Whether acting out of malice or negligence, insider threats pose a significant risk to all organisations.
With so many different cyber threats targeting businesses, it isn’t always easy to know which to prioritise. The mistake that many organisations make is to focus purely on threats originating from outside. However, with the volume and severity of breaches caused by insider attacks rising, this can often be a very costly oversight.
This guide seeks to provide clarity on the different types of insider threats you need to be aware of and the controls and processes that can be used to defend against them.
What are insider threats?
Insider threats in cyber security are threats posed to organisations by current or former employees, contractors or partners. These individuals may misuse access to networks, applications and databases to wittingly or unwittingly cause damage and disruption and/or erase, modify or steal sensitive data.
Information at risk of being compromised by insider threats could include personal information relating to employees and customers, intellectual property, financial records, and details about company security controls. All organisations are at risk of insider breaches, but recent research has indicated that the finance, manufacturing and healthcare sectors can be particularly susceptible.
Types of insider threats
Contrary to popular belief, insider threats aren’t always malicious in nature. Most insider threat definitions encompass any action from an insider that could negatively impact an organisation, and in many cases these actions are borne out of negligence rather than malice.
Negligent insider threats often take the form of inadvertent employee errors, such as falling for phishing scams or accidentally deleting files. Ponemon research has suggested that 63% of insider threat-related incidents in 2017 were the result of negligence.
Malicious insider threats include rogue and disgruntled employees or contractors that purposely leak an organisation’s confidential data for financial gain and/or misuse access to systems to inflict damage or disruption. Criminal insiders may work alone, collude with competitors, or be affiliated with organised hacking groups.
The four common types of insider threats are outlined below:
Defined as current employees looking to ‘stay and profit’, second streamers misuse confidential information to generate additional income through fraud, external collusion or by selling trade secrets. A recent study by the University of Surrey has revealed that almost a third of dark web activity relates to the trading of corporate data.
Disgruntled current or former employees that steal intellectual property or commit intentional sabotage are among the costliest threats to organisations. Gartner’s insider threat statistics suggest almost a third of criminal insiders commit theft for financial gain.
Inadvertent insiders are individuals who exhibit secure and compliant behaviour but make occasional errors, and often don’t realise their mistakes until it is too late.
Persistent non-responders are employees, often senior executives, that remain continuously unresponsive to security awareness training. These employees often exhibit behaviours that could leave them vulnerable to compromise and are often targeted by social engineering scams such as Business Email Compromise (BEC) attacks.
Insider threat examples
A range of insider breaches have hit the headlines in recent years, underscoring the dangers of insider threats to businesses.
Perhaps the highest profile of these incidents involved Waymo, the autonomous car division of Google. In May 2016, an employee left the company to found a self-driving truck business, Otto, which was bought within 2 months by Uber. It has been alleged that prior to his departure from Waymo, the individual in question downloaded thousands of confidential files and trade secrets, including blueprints, design files and testing documents. A lawsuit brought by Waymo against Uber was settled part way through a trial, with Waymo receiving a financial settlement valued at around £197 million.
Another high-profile incident of recent times involves a disgruntled employee at Tesla, who, it is alleged, abused internal privileges to perform industrial sabotage by making changes to software systems controlling the manufacturing process. This prompted a public legal dispute and claims of whistleblowing, which had a damaging effect on the company’s reputation.
Punjab National Bank
One of the most financially damaging insider breaches to date concerns the Punjab National Bank in India. An employee at the bank used the SWIFT interbank communication system to create a sophisticated chain of transactions to fraudulently transfer funds totalling over £1.5 billion.
In a 2017 case, which is now destined for the Supreme Court, UK supermarket chain Morrisons was found vicariously liable for the actions of a malicious insider. The disgruntled internal auditor leaked sensitive information relating to 100,000 employees. This included national insurance numbers, birth dates and banking details.
Another insider breach in 2017 involved one of the world’s biggest brands, Coca-Cola. A former employee at one of the company’s subsidiaries was discovered to have stolen a hard drive which contained the personal information of 8,000 employees. This breach caused much public embarrassment for the organisation, but the repercussions could have been much greater had it occurred after May 2018, the enforcement deadline of the GDPR.
Insider threat management
Reading horror stories about insider threats can be daunting but by taking proactive steps, organisations can significantly reduce the risk.
Five key safeguards are outlined below:
Closely manage permissions and privileges
Closely managing user account privileges is essential to limit the risk of malicious compromises, whether directly by an employee or indirectly by an outsider that has gained access to an account.
It is recommended that organisations adopt a policy of least privilege – ensuring employees, contractors and agencies only have the minimum set of system privileges required to perform their duties. As employee roles change, it is also important to regularly review permissions, and to ensure that privileges are immediately revoked when employees depart.
Implement a device management policy
In most businesses, staff access company systems from a wide range of locations, and on a host of different devices. Many organisations now have BYOD policies, but unsecured devices present a variety of security risks.
Organisations should ensure networks are segregated, with dedicated WiFi networks for personal devices. All employee devices should also have endpoint security software installed.
Application control is also important, and organisations should create a whitelist of approved apps to ensure employees know which tools are permitted. Disabling or, at the very least, monitoring USB ports on high-risk devices is also highly recommended.
Provide regular staff training
Human errors are an operational reality and more often than not, people are the weak link in the security chain. However, this doesn’t make training redundant – improving security awareness and educating employees about their security obligations is a crucial step to reducing risk.
Security awareness training should cover topics such as data protection, phishing prevention and password management.
Conduct proactive monitoring
Proactive network and endpoint monitoring, using a combination of technologies such as SIEM, IDS and EDR, is one of the most effective ways to identify and respond to insider threats before they cause damage and disruption.
Monitoring starts with the establishment of a baseline of ‘normal’ activity. Behaviour that falls outside this baseline can then be flagged and analysed to ascertain whether it could be malicious.
Many of the latest monitoring tools include User and Entity Behaviour Analytics (UEBA), which can be hugely valuable to combat insider threats. UEBA detects and neutralises known and unknown user-based threats by using advanced machine learning and behavioural profiling techniques to identify anomalous activity such as account compromises and privilege abuse.
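The baseline-then-flag approach described here, combined with the departure revocation check from the permissions section, as a small piece of working detection logic. This is an added example, not Redscan's code or any product's tooling; the access log, the HR departure feed and the three-standard-deviation threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data, not from any real environment: one record per
# user per day giving the number of confidential files that user downloaded.
ACCESS_LOG = [
    ("alice", "2024-03-01", 12), ("alice", "2024-03-02", 9),
    ("alice", "2024-03-03", 14), ("alice", "2024-03-04", 11),
    ("alice", "2024-03-05", 10), ("alice", "2024-03-06", 13),
    ("alice", "2024-03-07", 640),   # sudden bulk download on the last day
    ("bob", "2024-03-01", 20), ("bob", "2024-03-02", 25),
    ("bob", "2024-03-03", 22), ("bob", "2024-03-04", 19),
    ("bob", "2024-03-05", 24), ("bob", "2024-03-06", 21),
    ("bob", "2024-03-07", 23),
    ("carol", "2024-03-07", 3),     # carol's leaving date was 2024-03-01
]
# Hypothetical HR feed: users whose access should have been revoked, with leaving date.
DEPARTED = {"carol": "2024-03-01"}

MIN_HISTORY = 3   # days of history needed before a baseline is trusted
SIGMA = 3.0       # standard deviations above the mean that count as anomalous


def find_insider_anomalies(log, departed, min_history=MIN_HISTORY, sigma=SIGMA):
    """Return a list of (user, day, reason) findings.

    Each day's count is scored only against that user's earlier days, so the
    'normal' baseline is built from activity that preceded the event being judged.
    """
    findings = []
    history = defaultdict(list)
    for user, day, count in sorted(log, key=lambda r: (r[0], r[1])):
        # Any activity by a departed user means revocation did not happen.
        if user in departed and day >= departed[user]:
            findings.append((user, day, "activity after departure"))
        prior = history[user]
        if len(prior) >= min_history:
            # Floor the spread so a perfectly flat baseline does not flag tiny increases.
            spread = max(pstdev(prior), 1.0)
            threshold = mean(prior) + sigma * spread
            if count > threshold:
                findings.append((user, day, f"{count} downloads vs baseline {threshold:.1f}"))
        prior.append(count)
    return findings


if __name__ == "__main__":
    for finding in find_insider_anomalies(ACCESS_LOG, DEPARTED):
        print(*finding)
```

In practice the per-user history would come from a SIEM or EDR data store and the departure feed from HR or the identity provider; the scoring logic stays the same.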
Managed Detection and Response
For many organisations, an in-house 24/7 security monitoring capability to prevent, detect and respond to insider threats and other malicious activity is unrealistic – the technology, intelligence, and specialist expertise required are simply too expensive.
For a cost-effective subscription, ThreatDetect™, Redscan’s Managed Detection and Response service, provides the experienced security professionals and latest SIEM, UEBA and endpoint tools needed to identify, contain and shut down attacks.
By working as an extension of your in-house team, our cyber offensive experts hunt for threats across your on-premises, cloud, virtual and hybrid environments, and provide the support needed to protect critical assets to enterprise-grade standards.