David is a computer security researcher with over 18 years of experience in malware analysis and antivirus software evaluation. He runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. He has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
Insider Threats: Foul play hidden in plain sight
Most organisations are primarily focused on protecting their digital assets from external attackers. This tactic makes a whole lot of sense, but with the caveat that some of the biggest cyber incidents happen from the inside. Current and former employees, business partners, contractors and people working for third parties like managed service providers (MSPs) may accidentally (or deliberately) become weak links in a company’s security posture.
All these individuals have a certain degree of access to proprietary business data, which means that any violation of enterprise policies or deliberate offence can lead organisations down a rabbit hole of security issues. The negative aftermath of an insider’s activity runs the gamut from intellectual property theft and reputational damage to unauthorised payments and heavy fines from regulators for non-compliance.
Catalysts for misdemeanour
What goals do these double-dealing folks seek to achieve? The FBI singles out two types of motives: personal and organisational. Scenarios involving personal factors are typically fuelled by opportunities for financial gain, retaliation by dissatisfied staff, thrill-seeking, susceptibility to flattery, self-esteem issues, vulnerability to blackmail, peculiar ideological views, or compulsive behaviour precipitated by alcohol or drug addiction.
The root causes that put organisations at risk of insider threats are crude remote work policies, a lack of clear-cut rules specifying ways to handle sensitive information, time pressure leading to security slip-ups, and insufficient mechanisms to prevent personnel and third parties from exiting the organisation with confidential digital content.
Types of insiders
Simply put, the peril stems from individuals who want to cause harm on purpose or from heedless employees who make blunders without realising it. However, this classification is somewhat rudimentary and does not reflect all the nuances of this multi-faceted phenomenon. Let’s zoom into the issue further and figure out how to unmask the evildoers wearing a poker face.
Employees who neglect proper digital hygiene may unwittingly make an adversary’s day. They are the ones most likely to get baited by phishers and hand over corporate data, download persistent malware masquerading as a benign program, open a virus-riddled email attachment, or greenlight a payment to someone pretending to be a senior manager. This is typically the biggest risk group, and its members are also the ones who can benefit most from regular cyber awareness training. Unfortunately, 37% of Australian employees recently surveyed by Mimecast admitted to “skipping cyber awareness and privacy training”, which leads to our second group – defiant users.
Defiant users dislike rules and resist authority, making them another potential security risk. These individuals tend to ignore obvious signs of danger and keep engaging in risky behaviour without a second thought while they pursue their curiosity or the thrill of “adventure”. They can be easy to manipulate and therefore might become pawns in a threat actor’s wicked game.
The menace can also emerge from seasoned spies who seek to capitalise on their data access privileges. Their objective is to harvest business-critical information and disrupt the company’s activities from the inside. These people are usually in cahoots with a third party such as a nation-state, an intelligence agency, or a competitor.
Cybercrooks who act on their own can also amass company data and later sell it to the highest bidder via dark web forums. The jeopardy becomes more impactful if the malefactor is part of the IT team and has broad access to the target’s IT infrastructure. These felons don’t usually start out conspiring with external actors, but eventually do so to monetise the information they’ve extracted.
The silver lining is that there are typical red flags that are conspicuous enough to pinpoint misconduct before any real damage is done. The following anomalies should give security professionals a heads-up:
An employee copies work-related files to removable storage media without apparent necessity.
A user repeatedly establishes remote access to the corporate network on weekends, at night, during holidays, or other unusual times.
A staff member ignores corporate security policies by installing dubious apps on their work computer or visiting questionable websites.
A user purchases luxury goods they could not afford before and has started living well beyond their means in general.
An employee has become unusually inquisitive about business information that does not fit the context of their regular duties.
Stopping insiders in their tracks
There are battle-tested methods to counter such conspiracies proactively. To ensure early detection, security professionals need to maintain and regularly monitor event logs that reflect all forms of abnormal activity highlighted above. Organisations should also make sure their employees know and stick to enterprise policies, especially those relating to data management.
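Two of the red flags listed above, off-hours remote access and copying files to removable media, can be checked mechanically over event logs. The following is an added example (not the author's code or any product's) that runs simple threshold logic over constructed sample log lines in an assumed "timestamp event_type user=name ..." format; the thresholds and the 07:00-20:00 working window are assumptions to tune per organisation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from a real system): one event per line.
# Assumed format: "<ISO timestamp> <event_type> user=<name> [key=value ...]"
SAMPLE_LOG = """\
2021-03-01T09:12:04 vpn_login user=alice src=203.0.113.10
2021-03-06T02:17:33 vpn_login user=bob src=198.51.100.7
2021-03-07T03:05:41 vpn_login user=bob src=198.51.100.7
2021-03-13T23:48:09 vpn_login user=bob src=198.51.100.7
2021-03-02T14:30:00 usb_copy user=carol path=/finance/q1-forecast.xlsx
2021-03-02T14:31:12 usb_copy user=carol path=/finance/board-pack.pdf
2021-03-02T14:32:45 usb_copy user=carol path=/hr/salary-bands.csv
2021-03-03T11:05:00 usb_copy user=alice path=/docs/template.docx
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+user=(\S+)(.*)$")

def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, etype, user, _rest = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "type": etype, "user": user})
    return events

def is_off_hours(ts, start=7, end=20):
    """Weekend (Mon=0 .. Sun=6) or outside the assumed working window."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def find_red_flags(events, vpn_threshold=3, usb_threshold=3):
    """Count indicators per user and report those crossing the thresholds."""
    off_hours, usb = defaultdict(int), defaultdict(int)
    for e in events:
        if e["type"] == "vpn_login" and is_off_hours(e["ts"]):
            off_hours[e["user"]] += 1
        elif e["type"] == "usb_copy":
            usb[e["user"]] += 1
    flags = {}
    for user, n in off_hours.items():
        if n >= vpn_threshold:
            flags.setdefault(user, []).append(f"off-hours remote access x{n}")
    for user, n in usb.items():
        if n >= usb_threshold:
            flags.setdefault(user, []).append(f"removable media copies x{n}")
    return flags

if __name__ == "__main__":
    for user, reasons in find_red_flags(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(reasons)}")
```

A single hit is rarely conclusive; the counts are meant to prompt a review against the user's role and the other indicators in the list, not to trigger action on their own.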
Adhering to the principle of least privilege (PoLP) is a hugely important component of corporate security because it minimises the risk of unauthorised access to sensitive information assets. Also, it is a good idea to establish convenient procedures for employees to report suspicious activity. When dismissing someone, businesses need to revoke all their login credentials immediately.
According to Mimecast’s latest research, 76% of all surveyed organisations in Australia were impacted by their lack of cyber preparedness last year, up considerably from 62% the year before. To prevent your company from ending up in that statistic in 2021, combine the above tips with the use of a trusted email security service and reputable anti-malware tools.
Vulnerability management solutions can harden your defences further by pinpointing any loopholes in your network that may allow an insider to break the rules and bypass corporate restrictions.