The phrase ‘Cyber Threats’ usually brings to mind suspicious people in hoodies typing away sinisterly, or maybe that sinking feeling you get when you wake up and find that your Really Clever Password wasn’t quite as clever as you thought it was. These are reasonable things to imagine, and a lot of effort goes into creating and marketing products and services that protect you from them or in general, threats that originate from outside your organisation. There is, however, another angle that you should be looking at; a threat from inside your organisation, better known as an Insider Threat.

This might be the first time you’re hearing about insider threats, so I’m going to try and predict the questions going through your head and answer them as we go along.

Question 1: What's an insider threat?

An insider threat occurs when a cybersecurity event is initiated as a result of the actions of an individual within an organisation. This individual may be a current or former employee with access to business data or business functions. Their misuse of this access for actions that may threaten the business classifies them as an insider threat.

Question 2: How do I know that something is an insider threat?

Data exfiltration - If an employee is sending a large amount of data outside of corporate networks for no discernible reason, they may be sending sensitive files or other confidential information to a competitor or another outside party.

No indicators of compromise - If you suspect that a data breach has occurred or find your data out there on the internet rather than safe inside your database but can’t find any signs of an attack on your network, it may be that the attack originated from within your organisation.

Privileged account access - If the attack or incident could only have taken place with access to a high level account such as a system administrator’s and there are no indicators that any accounts were brute forced or hacked into, someone with direct access to that account may have used their privileges to initiate the event.

Unusual user activity - If your records show an employee logging into their accounts outside of their active hours or accessing resources that they would not need to do their jobs, they might be trying to cover their tracks or looking for information that they shouldn’t be seeing.

Question 3: Is everyone inside my company a threat?

No! While there are some situations where it’s appropriate to see everyone as a threat, insider threats usually come in three main varieties;

Unintentional

Not every breach happens because of an active effort to cause damage to the organisation. Misspelling an email address and sending a document to the wrong person, accidentally inviting the wrong person to a meeting, or even trying to store company data on an external data storage service to work from home; these can all cause a data breach with no ill intentions on the part of the initiator.

Intentional

The other side of that coin is that some breaches will happen because of an active effort to cause damage to the organisation. This could be sending sensitive documents to competitors, leaking product release details to the press or damaging the company's brand by taking control of social media accounts.

3rd parties

Third party threats may also be classified as insider threats in some instances. For example, if an employee clicks on a phishing link and has their account details stolen, the attacker can take control of their account and work from within the organisation without being detected by boundary firewalls as the account is officially recognised.

Question 4: What kind of damage can they cause?

Loss of sensitive information

The most obvious damage that an insider could cause is to share confidential information with outsiders, who may range from the press to your direct competitors. Most other damages will be as a result of this happening.

Loss of your competitive edge

Having your information released to competitors will result in the loss of any competitive edge that you enjoy, especially if you're in an industry where you depend on your internal technical research or specialised products to differentiate yourself from your competitors.

Damage to your brand image

Depending on the type of information that is leaked, as well as how high profile the leak becomes, the public perception of your organisation will take a hit. This may cause your customers to lose faith in your ability to keep their information and their business interests safe.

Higher potential for system takeovers

Taking down or taking over a system will always be easier if the individual who does so already has detailed knowledge of the system, or even high-level access to it. For example, a single rogue administrator may be able to take complete control of your organisation's infrastructure and even lock you out of it altogether.

Question 5: How can I stop them?

Strong policies - Specifying exactly what is and isn’t allowed in relation to handling company data and resources will help your users understand how they can use them, and will lessen the chance of accidents exposing the organisation to risk. Detailed policies that address issues such as access control will add another level of protection to your critical assets, as well as communicating these policies through regular internal memos or staff posts.

User training - Recognising that your people aren’t the weakest link but the most important piece of the puzzle is key to dealing with insider threats. Educating them on what does and does not constitute a breach or a ‘threat’ adds another level of defence to your organisation, as well as promoting a security aware culture within the organisation.

Monitoring - Especially in the case of insider threats, monitoring your systems and your network for danger signs can stop an event from happening and catch the tell tale signs of one in progress. This applies best to outbound traffic and monitoring and analysing user behaviour for any unprecedented changes.

Insider Threats may seem like a daunting problem to tackle, but Meta Defence Labs can help you mitigate them. We offer a range of services including tailor made insider threat training through staff awareness programs and simulations, which can be backed up by policies that aim to protect your assets through a combination of regulations and advice. Get in touch for a free consultation today to find out more about our approach to handling insider threats!

Author: Kavan Ranaraja