What is an Insider Threat?
Have you ever considered what the people you trust are doing with their access to your systems, networks and data? You might have considered your top salesperson walking out of the door with their little black book, but the insider threat goes far beyond this.
Insider threat can stem from trusted employees, third-party contractors, or supply chain vendors. Their intent may be malicious, seeking to do maximum damage or harm. Alternatively, they may find themselves unknowingly constituting an insider threat, believing that they are being helpful. The accidental insider threat can also result from social engineering or a desire to make their lives easier by bypassing security controls and established processes.
There is a perception that employees will try to exfiltrate data when working from home. News reports describe businesses investing in covert employee monitoring software, reflecting the perception that bosses should be able to peer over their employees’ shoulders at any time. The increase in digital transformation programmes in enterprises means perimeters are expanding, taking in third-party platform-, infrastructure- and software-as-a-service solutions and vendors.
The number of individuals who may have access to some or all of your corporate data increases the risks to data protection and the complexity of securing access to that data, with controls spread across numerous systems and administration consoles. Examples include employees in HR, finance and marketing teams being given administrator access to line-of-business applications and systems.
An insider threat could access sensitive data (IP, strategy, customer lists, trade secrets etc.) by means of their privileged access, or the ability to edit or change data. They may also be able to use their own privileged access to change the access rights of others. They may be able to make changes to, sabotage or disrupt system or application availability through having access to underlying servers and infrastructure or privileged administration panels. They could bypass controls or falsely authorise certain financial and technical transactions.
Insider threats are unique and highly complex. Several factors make an individual more likely to pose an insider threat, including being compromised, suffering financial difficulties, feeling resentment towards their employer or simply a desire for personal gain. Conversely, accidental insider threats tend to result from negligence or a curiosity for or creativity in finding new ways of working. Accidental insider threats often believe their actions to be helpful, rather than harmful.
Sources such as Verizon’s Data Breach Investigations Report and Ponemon Institute research have identified that as many as 30% of data breaches are insider driven, with the primary motivation being financial, and that although insider threats are more likely to be accidental than malicious, insider threat still constitutes a significant financial and reputational risk to organisations.
What can organisations do to counter the insider threat?
- Insider threat must be considered when building information security programmes and developing strategies. Although responsibility for managing insider threat can fall to one or more of your HR, Legal, IT, Security and Compliance teams, organisations must take a joined-up approach. Only an approach that blends people, process and technology, taking a holistic, cross-company approach, can successfully mitigate the risk posed by insider threat.
- Combine policy, awareness training and robust data classification, as well as the ability to detect, respond to and mitigate threats posed by insiders.
- Following established security good practices is helpful, as they present a tried-and-tested approach to securing your organisation.
- Implementing the principles of zero trust ensures that rights and privileges are checked before access is granted.
- From an HR perspective, background checking helps, particularly when individuals are recruited or employees are promoted to privileged positions.
- Add layers of controls to ensure privileges are separated, so the same person cannot request and authorise an action or transaction, ensuring barriers are in place to reduce the likelihood of an insider succeeding in achieving their aims.
- Regular internal and external penetration testing can identify vulnerabilities and misconfigurations which can be exploited by internal and external threat actors.
There is no silver bullet for solving insider threat. Organisations will only succeed in reducing their risk by understanding their people and what is at risk, understanding the context in which people operate and work, knowing what data is visible and accessible, and, finally, being in a position to respond to incidents and effectively address and mitigate the risks.
This article was written in collaboration with our JUMPSEC Cyber Strategy and Transformation team.
To understand the insider threat your organisation faces and how you can build robust cyber security programmes to address the risk, please reach out for an impartial, informal conversation.