliant, but every other contractor with access to your data must be compliant as well. If ever there is a breach, the responsibility is on you too.

Evolve with the changing landscape of cybersecurity

Today, it is no longer enough to secure yourself from external threats with a firewall. With data access control weakening across the cloud, multiple devices, IoT, 5G, and other growing technologies, you can never be too secure.

The only way to deal with insider threats is to manage risk holistically. This can only happen by implementing intelligent solutions, backed by a zero trust policy. Identity and access management is the solution that protects against threats from far afield as well as close to home.

Trust the technology to trust your employees.
