What Is An Insider Threat In Cyber Security?
What is an Insider Threat in Cyber Security?
According to CERT an Intentional Insider Threat is “ a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network and intentionally exceeded or misused that access to negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”
An employee, contractor or business partner
Someone who has legitimate rights of access to data and systems within an organisation
Intentionally exceeds or misuses that access in a manner that causes or could cause harm to the organisation and its stakeholders.
Three Types of Insider Attack
Deliberately damaging or altering company assets.
Taking confidential information out of the company. often to sell to a competitor or to use in setting up a competing company.
Using company assets to financially enrich oneself.
Why Does Someone Become an Insider Threat?
“Nobody wakes up one morning and just decides to attack or compromise their company.”
Anyone could be an insider threat. Scientists haven’t been able to find one demographic profile for insider threats. They could be men, women, young, old, married, single and in any role. They could be any religion and any ethnicity. They only thing that is certain is that they will have access to valuable data that the company holds.
While some industries are at a higher risk of certain types of intentional insider threat, recent history has shown that you don’t need to be an innovative tech or pharmaceutical company to fall victim to insider threat attacks.
Companies with lots of IP or R&D are particularly at risk
Companies that generate a lot new ideas and products (Intellectual Property) or do a lot of research and development, financial services companies and companies with trade secrets are all more of a target. This information can be hugely valuable to competitors around the world.
Don’t think that insiders are born bad people or that they usually join the company with the intention of acting maliciously. In most situations insider threats come from personal and professional turmoil that eventually increases until it hits a tipping point and they decide to steal data. They could be having money troubles, be going through a difficult divorce or worrying about a sick relative. This is then coupled with stress at work. Perhaps they have a new manager that they don’t get along with or perhaps they are being given too much work. They feel they have had enough and something in their life needs to change.
Perhaps they think that they could sell some of the company products on ebay for a bit of extra cash. Perhaps they are going to move jobs and want to take some of the projects they worked on with them. Perhaps they have been contacted online by someone offering money for information on the company’s new product that will launch next year. Perhaps they want revenge against their employer who refused their application for promotion.
All of these people are insider threats. None of them started out their job thinking they would end up here.
Insider Threat Statistics – Source: Techjury.net
What Are The Signs of an Insider Threat?
How do I know if someone is an insider threat or is perhaps in trouble and being manipulated or blackmailed to harm the company?
In most cases the insiders are in some form or personal turmoil at work and at home. These people are having troubles in their personal life or are feeling negative about their work. These things combine to “tip them” over the edge. They may see it as a quick thing to help them get out of financial trouble, they may want revenge on a manager they have, they may be thinking of setting up their own business and this information will help them do that.
There are signs that we can notice in our colleagues, managers and contractors that are potential warning signs. We should always report these because they can be signs of trouble and may even be a cry for help from that person. These are known as “behavioural indicators”
13 Behavioural Signs of an Insider Threat
The following are signs of a potential insider threat actor. Of course not everyone who is printing more documents than usual is an insider threat!
- Working odd hours
- Unexplained wealth
- Photographing information
- Printing a lot
- Having unnecessary documents
- Accessing unusual files
- Asking you to open things for them
- Not taking holidays and working longer hours
- Bypassing procedures
- Being overly defensive, aggressive or critical of the organisation
- Being more isolated from the rest of the team
- Not wanting to share what they are doing
- Taking work home unnecessarily
6 Digital indicators of Intentional Insider Threat
As well behavioural indicators there are also digital indications that an insider attack is taking place.
1. Use of personal cloud storage and unauthorised storage devices
2. Downloading and storing more company data than is required by their role
3. Requesting access to sensitive data not required for the role or project
4. Sharing company data with people outside the organisation or on social media
5. Triggering alerts based on unusual working patterns or data access
6. Generating error messages by attempting to access prohibited files or folders
As you can see, some of these indicators should be being picked up in your logs, others will be visible to those assigning permissions to access data. You should keep the number of people who can allow access to critical data to a minimum.
6 Ways to Defend Against Insider Threats
1. Train your staff to identify the signs of insider threat
By having the right policies in place and give your employees training in the characteristics outlined in this article, you will have a better chance of detecting an insider threat.
2. Give your staff the confidence to report
If your staff do not know how to spot an insider threat and feel unwilling to report the activities they do see, you are missing key internal defences. In our research into insider threat reporting we found that most employees were uncomfortable reporting any infringement that was committed by anyone except contractors.
3. Identify your data “crown jewels” and limit employee access
By having a clear idea of what data an attacker might be trying to steal you can assign security in a proportionate and cost-effective manner. Think outside the box- what attackers might go after might be different to what you first think it might be.
4. Have clear company policies and make sure they are enforced consistently
Employees need to know what is acceptable behaviour in terms of permissions, storage and data ownership. It is vital that you be seen to be complying with and supporting these policies if you want employees to pay more than just lip service to the policies.
5. Monitor data movement on your network
Have technical controls in place to monitor how data is moving, when and in what quantities. Make sure staff know this is happening and why it occurs so this can function as both detection and deterrent of insider attacks.
6. Have employee assistance programs at the heart
The most effective insider threat programs are those that place employee support and wellbeing at their core. If someone is struggling for whatever reason you need to make sure the life vest they need to stay afloat comes from you. Employee assistance programs are a critical investment for insider threat management programs. Not all insider threats are bad apples!
Problems with Insider Threat Reporting
Red Goat conducted a study into insider threat reporting to discover what factors render people more or less liable to report suspicious activity. Through a sample of 1145 participants across a range of job roles, countries and industries, we have gained a valuable insight into the barriers preventing reporting.
- There is a chronic under-reporting of suspicious behaviour for the majority of situations tested.
- Senior staff members are immune from being reported, irrespective of the severity of their actions.
- Contractors and new staff members are the most likely to be reported for suspicious behaviour.
- Employees favoured reporting to HR over Security teams and lack of training was found to be a major barrier to reporting. The qualitative data furnishes us with some colourful case studies to consider.
Why is reporting so hard?
While it is clear that employees are unwilling to report unauthorised access, anecdotal report collected from interviewees as part of the research shows that it is not uncommon for employees to turn a blind eye to far more serious insider threats and only come forward after the event. This kind of “after the event” whistleblowing is often too little, too late.
Participants reported “lack of knowledge and training” as well as an overall lack of “confidence in confidentiality as barriers to reporting. As one respondent stated “I would rather come forward as a witness after the attack than risk my life and career being ruined by reporting it earlier..”