In recent years, insider threats haven’t been heavily discussed in cybersecurity because we’ve had lots of other, more pressing issues to worry about. For example, ransomware seems to dominate the concerns of CISOs and other leaders in organizations (and rightfully so, given its impact). Yet, the insider threat is still there, and given the new paradigm shift of remote work, it is time for leaders to revisit its impact.
What is an Insider Threat?
First, it’s important to define what we mean by an insider. An insider is someone that works within an organization as an employee, contractor or vendor. This person is typically trusted to carry out their daily duties and may have access to sensitive information or systems due to the privileges that they have been assigned. Keep in mind an insider could be anyone that works in the organization. This ranges from your office's janitor or cleaning staff up to the CEO. Defining the threat an insider may pose relates to how they may use their access or information to create a type of attack. It is also important to understand that not all insider threats are malicious. Some insider attacks are unintentional, meaning mistakes or carelessness can be a threat. For example, if a sysadmin sends out a security update to the entire organization that causes everyone’s PCs to crash.
What Types of Attacks Can an Insider Threat Cause?
The list of potential attacks caused by an insider is extensive and challenging for an organization to understand. However, here are three of the most common types that can cause significant damage:
- Theft: Probably the easiest to understand, this is where an insider steals either physical property or proprietary information through their access or daily duties. For example, a malicious call center employee who has access to sensitive customer information steals this data and either sells it or uses it for their own purposes. This type of threat could also lead to the theft of intellectual property or trade secrets.
- Intentional sabotage: This is typically someone who has a vendetta against the organization or could be considered a disgruntled employee. For example, an IT administrator with privileged access who is about to get fired places a logic bomb (i.e., malware) on the network. This will allow them to delete critical data to the organization weeks after their employment is terminated.
- Unintentional or accidental: Insider threats can also be unintentional or accidental. For example, an employee may unknowingly click on a phishing email that spreads ransomware through the organization, or a developer accidentally deploys insecure code to a production website, which leads to the organization being compromised.
How to Prevent Insider Threats?
Creating a mitigation strategy within your organization to prevent insider threats should be part of any robust cybersecurity program. Here are three tips that provide the basis for any solid insider threat mitigation strategy:
- Know who your employees, contractors and vendors are: Your first step is to understand who your staff are, what they do, and what type of access they have. This also speaks to the organization’s culture. Do you have a supportive and protective culture that would support an insider threat mitigation program, or are you potentially creating insider threats through a negative and unsupportive company culture?
- Know your critical assets and where they are located: Next, you need to conduct an asset inventory and identify your critical assets. Critical assets may be anything from a customer database, intellectual property, or the CEO’s email. Once these assets are identified, determine if you have the right access controls, monitoring and training around your critical assets.
- Continually assess your organization’s risk, monitor, and engage: Prioritize and conduct frequent risk assessments and deploy robust network monitoring and logging. Finally, you need to engage your staff about insider threats through security awareness training, identify staff that may be prone to becoming an insider threat, and monitor or coach these individuals about insider threats if necessary.