You might think that you are taking every security measure to protect your company, but have you considered that the danger might come from within? Insider threat is a serious menace, as many large organizations have discovered the hard way.
What Is Insider Threat – A Definition
The term insider threat refers to the malicious threat an organization faces from its own employees, former employees, business associates or contractors. These people hold legitimate access to the company’s data, computer systems and security practices, so any fraud, theft or sabotage on their part bypasses the perimeter controls that are aimed at outside attackers.
A malicious insider’s crimes can include espionage, unauthorized disclosure of information, IT sabotage, and the loss or degradation of the organization’s resources.
According to the FBI, a malicious insider’s motivations can be personal or organizational:
Personal Factors
[…]
Greed or Financial Need: A belief that money can fix anything. Excessive debt or overwhelming expenses.
Anger/Revenge: Disgruntlement to the point of wanting to retaliate against the organization.
Problems at work: A lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff. […]
Ego/Self-image: An “above the rules” attitude, or desire to repair wounds to their self-esteem. Vulnerability to flattery or the promise of a better job. Often coupled with Anger/Revenge or Adventure/Thrill. […]
Compulsive and destructive behaviour: Drug or alcohol abuse, or other addictive behaviours.
Family problems: Marital conflicts or separation from loved ones.
Organizational Factors
[…]
The availability and ease of acquiring proprietary, classified, or other protected materials. Providing access privileges to those who do not need it.
Proprietary or classified information is not labelled as such or is incorrectly labelled.
The ease that someone may exit the facility (or network system) with proprietary, classified or other protected materials.
Undefined policies regarding working from home on projects of a sensitive or proprietary nature. […]
Employees are not trained on how to properly protect proprietary information.
What Is Insider Threat – Forms and Clues
When it comes to the usual suspects, the press usually points out two types of insider threat: malicious insiders (turncoats) and negligent insiders (pawns). The classification by Jeremy Goldstein on Security-Intelligence seems more accurate, as he identifies four types of insider threat:
Pawn
As Goldstein notes, “Pawns are employees who are manipulated into performing malicious activities, often unintentionally, through spear phishing or social engineering. Whether it’s an unwitting employee downloading malware to their workstation or a user disclosing credentials to a third party pretending to be a help desk employee, this vector is one of the broader targets for attackers seeking to cause harm to the organization.”
Goof
Goofs usually don’t have malicious intentions, “but take deliberately and potentially harmful actions. Goofs are ignorant or arrogant users who believe they are exempt from security policies, whether it be out of convenience or incompetence.”
Collaborator
Collaborators are insiders who use their legitimate privileges to steal data or disrupt normal business operations in cooperation with a third party, which may be a competitor or even a nation-state.
Lone wolf
Lone wolves act maliciously and independently, without any external influence: “Lone wolves are especially dangerous when they have elevated levels of privilege, such as system administrators or DB admins”.
The FBI also lists behavioural clues that can point to an insider threat:
Without need or authorization, takes proprietary or other material home via documents, thumb drives, computer disks, or e-mail. Inappropriately seeks or obtains proprietary or classified information on subjects not related to their work duties.
Interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors.
Unnecessarily copies material, especially if it is proprietary or classified.
Remotely accesses the computer network while on vacation, sick leave, or at other odd times. […]
Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules when clandestine activities could be more easily conducted. […]
Overwhelmed by life crises or career disappointments.
What Is Insider Threat – Real Life Examples
Sage
The accounting and HR software company Sage suffered an insider data breach in 2016. The data of up to 280 of its UK customers was compromised, including salary and bank account details.
An employee had deliberately taken the data, with fraud as the presumed intent. The suspect was later arrested by the City of London Police at Heathrow Airport.
Chicago Public Schools
In 2018, a former Chicago Public Schools employee, a temporary IT worker who had been fired, stole the personal information of about 70,000 CPS employees and volunteers. The data included names, phone numbers, addresses, birth dates, criminal histories, and even records of individuals’ dealings with the Department of Children and Family Services.
Microsoft
At the end of December 2019, a Microsoft customer support database with 250 million entries, accumulated over 14 years, was found to be publicly accessible. The database, which included email addresses, IP addresses, geographical locations and the notes of Microsoft support agents, had been exposed for about a month.
The exposure happened because, at the beginning of December 2019, a change to the database’s Azure network security group contained misconfigured rules, leaving the database reachable from the internet without a password or any other form of authentication. This is a negligent-insider case rather than a malicious one, but the exposure is the same.
Microsoft said that most of the records had already been scrubbed of personally identifiable information; it secured the database as soon as it was reported and notified the affected customers, so the company did not suffer any fines or penalties.
Marriott
In January 2020, attackers gained access to a third-party application used by Marriott that contained 5.2 million guest records. The records included contact information, loyalty account details and personal preferences.
How was this possible? The attackers used the login credentials of two employees at a franchise property to sign in to the application. The suspicious activity went unnoticed for about two months.
The incident was more serious than Microsoft’s because the stolen data included personally identifiable information, and Marriott may once again face severe penalties, as it did after its earlier breach.
Twitter
In July 2020, Twitter also suffered a breach: attackers gained access to 130 high-profile personal and corporate Twitter accounts, and 45 of them were used to promote a Bitcoin scam. Among the notable individuals and companies whose accounts were compromised were Barack Obama, Bill Gates, Elon Musk, Apple and Uber.
The incident started with a phone spear-phishing campaign. The attackers researched Twitter employees who were working from home, called them posing as IT administrators and asked for their credentials. The stolen credentials gave access to internal administrative tools, which in turn let the attackers reset the targeted accounts.
Twitter users who fell for the scam transferred at least $180,000 in Bitcoin. The incident caused Twitter’s stock price to fall by 4%.
You can find some more examples of how other companies dealt with insider threat in one of our previous articles.
What Is Insider Threat – Mitigation
Insider threat can cause serious damage to any company but, fortunately, there are various ways through which you can mitigate it:
Protect your critical assets
These assets can be physical, like facilities or people, or logical, like systems or technologies and, of course, customer data. You can achieve this by adopting a good defense in depth strategy and by making sure you prepare an incident response plan.
When it comes to technology and network, we can also help you. Email is usually the first entry point into an organization’s systems, and our MailSentry mail protection system secures all your incoming and outgoing communications with:
- Deep content scanning for attachments and links;
- Protection against phishing, spear phishing and man-in-the-email attacks;
- Advanced spam filters that stop sophisticated attacks;
- A fraud prevention system against Business Email Compromise (BEC).
Offer valid only for companies.
Enforce Policies
Organizational policies prevent misunderstandings. Make sure that everyone reads the documents and knows exactly what your security procedures are, and what their rights are in relation to intellectual property. Back up these policies with training.
Monitor and Investigate Any Suspicious or Unusual Activity
Investigate any abnormal activity, however harmless it may seem. Remember the FBI’s clues above: copying material without need, accessing systems from unknown locations or at odd hours, working while on leave, and so on. Such clues only stand out when the activity is compared with what is normal for that person’s role, hours and location, so the monitoring needs HR context, not just logs.
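As an added example, not part of the original article, here is a small Python triage script that applies the FBI’s clues to constructed access records: off-hours activity, access while on leave, a login from an unexpected country, reads outside the user’s job scope and bulk copies to removable media. The roster, the events, the thresholds and the field names are all assumptions made for this illustration, not any vendor’s log schema.

```python
"""Flag insider-threat indicators in constructed access-log records.

Added example (not from the original article or the FBI list it quotes).
Assumed data shapes: a small HR roster and a list of access events; the
thresholds and field names are illustrative choices, not a vendor schema.
"""
from datetime import datetime

# Constructed HR context: working hours, current leave, and home country
# (a real deployment would pull this from the HR system or the IdP).
ROSTER = {
    "jdoe":   {"dept": "finance", "hours": (8, 18), "on_leave": False, "country": "GB"},
    "asmith": {"dept": "sales",   "hours": (9, 17), "on_leave": True,  "country": "GB"},
    "rpatel": {"dept": "it",      "hours": (8, 18), "on_leave": False, "country": "GB"},
}
# Which repositories each department has a business need to read (assumed).
DEPT_SCOPE = {"finance": {"payroll", "ledger"}, "sales": {"crm"}, "it": {"tickets"}}
BULK_COPY_THRESHOLD = 50          # files copied to removable media in one event

# Constructed access events: timestamp, user, action, resource, source country, count.
EVENTS = [
    {"ts": "2024-03-12T10:15:00", "user": "jdoe",   "action": "read",     "resource": "ledger",  "src": "GB", "count": 1},
    {"ts": "2024-03-12T23:40:00", "user": "jdoe",   "action": "read",     "resource": "payroll", "src": "GB", "count": 1},
    {"ts": "2024-03-13T11:05:00", "user": "asmith", "action": "read",     "resource": "crm",     "src": "RO", "count": 1},
    {"ts": "2024-03-13T14:20:00", "user": "rpatel", "action": "read",     "resource": "payroll", "src": "GB", "count": 1},
    {"ts": "2024-03-16T02:10:00", "user": "rpatel", "action": "usb_copy", "resource": "payroll", "src": "GB", "count": 120},
]


def indicators(event, roster=ROSTER, scope=DEPT_SCOPE):
    """Return the list of FBI-style indicators an event matches (empty if none)."""
    person = roster.get(event["user"])
    if person is None:
        return ["unknown_user"]          # no HR record: this account should not exist
    ts = datetime.fromisoformat(event["ts"])
    found = []
    start, end = person["hours"]
    # Weekend or outside the person's normal working hours.
    if ts.weekday() >= 5 or not (start <= ts.hour < end):
        found.append("odd_hours")
    # Any access at all while HR says the person is on vacation or sick leave.
    if person["on_leave"]:
        found.append("access_during_leave")
    # Source country differs from the person's home country.
    if event["src"] != person["country"]:
        found.append("unusual_location")
    # Resource is not one the person's department needs for its work.
    if event["resource"] not in scope.get(person["dept"], set()):
        found.append("outside_job_scope")
    # Large copy to removable media.
    if event["action"] == "usb_copy" and event["count"] >= BULK_COPY_THRESHOLD:
        found.append("bulk_copy_removable_media")
    return found


def triage(events=EVENTS):
    """Rank users by the number of distinct indicators seen, highest first."""
    per_user = {}
    for ev in events:
        for ind in indicators(ev):
            per_user.setdefault(ev["user"], set()).add(ind)
    return sorted(((u, sorted(i)) for u, i in per_user.items()),
                  key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for user, inds in triage():
        print(f"{user}: {', '.join(inds)}")
```

The point is the join: a raw event is only “odd” relative to HR context (working hours, leave status, department), so the detection has to consume that context alongside the log. Tune the thresholds to your environment and route hits to an investigation queue rather than blocking automatically, since the FBI list describes indicators, not proof.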
Don’t Forget About the Post-Employment Process
You might not be interested in what your former employees will do next, but you will surely be affected if they decide to go rogue. As MHA Consulting says, “You should always ensure that your employee separation process is well documented. Be sure to include the notification and removal process for physical, network and application access. No matter the reason for the termination, remove access as soon as the individual is no longer with the organization. You should do this within the same day.”
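As an added example, not from the article or from MHA Consulting, the following Python reconciliation checks the “same day” rule: it joins a constructed HR separation list against per-system account exports (badge, VPN and a code-hosting platform) and flags any access that is still enabled or was disabled late, plus standing credentials such as personal access tokens that outlive an SSO disable. The data, the system names and the field names are assumptions made for this illustration.

```python
"""Reconcile HR separations against still-active access.

Added example, not from the article or MHA Consulting. Assumed inputs: an HR
separation list and per-system account exports, all constructed inline; a
real run would pull these from the HR system, the IdP and each application.
"""
from datetime import date

# Constructed HR feed: who left and on which day.
SEPARATIONS = {
    "asmith": date(2024, 3, 1),
    "bjones": date(2024, 3, 10),
    "cwong":  date(2024, 3, 11),
}

# Constructed access inventories: system -> {account: date disabled, or None if still enabled}.
# Physical (badge), network (VPN) and application access are listed separately
# because the separation checklist has to cover each of them.
ACCESS = {
    "badge":  {"asmith": date(2024, 3, 1), "bjones": None,             "cwong": date(2024, 3, 11), "dlee": None},
    "vpn":    {"asmith": date(2024, 3, 1), "bjones": date(2024, 3, 12), "cwong": None,             "dlee": None},
    "github": {"asmith": date(2024, 3, 3), "bjones": None,             "dlee": None},
}
# Standing credentials that do not die with the SSO session: (system, account, credential id).
STANDING_CREDENTIALS = [
    ("github", "bjones", "pat_ci_deploy"),
    ("github", "dlee", "pat_release"),
]


def review(today, separations=SEPARATIONS, access=ACCESS, creds=STANDING_CREDENTIALS):
    """Return findings for leavers whose access outlived their last day.

    Each finding is (account, system, kind, lag_days) where kind is
    'still_enabled', 'removed_late' (disabled after the same-day deadline), or
    'standing_credential:<id>' (a token that needs explicit revocation).
    Results are ordered by lag, so the oldest open exposure comes first.
    """
    findings = []
    for user, last_day in separations.items():
        for system, accounts in access.items():
            if user not in accounts:
                continue                      # leaver never had an account here
            disabled_on = accounts[user]
            if disabled_on is None:
                findings.append((user, system, "still_enabled", (today - last_day).days))
            elif disabled_on > last_day:
                findings.append((user, system, "removed_late", (disabled_on - last_day).days))
        for system, account, cred_id in creds:
            if account == user:
                findings.append((user, system, "standing_credential:" + cred_id,
                                 (today - last_day).days))
    return sorted(findings, key=lambda f: (-f[3], f[0], f[1]))


if __name__ == "__main__":
    for user, system, kind, lag in review(date(2024, 3, 14)):
        print(f"{user:8} {system:8} {kind:32} {lag:>3} days after last day")
```

Disabling the SSO account is necessary but not sufficient: tokens, SSH keys and service credentials issued to the leaver survive it, which is why they are inventoried separately here. In practice the separation feed comes from HR and each inventory from the IdP or the application’s admin API; run the review daily and treat any “still_enabled” row for a past leaver as an incident rather than a routine ticket.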
What Is Insider Threat – Wrapping Up
Whether they know it or not, people are the weakest link in your network security, and whether they intend it or not, they can cause serious problems for any company. Stay vigilant and keep in mind that mitigating insider threat is an essential part of any cybersecurity strategy.
If you are interested in preventing cyberattacks rather than just responding to them, remember that Heimdal™ Security always has your back, and that our team is here to build a cybersecurity culture for anyone who wants to learn more about it.
Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!