Understanding and addressing how your insiders work today
Insider threats can wreak untold havoc on an organisation. It’s critical that security leaders prepare strategies for the three main insider risks
A healthy dose of paranoia is understandable and often even necessary in cybersecurity, but in the case of insider threats – where the risk lies within the organisation like a Trojan horse – leaders must strive to avoid internalising a frenzied monomania that views every employee as a menace. After all, “it is more shameful to distrust our friends than to be deceived by them,” said Confucius.
But the unfortunate truth is that improperly managed staff can cause an eye-watering amount of damage, whether through negligence, because they’ve been targeted, or out of malice. A Ponemon report conducted on behalf of Proofpoint claimed that incidents caused by compromised insiders had almost doubled since 2020, when much of the world was working remotely due to the pandemic, and that the average annual remediation cost for insider-led incidents caused by careless or negligent users was a staggering $6.6m. This is all complicated by the emergence of a hybrid work world, where the traditional understanding of perimeter defence no longer applies and ‘bring your own device’ has been flipped on its head – with staff bringing their work into their homes, and therefore onto all the devices in them.
Reputational damage, sensitive data, downtime, ransomware, and worse – these are all potential outcomes from unchecked insider risk. But there are three core kinds of insider threat leaders need to address, because the strategies to manage them can drastically differ.
Careless users
Over half of all insider threats are due to negligence, and so were completely avoidable. While important, training can go only so far, and organisations can’t expect every employee to be a security expert on top of their ordinary workload. What’s needed is to shape the fundamental make-up of an organisation into one that’s security-aware.
“Tackling insider threat isn’t easy – these are, after all, people that were employed to be trusted and do a job,” explains Dr Jason R C Nurse, associate professor in cybersecurity, University of Kent, and author of Smart Insiders: Exploring the Threat from Insiders using the Internet-of-Things. “Promoting a healthy security culture first involves raising awareness of what ‘good’ security behaviour looks like, and making the security-related expectations from employers crystal clear.”
That means everyone should know what is, and is not, acceptable. Businesses should endeavour to create a culture of reporting anything that appears to be strange – not paranoid, but vigilant. “Any reports should be treated in confidence, but also, those who receive reports should cautiously investigate without unwarranted accusations or actions,” Nurse says.
The perimeter “no longer exists,” says Lena Smart, chief information security officer at database provider MongoDB. If every employee is working from a different kitchen table or home office, with varying setups and network accessibility, there’s “no such thing as a one-way path for network traffic”.
“All your entry points can just as easily become attack vectors, so everyone needs to be involved and accountable,” she says.
Achieving this accountability means eliminating blame culture and creating spaces for reporting where people are not afraid to flag potential issues. For example, Smart suggests, leaders could appoint ‘security champions’ who become ambassadors for cybersecurity in their own departments – someone empathetic who understands the day-to-day workloads of their colleagues, and can act as a conduit to the IT security team if issues arise.
Similarly, internal whistleblowing hotlines can be a lifeline for flagging urgent problems with security staff. But these must be created without any negative connotations, and employees should understand that it’s always in the best interests of the business that problems are reported – even if they think the worst-case scenario has just occurred.
Malicious employees
Whether for financial reasons or from feeling wronged, a committed employee can cause a lot of damage. For example, in 2020, a ConocoPhillips employee created fraudulent invoices to trick the oil giant into paying a friend’s business more than $3m. The actions were part of a larger embezzlement scheme that totalled nearly $7.3m. Businesses need monitoring capabilities to nip malicious insider threats in the bud wherever possible. However, it’s far from desirable if staff feel under surveillance at all times. A culture of fear and suspicion will not encourage people to come forward when there are genuine threats that need flagging, and employee wellbeing can suffer. What’s more, overstepping the mark regarding privacy could lead to workplace grievances, as well as legal or reputational damage for the company in charge.
“As with all things, there’s a balance,” says Nurse. “Organisations want to protect themselves and their assets, while employees want to work without an employer infringing their privacy.”
One potential way to achieve this balance is for employers to be completely transparent about what they record and why. They should be up-front with employees about how data is used – in aggregate or anonymised form unless something more specific is genuinely necessary to keep the organisation secure, advises Nurse: “Anything else may breed distrust which may further harm the relationships between employer and employee.”
Compromised insiders
One of the most effective paths for attackers is to target employee credentials and then exfiltrate data by stealth. In 2021, the United Nations confirmed that the intergovernmental organisation had suffered a data breach of sensitive information. The method: buying a UN employee’s username and password from the dark web.
Anyone can log onto dark web marketplaces and take their pick from as many as 15 billion passwords that are up for sale. Whatever the strength of a password, if it’s leaked once, it’s leaked forever, and all an attacker needs is for one set of keys to work to gain access to a network.
This kind of insider threat needs protecting against, and robust security policies and training are among the best methods of prevention.
“From a technical perspective, one of the simplest ways to protect company credentials is by ensuring staff do not reuse the same password, or do not use a password at all,” says Jake Rogers, CISO at digital assets manager Copper.co. “Most people will only have two or three password combinations and rely on using the same password over and over, making an attacker’s job fairly straightforward and incredibly lucrative.”
Counter-measures might include biometric authentication and two-factor authentication via mobile devices, rather than relying on users to manage their own set of text-based passwords.
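The passage above argues that a password leaked once is leaked forever and that reuse makes an attacker's job easy. One practical control an employer can put in place at password-set time is a leaked-credential check that never sends the password, or even its full hash, off the client: the client hashes the candidate, sends only the first five hex characters of the digest, and receives every known leaked suffix sharing that prefix to compare locally (the k-anonymity range-query pattern). The example below is an added illustration, not code from the article or from any organisation quoted in it; the "breach corpus" is a constructed four-entry list standing in for a real feed, and `range_query` simulates the service side so the whole thing runs offline.

```python
import hashlib

# Constructed sample corpus standing in for a breach feed; not real leaked data.
CONSTRUCTED_LEAKED_PASSWORDS = ["password", "Summer2020!", "letmein", "qwerty123"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range-query services index by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Digests the simulated breach service knows about.
LEAKED_DIGESTS = {sha1_hex(p) for p in CONSTRUCTED_LEAKED_PASSWORDS}

# Record of everything the client transmitted, so a reviewer can confirm that
# only a 5-character prefix ever leaves the client.
SENT_PREFIXES = []


def range_query(prefix: str) -> set:
    """Simulated server side of a k-anonymity range lookup: given a 5-hex-char
    prefix, return the suffixes of every known leaked digest with that prefix.
    The server never learns which suffix, if any, the client was looking for."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    SENT_PREFIXES.append(prefix)
    return {d[5:] for d in LEAKED_DIGESTS if d.startswith(prefix)}


def is_leaked(password: str) -> bool:
    """Client side: hash locally, query by prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def check_new_password(password: str) -> list:
    """Policy gate for a candidate password. Returns a list of failures; an
    empty list means the password is acceptable. A password reused from a
    site that has since been breached is caught by the leaked-corpus check."""
    failures = []
    if len(password) < 12:          # length floor is an assumed policy value
        failures.append("too short")
    if is_leaked(password):
        failures.append("appears in leaked-credential corpus")
    return failures


if __name__ == "__main__":
    for candidate in ["letmein", "Summer2020!", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate) or "ok")
```

The point of the prefix split is that the breach service sees a few hex characters shared by many thousands of digests, so it learns nothing usable about the employee's password even if the lookup is observed; the comparison that matters happens on the client. In a real deployment the constructed corpus would be replaced by a vetted breach feed, and the policy would be combined with the two-factor or biometric options the paragraph describes rather than relied on alone.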
Supply chain attacks, where a partner or secondary organisation of the primary target is earmarked by hackers, heap on further complexity. Managing your own organisation can be enough of a handful, let alone worrying about the security protocols of partner businesses.
But worry about them you must: one solution could be that businesses set up strong security relationships with their supply chain partners, suggests Dr Nurse, putting in place robust controls, security-related service agreements, and continuous checks on partner access.
“Again, there is a balance to be maintained here,” Nurse adds. “Partners need to be aware this is occurring and why: the aim is not to express distrust to the extent it impacts the business relationship, but instead to raise the bar for security across the entire supply chain.”