Cat amongst the pigeons: Insider Threat

In building your cyber security programme, you have likely focused on protecting your perimeter and keeping unknown threat actors from accessing your systems, networks and data. In doing so, have you ever considered what the people you trust are doing with their access to your systems, networks and data? You might have considered your top salesperson walking out of the door with their little black book, but the insider threat goes far beyond this.

An insider threat can stem from a trusted employee, a third-party contractor, or even a supply chain vendor. Their intent may be malicious, seeking to do maximum damage or harm, or they may find themselves unknowingly constituting an insider threat, often believing that they are being helpful. The accidental insider threat can also result from social engineering or a desire to make their lives easier by bypassing security controls and established processes.

Now that employees are once again being asked to work from home where they can, there is a perception that employees are more likely to try to exfiltrate data when working remotely. News reports about businesses investing in covert employee monitoring software would appear to reflect a belief that bosses should be able to peer over their employees’ shoulders at any time. In addition, the increase in digital transformation programmes in enterprises means that perimeters are expanding, taking in third-party platform-, infrastructure- and software-as-a-service solutions and vendors. This vastly increases the number of individuals who may have access to some or all of your corporate data, raising the likelihood of data protection incidents, and increases the complexity of securing access to that data, with controls spread across numerous systems and administration consoles. It is now not uncommon for employees in HR, finance and marketing teams to be given administrator access to line-of-business applications and systems.

Individuals who could constitute an insider threat likely have the ability to access sensitive data (IP, strategy, customer lists, trade secrets etc.) by means of their privileged access, or the ability to edit or change data. Alternatively, they may be able to use their own privileged access to change the access rights of others. They may be able to make changes to, sabotage or disrupt system or application availability through having access to underlying servers and infrastructure or privileged administration panels. They may even be able to bypass controls or falsely authorise certain transactions, whether they be financial, technical or otherwise.

This definition of an insider threat could apply to any employee, contractor, vendor or third party at some point in their relationship with a company. Insider threats are unique and highly complex. A number of factors make an individual more likely to pose an insider threat, including being compromised, suffering financial difficulties, feeling resentment towards their employer or simply a desire for personal gain. Conversely, accidental insider threats tend to result from negligence, or from curiosity or creativity in finding new ways of working. Accidental insiders often believe their actions to be helpful rather than harmful.

Sources such as Verizon’s Data Breach Investigations Report and Ponemon Institute research have identified that as many as 30% of data breaches are insider-driven, with the primary motivation being financial, and that, although insider threats are more likely to be accidental than malicious, they still constitute a significant financial and reputational risk to organisations.

The question is what organisations can do to counter the insider threat. Firstly, insider threat must be considered when building information security programmes and developing strategies. Although responsibility for managing insider threat can fall to one or more of your HR, Legal, IT, Security and Compliance teams, organisations must take a joined-up approach. Only a holistic, cross-company approach that blends people, process and technology can successfully mitigate the risk posed by insider threat. This approach must combine policy, awareness training and robust data classification with the ability to detect, respond to and mitigate threats posed by insiders. Following established security good practices is helpful, as these present a tried-and-tested approach to securing your organisation. Implementing the principles of zero trust, which we have previously talked about at length, ensures that rights and privileges are checked before access is granted. From an HR perspective, background checking can help, especially when individuals are recruited to, or employees are promoted to, privileged positions. Adding further layers of controls and ensuring that privileges are separated, so that the same person cannot both request and authorise an action or transaction, puts barriers in place that reduce the likelihood of an insider succeeding in achieving their aims. Regular internal and external penetration testing can identify vulnerabilities and misconfigurations which could be exploited by internal and external threat actors.
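The separation-of-duties and "check privileges before granting access" points above are easiest to see in code. The following is an added illustration, not code from the article or its authors: a small in-memory approval workflow in which every action is checked against an explicit role, no identity can authorise its own request, and every attempt (allowed or denied) lands in an audit log. The user names, the role assignments and the dual-control threshold are constructed for the example.

```python
"""Separation-of-duties enforcement for a request/approve workflow.

Added example: a minimal model of the control described in the text, in
which the person who raises a transaction can never be the person who
authorises it. All names, roles and amounts below are constructed.
"""
from dataclasses import dataclass, field

# Constructed role model: who may raise requests and who may authorise them.
ROLES = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"requester", "approver"},  # holds both roles, still cannot self-approve
}

# Constructed policy: amounts at or above this need two distinct approvers.
DUAL_CONTROL_THRESHOLD = 10_000


class SoDViolation(Exception):
    """Raised when an action would breach separation of duties or lacks the required role."""


@dataclass
class Request:
    request_id: int
    requester: str
    amount: int
    approvers: list = field(default_factory=list)
    status: str = "pending"


class ApprovalWorkflow:
    def __init__(self, roles=ROLES, threshold=DUAL_CONTROL_THRESHOLD):
        self.roles = roles
        self.threshold = threshold
        self.requests = {}
        self.audit_log = []  # every attempt, allowed or denied, is recorded here
        self._next_id = 1

    def _record(self, actor, action, request_id, outcome):
        self.audit_log.append((actor, action, request_id, outcome))

    def _has_role(self, user, role):
        # Privilege is checked on every action, never assumed from an earlier one.
        return role in self.roles.get(user, set())

    def submit(self, user, amount):
        if not self._has_role(user, "requester"):
            self._record(user, "submit", None, "denied: no requester role")
            raise SoDViolation(f"{user} may not raise requests")
        req = Request(self._next_id, user, amount)
        self.requests[req.request_id] = req
        self._next_id += 1
        self._record(user, "submit", req.request_id, "ok")
        return req.request_id

    def approve(self, user, request_id):
        req = self.requests[request_id]
        if not self._has_role(user, "approver"):
            self._record(user, "approve", request_id, "denied: no approver role")
            raise SoDViolation(f"{user} may not approve requests")
        if user == req.requester:
            # The separation-of-duties rule itself: requester and approver must differ.
            self._record(user, "approve", request_id, "denied: self-approval")
            raise SoDViolation(f"{user} cannot approve their own request")
        if req.status != "pending":
            self._record(user, "approve", request_id, "denied: not pending")
            raise SoDViolation(f"request {request_id} is already {req.status}")
        if user in req.approvers:
            # Dual control only counts if the second approver is a different person.
            self._record(user, "approve", request_id, "denied: duplicate approval")
            raise SoDViolation(f"{user} has already approved request {request_id}")
        req.approvers.append(user)
        needed = 2 if req.amount >= self.threshold else 1
        if len(req.approvers) >= needed:
            req.status = "approved"
        self._record(user, "approve", request_id, f"ok ({len(req.approvers)}/{needed})")
        return req.status


if __name__ == "__main__":
    wf = ApprovalWorkflow()
    small = wf.submit("carol", 500)
    try:
        wf.approve("carol", small)  # denied: carol raised this request
    except SoDViolation as exc:
        print("blocked:", exc)
    print("small request:", wf.approve("bob", small))
    big = wf.submit("alice", 25_000)
    print("big request after one approval:", wf.approve("bob", big))
    print("big request after second approval:", wf.approve("carol", big))
    for entry in wf.audit_log:
        print(entry)
```

The audit log is deliberately written before the exception is raised, so a denied self-approval attempt is itself a detectable event; in a real system that log line is what an insider-threat detection rule would key on.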

There is no silver bullet for insider threat. Organisations will only succeed in reducing their risk by understanding their people and what is at risk, by understanding the context in which people operate and work, especially knowing what data is visible and accessible, and, finally, by being in a position to respond to incidents and effectively address and mitigate the risks.

This article was written in collaboration with my colleague Jacques du Toit. To understand the insider threat that your organisation faces and how you can build robust cyber security programmes to address the risk, please reach out to either of us via LinkedIn for an impartial, informal conversation.

Image Credit: “Al ataque” by Candi is licensed under CC BY 2.0.