
A Guide to Insider Threats

September 2019 has been declared National Insider Threat Awareness Month by the US National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF).

The initiative has been specifically set up to raise awareness of the serious risks posed by insider threats, whilst encouraging employees to recognise and report security incidents so early intervention can occur.

It’s easy to focus on the more pressing cyber security threats, but the reality is that insider threats can be equally damaging and require the same vigilance to prevent and detect.

These types of attacks are more common than you might think and according to the Verizon Insider Threat Report, 20% of Cyber Security incidents and 15% of data breaches originate from insiders within an organisation.

The attacks can also be extremely costly, with the average incident costing organisations more than $8 million. We tend to think these attacks are premeditated and sinister, and often they are, but the majority of insider threat incidents are the result of poor security practices by employees.

What is an Insider Threat?


An insider threat is a security incident that originates within an organisation itself rather than from an external source. It may be a current or former employee, a contractor, a third-party vendor or any other business associate that has access to the organisation’s data and computer systems.

Every organisation is vulnerable, however, certain industries such as Manufacturing, Healthcare, and Finance tend to have a higher risk profile than others. This may be due to the vast amounts of valuable information they hold.

Types of Insider Threats


Insider attacks can be particularly dangerous because unlike external actors attempting to infiltrate a network, insiders will typically have legitimate access to an organisation’s computer systems. They can gain access to sensitive data without arousing suspicions and attacks can often go unnoticed for weeks, even months.

For organisations to stop insider threats, they need to know about the different types of threats and the motivations behind the attack.

  • Malicious Insider – This is an employee who will take advantage of their privileged access to knowingly steal data or commit other negative acts against the organisation. Another type of malicious insider is the disgruntled employee. They will deliberately try and find ways to inflict damage to the organisation if they feel they have been mistreated. This could be editing or deleting large amounts of sensitive data or interfering with critical systems.
  • Compromised Insider – This can often be one of the most dangerous types of insider threats as employees may not even realise that they’ve been compromised. Typically, their computer will be infected with malware as a result of clicking on a phishing link or opening a malicious attachment.
  • Negligent Insider – An employee that doesn’t follow proper IT procedures is known as a negligent insider. Whether they leave their computer unlocked, leave sensitive data in full view or let an unauthorised person into the building, these employees put their organisation at great risk with poor security practices.

Warning Signs


There are often a number of warning signs that can alert organisations to an insider threat. These include:

  • Downloading or accessing large amounts of sensitive data
  • The use of external storage devices such as USB sticks
  • Accessing data not associated with job role
  • Copying files from sensitive folders
  • Emailing sensitive data outside of the organisation
  • Personality and behavioural changes
  • Working unusual hours

High Profile Examples


Unfortunately, there’s no shortage of examples of organisations that have been on the receiving end of Insider threat incidents. These high-profile attacks have highlighted the financial and reputational damage that can be inflicted as a result of insider threats. Some of the more notable cases include:

Punjab National Bank

In one of the costliest insider attacks, an employee at Punjab National Bank used the SWIFT interbank communication system to authorise the issuance of money through Letters of Undertaking and Foreign Letters of Credit. Through these fraudulent transactions, the employee was able to transfer funds totalling £1.5 billion.

Morrisons

In 2017, Morrisons, one of the UK’s leading supermarket chains, was held to account after a disgruntled internal auditor published the details of over 100,000 employees. This included sensitive data such as National Insurance numbers, dates of birth and bank account details. 5,518 employees took Morrisons to court claiming the leak had exposed them to the risk of identity theft and potential financial loss. Morrisons was found liable and incurred costs of up to £2 million.

Target

The 2014 Target breach occurred when a third-party employee clicked on a phishing link that helped attackers get into the HVAC vendor’s network and eventually into Target’s network. The attack compromised the names, addresses, phone numbers, email addresses, and credit card data of over 70 million people. In this particular case, the insider did not have malicious intentions, but the attack caused significant reputational damage and cost the company $300 million.

How can Organisations Defend Against Insider Threats?


Security Awareness Training – Training is critical in educating employees on security policies and the threats they are likely to encounter in their day-to-day role. This could be anything from a phishing email to the importance of physical security in the workplace. Small lapses in judgement have the potential to cause great damage to an organisation, so staff need to receive regular training to ensure they know how to identify and respond appropriately to evolving threats.

Use Strong Authentication – If an organisation’s accounts can be compromised, insiders can move laterally around networks stealing sensitive data. Employees should avoid sharing passwords and there should be strong authentication processes in place for access to sensitive applications and systems.

Monitor Employees’ Online Behaviour – Organisations should periodically monitor employee behaviour to detect any suspicious activity. This could be logging in at unusual times, accessing sensitive data or attempting to copy data from folders they are not authorised to view. Behavioural analytics can play an important role in identifying users who are acting outside the norm. The earlier organisations can pick up on this behaviour, the quicker they can resolve any issues.
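The warning signs listed earlier (bulk access to sensitive data, removable media, access outside the job role, emailing sensitive data externally, unusual hours) and the behavioural monitoring described in this paragraph can be expressed as simple detection rules over access logs. The script below is an added example and is not from the original article; the log format, the folder-to-role mapping, the thresholds, the company domain and the user names are all constructed assumptions, and a real deployment would feed these rules from its own audit sources and tune the thresholds to its own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Assumed mapping of job role -> top-level folders that role is expected to touch.
ROLE_FOLDERS = {
    "finance": {"/finance", "/shared"},
    "engineering": {"/code", "/shared"},
}
# Assumed assignment of users to roles (constructed).
USER_ROLES = {
    "alice": ROLE_FOLDERS["finance"],
    "bob": ROLE_FOLDERS["engineering"],
}
SENSITIVE_FOLDERS = {"/finance", "/hr"}   # folders whose contents count as sensitive
COMPANY_DOMAIN = "example.com"            # mail outside this domain is "external"
WORK_HOURS = range(7, 20)                 # 07:00-19:59 on weekdays is normal activity
BULK_THRESHOLD = 20                       # sensitive reads per user per day before flagging

# Constructed log lines: "<ISO timestamp> <user> <action> <resource> [<destination>]".
# 2019-09-02 is a Monday.
SAMPLE_LOG = """
2019-09-02T09:15:00 alice read /finance/q3_forecast.xlsx
2019-09-02T09:16:00 alice read /finance/payroll.csv
2019-09-02T10:05:00 bob read /code/app.py
2019-09-02T23:40:00 bob read /hr/salaries.csv
2019-09-02T23:41:00 bob copy /hr/salaries.csv usb:E:
2019-09-02T23:45:00 bob email /hr/salaries.csv bob.home@gmail.com
2019-09-03T14:00:00 alice email /finance/q3_forecast.xlsx cfo@example.com
""".strip()


def parse_line(line):
    """Split one log line into a dict; destination is optional."""
    parts = line.split()
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "user": parts[1],
        "action": parts[2],
        "resource": parts[3],
        "dest": parts[4] if len(parts) > 4 else None,
    }


def top_folder(path):
    """'/hr/salaries.csv' -> '/hr'."""
    return "/" + path.split("/")[1]


def detect(log_text, roles):
    """Return {user: sorted list of warning-sign labels} for every user that tripped a rule."""
    alerts = defaultdict(set)
    sensitive_reads = defaultdict(int)   # (user, date) -> count of sensitive reads
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        user, folder = e["user"], top_folder(e["resource"])
        ts = e["ts"]

        # Working unusual hours: outside the normal window or at the weekend.
        if ts.hour not in WORK_HOURS or ts.weekday() >= 5:
            alerts[user].add("unusual_hours")

        # Accessing data not associated with the job role.
        if folder not in roles.get(user, set()):
            alerts[user].add("outside_role")

        # Downloading or accessing large amounts of sensitive data (per day).
        if e["action"] == "read" and folder in SENSITIVE_FOLDERS:
            key = (user, ts.date())
            sensitive_reads[key] += 1
            if sensitive_reads[key] > BULK_THRESHOLD:
                alerts[user].add("bulk_sensitive_access")

        # Copying files to external storage such as a USB stick.
        if e["action"] == "copy" and e["dest"] and e["dest"].startswith("usb:"):
            alerts[user].add("removable_media")

        # Emailing sensitive data outside the organisation.
        if e["action"] == "email" and e["dest"] and folder in SENSITIVE_FOLDERS:
            domain = e["dest"].rsplit("@", 1)[-1].lower()
            if domain != COMPANY_DOMAIN:
                alerts[user].add("external_email_sensitive")

    return {u: sorted(a) for u, a in alerts.items()}


if __name__ == "__main__":
    for user, labels in detect(SAMPLE_LOG, USER_ROLES).items():
        print(f"{user}: {', '.join(labels)}")
```

Each rule maps directly to one of the warning signs above; the output is a per-user list of labels rather than a verdict, because a single hit (an occasional late login, say) is usually benign and the value comes from several signs clustering on the same account within a short window, which is exactly what a reviewer or a behavioural-analytics platform would then investigate.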

Establish Incident Reporting Process – Organisations should have a clear procedure in place for the reporting and logging of all security incidents. The reporting capability will address the full range of incidents that could occur and set out appropriate responses. This will help flag up any suspicious behaviour and provide all the necessary information required for regulatory reporting.