Some people assume that most cyberattacks come from criminal masterminds. However, in 2020, insider threat actors were responsible for 30% of all data breaches. In terms of data protection, an insider threat can be defined as an employee, team member, or third-party vendor who engages in the deletion, modification, or theft of sensitive or confidential data. Insiders are extremely dangerous to organizations, as they can sabotage security measures, cause financial loss, damage property or brand reputation, and even cause injury or loss of life.
Large corporations have taken considerable measures in the past decade to combat insider threats through prevention and detection techniques. Meanwhile, small-to-midsize organizations have been left vulnerable due to their lack of financial and human resources. It’s critical for small organizations to detect and respond to insider threats, and develop an effective insider threat program. Insider threats are difficult to identify, and data breaches caused by them are “significantly more costly than those by an external threat.”
There are many different types of insiders. They could be a disgruntled employee or even a loyal employee who does not fully understand the implications of bad cybersecurity habits. For example, an inadvertent insider may end up sabotaging the company by mistakenly sharing confidential data or other sensitive information with an unauthorized person. When businesses are busy focusing on the bottom line, it can be easy to miss the cues and signals of an insider.
Ways to identify insider threats
Recognizing insider threats isn't black and white. The following items can be indicators of insider threats but do not, in themselves, prove the presence of an insider.
- A disgruntled employee can be one of the best indicators of an insider threat. When an employee becomes disgruntled, they are more likely to cause harm to the organization through damage to property or brand reputation, theft of information, and anything else that could hurt the operation or employees of a company.
- Another indicator of an insider threat is an employee’s sudden lack of interest in work. If an employee becomes disinterested and disengaged at the workplace, they might begin to be careless with their job duties. For example, if an employee's job is to work directly with customer or company data, they may potentially expose that data, even if it’s not on purpose.
- If an employee spends unexplainable late nights at the office, working with company and customer data, it can greatly increase their opportunity to steal, manipulate, or destroy that data. It’s a good idea to question employees who work late with little to show for it, or those who are overly secretive about their projects.
- An unexplainable increase in an employee's wealth could be a sign of a successful insider. Data has become increasingly important to companies and thus important to criminals. Selling company data is an easy way for an insider to make extra cash.
- Pay attention to employees accessing records that they have no need for. If an employee asks for a report containing private information or otherwise sensitive data, they should be challenged for a need to know.
- Employees who skip cybersecurity awareness training also pose a risk. These employees are less able to protect company data effectively because they are unaware of the most up-to-date cybersecurity controls and policies enforced by the organization. Cybersecurity awareness is more than just a check-the-box activity; it could be the only line of defense between an employee and becoming an inadvertent insider.
Insider threats on the cyber side
Cybersecurity controls can be implemented to prevent, deter, or reduce the risk and impact of an insider threat. In this section, we list controls that can be combined with an existing cybersecurity plan to combat insider threats. These controls are broken into two groups: administrative controls and technical controls.
Administrative Controls
- Strong policy enforcement is a key administrative control. By requiring all employees and vendors to follow an organization's technology policies, the risk of insider threats is reduced. Policies that are important to implement for an insider threat program include an Insider Threat Policy (ITP), an Acceptable Use Policy (AUP), and a Bring Your Own Device (BYOD) Policy. For example, by enforcing a policy that prohibits the use of foreign USB drives or devices on company premises, insiders are less likely to steal data in that manner. Policies discourage malicious behavior, and technical measures can then help enforce policy adherence.
- Job rotation is a practice that prevents any one person in an organization from having too much control or being a single point of failure. In the context of insider threats, job rotation can prevent disaster by ensuring that more than one person is in charge of the most critical systems. One way to implement job rotation is to set intervals at which employees are required to take a vacation, so that their work environment can be audited and malicious activity potentially uncovered. This ensures that no single insider ever holds all the control over, or knowledge of, a specific area of the company, and that each person can be held accountable.
- The principle of least privilege is another means of reducing the risk of insider threats. To implement it, everyone working in an organization must be given access only to the data and resources they need, and no more. This reduces the risk of employees viewing data they shouldn't access, manipulating data, or leaking data as a form of corporate espionage. For example, sales team employees do not need unescorted access to the server room, and server administrators do not need access to the database of Personal Health Information (PHI).
- Another control for managing insider threat risk is requiring background checks for all new hires. Does your potential employee have a history of criminal convictions? Were those convictions for theft? Is there any indication that this employee cannot be trusted with customer data, company secrets, and access to systems? If the answer to any of these questions is "yes," it may be a good idea to limit or restrict access to sensitive company or customer data until the employee has earned that trust.
- Regular (monthly or bi-monthly) performance assessments are a great tool for leading a team, and they can improve positive feelings toward an organization. Regular assessments help ensure that the team climate is healthy and that there is a clear line of communication with management for gripes, complaints, and concerns. This can cut down on the number of disgruntled employees who could become insider threats.
Technical Controls
- According to Imperva, data loss prevention (DLP) "is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data." That makes it one of the best ways to detect and stop insider threats. A familiar example of DLP is endpoint software that blocks users from copying files to a thumb drive, but DLP can also be deployed on network devices or endpoints to protect data in motion (for example, in email) and data at rest (in storage).
- Identity and access management (IAM) practices provide what is known in the IT industry as authentication, authorization, and accounting (AAA). AAA technologies are typically set up to verify who is accessing a network and what they are accessing, ensuring that users stay in "their own lane." This can be used to prevent disgruntled ex-employees from accessing a network. It can also detect insider threats by alerting when an employee attempts to access data they shouldn't, such as personally identifiable information (PII).
- User behavior analytics (UBA) is arguably the best detection mechanism for insider threats. It is used to spot anomalies in user behavior and can automate alerts based on detections. Consider how suspicious you would be if you found out that one of your employees logged in from another country during off hours. In this situation, UBA could be used to generate an alert for the security team to investigate.
- Time-of-day restrictions limit access to work resources to specific time periods. This control shrinks the window in which an insider threat has access to company resources and sensitive data. For example, if employees do not need to access work resources after 6 PM Monday through Friday, consider implementing a time-of-day restriction.
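The UBA scenario above (an off-hours login from an unexpected country) and the time-of-day restriction, as an added example that is not part of the original article: a small Python detector run over constructed log lines. The log format, the Monday-Friday 08:00-18:00 window, and the per-user country baseline (built from each user's earlier logins) are assumptions, not anything the article or a specific product defines.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample authentication log (not from any real system):
# ISO timestamp, username, source country, outcome.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice US success
2024-03-05T10:03:00 alice US success
2024-03-06T14:47:00 alice US success
2024-03-06T23:55:00 alice RO success
2024-03-07T11:20:00 bob US success
2024-03-09T02:10:00 bob US success
"""

# Assumed business hours: Monday-Friday, 08:00 up to (not including) 18:00.
WORK_START_HOUR = 8
WORK_END_HOUR = 18

def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, country, _outcome = line.split()
            events.append((datetime.fromisoformat(ts), user, country))
    return events

def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (WORK_START_HOUR <= ts.hour < WORK_END_HOUR)

def detect_anomalies(events):
    """Return (user, timestamp, reasons, severity) for each suspicious login.
    A user's first login only seeds their country baseline and is never flagged."""
    seen = defaultdict(set)
    alerts = []
    for ts, user, country in sorted(events):
        reasons = []
        if is_off_hours(ts):
            reasons.append("off-hours")           # time-of-day rule broken
        if seen[user] and country not in seen[user]:
            reasons.append(f"new-country:{country}")  # outside user's baseline
        seen[user].add(country)
        if reasons:
            # Both signals together is the article's UBA scenario: escalate.
            severity = "high" if len(reasons) == 2 else "medium"
            alerts.append((user, ts.isoformat(), reasons, severity))
    return alerts

if __name__ == "__main__":
    for user, when, reasons, sev in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"[{sev}] {user} {when}: {', '.join(reasons)}")
```

On the sample log this raises a high-severity alert for alice's late-night login from a country she has never used before and a medium one for bob's Saturday login, while the first login seen for each user only establishes a baseline.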
Insider threats can come from the people we would least expect. They can also be extremely difficult to identify. However, administrative and technical controls can be put in place to prevent and detect them. By staying vigilant, organizations can mitigate insider threat risk, stay protected from financial loss, and keep their brand reputation strong. A determined insider will try anything to cause harm to an organization, but the idea here is: don't make it easy for them.