You may have heard the term ‘insider threat’ before, but what does it actually mean?
In the context of cyber security, as the name suggests, it refers to threats that come from inside an organisation.
That doesn’t necessarily mean an employee, although it certainly can be an employee, but it can also be third-party vendors, contractors, or partners too.
Here’s a statistic that should make you sit up and pay attention.
25% of all security incidents involve insiders.
And it’s important to understand that not all insider threats are intentional or malicious.
It’s quite common that a negligent employee falls victim to some sort of attack, such as a phishing attack. That is an unintentional insider threat.
Of course, some insider threats are malicious.
They can include intentional theft or destruction of company data, or even corporate espionage where company secrets are shared or sold.
Whether intentional or otherwise, keep in mind that the consequences are the same, and insider threats can come from any level within an organisation.
Without sounding like an in-house legal counsel, the answer is ‘it depends’.
As we just agreed, given some insider threats are intentional and others are not, the starting points are complex.
Reducing your unintentional insider threats is an ongoing process of education, maintaining robust security systems, and proactive stress testing of the same.
But when we think about intentional insider threats (the malicious ones), we can learn a lot by considering human behaviour.
We can likely agree that nobody wakes up one morning a happy, satisfied, and fulfilled employee and, without warning, decides they’re going to attack their employer.
It's more likely a process filled with multiple key moments that leads to someone becoming an insider threat.
Most people are not bad apples ‘per se’, but often become a threat as a result of three key factors:
And when these three factors align, it can yield an insider threat from an otherwise ‘regular Joe’ who wouldn’t have normally considered becoming such.
There are generally three typical types of insider attack: sabotage, theft, and fraud.
Let’s start with sabotage and theft first as fraud is a bit of an outlier.
In general terms, sabotage and theft tend to occur at the end of employment.
Common triggers are being fired or made redundant, for example, and the motivations can be quite complex.
Sabotage can be a result of seeking vengeance against the employer. They’re angry because they were let go, and they want their ‘revenge’.
Theft can be more complicated and tends to be people who are in difficult situations. Maybe they have financial stress, relationship hardship at home, or they could be dissatisfied with you, their employer.
It could just be that they perceive that ‘you (the company) can afford it, so it’s okay’.
Or it could be that they believe they’ve worked so hard on something that they have some sort of entitlement to it (and take a copy of it), even though, legally, it belongs to the company.
Whatever the motivation, it's complicated. It’s too easy to simply say they’re ‘bad people’ as it can be very much about the circumstance that leads them down this path.
As a starting point, there are certain departments that are more obvious targets. It could be the sales and marketing team that has the client database, the engineering team who holds a lot of the design IP, or the finance team that handles the $$$’s.
Step 1 - Increase monitoring around those employees first rather than your entire cohort of staff. Be alert to shifts in behaviour, unusual activity, or changes in routines. You never know what’s gone on at home before they arrive at the office!
Step 2 - Given the higher-than-average occurrence of sabotage and theft at the end of employment, you can adapt your off-boarding processes accordingly.
When somebody hands in their notice or is let go, increase your monitoring of their activities. And be sure to communicate that to your staff otherwise, mistrust can quickly develop.
Step 3 - Ensure that you have robust processes in place for employees or contractors who are being off-boarded. It’s important to protect the company network and other digital systems.
Ensure back-ups are up to date so that ‘ctrl-alt-delete’ does not actually delete all information from their machines or devices. Ensure that access privileges are withdrawn at the appropriate time (which could be before they leave in certain circumstances).
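As an added example (not from the original post), here is a small script that turns Steps 2 and 3 into two checks: leavers whose last day has passed but whose account is still enabled, and leavers with bulk downloads during their notice period. All users, dates, and log lines are constructed for the example; the log format and field names are assumptions.

```python
"""Off-boarding checks for departing staff (added example, not the post's own tooling).

Assumed inputs (all constructed for this example):
  - LEAVERS: HR records with notice date and last working day
  - ACCOUNTS: an identity-directory snapshot (enabled flag, last login)
  - EVENTS: access-log lines in "timestamp user action object" form
"""
from datetime import date, datetime

# Constructed sample data (hypothetical users and dates)
LEAVERS = {
    "alice": {"notice": date(2024, 3, 1), "last_day": date(2024, 3, 15)},
    "bob":   {"notice": date(2024, 3, 10), "last_day": date(2024, 3, 31)},
}
ACCOUNTS = {
    "alice": {"enabled": True, "last_login": date(2024, 3, 18)},  # left on 15 Mar, still enabled
    "bob":   {"enabled": True, "last_login": date(2024, 3, 12)},  # still in notice period
    "carol": {"enabled": True, "last_login": date(2024, 3, 18)},  # not a leaver
}
EVENTS = [
    "2024-03-02T09:12:00 alice download client_database.csv",
    "2024-03-02T09:13:00 alice download client_database.csv",
    "2024-03-02T09:14:00 alice download design_specs.zip",
    "2024-03-11T14:05:00 bob login vpn",
    "2024-03-11T16:40:00 carol download design_specs.zip",
]

def stale_accounts(today, leavers=LEAVERS, accounts=ACCOUNTS):
    """Leavers whose last day has passed but whose account is still enabled (Step 3)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(u for u, hr in leavers.items()
                  if today > hr["last_day"] and accounts.get(u, {}).get("enabled"))

def notice_period_activity(events=EVENTS, leavers=LEAVERS, threshold=2):
    """Count 'download' actions per leaver between notice date and last day (Step 2);
    return only those at or above the threshold, for a closer look."""
    counts = {}
    for line in events:
        ts, user, action, _obj = line.split(" ", 3)
        if user not in leavers or action != "download":
            continue
        day = datetime.fromisoformat(ts).date()
        hr = leavers[user]
        if hr["notice"] <= day <= hr["last_day"]:
            counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("accounts to disable:", stale_accounts("2024-03-18"))
    print("leavers with bulk downloads in notice period:", notice_period_activity())
```

In practice the HR list and directory snapshot would come from your HR system and identity provider, and the threshold should be tuned to the department's normal download volume.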
And always keep in mind…
We don’t wish to be cynical, but history has shown that an insider threat can come from any level of the organisation at any time.
There is a famous case study of a highly decorated former US General called David Petraeus, who was head of the CIA. After 37 years of exemplary service and loyalty to his country, his marriage came under pressure, and he had an extramarital affair.
That affair ultimately led to him sharing classified information with his mistress, a crime to which he pleaded guilty.
And as an interesting side note, the way in which they shared that classified information was via a Gmail account. He would add it to an email that was stored as a ‘draft’, and she would retrieve the information from that draft email and then delete the email… Thus, the emails were never ‘sent’, which made detection much harder.
So, a sobering conclusion is that it doesn't matter who it is, because even the leader of an organisation could flip someday and become the next insider threat.
What checks and balances do you have in place to limit the likelihood of an insider threat and achieve early detection?
Members of the Cyber Heroes community can access a deep-dive cyber security audit that identifies threats to their organisation. Through a process of rolling review, those risks are proactively managed to reduce or eliminate them.
Dramatically lower the risk to your people, profits and reputation by getting in front of the cyber criminals, and sleep better at night as a result.