Insider threat is there, whether you like it or not

By Dr. Rob van der Staaij CISSP CISA CISM CRISC CEH CPT

Innopay Cybersecurity Lead

Contrary to what many organizations think, or would like to think, insider risk is prevalent. Insiders are considered responsible for nearly 30 percent of cybercrime breaches (source: PwC). Insiders snoop around in your databases, rummage through your printed documents and read other employees’ email. They also use advanced methods to commit their crimes, usually with the aim of converting the proceeds into cash somewhere. A threat actor who is already inside your defence perimeter is hard to detect: such incidents can take months or even years to discover.

Three examples of insider attacks:

  • A financial specialist at a hedge fund stole the company’s trading algorithms despite very tight security controls. He bypassed those controls by working through two virtual machines and eventually sent the information to his personal email account;
  • Three employees at a law firm transferred thousands of confidential documents from their firm to their Dropbox accounts before quitting and moving to another firm;
  • A programmer at a software company inserted a line of code that caused the platform the software ran on to crash, which fed his own side business: the software company then had to call him in to solve the problem.

(Source: darkreading.com)

Insider threat poses higher risk than external attacks

Employees need access to the organization’s digital information to perform their jobs. This information includes sensitive material such as financial data, intellectual property, customer data and strategic plans. That legitimate access is precisely why an insider attack can be far more severe for an organization than an external one. Yet external threats usually get more attention. In addition, an insider attack is often much harder to detect than an external attack, since insiders are more familiar with the organization’s systems than external attackers. Not only do they know their way around, they are also better able to cover their tracks.

Insider threat can roughly be categorized into three different types:

  1. Negligence can be defined as conduct or performance of duty that is below the standards of behaviour and code of conduct established by the culture and policy of the organization, which may result in harm to the organization or its stakeholders;
  2. Theft or fraud can be explained as modifying or stealing sensitive or confidential information for personal gain. Often the information is sold to criminals, a competitor or even a foreign government. Such adversaries may also plant an agent inside the victim organization for the purpose of espionage. Cybercriminals even actively recruit insiders, using the dark web as their marketplace;
  3. Sabotage can be described as deliberately destroying, damaging, or obstructing an organization’s data, computer systems, or equipment, for a variety of reasons such as for gaining political, industrial or military advantage, or simply because of revenge.

Precise numbers or percentages of insider attacks are difficult to measure or obtain. One reason is that this type of attack often goes unnoticed. Another is that, for obvious reasons, organizations are not keen to publicise that they have been attacked by one of their own employees.

Insider threat can be minimised, but not avoided

Unfortunately, there is no single safeguard or panacea that prevents insider attacks. Rather, a combination of controls and measures, which may be very different in nature, is needed to avert or thwart this highly undesirable and risky phenomenon. Common frameworks such as ISO 27001 only provide general guidelines for implementing security controls. The five main controls are:

  1. The first control is the screening and background checking of employees. Screening does not always yield a conclusive result and is bound by strict rules such as privacy regulations. Even so, organizations should always know whom they are dealing with;
  2. Access control is one of the most effective controls if implemented correctly. It requires both organizational discipline and advanced technology in the area of identity and access management. First and foremost, authorizations should be based on the principles of need-to-know and least privilege. Segregation of duties should be technically enforced wherever possible, so that no single identity can hold a toxic combination of rights;
  3. Monitoring is a very useful means of recognising suspicious activity. It includes reviewing log files and real-time monitoring of applications, systems and network traffic. Privileged account management deserves particular attention: it covers the management and monitoring of accounts with far-reaching access rights, such as administrative accounts;
  4. Encryption is highly effective at keeping confidential information unreadable to anyone who does not hold the key; detecting tampering additionally requires authenticated encryption or digital signatures. Note that encryption does not stop an insider who legitimately holds the key, which is why key management is central. Implementing a comprehensive cryptographic environment requires specialist knowledge and expertise and covers many aspects, such as the management of digital certificates, the application of cryptosystems and key management;
  5. Perhaps the most important facet of combating insider threat is culture. A risk-aware culture creates an organizational environment in which internal risk is less likely to materialise. Senior management should encourage such a culture by setting direction and communicating transparently about internal threats. Furthermore, management should emphasize compliance and reward behaviour that effectively manages internal risk. Of course, senior management itself should visibly exercise due care and due diligence. Awareness training is indispensable in creating the right culture.
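Controls 2 and 3 above are the ones that can be turned directly into code. As an added example, not from this article or from Innopay, the Python below does two things: it checks role assignments against a segregation-of-duties rule set so that a conflicting combination of rights is refused at provisioning time, and it runs three simple insider-oriented detections (access outside the user’s own department, privileged actions outside business hours, and a burst of distinct documents from one account) over access-log lines. The role names, the user directory, the `timestamp key=value` log format, the thresholds and all sample data are assumptions constructed for the example.

```python
"""Added example (not from the article): technically enforcing segregation of
duties over role assignments and running simple insider-threat detections over
access-log lines. Roles, directory, log format and thresholds are assumptions."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed segregation-of-duties rule set: no single identity may hold both roles of a pair.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_code", "deploy_to_production"}),
}

# Assumed directory: which department each user belongs to (need-to-know scope).
USER_DEPT = {"alice": "legal", "bob": "finance", "svc_admin": "it"}


def sod_violations(assignments):
    """Return {user: [conflicting role pairs]} for identities holding both roles of a conflict pair.

    Run this at provisioning time (and periodically) so a toxic combination is refused, not just logged.
    """
    violations = {}
    for user, roles in assignments.items():
        held = set(roles)
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)
        if hits:
            violations[user] = hits
    return violations


def parse_line(line):
    """Parse a 'timestamp key=value ...' log line into a dict (assumed log format)."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(lines, bulk_threshold=10, window=timedelta(minutes=5), business_hours=(8, 18)):
    """Return (user, rule, detail) alerts for three insider-oriented rules:
    access outside the user's own department, privileged actions outside business hours,
    and a burst of distinct documents from one account inside a sliding time window."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (timestamp, doc) still inside the window
    for line in lines:
        event = parse_line(line)
        user = event["user"]
        if "doc" in event and event.get("dept") != USER_DEPT.get(user):
            alerts.append((user, "cross_department_access", event["doc"]))
        if event.get("privileged") == "true" and not (business_hours[0] <= event["ts"].hour < business_hours[1]):
            alerts.append((user, "privileged_after_hours", event["action"]))
        if "doc" in event:
            hist = recent[user]
            hist.append((event["ts"], event["doc"]))
            while hist and event["ts"] - hist[0][0] > window:
                hist.popleft()
            distinct = {doc for _, doc in hist}
            if len(distinct) == bulk_threshold:  # fire once, when the threshold is first reached
                alerts.append((user, "bulk_document_access", f"{len(distinct)} docs within {window}"))
    return alerts


def summarize(alerts):
    """Count alerts per (user, rule) so a reviewer sees one line per finding."""
    return Counter((user, rule) for user, rule, _ in alerts)


# Constructed sample data (not real): role assignments and an access log.
SAMPLE_ASSIGNMENTS = {
    "carol": ["create_vendor", "approve_payment"],
    "dave": ["develop_code"],
    "erin": ["develop_code", "deploy_to_production", "read_logs"],
}
_BURST_START = datetime(2024, 3, 4, 22, 5, 11)
SAMPLE_LOG = [
    "2024-03-04T09:12:03Z user=alice action=read doc=contract-0017 dept=legal",
    "2024-03-04T09:12:40Z user=alice action=read doc=contract-0018 dept=legal",
] + [
    # bob (finance) pulls 25 legal contracts in 75 seconds late in the evening
    f"{(_BURST_START + timedelta(seconds=3 * i)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
    f"user=bob action=download doc=contract-{101 + i:04d} dept=legal"
    for i in range(25)
] + [
    "2024-03-04T23:40:00Z user=svc_admin action=login host=db01 privileged=true",
    "2024-03-04T23:41:10Z user=svc_admin action=export db=customers privileged=true",
]

if __name__ == "__main__":
    print("SoD violations:", sod_violations(SAMPLE_ASSIGNMENTS))
    for (user, rule), count in sorted(summarize(detect(SAMPLE_LOG)).items()):
        print(f"{user:10} {rule:28} x{count}")
```

On the sample data, carol and erin are reported as holding a conflicting pair each, alice (legal, two legal documents in office hours) produces no alerts, bob triggers a cross-department alert per document plus one bulk-access alert once his tenth distinct document lands inside the five-minute window, and the service account is flagged twice for privileged activity at night. The point of the design is that the segregation-of-duties check is preventive (refuse the assignment) while the log rules are detective; both are needed, and the thresholds and business-hours window have to be tuned to each organization rather than copied.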

How safe are your crown jewels?

Organizations should understand the exact threats they face. These depend on the value of the digital information the organization owns or controls: the more valuable the information, the more motivated a malicious insider will be. The potential impact can be huge. Violations of the GDPR can lead to fines of up to € 20 million or 4% of global annual turnover, whichever is higher.

What are your crown jewels and how well are they protected?