Cyber Talk: Insider Threat

What is an insider threat?

Every organisation possesses established resources that carry a certain value. Regardless of how well the organisation is secured on the exterior, there will always be the possibility of an internal threat that creates a risk of compromise. An insider is anyone given authorised access to an organisation's knowledge or resources, including designs, networks, information, data, infrastructure, and equipment. The overwhelming majority of organisations have internal resources that are usually not secured, and this leaves an exploitable domain that threatens the operation of the business. An insider threat can be defined as anyone with the potential to put assets or processes at risk, either intentionally or unintentionally. The following behaviours are common manifestations of real-world threats:

  • Sabotage
  • Attacks on confidentiality
  • Espionage
  • Workplace violence
  • Terrorism
  • Corruption
  • Loss of reputation

The three most common insider threats include:

  • Malicious insider: According to ACSC, a malicious insider can be "employees, former employees, contractors or business associates who have legitimate access to your systems and data, but use that access to destroy data, steal data or sabotage your systems (willingly)." Malicious insiders may be motivated by various factors, including a grudge against an employer, financial gain, ideological motivations, coercion, or corruption by transnational organised crime.
  • An imposter: A so-called 'employee' or partner, who is in reality an outsider, who gains access to the organisation's network to sabotage it or steal confidential information.
  • Careless insider: An employee who unintentionally breaches confidentiality without any real incentive to do so.

Figure 1 – Risky behaviour

How to detect an Insider Threat?

There are multiple indications of an insider threat at work. For instance, if a substantial number of employees in the organisation have no established user-access system, and the workforce also includes dissatisfied workers, the business will more than likely experience an insider attack. Some of these threat indicators may include:

  • Increased volume of data movement on the network
  • Accessing data at unusual times
  • Accessing unrelated resources
  • Accepting tasks overenthusiastically
  • Installation of unknown applications over the internet
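The first three indicators above can be checked mechanically against access logs. The following is an added example, not code from the original article or from ACSC; the event format, business hours and spike threshold are assumptions, and the events are constructed sample data. Each user is baselined against their own history so that a heavy but consistent user is not flagged as a spike.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample access events (not real logs):
# (user, user_dept, timestamp, resource_dept, bytes_moved)
EVENTS = [
    ("alice", "finance", "2024-03-04T09:12:00", "finance", 2_000_000),
    ("alice", "finance", "2024-03-05T10:40:00", "finance", 2_500_000),
    ("alice", "finance", "2024-03-06T14:05:00", "finance", 1_800_000),
    ("bob", "engineering", "2024-03-04T11:00:00", "engineering", 3_000_000),
    ("bob", "engineering", "2024-03-05T02:15:00", "engineering", 3_200_000),  # unusual time
    ("bob", "engineering", "2024-03-06T23:50:00", "finance", 60_000_000),   # unrelated resource, large move
    ("carol", "hr", "2024-03-04T09:30:00", "hr", 500_000),
    ("carol", "hr", "2024-03-05T16:10:00", "hr", 700_000),
]

BUSINESS_HOURS = range(7, 20)  # assumed normal working hours: 07:00 to 19:59
SPIKE_FACTOR = 5               # assumed: 5x the user's own median volume counts as a spike


def flag_indicators(events):
    """Return {user: {indicator: [timestamps]}} for events matching an indicator."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[0]].append(ev)

    findings = defaultdict(lambda: defaultdict(list))
    for user, evs in per_user.items():
        # Baseline each user against their own history rather than a global threshold
        baseline = median(e[4] for e in evs)
        for _, dept, ts, res_dept, nbytes in evs:
            if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
                findings[user]["unusual_time"].append(ts)
            if res_dept != dept:
                findings[user]["unrelated_resource"].append(ts)
            if nbytes > SPIKE_FACTOR * baseline:
                findings[user]["volume_spike"].append(ts)
    return {u: dict(f) for u, f in findings.items()}


def summarize(findings):
    """Order users by how many distinct indicators fired; several together warrant review first."""
    return sorted(findings, key=lambda u: -len(findings[u]))


if __name__ == "__main__":
    found = flag_indicators(EVENTS)
    for user in summarize(found):
        print(user, {k: len(v) for k, v in found[user].items()})
```

A single indicator is rarely conclusive on its own; the point of combining them is to surface accounts where several coincide for an analyst to review.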

How to respond to an Insider Attack?

Recovery from an attack depends on the severity of the damage dealt. If the damage is a technical attack on the system, for example a DoS attack or a malware installation, then contacting an expert to resolve the problem would most likely help salvage the situation. However, if the target was the organisation's data, little to nothing could be done to recover from the attack. Prevention is better than cure. The next section will show methods of mitigation that would better equip a company against such threats.

How to protect against an Insider Attack?

The ACSC lists multiple ways to protect against an insider attack. In this article, we will name a few.

  1. Prioritise the external backup of data – The idea here is to take all the valuable information within an organisation and back it up to either the cloud or an offline storage drive.
  2. Access Control – Re-evaluate system access levels and assign access controls accordingly. The greatest threat to an organisation is data transparency.
    • Do not be afraid to revoke access to certain domains while reorganising information, so that employees only get access to what is necessary to fulfil their tasks.
    • Always give employees unique login details. This helps to eliminate the possibility of future conflict and suspicion.
    • Deactivate the access of former employees, and change any passwords associated with the user.
  3. Promote a positive culture – The best way to counter an angry employee with a grudge is to avoid producing an angry employee with a grudge. Always aim to improve employee satisfaction; an effective way is to apply tactics that help break down communication barriers.
  4. Education and training – Educate staff on security issues and risks to help beat negligence.
  5. Protect critical assets – Formulate a chart categorising assets by value and criticality. Manage access to these critical assets using a zero-trust architecture.

Summary

Threats can be found everywhere, ranging from threats on busy streets to threats at home. Keeping on top of security is always important to maximise your peace of mind. That is why being aware of insider threats is crucial for future operations and asset retention. For more tailored security advice, please feel free to contact our team.