No one likes to think that insider threats exist in their company, putting the organisation at risk of a data breach or a non-compliance fine costing thousands of pounds. However, the insider threat is all too real. According to multiple reports, insider threats are behind many of the security issues that we face today. The “Cybersecurity Insiders Insider Threat Report 2020”, for example, found that 68% of organisations believe that insider threats are increasing in frequency. In the Egress “2020 Insider Data Breach Survey”, almost all of the IT leaders who responded said that insider breach risk was a “significant concern”.
It is often said in the cybersecurity industry that insider threats are the most difficult to deal with; after all, how can a malicious action or an accidental data leak be detected? Here is our guide to insider threats and how to prevent them.
Types of Insider Threats
An insider is anyone who currently works with, or has previously worked for, your organisation. This definition covers employees and non-employees such as contractors. It can also be extended to business associates and companies in your vendor ecosystem. Remote workers, too, add to the insider security concerns of a business: an IBM survey found that security woes are exacerbated by companies not ensuring that remote working security policies are enforced.
Many elements combine to form an insider threat, but broadly, two categories describe the root of most of them:
The Accidental Insider
An article from the EC-Council said that 64% of data loss events are attributable to insiders who “meant well”; in other words, accidents happen. The umbrella term of accidental insider threats covers a wide range of possible ‘accidents or mishaps’. Some of these mishaps happen because the person simply does not understand the security risks of the task they are performing; others, such as phishing, happen because individuals are manipulated by external forces. Misconfiguration of IT systems is another accidental area, one that allows external forces to exploit a system. The accidental insider often comes down to four main problem areas:
- The oops factor: Misunderstanding or lack of knowledge about security processes and risks. The Egress study found that 31% of breaches were caused by an employee emailing information to the wrong person.
- Trickery: Manipulation by external forces, e.g., phishing. The Egress study found that 41% of accidentally leaked data was due to a phishing email.
- Poor posture: Poor security posture in the company, with a lack of enforcement of, and education about, security.
- Lack of security skills: Misconfiguration of systems because of poor training or a lack of understanding of security at the IT administration level.
The Malicious Insider
Those employees and non-employees who purposely intend to cause harm to IT systems or steal data are termed malicious. Unlike accidental insiders, malicious insider threats are typically motivated by the likes of money or revenge. A report from Fortinet into insider threats found that 60% of firms were concerned about the threat of a data breach caused by a malicious insider. The survey also looked at the motivations of malicious insiders, with the top three reasons being:
- Fraud (55%)
- Money (49%)
- Theft of intellectual property (44%)
Malicious insiders are even recruited on the dark web. One report pointed out a dark web advert seeking a bank employee to act as a malicious insider; the gig paid 370,000 roubles (£4,400) per month for one hour’s work a day.
Examples of Insider Threats
No matter if the data breach or other security event is caused maliciously or accidentally, the repercussions are the same. Data breaches and other security issues result in large non-compliance fines, loss of customer trust in an organisation’s ability to protect personal data, and even declines in company share value. Three examples are shown below where insider threats caused company damage:
The disgruntled employee: A company involved in the distribution of personal protective equipment (PPE) during the Covid-19 pandemic suffered at the hands of an angry employee. The sacked employee, “Dobbins”, had created two fake user accounts before losing his job. Once sacked, Dobbins logged into the system using the fake accounts. He then edited almost 12,000 records, deleting over 2,000, and finally deactivated the fake accounts. By making these changes, Dobbins seriously disrupted the delivery of PPE to healthcare providers.
Malicious intent for profit: A Bupa employee caused a breach affecting 547,000 customers, with the result that the UK’s ICO fined Bupa £175,000. The employee used the company’s CRM system to send himself the personal data of Bupa customers before trying to sell it on the dark web.
Accidents happen, but they are often inexcusable: The ‘Independent Inquiry into Child Sexual Abuse’ (IICSA) came under scrutiny after an employee sent a bulk email to 90 possible victims of child sexual abuse. The employee simply entered the email addresses in the cc field instead of the bcc field, exposing every recipient’s address to all the others. The UK’s ICO fined IICSA £200,000 under the Data Protection Act (DPA2018).
Ways to Detect and Mitigate Insider Threats in Your Organisation
Whilst it can be difficult to detect and prevent insider threats, there are ways to minimise their impact. Here are five ways that help your organisation control insider threats:
Security Awareness Training
As many insider threats are accidental, security awareness training can play an important part in mitigating this cyber risk. Security awareness training should cover aspects of accidental insider threats such as:
- Security hygiene: for example, teaching employees to be mindful of how they send data and to send it securely.
- Phishing: ensuring that employees are up to speed on email and other phishing tricks and aware of credential theft via phishing sites.
- Compliance awareness: ensuring that employees are aware of their role in ensuring that regulatory compliance is adhered to.
Zero Trust Architecture
Many insider threats are caused by privilege misuse or abuse and poor control of access to sensitive data. Zero trust is based on the principle of “never trust, always verify”. In practice, this means that employees, and the devices they use, are challenged whenever they attempt to access a resource.
These challenges reflect the sensitivity of the resource, so more sensitive data or apps require more assurance that the person accessing them is who they say they are. A zero trust architecture is a mix of appropriate technologies and an architectural approach that helps to compartmentalise areas of a network. Technologies that support a zero trust architecture include Security Information and Event Management (SIEM) and a cloud access security broker (CASB).
Authentication and Authorisation
Building on a zero trust architecture is the principle of robust authentication and authorisation. Context-aware authentication and authorisation adds an important layer of control over access to sensitive data. The use of 2FA/MFA to access corporate apps, especially when working remotely, should be enforced. Coupled with monitoring, these processes create a robust security layer.
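The two sections above describe the idea in words: every request is verified, and the assurance demanded rises with the sensitivity of the resource. The following policy evaluator is an added example written for this article, not code from the article or from any SIEM or CASB product. The resource tiers, role grants, context fields and assurance thresholds are all assumptions chosen to make the behaviour visible: a support engineer working remotely with MFA and a managed laptop reaches the CRM, while a colleague on the office LAN without MFA does not.

```python
"""Context-aware access decisions in the zero trust style described above.

Added example (not the article's code, nor any vendor product). The resource
tiers, roles and assurance rules are assumptions chosen to show that the
assurance demanded of a request grows with the sensitivity of what it asks
for, and that nothing is trusted merely for being on the corporate network.
"""
from dataclasses import dataclass
from typing import Tuple

# Hypothetical sensitivity tiers: 1 = low, 2 = internal, 3 = personal/sensitive data.
RESOURCE_SENSITIVITY = {
    "intranet-news": 1,
    "ticketing": 2,
    "crm-customer-records": 3,
}

# Authorisation: which roles may use each resource (constructed sample data).
ROLE_GRANTS = {
    "intranet-news": {"staff", "contractor", "support"},
    "ticketing": {"staff", "support"},
    "crm-customer-records": {"support"},
}

# Assurance signals a request must present, per tier. Tier 3 additionally
# hard-requires MFA (see decide()), so it needs MFA plus one further signal.
ASSURANCE_REQUIRED = {1: 0, 2: 1, 3: 2}


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str
    mfa_passed: bool            # did the user complete a second factor this session?
    managed_device: bool        # is the device enrolled and compliant?
    on_corporate_network: bool  # request originates from the office network


def assurance_score(ctx: AccessContext) -> int:
    """Each signal that raises confidence in who (and what) is asking adds one."""
    return int(ctx.mfa_passed) + int(ctx.managed_device) + int(ctx.on_corporate_network)


def decide(resource: str, ctx: AccessContext) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default and verify every request."""
    sensitivity = RESOURCE_SENSITIVITY.get(resource)
    if sensitivity is None:
        return False, "unknown resource: deny by default"
    if ctx.role not in ROLE_GRANTS[resource]:
        return False, f"role {ctx.role!r} is not authorised for {resource}"
    if sensitivity >= 3 and not ctx.mfa_passed:
        # A compliant laptop on the office LAN is not a substitute for MFA here.
        return False, "sensitive resource requires MFA"
    score = assurance_score(ctx)
    required = ASSURANCE_REQUIRED[sensitivity]
    if score < required:
        return False, f"assurance {score} below required {required} for tier {sensitivity}"
    return True, "verified"


if __name__ == "__main__":
    remote_with_mfa = AccessContext("alice", "support", mfa_passed=True,
                                    managed_device=True, on_corporate_network=False)
    office_no_mfa = AccessContext("alice", "support", mfa_passed=False,
                                  managed_device=True, on_corporate_network=True)
    for label, ctx in (("remote + MFA", remote_with_mfa), ("office, no MFA", office_no_mfa)):
        print(label, "->", decide("crm-customer-records", ctx))
```

The design point is that authorisation (is this role allowed?) and assurance (how sure are we it is really them?) are separate checks, and the assurance bar is set by the resource rather than by where the request came from. Wiring the real signals (identity provider MFA claims, device compliance state) into `AccessContext` is what a CASB or identity platform does in production.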
Looking for Signals of Unusual Behaviour
Malicious insider threats can be difficult to detect, but technologies that use machine learning (ML) can help. One of these is employee monitoring in the form of UEBA (User and Entity Behaviour Analytics). UEBA uses ML to spot anomalous patterns in how people interact with devices and networks, and so to detect unusual behaviour.
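Commercial UEBA products build the behavioural baseline with ML; the core idea can be shown with plain statistics. The script below is an added example written for this article, not code from the article or from any UEBA product. It builds a per-user baseline of daily edits and deletions from a constructed audit log, then flags a day on which a user's activity far exceeds their own history, and hours of the day at which that user has never previously been active. The log format, the two users, the thresholds and the "quiet days then a burst of deletions" pattern (modelled on the disgruntled-employee example above) are all assumptions.

```python
"""Baseline-and-deviation detection over an audit log (UEBA in miniature).

Added example, not the article's code or any product's logic. The log line
format, users, counts and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed log format: ISO timestamp, user, action, record id.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2}Z user=(\S+) action=(\S+) record=\d+$"
)


def make_sample_log() -> List[str]:
    """Constructed sample audit log: three quiet days for two users, then a
    burst of edits and deletions at 02:15 by one of them on the fourth day."""
    lines, rec = [], 1000
    profile = {"jsmith": {"edit": 4, "delete": 1}, "apatel": {"edit": 6, "delete": 0}}
    for day in (1, 2, 3):
        for user, actions in profile.items():
            for action, n in actions.items():
                for _ in range(n):
                    rec += 1
                    lines.append(f"2020-04-0{day}T10:00:00Z user={user} action={action} record={rec}")
    for action, n in (("edit", 60), ("delete", 30)):  # the anomalous burst
        for _ in range(n):
            rec += 1
            lines.append(f"2020-04-04T02:15:00Z user=jsmith action={action} record={rec}")
    for _ in range(5):  # apatel has an ordinary day
        rec += 1
        lines.append(f"2020-04-04T10:00:00Z user=apatel action=edit record={rec}")
    return lines


def parse(lines: List[str]) -> List[Tuple[str, int, str, str]]:
    """Return (date, hour, user, action) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            date, hour, user, action = m.groups()
            events.append((date, int(hour), user, action))
    return events


def detect_anomalies(lines: List[str], target_date: str, k: float = 3.0, floor: int = 5):
    """Compare target_date against each (user, action) baseline built from
    earlier days. Returns (volume_findings, off_hours_findings).

    volume threshold = mean + max(k * stdev, floor): the floor stops a
    perfectly regular baseline (stdev 0) from flagging tiny increases.
    """
    events = parse(lines)
    baseline_days = sorted({d for d, _, _, _ in events if d < target_date})
    counts = defaultdict(lambda: defaultdict(int))  # (user, action) -> date -> n
    usual_hours = defaultdict(set)                  # user -> hours seen in baseline
    for date, hour, user, action in events:
        counts[(user, action)][date] += 1
        if date < target_date:
            usual_hours[user].add(hour)

    volume_findings = []
    for (user, action), per_day in counts.items():
        history = [per_day.get(d, 0) for d in baseline_days]  # missing days count as 0
        if not history:
            continue  # no baseline yet: nothing to compare against
        today = per_day.get(target_date, 0)
        threshold = mean(history) + max(k * pstdev(history), floor)
        if today > threshold:
            volume_findings.append((user, action, today, round(threshold, 1)))

    off_hours = sorted({(user, hour) for date, hour, user, _ in events
                        if date == target_date and hour not in usual_hours[user]})
    return volume_findings, off_hours


if __name__ == "__main__":
    volume, hours = detect_anomalies(make_sample_log(), "2020-04-04")
    for user, action, n, thr in volume:
        print(f"{user}: {n} {action} events today, baseline threshold {thr}")
    for user, hour in hours:
        print(f"{user}: activity at {hour:02d}:00, never seen in baseline")
```

Two independent signals (volume far above the user's own norm, and activity at an unfamiliar hour) coinciding on the same user is the kind of correlation a SIEM or UEBA rule would raise for an analyst, and the same approach extends to logins from new locations or new devices. Per-user baselines matter: 60 edits is routine for a data-entry team and alarming for someone whose norm is four.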
Anti-Phishing and Spam Control
Technologies that stop phishing emails from reaching employees’ inboxes in the first place help prevent accidental insider breaches. Web filtering solutions can also block employees from navigating to known malicious URLs. These services are typically delivered as cloud-based platforms. Email filtering and URL content scanning provide a safety net that augments security awareness training.
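Mail and URL filtering products apply many checks; two simple ones illustrate the kind of rule behind them. The code below is an added example written for this article, not code from the article or from any filtering product, and it is deliberately defensive in scope: an inbound check that flags links whose visible text names one host while the target is another (or a bare IP address), and an outbound check that holds a message whose To/Cc fields expose many external addresses, which is exactly the cc-instead-of-bcc mishap in the IICSA example earlier on this page. The sample HTML, addresses and the recipient threshold are constructed.

```python
"""Two filtering rules: a link-mismatch check for inbound mail and a visible
recipient check for outbound mail.

Added example, not the article's code or any product's engine. The sample
message, addresses (reserved example/TEST-NET ranges) and limits are constructed.
"""
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme ("www.example.com/x")."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def inbound_link_findings(html_body: str) -> List[str]:
    """Reasons to quarantine an inbound message, based on its links only."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(f"link to bare IP address {target}")
        # Visible text that itself looks like a URL must agree with the real target.
        if text.startswith(("http://", "https://", "www.")):
            shown = host_of(text)
            if shown and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
    return findings


def outbound_recipient_findings(sender: str, to: List[str], cc: List[str],
                                bcc: List[str], max_visible_external: int = 10) -> List[str]:
    """Hold a message whose visible recipients (To/Cc) include many addresses
    outside the sender's domain. Bcc recipients cannot see each other, so they
    are accepted for completeness but not counted."""
    own_domain = sender.rsplit("@", 1)[-1].lower()
    visible_external = [a for a in to + cc if a.rsplit("@", 1)[-1].lower() != own_domain]
    if len(visible_external) > max_visible_external:
        return [f"{len(visible_external)} external recipients visible in To/Cc; "
                f"hold for review or move to Bcc"]
    return []


# Constructed sample inbound body: one link to a bare IP, one whose text and
# target disagree. 198.51.100.0/24 and example.* are reserved documentation ranges.
SAMPLE_HTML = (
    '<p>Please <a href="http://198.51.100.7/login">sign in</a> or visit '
    '<a href="https://example.net/reset">https://accounts.example.com/reset</a></p>'
)
# Constructed outbound recipient list: twelve addresses outside the sender's domain.
SAMPLE_TO = [f"recipient{i}@example.com" for i in range(12)]

if __name__ == "__main__":
    print(inbound_link_findings(SAMPLE_HTML))
    print(outbound_recipient_findings("comms@inquiry.example.org", SAMPLE_TO, [], []))
    print(outbound_recipient_findings("comms@inquiry.example.org", [], [], SAMPLE_TO))
```

The outbound rule is the technical counterpart of the awareness message: rather than relying on every employee remembering the bcc field, the gateway holds a message that would expose a long list of external addresses so it can be resent with Bcc. Real products add reputation lookups and content scanning on top; the structure of the decision is the same.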
Our employees are our greatest asset, and we must make sure they remain so by empowering them through education and protecting them and our business with the best there is in security technologies.