Cyber Security Training & Software for Companies | MetaCompliance

An Introduction to Insider Threats


No one likes to think that insider threats exist in their company, putting the organisation at risk of a data breach or of a non-compliance fine costing thousands of pounds. However, the insider threat is all too real. According to multiple reports, insider threats are behind many of the security issues we face today. The “Cybersecurity Insiders Insider Threat Report 2020”, for example, found that 68% of organisations believe that insider threats are increasing in frequency. In one survey from Egress, the “2020 Insider Data Breach Survey”, almost all of the IT leaders who responded said that insider breach risk was a “significant concern”.

It is often said in the cyber security industry that insider threats are the most difficult to deal with; after all, how can a malicious action or an accidental data leak be detected? Here is our guide to insider threats and how to prevent them.

Types of Insider Threats

An insider is anyone who is currently working with, or has previously worked for, your organisation. This definition covers employees and non-employees such as contractors. Insiders can also be extended to a business associate or a company from your vendor ecosystem. Remote workers, too, add to the insider security concerns of a business, with an IBM survey finding that security woes are exacerbated by companies not ensuring that remote working security policies are enforced.

The Accidental Insider

An article from the EC-Council said that 64% of data loss events are attributable to insiders who “meant well”; in other words, accidents happen. The umbrella term of accidental insider threats covers a wide remit of possible ‘accidents or mishaps’. Some of these mishaps happen because the person simply does not understand the security risks of the task they are performing; others, like phishing or social engineering, happen because individuals are manipulated by external forces. Misconfiguration of IT systems is another area that is accidental but allows external forces to exploit a system. The accidental insider often comes down to four main problem areas:

  • The oops factor: Misunderstanding or lack of knowledge about security processes and risks. The Egress study found 31% of breaches were caused by an employee emailing information to the wrong person.
  • Trickery: Manipulation by external forces, e.g., phishing. The Egress study found that 41% of accidentally leaked data was due to a phishing email.
  • Poor posture: Poor security posture by a company, and a lack of enforcement and education about security.
  • Lack of security skills: Misconfiguration of systems because of poor training or lack of understanding of security at the IT administration level.

Malicious Insiders

Those employees and non-employees who purposely intend to cause harm to IT systems or steal data are termed malicious. Unlike accidental insiders, malicious insider threats are typically motivated by the likes of money or revenge. A report from Fortinet into insider threats found that 60% of firms were concerned about the threat of a data breach caused by a malicious insider. The survey also looked at motivations for malicious insiders, with the top three reasons being:

  1. Fraud (55%)
  2. Money (49%)
  3. Theft of intellectual property (44%)

Malicious insiders are even recruited on the dark web, with one report pointing out a dark web ad for a bank employee to act as a malicious insider; the gig paid 370,000 roubles (£4,400) per month for one hour’s work a day.

Examples of Insider Threats

No matter if the data breach or other security event is caused maliciously or accidentally, the repercussions are the same. Data breaches and other security issues result in large non-compliance fines, loss of customer trust in an organisation’s ability to protect sensitive information, and even declines in company share value. Three examples are shown below where insider attacks caused company damage:

The disgruntled employee: A company involved in the distribution of personal protective equipment (PPE) during the Covid-19 pandemic suffered at the hands of an angry employee. The former employee, “Dobbins”, created two fake user accounts before losing his job. Once sacked, Dobbins logged into the system using the fake accounts. He then edited almost 12,000 records, deleting over 2,000. He finally deactivated the fake accounts. By making these changes, Dobbins seriously disrupted the delivery of PPE to healthcare providers.

Malicious intent for profit: A Bupa employee caused a breach affecting 547,000 customers, with the result that the UK’s ICO fined Bupa £175,000. The employee used the company’s CRM system to send himself the personal data of the Bupa customers before then trying to sell the compromised accounts on the dark web.

Accidents happen but they are often inexcusable: The ‘Independent Inquiry into Child Sexual Abuse’ (IICSA) came under scrutiny after an employee sent a bulk email to 90 possible victims of child sexual abuse. The employee simply used the cc field instead of the bcc field to enter the email addresses, so every recipient could see every other recipient. The UK’s ICO fined IICSA £200,000 under the Data Protection Act (DPA2018).

Ways to Detect and Mitigate Insider Threats in Your Organisation

Whilst it can be difficult to detect and prevent insider attacks, there are ways to minimise their impact. Here are five ways that help your organisation control insider threats:

Security Awareness Training

As many insider threats are accidental, security awareness training can play an important part in mitigating this cyber risk. Security awareness training should cover aspects of accidental insider threats such as:

  • Security hygiene: for example, teaching employees to be cognisant of sending data in a secure manner.
  • Phishing: ensuring that employees are up to speed on email and other phishing tricks and aware of credential theft via phishing sites.
  • Compliance awareness: ensuring that employees are aware of their role in ensuring that regulatory compliance is adhered to.
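The IICSA example above is a mishap that training reduces but does not eliminate, so a technical safety net at the mail gateway is worth pairing with it. The following is an added example, not MetaCompliance's code or the product described on this page: a pre-send guard that counts the external addresses placed in To/Cc (where every recipient sees them) and refuses the message when that count exceeds a threshold, telling the sender to use Bcc. The internal domain, the threshold and the sample headers are constructed assumptions.

```python
"""Pre-send guard: refuse outbound mail that discloses many external recipients to each other."""
from dataclasses import dataclass, field
from email.utils import getaddresses

# Assumed values; a real gateway would take these from configuration.
INTERNAL_DOMAINS = {"example.org"}   # the sending organisation's own domain(s) (constructed)
MAX_VISIBLE_EXTERNAL = 5             # more than this many external To/Cc addresses is blocked (assumed)


@dataclass
class Verdict:
    allowed: bool
    visible_external: list[str] = field(default_factory=list)
    reason: str = ""


def visible_external_recipients(headers: dict[str, str]) -> list[str]:
    """Return the de-duplicated external addresses found in To and Cc.

    Bcc is deliberately ignored: addresses there are not disclosed to the other recipients,
    which is exactly where a bulk mailing to unrelated people belongs.
    """
    pairs = getaddresses([headers.get("To", ""), headers.get("Cc", "")])
    external = set()
    for _display_name, addr in pairs:
        addr = addr.strip().lower()
        if "@" not in addr:
            continue                      # malformed or empty entry; nothing to disclose
        domain = addr.rsplit("@", 1)[1]
        if domain not in INTERNAL_DOMAINS:
            external.add(addr)
    return sorted(external)


def check_outbound(headers: dict[str, str]) -> Verdict:
    """Decide whether the message may leave; the reason is shown to the sender on refusal."""
    ext = visible_external_recipients(headers)
    if len(ext) > MAX_VISIBLE_EXTERNAL:
        return Verdict(False, ext,
                       f"{len(ext)} external recipients are visible in To/Cc; move them to Bcc")
    return Verdict(True, ext)


if __name__ == "__main__":
    # Constructed headers resembling the cc-instead-of-bcc mistake.
    bad = {"To": "inquiry@example.org",
           "Cc": ", ".join(f"person{i}@mail{i}.example" for i in range(8))}
    good = {"To": "inquiry@example.org",
            "Bcc": ", ".join(f"person{i}@mail{i}.example" for i in range(8))}
    print(check_outbound(bad))
    print(check_outbound(good))
```

The check runs on the server side (gateway or sending API) rather than in the mail client, so it cannot be skipped by the sender; the refusal message tells the sender how to fix the message rather than silently dropping it.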

Zero Trust

Many insider threats are caused by privilege misuse or abuse and poor control of access to sensitive data. Zero trust is based on the principle of “never trust, always verify”. What this boils down to is that employees and/or devices used are challenged when attempting to access resources.

These challenges reflect the sensitivity of the resources, so more sensitive data or apps require more assurance that the person accessing them is who they say they are. A zero trust architecture is a mix of appropriate technologies and an architectural approach that helps to compartmentalise areas of a network. Technologies to support a zero trust architecture include Security Information and Event Management (SIEM) and a cloud access security broker (CASB).

Authentication and Authorisation

Building on a zero trust architecture is the principle of robust authentication and authorisation. Context-aware authentication and authorisation adds an important layer of control to access to sensitive data. The use of 2FA/MFA to access corporate apps, especially when working remotely, should be enforced. Coupled with monitoring, these processes create a robust security layer.
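The two sections above describe access challenges that scale with resource sensitivity and that require MFA regardless of location. The following is an added example illustrating that idea in code; it is not MetaCompliance's product or any real policy engine. The sensitivity tiers, the policy table and the `Context` fields are assumptions chosen for the illustration. Note that network location is carried in the context but deliberately never consulted: being on the corporate network earns no trust, which is the "never trust, always verify" principle in practice.

```python
"""Context-aware access decision for a tiered-sensitivity resource (added example, assumed policy)."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Context:
    """What the policy engine knows about the request (assumed signal set)."""
    user_authenticated: bool
    mfa_verified: bool
    device_managed: bool
    on_corporate_network: bool   # recorded for audit only; never grants access by itself
    session_age_minutes: int


# Assumed policy: minimum assurance per tier. max_age is the oldest acceptable session
# (minutes) before the user must authenticate again; None means no limit.
POLICY = {
    Sensitivity.PUBLIC:       dict(auth=False, mfa=False, managed=False, max_age=None),
    Sensitivity.INTERNAL:     dict(auth=True,  mfa=False, managed=False, max_age=None),
    Sensitivity.CONFIDENTIAL: dict(auth=True,  mfa=True,  managed=False, max_age=480),
    Sensitivity.RESTRICTED:   dict(auth=True,  mfa=True,  managed=True,  max_age=60),
}


def decide(level: Sensitivity, ctx: Context) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    "step_up" means the request can succeed once the user completes the listed challenges;
    "deny" means no challenge can satisfy the policy from this context (e.g. unmanaged device).
    """
    req = POLICY[level]
    if req["auth"] and not ctx.user_authenticated:
        return "deny", ["not authenticated"]
    challenges = []
    if req["mfa"] and not ctx.mfa_verified:
        challenges.append("mfa")
    if req["max_age"] is not None and ctx.session_age_minutes > req["max_age"]:
        challenges.append("reauthenticate")
    if req["managed"] and not ctx.device_managed:
        return "deny", challenges + ["unmanaged device"]
    if challenges:
        return "step_up", challenges
    return "allow", []


if __name__ == "__main__":
    # Constructed: a logged-in user without MFA on a personal laptop inside the office network.
    office_no_mfa = Context(True, False, False, True, 10)
    for tier in Sensitivity:
        print(tier.name, decide(tier, office_no_mfa))
```

Running the sample shows the same user allowed into INTERNAL material, challenged for MFA on CONFIDENTIAL, and denied RESTRICTED outright because the device is unmanaged, even though the request originates on the corporate network.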

Looking for Signals of Unusual Behaviour

Malicious insider threats can be difficult to detect, but certain machine learning (ML)-enabled technologies can help in threat detection and alert your security team to unusual activity. One of these is employee monitoring in the form of UEBA (User and Entity Behaviour Analytics). UEBA detects unusual behaviours by using ML to spot anomalous patterns when humans interact with devices and networks.
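To make the UEBA idea concrete, here is an added example (not MetaCompliance's code or any vendor's product) that scores a small constructed audit log the way a simple behaviour-analytics rule set would, using the Dobbins case above as the shape of the activity to catch. Three independent signals are combined: a volume anomaly (a robust z-score on the number of records touched per action, using the median and median absolute deviation so a single huge spike does not distort the baseline), activity outside assumed business hours, and use of an account that HR or IAM has flagged as belonging to a leaver or having no known owner. The log lines, the watchlist, the hours window and the threshold are all constructed assumptions.

```python
"""Toy UEBA-style scoring of an audit log: volume, timing and account-status signals (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit records: "<ISO timestamp> <user> <action> <records affected>"
AUDIT_LOG = """\
2021-03-01T09:10:00 alice edit 14
2021-03-01T09:40:00 bob edit 9
2021-03-02T10:05:00 alice edit 11
2021-03-02T11:15:00 bob delete 1
2021-03-02T14:02:00 alice delete 3
2021-03-03T08:50:00 alice edit 16
2021-03-03T09:30:00 bob edit 12
2021-03-03T15:12:00 bob delete 2
2021-03-04T02:17:00 svc_temp2 edit 11900
2021-03-04T02:21:00 svc_temp2 delete 2100
"""

# Constructed: accounts flagged by HR/IAM as leaver-owned or with no known owner.
WATCHLIST = {"svc_temp2"}
BUSINESS_HOURS = range(7, 20)   # assumed: 07:00 to 19:59 local time
Z_THRESHOLD = 3.0               # assumed: robust z-score above which volume is anomalous


def parse(log: str) -> list[tuple[datetime, str, str, int]]:
    """Turn the whitespace-separated log lines into (timestamp, user, action, count) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return events


def robust_z(x: float, values: list[int]) -> float:
    """Distance of x from the median in units of scaled MAD (1.4826 * MAD ~ one std dev for normal data).

    Median/MAD are used instead of mean/std so that the outlier we want to catch does not
    inflate the baseline it is being compared against.
    """
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:                                  # baseline has no spread: anything off-median stands out
        return 0.0 if x == med else float("inf")
    return abs(x - med) / (1.4826 * mad)


def detect(log: str) -> list[tuple[str, str, str, int, list[str]]]:
    """Return (timestamp, user, action, count, signals) for every event that raised at least one signal."""
    events = parse(log)
    per_action: dict[str, list[int]] = defaultdict(list)
    for _, _, action, count in events:
        per_action[action].append(count)      # baseline per action type across all users

    alerts = []
    for ts, user, action, count in events:
        signals = []
        if robust_z(count, per_action[action]) > Z_THRESHOLD:
            signals.append("volume_anomaly")
        if ts.hour not in BUSINESS_HOURS:
            signals.append("off_hours")
        if user in WATCHLIST:
            signals.append("watchlisted_account")
        if signals:
            alerts.append((ts.isoformat(), user, action, count, signals))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

Only the two `svc_temp2` events fire, each on all three signals; the ordinary edits and deletes by `alice` and `bob` score below the threshold. In practice each signal on its own produces false positives (a legitimate migration is high-volume, on-call staff work off-hours), which is why a UEBA tool weights and correlates several before paging the security team.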

Anti-Phishing and Spam Control

Technologies that prevent phishing emails from entering employees’ inboxes in the first place can help prevent accidental insider breaches. Solutions can be used to prevent employees from navigating to malicious URLs. These software services are typically delivered as cloud-based platforms. Email filtering and URL content scanning are useful to provide a safety net to augment security awareness training.

Our employees are our greatest asset, and we must make sure they remain so by empowering them through education and protecting them and our business with the best there is in security technologies.
