Insider threat refers to the risk posed to an organisation’s cybersecurity and sensitive information by individuals who have authorised access to the organisation’s systems, premises, or data. These individuals, typically employees, contractors, or trusted third parties, can intentionally or unintentionally misuse their access privileges to compromise the confidentiality, integrity, and availability of data and systems, leading to security breaches, data leaks, or other harmful consequences.
In the ever-evolving cybersecurity landscape, organisations often focus on defending against external threats, such as hackers and malware. While these threats are undoubtedly significant, it’s crucial not to underestimate the danger that lurks within an organisation itself – insider threats.
The Anatomy of an Insider Threat
Insider threats can be broadly categorised into two main types: malicious and non-malicious (accidental or negligent) threats.
Malicious Insider Threats: These are cases where individuals within an organisation intentionally engage in harmful activities. This could include employees, contractors, or partners who intentionally steal data, sabotage systems, or engage in other harmful actions for personal gain or out of resentment.
Non-Malicious Insider Threats: Negligent employees, often unintentionally, cause security breaches. These individuals inadvertently pose a threat due to their actions, but without any malicious intent. Actions may include making mistakes, such as accidentally clicking on phishing emails or mishandling sensitive information, or simply being unaware of cybersecurity best practices.
Both types of threats can be damaging to an organisation’s security and operations, and require different approaches for prevention and mitigation. It’s important for organisations to address both malicious and non-malicious insider threats through a combination of security policies, training, and technology solutions.
Examples of Insider Threat
In 2020, attackers breached X (formerly known as Twitter) and gained access to 130 high-profile personal and corporate accounts. They used 45 of the compromised accounts to promote a Bitcoin scam. Victims included Elon Musk, Barack Obama, Bill Gates, Jeff Bezos, and well-known companies such as Uber and Apple.
The attackers posed as Twitter IT administrators and asked Twitter employees who were working from home for their credentials. Once they had those credentials, the attackers gained access to internal administrator tools, which they used to reset the accounts of high-profile users and tweet scam messages. The employees in this case had no malicious intent, but the consequences of the breach were significant: X users transferred the equivalent of at least $180,000 in Bitcoin to the scam addresses, and Coinbase, a cryptocurrency exchange, blocked transfers of a further $280,000. After the incident, X’s share price fell by 4%.
Insider threat may also be malicious, with employees deliberately stealing information in order to sell it or take it to a competitor. In May 2022, Yahoo accused a research scientist, Qian Sang, of stealing proprietary information about Yahoo’s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job. Weeks after the incident, Yahoo realised that Sang had taken the data, sent him a cease-and-desist letter, and then brought three claims against him, including theft of intellectual property.
Motivations Behind Insider Threats
Understanding the motivations behind insider threats is crucial for prevention and detection. Some common motivations include:
- Financial Gain: Malicious insiders may steal sensitive data or sell company secrets for personal profit.
- Revenge: Disgruntled employees may seek revenge against their employers by causing harm or disclosing confidential information.
- Ideology: Some insiders may be motivated by political or ideological beliefs to harm their organisation.
- Personal Recognition: Employees seeking recognition or promotion may engage in insider threats to gain attention.
- Carelessness: Negligent insiders may inadvertently compromise security through careless actions or ignorance.
Preventing Insider Threats
The aforementioned real-life examples illustrate the devastating consequences of insider threats. To mitigate this risk, organisations should implement robust cybersecurity measures:
- Employee Training: Regularly educate employees about cybersecurity best practices, emphasising the importance of strong passwords, recognising phishing attempts, and reporting suspicious activities.
- Access Control: Implement strict access controls to limit the information and systems employees can access, granting privileges on a need-to-know, least-privilege basis. ISO 27001:2022 (Annex A control 5.18, Access rights) calls for asset owners to review users’ access rights both on individual changes (onboarding, role changes, and exits) and at regular intervals alongside broader audits of system access. We recommend that organisations review access rights every 6 months, or at least once a year.
- Monitoring and Detection: Employ advanced monitoring and detection systems that can identify abnormal behaviour, such as unauthorised access or data exfiltration.
- Incident Response: Develop a comprehensive incident response plan that includes protocols for addressing insider threats. Rehearse and update this plan regularly.
- Data Encryption: Encrypt sensitive data both in transit and at rest to protect it from potential insider threats, even if they gain unauthorised access.
- Whistleblower Programs: Establish confidential channels for employees to report insider threats or suspicious activities without fear of retaliation.
- Data Loss Prevention (DLP): Implement DLP solutions to monitor and control the movement of sensitive data within and outside the organisation, and enforce encryption and data classification policies to protect sensitive information.
- Secure Remote Access: Ensure secure remote access solutions, including Virtual Private Networks (VPNs) and Multi-Factor Authentication (MFA), to prevent unauthorised access.
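The access-review and monitoring points above are easier to act on with something concrete to run. The script below is an added example written for this article, not Tivarri’s code or part of any product; the HR roster, access list and file-server audit log it works on are constructed samples, and the entitlement and path names are invented. It does two things: an access-rights review that flags leavers who still hold entitlements, reviews older than the six-month interval recommended above, and reviews that predate an HR change such as a resignation; and a bulk-download check in the style of the Yahoo case, comparing each user’s daily download volume against that user’s own median and raising the severity when the user is serving notice.

```python
"""Added example (not Tivarri's code): access-rights review plus a
bulk-download detector, run over constructed sample data."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median
from typing import NamedTuple


class Finding(NamedTuple):
    user: str
    when: str      # ISO date the finding relates to
    reason: str
    detail: str


# Constructed HR roster: status and date of the last HR change
# (hire, role change, resignation notice, or exit).
HR_ROSTER = {
    "alice": {"status": "active",     "changed": "2024-01-10"},
    "bob":   {"status": "notice",     "changed": "2024-05-02"},  # resigned 2 May
    "carol": {"status": "terminated", "changed": "2024-04-20"},
    "dave":  {"status": "active",     "changed": "2023-11-01"},
}

# Constructed access list: entitlements per account (invented names) and the
# date an asset owner last reviewed them.
ACCESS_LIST = {
    "alice": {"entitlements": {"adlearn-repo", "wiki"}, "last_review": "2024-01-15"},
    "bob":   {"entitlements": {"adlearn-repo", "wiki", "finance-share"}, "last_review": "2023-09-01"},
    "carol": {"entitlements": {"finance-share"}, "last_review": "2024-03-01"},
    "dave":  {"entitlements": {"finance-share"}, "last_review": "2024-03-01"},
}


def review_access_rights(roster, access_list, today_iso, max_age_days=183):
    """Event-driven and periodic access review (ISO 27001:2022 A.5.18 style)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for account, entry in access_list.items():
        ents = ", ".join(sorted(entry["entitlements"]))
        person = roster.get(account)
        if person is None:                      # account with no owner in HR
            findings.append(Finding(account, today_iso, "orphaned-account", ents))
            continue
        changed = date.fromisoformat(person["changed"])
        reviewed = date.fromisoformat(entry["last_review"])
        if person["status"] == "terminated" and entry["entitlements"]:
            findings.append(Finding(account, person["changed"], "leaver-still-has-access", ents))
            continue
        if reviewed < changed:                  # role change/exit not followed by a review
            findings.append(Finding(account, person["changed"], "review-predates-hr-change", ents))
        if (today - reviewed).days > max_age_days:   # past the 6-month interval
            findings.append(Finding(account, entry["last_review"], "review-overdue", ents))
    return findings


# Constructed file-server audit log: "<ISO time> <user> <action> <path> <bytes>"
AUDIT_LOG = """\
2024-04-29T09:12:03Z alice download /research/notes.txt 20000
2024-04-29T10:40:21Z bob download /research/adlearn/readme.md 15000
2024-04-30T09:05:10Z alice download /research/notes2.txt 25000
2024-04-30T11:20:45Z bob download /research/adlearn/config.yaml 30000
2024-05-01T09:30:00Z bob download /research/adlearn/model_v2.bin 20000
2024-05-02T14:03:11Z bob download /research/adlearn/model_v3.bin 480000000
2024-05-02T14:05:40Z bob download /research/adlearn/training_set.tar 950000000
2024-05-02T14:10:02Z bob download /finance/q1_forecast.xlsx 2000000
2024-05-02T15:00:00Z carol download /finance/payroll.xlsx 500000
2024-05-02T16:00:00Z dave download /finance/budget.xlsx 800000
"""


def parse_audit_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "action": action, "path": path, "bytes": int(size)})
    return events


def detect_bulk_downloads(events, roster, ratio=5.0, abs_limit=1_000_000_000):
    """Flag a day when a user's download volume is >= ratio x their own median
    daily volume (or >= abs_limit when the user has no history), and any
    download at all by a terminated account."""
    per_day = defaultdict(lambda: defaultdict(int))     # user -> date -> bytes
    for e in events:
        if e["action"] == "download":
            per_day[e["user"]][e["ts"].date()] += e["bytes"]
    findings = []
    for user, days in per_day.items():
        status = roster.get(user, {}).get("status", "unknown")
        for day, total in sorted(days.items()):
            if status == "terminated":
                findings.append(Finding(user, day.isoformat(), "terminated-account-activity", f"{total} bytes"))
                continue
            history = [b for d, b in days.items() if d != day]
            baseline = median(history) if history else None   # median resists one-off spikes
            over = (total >= ratio * baseline) if baseline else (total >= abs_limit)
            if over:
                reason = "bulk-download-during-notice" if status == "notice" else "bulk-download"
                findings.append(Finding(user, day.isoformat(), reason, f"{total} bytes vs median {baseline}"))
    return findings


if __name__ == "__main__":
    for f in review_access_rights(HR_ROSTER, ACCESS_LIST, "2024-05-03"):
        print(f)
    for f in detect_bulk_downloads(parse_audit_log(AUDIT_LOG), HR_ROSTER):
        print(f)
```

On the sample data the review reports bob (review predates his resignation and is more than six months old) and carol (terminated but still entitled to a share), while the download check flags bob’s 1.4 GB pull on the day he resigned and any activity by carol’s terminated account. The per-user median baseline is deliberate: a fixed byte threshold would either miss a researcher who normally moves little data or drown a build engineer who moves a lot, whereas a ratio against the user’s own history catches the change in behaviour. In production the roster would come from the HR system and the events from the file server or DLP tool, and the HR status join is what turns a generic anomaly into an insider-threat alert.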
Insider threats represent a clear and present danger to organisations of all sizes and industries. As technology continues to advance, it’s imperative that companies prioritise cybersecurity best practices, foster a culture of vigilance among employees, and invest in cutting-edge solutions to detect and prevent insider threats.
Tivarri is both ISO 27001 (the main information security standard) and Cyber Essentials certified. Our solutions—Cranberry Cloud and Cranberry Desktop—are configured to ensure that your critical digital information is protected from both internal and external threats.
We deploy a range of cybersecurity services, including multi-factor authentication, email security, web filtering, anti-virus, conditional access policies, end-to-end encryption, and mobile device management, to keep your business safe. In addition to deploying best-in-class technology, we can provide a training service that educates your employees on the steps required to protect your business from insider threats. Email us at [email protected] for more information.