By Stuart Wright | Global Head of Compliance and Risk
When we think about “insider threats” to our organisations, it’s all too easy for our minds to conjure up clichéd images of elaborate plots from a spy film, where the rookie agent goes undercover to get inside information, and then saves the day with just a few minutes to spare. Or perhaps we think about corporate espionage, where an unscrupulous employee infiltrates a competitor by getting a low-level admin job and creeping around the office late at night stealing valuable data that will give their employer a competitive edge.
The reality of the insider threat is almost always a little less exciting, and far less dramatic incidents are much more commonplace than the dramatised examples above.
There’s also a lot we can do to try and protect against these attacks, and in this blog post, we’ll talk about some of the key things you should be considering to help address the insider threat.
What is an insider threat?
At the risk of stating the obvious, insider threats are threats that originate from within your organisation, typically relating to your employees or trusted partners. They can fall into two broad categories:
1. Purposefully malicious insiders
This is your stereotypical disgruntled employee, someone who is already on the inside and is trusted, who is motivated to act maliciously. Their motivations and malicious actions could include:
- Planning to resign, and so stealing corporate secrets and customer information to take with them
- Feeling unhappy about how they’re treated, and wanting to cause harm to their employer
- Wanting access to confidential information for their own personal benefit
This type of malicious insider presents a significant problem to your organisation. They very likely already have legitimate access to your organisation’s information, and so their actions won’t necessarily trip any alarms or cause suspicion. Even if they don’t have access to sensitive data, at the very least they have access to your internal systems, and are in a good position from which to launch an attack.
Employees could also act maliciously because they’re motivated to do so by an outsider or outside influence; for example, you may have employees who are open to bribery. Adverse personal factors such as financial worries can also be their motivation, and blackmail of a personally compromised employee by an outsider is also a very real threat (albeit less common).
2. Negligent or unaware insiders
These insiders are likely blissfully unaware of the threat they pose. Again, these employees have legitimate access to your information, but unlike their malicious colleagues, they have no malevolent intent. They’re likely to cause harm by:
- Not following policies and processes designed to provide protection
- Falling victim to social engineering attacks such as phishing, and inadvertently allowing an attacker to access information
- Deliberately bypassing security controls but without malicious intent, for example emailing files home to work on their personal computer
Although their actions are likely well intended, and not purposefully negligent, they can still be a challenge to detect. Their access to information is authorised and legitimate, so detecting potentially dangerous patterns within what is largely an authorised business process is incredibly challenging.
How big is the problem?
According to research published by Verizon, the idea that insiders represent the biggest threat to your organisation is an erroneous one. They attribute 70% of all breaches to external actors, with the remaining 30% thought to involve insiders, a proportion which is on the rise.
The same Verizon report also concludes that in over 80% of hacking breaches, either brute-force attacks or compromised user credentials were involved. During a brute-force attack the attacker uses a piece of software to rapidly cycle through millions of possible passwords until the correct one is revealed. The success rate for such an attack is relatively high due to the use of dictionary-based passwords.
Stolen user credentials should also be a concern for organisations, as our employees tend to be tempted to reuse passwords they find easy to remember. The problem this causes is simple. If their password is compromised in one place and made public, then all other systems or applications where they use that same password are vulnerable to compromise.
However an attacker gains access to a user’s password, be that via a brute-force attack or by using stolen information (or any other method for that matter, such as phishing), the end result is likely the same. An attacker now has the credentials for a legitimate user, and if they’re able to use them, their activity will be difficult to detect.
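The two credential patterns described above leave distinctive traces in authentication logs: a burst of failures against one account (brute force) and a handful of failures spread across many accounts from one source (password spraying). The following is an added example, not code from the original post or from Verizon, that runs simple detection logic over constructed log lines; the key=value log format, the thresholds and the time windows are assumptions to be tuned to your own environment and log source.

```python
"""Detect brute-force and password-spraying patterns in authentication logs.

Added example using constructed log lines in an assumed key=value format (not
any particular product's format). Thresholds and windows are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice mistypes once then logs in; bob's account takes a
# rapid run of failures followed by a success (a likely compromise); one
# external source tries one guess each against several different accounts.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01Z auth result=fail user=alice src=10.0.0.5
2024-03-01T09:00:09Z auth result=ok user=alice src=10.0.0.5
2024-03-01T09:01:00Z auth result=fail user=bob src=203.0.113.7
2024-03-01T09:01:01Z auth result=fail user=bob src=203.0.113.7
2024-03-01T09:01:02Z auth result=fail user=bob src=203.0.113.7
2024-03-01T09:01:03Z auth result=fail user=bob src=203.0.113.7
2024-03-01T09:01:04Z auth result=fail user=bob src=203.0.113.7
2024-03-01T09:01:05Z auth result=fail user=bob src=203.0.113.7
2024-03-01T09:01:06Z auth result=ok user=bob src=203.0.113.7
2024-03-01T10:30:00Z auth result=fail user=carol src=198.51.100.9
2024-03-01T10:30:01Z auth result=fail user=dave src=198.51.100.9
2024-03-01T10:30:02Z auth result=fail user=erin src=198.51.100.9
2024-03-01T10:30:03Z auth result=fail user=frank src=198.51.100.9
2024-03-01T10:30:04Z auth result=fail user=grace src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Flag accounts with >= threshold failures inside a sliding window, and
    record whether a successful login followed (compromise, not just noise)."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[e["user"]].append(e["ts"])
    alerts = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later_ok = any(
                    e["user"] == user and e["result"] == "ok" and e["ts"] >= times[end]
                    for e in events
                )
                alerts[user] = {"failures": end - start + 1, "success_after": later_ok}
                break
    return alerts


def detect_password_spray(events, window=timedelta(minutes=10), min_users=4):
    """Flag a source that fails against many distinct accounts within a window;
    per-account lockout thresholds never fire on this pattern, so count by source."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute force:", detect_brute_force(evs))
    print("password spray:", detect_password_spray(evs))
```

Two design points carry over to real deployments: the brute-force check reports whether a success followed the burst, which is what turns a noisy alert into an incident, and the spray check groups by source rather than by account, because a spray stays under every per-account lockout threshold by design.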
What can we do about it?
Addressing the threat of deliberately malicious insiders is difficult, for the reasons already explained, which is that they have both the motive and the opportunity to commit their crime.
Think about a scenario where a shop cashier handles cash as part of their job – they have an opportunity to steal money and potentially the motivation to do so. If they do commit a crime, there will probably be CCTV footage that captures them in the act. But does the shop security review that footage on a 24x7 basis? Probably not – but that doesn’t matter, because the theft of hard cash is easy to detect; it will be missing at the end of the day. The CCTV footage will be used after the event to prove what happened.
Now consider the scenario is theft of a list of your customers stored in a spreadsheet, which a malicious insider attaches to an email and sends to their personal email address. This is far less likely to be identified, for a number of reasons. As with the cashier, the employee had legitimate access to both the spreadsheet and the email system. Unlike with the theft of hard cash, the original spreadsheet remains in place, so there’s nothing missing, no reason to raise the alarm. Evidence probably exists in access logs, email logs, and on file servers, but it’s unlikely that any of those events are correlated to build up and reveal the bigger picture.
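The spreadsheet scenario above is only visible when the file-server read and the outbound email are looked at together. The following is an added example, not code from the original post, of that correlation over constructed file-access and email log lines; the key=value log format, the corporate domain, the list of sensitive share paths, the personal-webmail domain list and the two-hour correlation window are all assumptions for illustration.

```python
"""Correlate file-server reads with outbound email to surface likely exfiltration.

Added example using constructed logs in an assumed key=value format. The
domain names, sensitive paths and window below are assumptions, not the
original post's or any product's defaults.
"""
import re
from datetime import datetime, timedelta

CORPORATE_DOMAIN = "example.com"                       # assumed
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list
SENSITIVE_PATHS = ("/srv/shares/finance/", "/srv/shares/crm/")     # assumed
CORRELATION_WINDOW = timedelta(hours=2)                # assumed

# Constructed samples. alice reads a finance file and mails it to a colleague
# (internal, not flagged); bob reads the customer list and within minutes mails
# an attachment of the same name to a personal address (flagged); carol mails a
# non-sensitive file home (not flagged by this rule).
FILE_ACCESS_LOG = """\
2024-03-04T09:12:00Z file user=alice action=read path=/srv/shares/finance/q1-forecast.xlsx
2024-03-04T14:02:10Z file user=bob action=read path=/srv/shares/crm/customer-list.xlsx
2024-03-04T14:05:00Z file user=carol action=read path=/srv/shares/public/menu.pdf
"""

EMAIL_LOG = """\
2024-03-04T09:40:00Z mail sender=alice@example.com recipient=dave@example.com attachment=q1-forecast.xlsx
2024-03-04T14:20:33Z mail sender=bob@example.com recipient=bob.smith99@gmail.com attachment=customer-list.xlsx
2024-03-04T14:30:00Z mail sender=carol@example.com recipient=carol.home@gmail.com attachment=menu.pdf
"""

FILE_RE = re.compile(
    r"^(?P<ts>\S+) file user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)
MAIL_RE = re.compile(
    r"^(?P<ts>\S+) mail sender=(?P<sender>\S+) recipient=(?P<recipient>\S+) attachment=(?P<attachment>\S+)$"
)


def parse_log(text, regex):
    """Parse lines matching regex into dicts with a datetime 'ts'; skip the rest."""
    out = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            out.append(d)
    return out


def is_sensitive(path):
    return any(path.startswith(p) for p in SENSITIVE_PATHS)


def mail_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr):
    return mail_domain(addr) != CORPORATE_DOMAIN


def correlate(file_events, mail_events):
    """Return one alert per (sensitive read, matching external email) pair where
    the same user sent an attachment with the file's name within the window."""
    alerts = []
    for f in file_events:
        if f["action"] != "read" or not is_sensitive(f["path"]):
            continue
        fname = f["path"].rsplit("/", 1)[-1]
        for m in mail_events:
            if m["sender"].split("@", 1)[0] != f["user"]:
                continue
            if m["attachment"] != fname or not is_external(m["recipient"]):
                continue
            if timedelta(0) <= m["ts"] - f["ts"] <= CORRELATION_WINDOW:
                alerts.append({
                    "user": f["user"],
                    "path": f["path"],
                    "attachment": m["attachment"],
                    "recipient": m["recipient"],
                    # personal webmail raises severity; other external domains still alert
                    "personal_webmail": mail_domain(m["recipient"]) in PERSONAL_MAIL_DOMAINS,
                    "minutes_between": (m["ts"] - f["ts"]).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_log(FILE_ACCESS_LOG, FILE_RE), parse_log(EMAIL_LOG, MAIL_RE)):
        print(a)
```

Neither log on its own is alarming: the read is authorised and the email system is doing its job. The rule only fires on the join of a sensitive read, a same-named attachment and an external recipient inside a short window, which is exactly the "bigger picture" that uncorrelated logs never reveal. Matching on attachment name is deliberately naive; a production rule would match on content hash or classification label so that renaming the file does not defeat it.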
Detecting (never mind preventing) these types of attack requires a combination of technological and process-based controls, which themselves would warrant a dedicated blog post. Instead let’s concentrate on ways to prevent and detect threats that arise from negligent or unaware insiders.
1. Understand the risks
To prevent and detect, we must first understand where and how we are vulnerable to the insider threat. It’s important to have a comprehensive view of critical systems and information assets that we’re trying to protect, and to understand how our organisation uses them. Simply put, if we don’t know where our most valued assets are, we can’t protect them.
With an understanding of our assets, we can complete a risk assessment and ensure we put in place appropriate controls to protect them.
2. Technical controls
Technical controls will without doubt help to reduce risk, but they won’t remove it. We can cover the basics such as antimalware, intrusion prevention, firewalls, access control – the list goes on. What we cannot control with technology is user behaviour. Access to webmail might be restricted in the corporate network or on VPN, but if your employees can take their laptops home and browse freely then your control is not fully effective. Your password policy might require a twenty-character complex password, but if your employees can be tricked into sharing it, it’s not offering any level of protection.
3. User education and awareness
Never underestimate the ingenuity of an employee when faced with a technical control that gets in their way. Whether it’s dropping off the VPN to access a website you blocked (because it was known to host malware), or password protecting files to bypass your email filter, they’ll often find a way. Their motivation might not be malicious, but the end results may be harmful.
Education is therefore key – the view that our employees should “know better” is plain wrong. It’s unfair and unrealistic to expect employees to default to working in a secure way, and to be aware of the potential impacts of their actions.
It’s our role, as information security professionals, to educate them. Of course, we must put in place technical controls and harden our systems to handle the obvious threats, those that can easily be detected by a computer, but we also need to harden our people.
What does good security awareness look like?
Security awareness should not be seen as something we do purely for compliance reasons, but an investment in keeping our organisation secure. This is no different to investing in hardware and software to achieve the same goal, yet often proves more difficult to fund. Your training program should cover common threats your employees will likely face, and should be underpinned by a few basic concepts:
- No blame – employees should feel safe reporting potential mistakes they’ve made, reducing the potential time to detect and respond to an incident
- Have value – not just at work but also at home. Security awareness doesn’t start or end in the workplace, and showing value outside of 9-5 will make your content more relatable and memorable
- Be continual – don’t look at security awareness as a once per year exercise. Cover it at inductions, and refresh and update regularly throughout the year
- Mix it up – don’t rely on a single method for delivering guidance. Try to include a mix of classroom-based training, CBT, and make helpful resources available internally via Intranets or your support team
- Don’t undermine it – ensure you’re not sending mixed messages to your employees. Your helpdesk should not ask people for their passwords, and senior management should not be exempt from the training and following the rules
- Don’t be a policy lecture – policies are important, but don’t make your awareness training an out-and-out lecture on how to follow corporate policies
In conclusion, insider threats are very real, and the impact of an attack from the inside has the potential to cause your organisation significant harm. They’re also hard to defend against, and one of the primary weapons in your armoury should be a culture of security awareness across your entire organisation.
Want to find out more on what you can do to prevent insider attacks? Don’t hesitate to get in touch with your local team.