Whether acting out of malice or negligence, insider threats pose a significant risk to all organisations.
With so many different cyber threats targeting businesses like yours, it isn’t always easy to know which to prioritise. The mistake that many organisations make is to focus purely on threats originating from outside. However, with the number and severity of breaches caused by insider attacks continuing to rise, this can often be a very costly oversight.
This guide seeks to provide clarity on the different types of insider threats you need to be aware of and the controls and processes that can be used to defend against them.
What are insider threats?
Insider threats in cyber security are threats posed to organisations by current or former employees, contractors, business associates or other partners. These individuals have inside information on the organisation in question, and may misuse access to networks, applications and databases to wittingly or unwittingly cause damage and disruption and/or erase, modify or steal sensitive data.
Information at risk of being compromised by insider threats could include personal information relating to employees and customers, intellectual property, financial records, and details about company security controls. All organisations are at risk of insider breaches, but recent research has indicated that the finance, manufacturing and healthcare sectors can be particularly susceptible.
According to Kroll’s 2019/2020 Global Fraud and Risk Report, incidents caused by insider threats account for 66% of those reported by organisations.
Types of insider threats
Contrary to popular belief, insider threats aren’t always malicious in nature. Most insider threat definitions encompass any action from an insider that could negatively impact an organisation, and in many cases these actions are borne out of negligence rather than malice.
Negligent insider threats often take the form of inadvertent employee errors, such as falling for phishing scams or accidentally deleting files. Ponemon research has suggested that 63% of insider threat related incidents in 2017 were the result of negligence.
Malicious insider threats include rogue and disgruntled employees or contractors that purposely leak an organisation’s confidential data for financial gain and/or misuse access to systems to inflict damage or disruption. Criminal insiders may work alone, collude with competitors, or be affiliated with organised hacking groups.
The four common types of insider threats are outlined below:
Defined as current employees looking to ‘stay and profit’, second streamers misuse confidential information to generate additional income through fraud, external collusion or by selling trade secrets. Research from our Threat Intelligence team has revealed that cybercriminals are increasingly looking to target employees at large corporations, offering a payment for the sharing of credentials and further payments for every month they remain active.
Disgruntled current or former employees that steal intellectual property or commit intentional sabotage are among the costliest threats to organisations. Gartner’s insider threat statistics suggest almost a third of criminal insiders commit theft for financial gain.
Inadvertent insiders are individuals who exhibit secure and compliant behaviour but make occasional errors, and often don’t realise their mistakes until it is too late.
Persistent non-responders are employees, often senior executives, that remain continuously unresponsive to cyber security awareness training. These employees often exhibit behaviours that could leave them vulnerable to compromise and are often targeted by social engineering scams such as Business Email Compromise (BEC) attacks.
Insider threat examples
A range of insider breaches have hit the headlines in recent years, underscoring the dangers of insider threats to businesses.
Perhaps the highest profile of these incidents involved Waymo, the autonomous car division of Google. In May 2016, an employee left the company to found a self-driving truck business, Otto, which was bought within 2 months by Uber. It has been alleged that prior to his departure from Waymo, the individual in question downloaded thousands of confidential files and trade secrets, including blueprints, design files and testing documents. A lawsuit brought by Waymo against Uber was settled part way through a trial, with Waymo receiving a financial settlement valued at around £197 million.
Another high-profile incident of recent times involves a disgruntled employee at Tesla, who, it is alleged, abused internal privileges to perform industrial sabotage by making changes to software systems controlling the manufacturing process. This prompted a public legal dispute and claims of whistleblowing, which had a damaging effect on the company’s reputation.
In September 2020, two members of support staff at e-commerce company Shopify abused their access rights to steal customer data, including names, addresses and order details, from almost 200 merchants that used the platform, causing a 1.3% drop in Shopify’s stock price.
Punjab National Bank
One of the most financially damaging insider breaches to date concerns the Punjab National Bank in India. An employee at the bank used the SWIFT interbank communication system to create a sophisticated chain of transactions to fraudulently transfer funds totalling over £1.5 billion.
In a case which reached the Supreme Court in April 2020, UK supermarket chain Morrisons appealed against a judgement finding it vicariously liable for the actions of a malicious insider. The disgruntled internal auditor leaked sensitive information relating to 100,000 employees. This included national insurance numbers, birth dates and banking details.
Another insider breach in 2017 involved one of the world’s biggest brands, Coca-Cola. A former employee at one of the company’s subsidiaries was discovered to have stolen a hard drive which contained the personal information of 8,000 employees. This breach caused much public embarrassment for the organisation, but the repercussions could have been much greater had it occurred after May 2018, the enforcement deadline of the GDPR.
Insider threat management
Reading horror stories about insider threats can be daunting but by taking proactive steps, organisations can significantly reduce the risk.
Five key safeguards are outlined below:
Closely manage permissions and privileges
Closely managing user account privileges is essential to limit the risk of malicious compromises, whether directly by an employee or indirectly by an outsider that has gained access to an account.
It is recommended that organisations adopt a policy of least privilege – ensuring employees, contractors and agencies only have the minimum set of system privileges required to perform their duties. As employee roles change, it is also important to regularly review permissions, and to ensure that privileges are immediately revoked when employees depart.
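The least-privilege review described above can be made routine rather than ad hoc. The following added example (not code from the original article or from Redscan/Kroll) reconciles live account grants against an HR roster and a role-to-privilege policy; all accounts, roles and privilege names are constructed sample data.

```python
# Added example: flag accounts whose privileges exceed what their role needs,
# accounts that outlive an employee's departure, and accounts with no HR record.
# Every name, role and privilege below is constructed for illustration.
from dataclasses import dataclass, field

# Minimum privilege set each role requires (assumed policy, not a real one).
ROLE_POLICY = {
    "support": {"crm:read"},
    "finance": {"ledger:read", "ledger:post"},
    "auditor": {"ledger:read", "hr:read"},
}

# HR roster: account -> (role, still employed?). Constructed sample data.
HR_ROSTER = {
    "alice": ("support", True),
    "bob": ("finance", True),
    "carol": ("auditor", False),   # left the company; account never disabled
}

# Privileges currently granted in the identity system. Constructed sample data.
LIVE_GRANTS = {
    "alice": {"crm:read", "crm:export"},   # export granted for a one-off task, never removed
    "bob": {"ledger:read", "ledger:post"},
    "carol": {"ledger:read", "hr:read", "hr:export"},
    "dave": {"crm:read"},                  # no HR record at all
}

@dataclass
class Finding:
    account: str
    kind: str                     # excess_privilege, revoke_account or orphan_account
    detail: set = field(default_factory=set)

def review_privileges(roster, grants, policy):
    """Compare live grants with the roster and policy; return a list of findings."""
    findings = []
    for account, granted in sorted(grants.items()):
        if account not in roster:
            findings.append(Finding(account, "orphan_account", set(granted)))
            continue
        role, employed = roster[account]
        if not employed:
            findings.append(Finding(account, "revoke_account", set(granted)))
            continue
        excess = set(granted) - policy.get(role, set())
        if excess:
            findings.append(Finding(account, "excess_privilege", excess))
    return findings

if __name__ == "__main__":
    for f in review_privileges(HR_ROSTER, LIVE_GRANTS, ROLE_POLICY):
        print(f"{f.account}: {f.kind} {sorted(f.detail)}")
```

Running this periodically (and on every leaver notification) turns the "review permissions, revoke on departure" advice into a concrete, auditable check.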
Implement a device management policy
In most businesses, staff access company systems from a wide range of locations, and on a host of different devices. This is particularly pertinent with the mass remote working brought on by the COVID-19 pandemic. Many organisations now have BYOD policies, but unsecured devices present a variety of security risks.
Organisations should ensure office networks are segregated, with dedicated WiFi networks for personal devices. All employee devices should also have endpoint security software installed.
Application control is also important, and organisations should create a whitelist of approved apps to ensure employees know which tools are permitted. Disabling or, at the very least, monitoring USB points on high risk devices is also highly recommended.
Provide regular staff training
Human errors are an operational reality and more often than not, people are the weak link in the security chain. However, this doesn’t make training redundant – improving security awareness and educating employees about their data security obligations is a crucial step to reducing risk.
Security awareness training should cover topics such as data protection, phishing prevention and password management.
Conduct proactive monitoring
Proactive network security and endpoint monitoring, using a combination of technologies such as SIEM, IDS and EDR, is one of the most effective ways to identify and respond to insider threats before they cause damage and disruption.
Monitoring starts with the establishment of a baseline of ‘normal’ activity. Behaviour that falls outside this baseline can then be flagged and analysed to ascertain whether it could be malicious.
Invest in UEBA
Many of the latest monitoring tools include User and Entity Behaviour Analytics (UEBA), which can be hugely valuable to combat insider threats. UEBA detects and neutralises known and unknown user-based threats by using advanced machine learning and behavioural profiling techniques to identify anomalous activity such as account compromises and privilege abuse.
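To make the baseline-then-deviation approach of the two sections above concrete, here is an added example (not code from the original article or from any UEBA product) that builds a per-user baseline of daily download volume from historical access logs and flags days that deviate sharply from it, the bulk-download pattern seen in the Waymo and Shopify cases. The log lines are constructed sample data in an assumed "timestamp user action object" format.

```python
# Added example: per-user volume baseline with z-score deviation flagging.
# The log is generated deterministically below and is constructed sample data.
from collections import defaultdict
import math

def build_sample_log():
    """Ten ordinary days of 4-6 downloads, then one day of 400 (constructed)."""
    lines = []
    for day in range(1, 11):
        for i in range(4 + day % 3):
            lines.append(f"2021-03-{day:02d}T10:{i:02d}:00 alice download /docs/f{day}-{i}.pdf")
    for i in range(400):
        lines.append(f"2021-03-11T22:{i % 60:02d}:00 alice download /docs/bulk-{i}.pdf")
    return lines

def daily_counts(lines, action="download"):
    """Count log lines per (user, date) for the given action."""
    counts = defaultdict(int)
    for line in lines:
        ts, user, act, _obj = line.split(" ", 3)
        if act == action:
            counts[(user, ts[:10])] += 1
    return counts

def build_baseline(counts, cutoff_date):
    """Per-user (mean, std) of daily volume over days before cutoff_date."""
    per_user = defaultdict(list)
    for (user, date), n in counts.items():
        if date < cutoff_date:
            per_user[user].append(n)
    baseline = {}
    for user, values in per_user.items():
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        baseline[user] = (mean, max(math.sqrt(var), 1.0))  # floor std so quiet users still get a score
    return baseline

def flag_anomalies(counts, baseline, cutoff_date, threshold=3.0):
    """Return (user, date, count, z) for post-cutoff days far above the user's baseline."""
    flagged = []
    for (user, date), n in sorted(counts.items()):
        if date < cutoff_date or user not in baseline:
            continue
        mean, std = baseline[user]
        z = (n - mean) / std
        if z > threshold:
            flagged.append((user, date, n, round(z, 1)))
    return flagged

if __name__ == "__main__":
    counts = daily_counts(build_sample_log())
    base = build_baseline(counts, "2021-03-11")
    for hit in flag_anomalies(counts, base, "2021-03-11"):
        print("anomalous download volume:", hit)
```

A user with no baseline history (a new joiner or a first-seen account) is skipped here rather than scored; in practice such accounts deserve their own review path, since a freshly provisioned account with bulk access is itself a signal.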
Develop an incident response plan
When an insider breach occurs, it’s important to have processes in place to gather and analyse the necessary data to ascertain which systems were accessed, which users have access to those systems, and what data was exposed. An experienced incident response handler like Kroll should be engaged to ensure that data is handled in a forensically sound manner, and critical evidence is
Managed Detection and Response
For many organisations, an in-house 24/7 security monitoring capability to prevent, detect and respond to insider threats and other malicious activity is unrealistic – the technology, intelligence, and specialist expertise required are simply too expensive.
For a cost-effective subscription, ThreatDetect™, Redscan’s Managed Detection and Response service, provides the experienced security professionals and latest SIEM, UEBA and endpoint tools needed to identify, contain and shut down attacks.
By working as an extension of your in-house team, our cyber offensive experts hunt for and respond to threats across your on-premise, cloud, virtual and hybrid environments, 24/7. Kroll’s unparalleled frontline incident response and forensics experience means that in the event of a breach, you can have peace of mind that your business will be left in the best position possible, with minimal disruption and your reputation intact.