Author: Adam Jarman
Date: 14th May 2020
Put simply, an insider threat is a threat to your organisation that originates from current or ex-employees. This can also include contractors and service providers. The threat doesn’t necessarily have to be malicious at all; in fact, the greatest risk comes from negligent or accidental behaviour.
What are the motives?
There are many reasons why someone may launch an attack on your assets, and this may largely depend upon which sector your organisation operates within. The main motives usually boil down to one or some of the following:
This is perhaps the most obvious motivation. An insider threat will look to conduct attacks upon your organisation in order to obtain some sort of financial reward. Consider also that the attacker could be trying to inhibit your organisation's earning potential.
An insider threat may possess any number of ideals that would motivate them to launch an attack against your organisation. Terrorism, state-sponsored attacks, animal rights and hacktivism, to name but a few.
Staff in financial difficulty can be easy targets for organised criminals looking to exploit their position inside an organisation. This is one of the reasons why vetting and financial background checks on people in trusted positions and positions of power are very important.
Put simply, the pure thrill of conducting such activities may be enough.
An ideal environment
During the COVID-19 pandemic many organisations have adopted working from home conditions. This means that employees will have less interaction with management and colleagues, and the organisation will of course have less visibility over its staff. This is a perfect environment for the criminal insider to operate in. With no eyes over their shoulders there is of course a significantly reduced chance of them being caught. Additionally, it is also the perfect environment for an attacker to launch social engineering attacks on your employees. It has been reported that phishing emails are up over 600% (https://www.linkedin.com/posts/cyberfort_charity-phishingemail-remoteworking-activity-6651394034927456256-h4r_). Without the knowledge of how to spot or report a suspected phishing email, the risk of a successful attack by this means is no doubt exacerbated.
How to best mitigate against these threats?
Whilst certainly not an exhaustive list, having some or all of the below controls in place will go towards minimising the risk and impact of an insider threat upon your organisation.
Staff Education and Awareness programmes
Knowledge is power. Employees who are aware of the threats to your organisation and the impacts such threats might have are far more likely to identify suspicious behaviour early on and to know how to report it. Whilst this may not be the most convenient time to launch a new educational and awareness programme, it is an ideal time to send out small and informative reminders of what to be looking out for.
Segment your network, especially critical systems, functions and resources. This way, if one system is breached it will not allow the attacker to expand further.
This is the principle of giving users on your network no more access to your systems than is needed to carry out their function. Users with high privilege accounts should be reviewed on a regular basis to check if such access is still necessary. Network access should be disabled immediately for staff who have left the organisation for any reason.
Monitoring and Logging
Ensure the collection and review of logs which capture user activities upon your network and systems. This will act as a deterrent to those who might otherwise consider malicious activities on your network and ensure that, if a breach does occur, you are able to efficiently identify who and what the threat is and of course how to stop it. Ensure the regular review of audit logs relating to high privilege accounts such as administrator accounts. Policies should also be in place stating that administrator accounts are not to be used to conduct day to day functions.
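The access and logging checks described in the two passages above (leavers disabled, high privilege accounts reviewed regularly, administrator accounts kept out of day to day use) can be automated. The following is an added example, not code from the original article: the account inventory, leaver list, audit log, field names, activity labels and the 90-day review interval are all constructed assumptions.

```python
from datetime import date

# All data below is constructed for illustration; field names are assumptions.
TODAY = date(2020, 5, 14)
REVIEW_MAX_AGE_DAYS = 90          # assumed review interval, set per policy
DAY_TO_DAY = {"email_client", "web_browsing"}   # assumed activity labels

ACCOUNTS = [
    {"user": "asmith",     "enabled": True,  "privileged": False, "last_review": None},
    {"user": "adm-bjones", "enabled": True,  "privileged": True,  "last_review": date(2019, 11, 1)},
    {"user": "adm-cpatel", "enabled": True,  "privileged": True,  "last_review": date(2020, 4, 20)},
    {"user": "dlee",       "enabled": True,  "privileged": False, "last_review": None},
    {"user": "egray",      "enabled": False, "privileged": False, "last_review": None},
]
LEAVERS = {"dlee", "egray"}       # e.g. exported from the HR system
AUDIT_LOG = [                      # (date, user, activity)
    ("2020-05-12", "adm-bjones", "server_config_change"),
    ("2020-05-12", "adm-cpatel", "email_client"),
    ("2020-05-13", "adm-cpatel", "web_browsing"),
    ("2020-05-13", "asmith", "email_client"),
    ("2020-05-13", "dlee", "vpn_login"),
]

def audit(accounts, leavers, log, today=TODAY):
    """Return a sorted list of (finding, user) tuples."""
    findings = set()
    by_user = {a["user"]: a for a in accounts}
    for a in accounts:
        # Leavers must have access disabled immediately.
        if a["user"] in leavers and a["enabled"]:
            findings.add(("leaver_still_enabled", a["user"]))
        # High privilege accounts need a regular access review.
        if a["privileged"] and a["enabled"]:
            reviewed = a["last_review"]
            if reviewed is None or (today - reviewed).days > REVIEW_MAX_AGE_DAYS:
                findings.add(("privilege_review_overdue", a["user"]))
    for _day, user, activity in log:
        acct = by_user.get(user)
        # Administrator accounts should not be used for day to day functions.
        if acct and acct["privileged"] and activity in DAY_TO_DAY:
            findings.add(("admin_used_day_to_day", user))
        # Any activity from a leaver's account warrants investigation.
        if user in leavers:
            findings.add(("activity_by_leaver", user))
    return sorted(findings)

if __name__ == "__main__":
    for finding, user in audit(ACCOUNTS, LEAVERS, AUDIT_LOG):
        print(f"{finding}: {user}")
```

In practice the three inputs would come from the directory service, the HR leaver feed and the central log store rather than inline lists.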
Insider threats are probably one of the most difficult risks to manage. It is important to remember that, whilst it will not always be possible to prevent such attacks from occurring, the use of the controls suggested above will place your organisation in a good position to halt any attacks at an early stage and minimise the impact upon the confidentiality, integrity and availability of your assets, information and reputation.