What Is An Insider Threat In Cyber Security?
Table of Contents
What is an insider threat in cyber security?
Three Types of Insider Attack
Why Does Someone Become an Insider Threat?
What Are The Signs of an Insider Threat?
6 Ways to Defend Against Insider Threats.
Problems With Insider Threat Reporting
According to CERT an Intentional Insider Threat is a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network and intentionally exceeded or misused that access to negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Someone who has legitimate rights of access within an organisation
with authorised access to an organisation’s network or data
and intentionally exceeds or misuses that access in a manner that causes or could cause harm to the organisation and its stakeholders.
Three Types of Insider Attack
Deliberately damaging or altering company assets.
THEFT OF COMPANY DATA
Taking confidential information out of the company. often to sell to a competitor or to use in setting up a competing company.
Using company assets to financially enrich oneself.
Nobody wakes up one morning and just decides to attack or compromise their company.
Anyone could be an insider threat. Scientists haven’t been able to find one demographic profile for insider threats. They could be men, women, young, old, married, single and in any role. They could be any religion and any ethnicity. They only thing that is certain is that they will have access to valuable data that the company holds.
While some industries are at a higher risk of certain types of intentional insider threat, recent history has shown that you don’t need to be an innovative tech or pharmaceutical company to fall victim to insider threat attacks.
Companies that generate a lot new ideas and products (Intellectual Property) or do a lot of research and development, financial services companies and companies with trade secrets are all more of a target. This information can be hugely valuable to competitors around the world.
Don’t think that insiders are born bad people or that they usually join the company with the intention of acting maliciously. In most situations insider threats come from personal and professional turmoil that eventually increases until it hits a tipping point and they decide to steal data. They could be having money troubles, be going through a difficult divorce or worrying about a sick relative. This is then coupled with stress at work. Perhaps they have a new manager that they don’t get along with or perhaps they are being given too much work. They feel they have had enough and something in their life needs to change.
Perhaps they think that they could sell some of the company products on ebay for a bit of extra cash. Perhaps they are going to move jobs and want to take some of the projects they worked on with them. Perhaps they have been contacted online by someone offering money for information on the company’s new product that will launch next year. Perhaps they want revenge against their employer who refused their application for promotion.
All of these people are insider threats. None of them started out their job thinking they would end up here.
Insider Threat Statistics
- More than 34% of businesses around the globe are affected by insider threats yearly. 34% 34%
- 66% of organizations consider malicious insider attacks or accidental breaches more likely than external attacks. 66% 66%
- Over the last two years, the number of insider incidents has increased by 47%. 47% 47%
- Insider threat stats reveal that more than 70% of attacks are not reported externally. 70% 70%
How do I know if someone is an insider threat or is perhaps in trouble and being manipulated or blackmailed to harm the company?
In most cases the insiders are in some form or personal turmoil at work and at home. These people are having troubles in their personal life or are feeling negative about their work. These things combine to “tip them” over the edge. They may see it as a quick thing to help them get out of financial trouble, they may want revenge on a manager they have, they may be thinking of setting up their own business and this information will help them do that.
There are signs that we can notice in our colleagues, managers and contractors that are potential warning signs. We should always report these because they can be signs of trouble and may even be a cry for help from that person. These are known as “behavioural indicators”
13 Behavioural Signs of an Insider Threat
The following are signs of a potential insider threat actor. Of course not everyone who is printing more documents than usual is an insider threat!
- Working odd hours
- Unexplained wealth
- Photographing information on computers or printed information
- Printing a lot more than usual
- Having documents open that aren’t for them
- Accessing unusual folder and files
- Asking you to open things for them
- Not taking holidays and working longer hours
- Bypassing procedures
- Being overly defensive, aggressive or critical of the organisation
- Being more isolated and not immersing themselves as part of the team
- Not wanting to share what they are doing- storing documents/ presentations they have made on their personal drive not the public drives
- Taking work home unnecessarily
As well behavioural indicators there are also digital indications that an insider attack is taking place.
1. Use of personal cloud storage and unauthorised storage devices
2. Downloading and storing more company data than is required by their role
3. Requesting access to sensitive data not required for the role or project
4. Sharing company data with people outside the organisation or on social media
5. Triggering alerts based on unusual working patterns or data access
6. Generating error messages by attempting to access prohibited files or folders
As you can see, some of these indicators should be being picked up in your logs, others will be visible to those assigning permissions to access data. You should keep the number of people who can allow access to critical data to a minimum.
1. Train your staff to identify the signs of insider threat
By having the right policies in place and give your staff insider threat training your staff in the characteristics outlined in this article, you will have a better chance of detecting an insider threat.
2. Give your staff the confidence to report
If your staff do not know how to spot an insider threat and feel unwilling to report the activities they do see, you are missing key internal defences. In our research into insider threat reporting we found that most employees were uncomfortable reporting any infringement that was committed by anyone except contractors.
3. Identify your data “crown jewels” and limit employee access
By having a clear idea of what data an attacker might be trying to steal you can assign security in a proportionate and cost-effective manner. Think outside the box- what attackers might go after might be different to what you first think it might be.
4. Have clear company policies and make sure they are enforced consistently
Employees need to know what is acceptable behaviour in terms of permissions, storage and data ownership. It is vital that you be seen to be complying with and supporting these policies if you want employees to pay more than just lip service to the policies.
5. Monitor data movement on your network
Have technical controls in place to monitor how data is moving, when and in what quantities. Make sure staff know this is happening and why it occurs so this can function as both detection and deterrent of insider attacks.
6. Have secure backups and recovery processes
In the event that the insider attack leads to the loss of data, either through theft or sabotage, tested data backups can keep an organisation functioning after an insider attack has occurred.
Red Goat conducted a study into insider threat reporting to discover what factors render people more or less liable to report suspicious activity. Through a sample of 1145 participants across a range of job roles, countries and industries, we have gained a valuable insight into the barriers preventing reporting.
- There is a chronic under-reporting of suspicious behaviour for the majority of situations tested.
- Senior staff members are immune from being reported, irrespective of the severity of their actions.
- Contractors and new staff members are the most likely to be reported for suspicious behaviour.
- Employees favoured reporting to HR over Security teams and lack of training was found to be a major barrier to reporting. The qualitative data furnishes us with some colourful case studies to consider.
While it is clear that employees are unwilling to report unauthorised access, anecdotal report collected from interviewees as part of the research shows that it is not uncommon for employees to turn a blind eye to far more serious insider threats and only come forward after the event. This kind of “after the event” whistleblowing is often too little, too late.
Participants reported “lack of knowledge and training” as well as an overall lack of “confidence in confidentiality as barriers to reporting. As one respondent stated “I would rather come forward as a witness after the attack than risk my life and career being ruined by reporting it earlier..”
Read the full report here.