
Insider Threats and Enterprise Security
Author: George Kaduru
April 2021
1.0. INTRODUCTION
Owning and running a business, organisation, or company is a lot of work. It is even more so now that advances in ICT and process automation have escalated what was once a low-level risk: cyber risk. One of the components of that risk is the insider threat.
You may wonder if this is really a thing, or even a risk to be cautious of, and unfortunately our answer to you is YES. Individuals inside your organisation, such as current or former employees, partners, and vendors, may pose a threat to the security of your business. These individuals can use their access to networks and assets to reveal, alter, or remove confidential information, intentionally or unintentionally. Human beings are arguably one of the most dangerous security risk factors. Therefore anyone with insider knowledge and/or access to your organisation’s confidential data, IT, or network resources is a potential insider threat.
2.0. INSIDER THREAT STATISTICS
Insider threats have been the cause of a lot of security breaches in organisations and businesses, both big and small. Let us take a look at some numbers and facts behind this.
a. In the last two years, insider incidents have reportedly risen by 47%, whether caused by a malicious close associate or employee, or by accidental errors. Yes, accidental errors. Between 2018 and 2020 the count increased from 3,200 to 4,700 incidents per year, and because of these rapidly increasing numbers approximately 60% of organisations now experience more than 30 insider incidents a year. Shocking!
In the same report, malicious insiders were behind 23% of insider-related incidents, and stolen or misused credentials accounted for a further 14%. Each insider-related incident was costed at an average of $755,760 (look at that figure again, please).
b. According to a 2020 global threat report, 60% of organisations experienced more than 30 insider-related incidents that year, and 62% of those incidents were due to negligence. Another study from 2019, the Varonis Data Risk Report, also showed that every employee has access to about 17% of an organisation’s sensitive files.
c. Just 1 in 5 IT professionals consider insider threats to be a security issue, according to a 2020 study on insider threat statistics. Just 39% of businesses have a team of cybersecurity specialists with a thorough understanding of information protection who can properly assess cyber risk and enforce preventative measures. This goes a long way to explaining why internal security breaches are so common: employees, employers, and even some IT personnel regularly fail to follow security protocols, consciously or not.
We could go on and on exploring these facts, but you get the point already. Let us look at the various types of insider threat, then dive deeper with some real-life examples of the kind of impact these threats have.
3.0. TYPES OF INSIDER THREATS
In cybersecurity, there are two distinct types of insider threat: the Malicious Insider and the Negligent Insider.
a. Malicious Insider Threat
As the name implies, a malicious insider can be likened to the hero-turned-villain scenes that are popular in movies. They knowingly and intentionally steal or alter company data, or breach the organisation’s network, seeking to do harm. A common case is the former employee who was laid off and seeks to get back at a previous employer. Another is the current employee who has legitimate authorisation, credentials and access to company valuables and abuses them, for fun or for financial gain.
b. Negligent Insider Threat
To be negligent is to fail to do something you are responsible for, which can lead to adverse consequences. This pretty much sounds like the entirety of the human population, right? We have all been negligent before and sometimes still are. However, neglecting your cyber safety is a gamble that is detrimental not only to you but to everyone around you and beyond, more so when you are part of a business or an organisation. This risk factor is arguably more dangerous than the first because it is far more common: negligent insiders are ordinary employees whose mistakes are exploited by bad actors, leading to the compromise of data. The employee becomes an unwitting participant in a security incident, whether through a missing laptop, a confidential document emailed to the wrong person, or a malicious email attachment that gets opened.
Here are some real life examples to help put our explanations of insider threats into better perspective:
i. The employee who profited from selling company data
In 2017, a Bupa employee used an internal customer relationship management system to access customer data, copied it, removed it from the database, and then tried to sell it on the dark web (talk about sinister!). The breach affected 547,000 customers and in 2018, after an investigation by the Information Commissioner’s Office (ICO), Bupa was fined £175,000.
ii. The employee who was a victim of a phishing scam
A phishing email was sent to a senior staff member at the Australian National University. What happened next? A total of 700 megabytes of data were taken. This included names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account information, and student academic records for both staff and students. An outright robbery.
iii. For a competitive advantage, this employee brought company data to a new employer
This incident involved Google and Uber. A lead engineer on Google’s self-driving car project, Waymo, left the company in 2015 to launch his own self-driving truck company, Otto. Before leaving, however, he stole trade secrets, a whole lot of them, by downloading some 14,000 files from Google’s servers to his own computer (the guts he had). A few months later Otto was acquired by Uber, and Google executives discovered the theft. He eventually pleaded guilty to the charge.
iv. The employee who sent company data to a personal email
Many employees email company data to themselves to work on over the weekend (which is quite unsafe, by the way). In this case, however, a Boeing employee shared a spreadsheet with his wife in the hope that she could help with formatting issues. Although this may seem innocuous, it was not: the spreadsheet contained employee ID records, places of birth, and accounting department codes, exposing the personal details of 36,000 employees, all in the name of love.
4.0. DETECTION, PREVENTION AND RESPONSE
4.1. DETECTION
By now you’re probably asking; how can I detect an insider threat in my organisation? Can it be detected before anything can happen? And our answer to you is the same as in the first section of this article, yes it can. Whether digitally or in person, there are some common behaviors that indicate an active insider threat. For CISOs, security architects, and their teams to track, identify, and stop possible insider attacks, these indicators are critical. They are broken down into digital and behavioural warning signs:
Digital Warning Signs
- Obtaining or downloading unusually large volumes of data
- Sending confidential information outside the company
- Using unapproved storage devices (e.g., USB drives or other removable media)
- Accessing information that is outside their normal behavioural profile
- Making multiple requests for access to resources not associated with their job function
- Copying files from confidential directories, or hoarding data
- Crawling the network looking for sensitive or classified information
Behavioural Warning Signs
- Having a negative attitude toward coworkers
- Trying to get around security controls
- Breaking corporate policies
- Frequently being in the office during off-hours
Although human behavioural alerts may be an indicator of potential problems, the most effective way to identify insider threats is through digital forensics and analytics. User behaviour and security analytics aid detection by baselining what is normal for each user and alerting when a user behaves suspiciously or differently from that norm. Isn't technology great!
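To make the digital warning signs above concrete, here is an added example (not code from the original article or from any vendor product) of the kind of baseline-and-deviate check that user behaviour analytics performs. It learns each user's normal daily download volume from a learning period, then flags bulk downloads, off-hours activity, copies to removable media and access outside the user's role on the days that follow. The log records, user names, paths, role mapping and thresholds are all constructed for illustration.

```python
"""Added example: a toy user-behaviour analytics pass over constructed
file-access records. Everything here (users, paths, volumes, thresholds)
is made up; it is not the original article's code or any product's logic."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (timestamp,user,action,path,bytes), not a real log.
# 1-5 March is the learning period; 8 March is the day under examination.
SAMPLE_LOG = """\
2021-03-01T09:12:00,alice,read,/finance/q1_budget.xlsx,20480
2021-03-02T10:05:00,alice,read,/finance/q1_forecast.xlsx,30720
2021-03-03T11:40:00,alice,read,/finance/vendor_list.xlsx,25600
2021-03-04T09:55:00,alice,read,/finance/q1_budget.xlsx,28672
2021-03-05T14:20:00,alice,read,/finance/payroll_summary.xlsx,22528
2021-03-01T09:30:00,bob,read,/eng/design.pdf,512000
2021-03-02T13:10:00,bob,read,/eng/specs.docx,409600
2021-03-03T15:45:00,bob,read,/eng/design.pdf,512000
2021-03-04T10:00:00,bob,read,/eng/roadmap.pptx,614400
2021-03-05T16:30:00,bob,read,/eng/specs.docx,409600
2021-03-08T10:15:00,alice,read,/finance/q1_budget.xlsx,26624
2021-03-08T23:41:00,bob,read,/hr/salaries.csv,52428800
2021-03-08T23:52:00,bob,copy_to_usb,/eng/design.pdf,512000
"""

# Hypothetical role-to-directory map; in practice this comes from IAM/HR data.
ROLE_PATHS = {"alice": ("/finance/",), "bob": ("/eng/",)}
BASELINE_CUTOFF = datetime(2021, 3, 6)  # events before this date train the baseline
OFFICE_HOURS = range(8, 19)             # 08:00-18:59 counts as normal working time
Z_THRESHOLD = 3.0                       # flag a day > 3 std-devs above the user's mean


@dataclass
class Alert:
    user: str
    reason: str
    detail: str


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path, size = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "bytes": int(size)})
    return events


def daily_volumes(events):
    """Total bytes per (user, calendar day)."""
    vol = defaultdict(int)
    for e in events:
        vol[(e["user"], e["ts"].date())] += e["bytes"]
    return vol


def build_baseline(events):
    """Per-user mean and population std-dev of daily volume over the learning period.
    A user with a single baseline day gets sd == 0, so any increase trips the check;
    in production you would insist on a minimum number of learning days."""
    per_user = defaultdict(list)
    for (user, _day), total in daily_volumes(events).items():
        per_user[user].append(total)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def analyze(log_text, cutoff=BASELINE_CUTOFF):
    events = parse_log(log_text)
    history = [e for e in events if e["ts"] < cutoff]
    recent = [e for e in events if e["ts"] >= cutoff]
    baseline = build_baseline(history)
    alerts = []

    # 1. Bulk download: a day's volume far above the user's own history.
    for (user, day), total in daily_volumes(recent).items():
        if user not in baseline:
            alerts.append(Alert(user, "no_baseline", f"{total} bytes on {day}"))
        else:
            avg, sd = baseline[user]
            if total > avg + Z_THRESHOLD * sd:
                alerts.append(Alert(user, "bulk_download",
                                    f"{total} bytes on {day} vs mean {avg:.0f}"))

    for e in recent:
        # 2. Activity outside working hours.
        if e["ts"].hour not in OFFICE_HOURS:
            alerts.append(Alert(e["user"], "off_hours",
                                f"{e['action']} {e['path']} at {e['ts']:%H:%M}"))
        # 3. Copy to removable media.
        if e["action"] == "copy_to_usb":
            alerts.append(Alert(e["user"], "removable_media", e["path"]))
        # 4. Access to data outside the user's role (an unknown user matches nothing).
        if not e["path"].startswith(ROLE_PATHS.get(e["user"], ())):
            alerts.append(Alert(e["user"], "outside_role", e["path"]))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.user:6} {a.reason:16} {a.detail}")
```

On the constructed data, alice's 8 March activity stays within her own baseline and produces nothing, while bob trips all four checks at once: a 50 MB read of an HR file at 23:41, a copy of an engineering document to a USB device, and a daily volume two orders of magnitude above his mean. The point of baselining per user rather than using one global threshold is that bob's normal half-megabyte design documents would themselves look like "bulk downloads" next to alice's spreadsheets.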
4.2. PREVENTION
In ancient times, when wars between states were very prevalent, every state had a defence plan in place to counter whatever attacks might occur. This was a smart strategy and it still is. Every business should have an Insider Threat Defence Plan (ITDP) in place. It will vary from company to company, but below is a series of steps, a template if you will, that you can adapt to implement it in your business:
i. Monitor activity on your main data sources: file servers, databases and email.
ii. Know where your confidential files are stored at all times.
iii. Determine who has access to the information and who should continue to have access to it.
iv. Maintain a paradigm of least privilege across your infrastructure.
v. Use security analytics to detect unusual activity.
vi. Instil a data protection mentality in the staff.
4.3. RESPONSE
Prepare for the worst, pray for the best; that’s how the saying goes. Meaning we can still be heroes even when compromised, because not only do ITDPs exist, Insider Threat Response Plans (ITRPs) are also a thing! ITRPs are just as important as ITDPs, as they set out how to respond to a potential data breach. In the event of a potential breach, it is important to:
i. Determine which users and files are affected.
ii. Disable the accounts of whoever appears to be compromised or malicious.
iii. Assess the seriousness and threat level of the attack.
iv. Notify the relevant parties.
v. If required, restore data that has been deleted (another reason why backups are important).
vi. Revoke the access privileges of ALL compromised users.
vii. Purge any and all malware that was used in the attack.
viii. Re-enable any security controls that were bypassed.
5.0. CONCLUSION
Protecting your business or organisation from the inside out is not rocket science; it merely requires a healthy dose of cyber hygiene. Not so much of a big deal, eh? We’re glad you have it all under control now.
REFERENCES
https://www.tessian.com/blog/insider-threats-types-and-real-world-examples/
https://techjury.net/blog/insider-threat-statistics/#gref