I randomly sampled a couple of employees on what jumps out at them when the phrase ‘insider threat’ is used. I got an interesting mix of responses. Phrases repeatedly used include disgruntled employee, unhappy worker, dissatisfied operator, knowledgeable, privileged or tech-savvy user, etc. “We trust our employees”, one respondent said. “We have conducted a risk assessment, and discovered that only about 2% of our workforce are dissatisfied or disgruntled, therefore we believe ‘insider threat’ presents a low risk to our business,” another said.
While most respondents understood the concept of ‘insider threat’ and the risks it presents to an organisation, I realised that most respondents felt the major source of insider threats within an organisation came from disgruntled or unhappy employees with malicious intentions. Insider threats resulting from accidental or inadvertent errors were highlighted by only a few respondents.
An insider, within the context of an organisation, includes regular employees, former employees, contractors and temporary staff, competitors, partners, business associates, malicious or disgruntled employees, etc. The threats insiders pose to a business may be either deliberate or accidental, and the motivations for attacks range from financial gain to revenge, ideology, desire for recognition, loyalty to friends, family and country, etc. A common misconception is that most insider threats are malicious in nature and carried out by a disgruntled employee with privileged access.
A survey in the 2015 Insider Threat Spotlight Report found that less than 50 percent of organizations have appropriate controls to prevent insider attacks, while 62 percent of the survey respondents say that insider attacks are far more difficult to detect and prevent than external attacks.
Many organisations suffer data loss breaches, not necessarily because of malicious insider attacks, but because of inadvertent or unintentional activities by careless users and bad security practices within the organisation. Organisations should recognise that their workforce is both their front line of defence and the weakest link in the chain. Therefore, user groups that may present a higher insider threat risk, such as privileged users, contractors/temporary workers, IT administrators and staff, and executive management, should be monitored closely and properly managed.
While it is great to have preventive controls such as company policies, security awareness training and education, background checks, mandatory vacations, encryption, logical access controls, etc., it is also important that organisations are able to detect insider threat breaches in a timely manner and recover from a successful insider attack. Monitoring of key applications, systems, resources and user activities, Intrusion Detection Systems (IDS), Data Loss Prevention (DLP) tools, etc. are some detective controls that may be combined with preventive or deterrent controls. An illustration of where a combination of controls may be useful is when, for example, the HR department of an organisation conducts an initial background screening on a new hire before employment and gets no red flags. At some point during the course of the new hire’s employment, he/she feels aggrieved and deliberately decides to abuse their access to systems within the organisation. In this scenario, background screening alone is insufficient to detect any malicious intent the employee may develop during the course of employment.
Another area that could increase the risk of insider threat to an organisation is bad security practices by its employees. With an increased number of devices used by employees to access sensitive information, large volumes of sensitive data being transmitted over networks, more and more collaboration and communication apps, cloud storage and file-sharing applications in use, contractors/temporary staff and partners accessing a company’s network, etc., the need for a security strategy, good governance, and policies within an organisation cannot be over-emphasized. People are no doubt the soft underbelly of any organisation, and adequate awareness/training of your workforce can, to a great extent, reduce the risk of inadvertent insider threats.
I came up with the list below, which is by no means exhaustive, of poor security practices within organisations that may open the door for an insider attack.
- Poor management practices, governance and strategies with regard to data protection;
- Absence of policies or standards that govern secure use of company data;
- Lack of, or inadequate, security awareness training and education of employees, especially those with privileged access to systems and resources;
- Poor security culture within organisations;
- Lack of, or poor use of, auditing functions on key business systems, processes, applications and resources;
- Insufficient data protection strategies and solutions;
- Lack of means to detect and respond to insider attacks in a timely manner;
- Third parties given more privileged access to corporate systems than they require;
- Poor password and user access management, which may include missing or untimely revocation of former employees' access rights to business systems and applications, and excessive user permissions to systems;
- Lack of controls for mobile devices, file-sharing applications, cloud storage solutions and websites used by the workforce.
An interesting quote says, ‘Amateurs hack systems, professionals hack people’. With malicious or inadvertent insiders who have access to internal corporate systems, who needs sophisticated attack tools?