Fighting insider threats is tricky but essential work
Business executives worry about accidental internal staff error (71%) almost as much as they worry about external threats (75%). But which of the two is the bigger threat to a company?
External vs insider threats
External threats can cause great damage to an organization, but the malicious groups or individuals behind them first have to find a way in. They typically do so by exploiting vulnerabilities, running phishing or other social engineering campaigns, or bribing and blackmailing people who already have access.
Spotting insider threats can be more challenging for a simple reason: insiders already have legitimate access – whether limited or full – to an organization’s network, systems, or other assets.
The complexity of insider threats
“Identifying insider threats is not a binary process. Insiders can be malicious, lack the skills to do their jobs properly, or be victims of coercion. Thus, it is important to understand the different types of insider threats and the vectors that are most applicable to your organization,” Mandiant researchers recently noted.
These types can be:
- Malicious insiders – those that steal or corrupt data motivated by personal gain, a desire for revenge, or to provide advantage to a competitor
- Unintentional insiders – those that unintentionally reveal data whether by accident or due to insufficient training
- Compromised insiders – those that act maliciously as a result of blackmail or extortion
- Negligent insiders – those whose mistakes cause data breaches or other incidents
Malicious insiders are the straightforward case: their motive is clear. The other three types are more complex.
Unintentional and negligent insiders become a threat when they have not been properly instructed or trained, or simply do not understand the technology they are using and the protections it requires.
One such incident occurred when Microsoft employees exposed login credentials for company systems by uploading them to GitHub.
Compromised insiders, when faced with blackmail or extortion, may give in to the threats for fear of being shamed or laid off.
Third-party partners, such as contractors and vendors, can also be an insider threat as they often have some access permissions to an organization’s systems and networks to perform their job.
In a third-party compromise that happened in 2019, a former Amazon Web Services (AWS) engineer exploited a misconfigured web application firewall to break into Capital One (which at the time used AWS cloud services) and access over 100 million customers' credit card applications and account records.
The challenge for organizations is that they must place trust in their employees without knowing whether any of them will turn malicious or simply make an honest yet devastating mistake.
Preventing insider threats
Organizations must take certain steps to protect themselves from insider threats.
First of all, they have to make sure employees are properly and continuously trained to boost their cybersecurity awareness. Employees need to feel empowered and motivated to actively protect their organization. This is best done with understanding and empathy, and by making sure the right knowledge actually reaches them.
Organizations need to continuously monitor and audit their systems so that they are alerted to suspicious activity and behavior. Using access control solutions is also good practice: they prevent unauthorized users from reaching specific company resources, and they record who accessed a particular resource and when, which is the evidence an investigation will later depend on.
When an employee leaves an organization, the offboarding process has to be meticulous. Organizations must be sure the former employee no longer has access to company assets. That means disabling accounts, revoking tokens, SSH keys, API keys and VPN certificates, and rotating any shared credentials the person knew, since a disabled account does nothing about a still-valid API key. Organizations should also implement solutions that can automatically wipe sensitive data from employees' own devices after a layoff or resignation.
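The monitoring and offboarding points above are easiest to see in code. The following is an added example, not code from the article or from any vendor it mentions: it audits a handful of constructed access-log lines (the key=value format, user names, resource paths and IP addresses are all made up) against a role map and an HR offboarding feed, flagging activity by a departed user after their leaving time, access by a user nobody knows, and access outside a user's role, and it cross-checks the offboarding feed against a snapshot of accounts still enabled in the identity provider.

```python
# Added example (not from the article): audit constructed access-log lines against
# a role map and an offboarding roster. Log format, users, paths and IPs are made up.
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed log lines in a key=value style; a real system's format will differ.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice action=READ resource=hr/payroll.xlsx src=10.0.4.21
2024-03-04T09:15:44Z user=bob action=DOWNLOAD resource=eng/source.zip src=10.0.7.8
2024-03-04T18:02:13Z user=carol action=READ resource=hr/payroll.xlsx src=203.0.113.5
2024-03-05T02:41:09Z user=bob action=DOWNLOAD resource=finance/q1-forecast.xlsx src=198.51.100.7
2024-03-05T07:30:12Z user=mallory action=READ resource=eng/source.zip src=198.51.100.9
2024-03-05T08:00:00Z user=dave action=LOGIN resource=vpn/gateway src=203.0.113.9
"""

# Constructed roster: resource prefixes each user's role may touch ("vpn/" for everyone).
ROLES = {
    "alice": ("hr/", "vpn/"),
    "bob": ("eng/", "vpn/"),
    "carol": ("hr/", "vpn/"),
    "dave": ("eng/", "vpn/"),
}
# Constructed HR feed: users who have left, with the time their access should have ended.
OFFBOARDED = {"carol": datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)}
# Constructed snapshot of accounts still enabled in the identity provider.
ACTIVE_ACCOUNTS = {"alice", "bob", "carol", "dave"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Finding:
    user: str
    rule: str
    line: str


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Parse the UTC timestamp; fromisoformat() only accepts a trailing "Z" on 3.11+.
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def audit(log_text, roles, offboarded):
    """Flag departed users still acting, unknown users, and out-of-role access."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            # Unparseable lines are a finding too: silent drops hide evidence.
            findings.append(Finding("?", "unparseable", line))
            continue
        user = ev["user"]
        if user in offboarded and ev["ts"] >= offboarded[user]:
            findings.append(Finding(user, "access-after-offboarding", line))
            continue  # already flagged; role is moot for a departed user
        allowed = roles.get(user)
        if allowed is None:
            findings.append(Finding(user, "unknown-user", line))
        elif not ev["resource"].startswith(allowed):
            findings.append(Finding(user, "outside-role", line))
    return findings


def stale_accounts(active, offboarded):
    """Accounts the HR feed says have left but the identity provider still has enabled."""
    return set(offboarded) & set(active)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ROLES, OFFBOARDED):
        print(f"{f.rule:25} {f.user:8} {f.line}")
    print("still enabled after offboarding:", sorted(stale_accounts(ACTIVE_ACCOUNTS, OFFBOARDED)))
```

On the constructed input this flags carol's read of the payroll file six hours after her offboarding time, bob's download from a finance path his role does not cover, and a user (mallory) that exists in the logs but not in the roster, and it reports carol as an account that should have been disabled. The two feeds (HR leavers and enabled accounts) are exactly the ones an offboarding check should reconcile on a schedule rather than only on the day someone leaves.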
To help organizations better understand insider threats and build an appropriate protection plan, CISA has published an Insider Threat Mitigation Guide, which can guide you through the process of building an insider threat mitigation program and help you detect, identify, assess and manage insider threats.