In a threat landscape dominated by news of the latest ransomware attack, or unpatched vulnerability, it is understandable that IT teams focus a great deal of their efforts on hardening defences against external threats. And while this is certainly justified, and most definitely required, it is essential that a comprehensive security program also considers the threat from within.
Insider threats can take many forms though most commonly, the perception is that they are perpetrated by jilted employees who are keen on retribution for the wrongs they have suffered. This is one aspect of the threat as disgruntled employees with the right privileges can certainly wreak havoc.
Many people reveal much about their lives on social media
But insider threats are not only made possible by malicious motivations – often, but it is also nothing more than negligence that results in employees unwittingly placing their organisations in the crosshairs of cyber criminals. Understanding the different kinds of insider threats is the essential first step in preparing to defend against them.
Not all disgruntled employees have the skills to be a threat, but they can be co-opted by external threat actors and enabled to cause damage such as launching a ransomware attack. In a survey of 100 IT and security executives on how hackers were approaching employees, undertaken by Pulse and Hitachi ID in late 2021 and early 2022, 65% reported that they themselves, or one of their employees, had been approached to help launch a ransomware attack. That figure has risen substantially over recent surveys, likely because of the changed working environment created by the pandemic.
Those expressing dissatisfaction with their employer or work environment make easy targets for criminals
The State of Network Security 2021 report by Barracuda found that 81% of respondents said their organisation had been the victim of a security breach once in the last year. Indeed, companies with staff working predominantly from home had a significantly higher network security breach rate 85%, compared to companies with staff working predominantly in the office 65%. A full 74% of those surveyed said their organisation has been the victim of at least one ransomware attack in the last year.
Today, many people reveal much about their lives and their feelings on social media. Those expressing dissatisfaction with their employer or work environment make easy targets for criminals to co-opt into their activities and provide with the tools needed to mount an attack.
Resentment is not the only motivation for an insider attack: ambition can also be a motivator
Resentment is not the only motivation for an insider attack: ambition can also be a motivator. An employee might steal information or inflict damage to harm another employee in the hope it will advance their own career.
And the motivation could be as simple as money: industrial espionage. An employee could steal proprietary information to sell to another company or do so at the behest of a competitor.
Any insider who fails to follow security protocols and practices can become a threat. There are many reasons why they might do so: deliberate negligence many security protocols are seen as standing in the way of getting work done; occasional inadvertent lapses; inadequate training.
Compromised insiders are those who have unwittingly enabled an attack, most often by falling for a phishing exercise, and then either downloaded malware or revealed their log-on credentials.
An employee might steal information or inflict damage to harm another employee in the hope it will advance their own career
Once an attacker has compromised an insider, they can take their time to exploit the access gained. They can add the compromised device to a botnet and then use it to mount a DDoS attack or use it to mine cryptocurrency.
However, they most frequently use this compromised device to explore the corporate network behind it, moving laterally to other devices and other accounts, gathering more credentials until they gain sufficient access to steal valuable data, launch a ransom attack or sabotage critical systems.
How to combat insider threats
There are many steps organisations can take to counter insider threats, either stopping them at source, or detecting and blocking those that do breach cyber defences.
Keep employees happy
It will never be possible to keep ever employ happy all the time, but should be the aim of every organisation, regardless of security issues. This means having first rate HR practices to ensure promotions and pay rise decisions are fair and reasonable. It means having clear and honest communications from leaders to subordinates at every level of the organisation. Every employee that does not become disgruntled is one less potential threat.
HR and IT must work together
IT is rarely in a position to identify a disgruntled employee, until that employ vents their displeasure on the IT systems. HR is much better placed. Therefore, HR and IT should meet regularly so IT can be briefed on any employees they need to keep an eye on, perhaps even implementing more restrictive access requirements. HR should routinely tell IT about any employees who have transgressed and been disciplined or passed over for a promotion.
While IT cannot detect employee displeasure, it can detect activity that might precede an insider attack, for example, an employee logging in or entering the premises at abnormal times or accessing data not relevant to their role. It should then identify these individuals to HR for further monitoring.
Training is paramount
Security awareness training has progressed by leaps and bounds in recent years in parallel with the rise in phishing and other deceptions. Once it was a case of getting employees to watch a video and sit some sort of test once or twice a year.
Today’s security awareness programs are much more sophisticated. They simulate phishing attempts to determine employees’ susceptibility and identify those most needing training. They include focussed and personised training that targets the weaknesses identified in those employees.
Aside from these approaches, gamification has become a popular tool to build and maintain a high level of cyber vigilance among staff. Organisations stage monthly or quarterly games where simulated phishing emails are sent to staff and prizes are awarded to those who detect and report them. Such exercises can motivate the most cynical employees and help to maintain a high level of threat awareness across the workforce.
An employee could steal proprietary information to sell to another company or do so at the behest of a competitor
The adage trust but verify is widely used but makes no sense: it really means don’t trust, verify instead. The bar for trusting has been progressively raised: from simple passwords to single sign-on SSO, role-based permissions, and multi-factor authentication MFA, but ultimately these are all trust-based access controls. Once the applicant has passed these hurdles, they are trusted: trusted with access to sensitive information and vital applications.
If an attacker has managed to gain access to the required credentials, they are free to wreak havoc. Or if a legitimate user is compromised after they have passed the access hurdles, they become a danger.
There is no way to eliminate insider threats completely, but the steps outlined above will greatly reduce their incidence and enable an organisation to a much better job of detecting and countering.
IT is rarely in a position to identify a disgruntled employee, until that employ vents on IT systems, while HR is much better placed to recognise this.