When it comes to cybersecurity, we often focus our attention on how to protect an organisation from external threats. However, discounting insider threats can be a costly mistake, both financially and reputationally.
Originating from individuals with authorised access and privileged knowledge, insider threats adversely impact an organisation’s people, facilities, information, and systems. But what do insider threats look like in the age of remote work, AI and social media? And how can organisations adequately protect themselves from the potential threat within?
From nation-state to innocent mistakes: The face of insider threats
The make-up of an insider threat varies enormously. There is no one-size-fits-all profile, so insiders can be hard to spot and their intentions hard to read. Ultimately, the aim of a malicious insider is to blend in and go undetected, and, with legitimately granted privileged access to sensitive data, they often do.
On one hand, an insider threat could look like an employee (ex or current) acting intentionally to harm an organisation for personal, professional, or financial gain, or seeking retribution for personal grievances. Their actions could involve exfiltrating sensitive data or stealing intellectual property.
One example of this is the 2016 case of a former Google employee downloading thousands of highly sensitive company files onto his personal laptop (pertaining to Google’s self-driving car project) and handing them over to his new employer, Uber.
On the more extreme end of the spectrum, there’s the threat posed by hostile actors and/or organised crime groups. Direct infiltration into an organisation by external threat actors, through recruitment or the supply chain, is one option. But threat actors often seek to identify ‘collusive’ insiders vulnerable to financial temptation, or use coercion to gain access and influence over insiders for malicious ends.
Equally, an insider threat may arise from a simple act of negligence, or a lack of security awareness, that leads to a data breach. This can happen because of poor security training provision or mishandled data. Also falling into this category is the risk from third parties who may misuse or mishandle the privileged access they have been granted to an organisation’s facilities, networks, systems or personnel.
The evolution of insider threats: From new technology to remote work
Ultimately, the risk posed by insider threats is evolving, in part due to emerging technologies such as AI and post-pandemic remote working. Attack surfaces are growing, employees are no longer tied to on-prem networks, and social engineering tactics are becoming ever more sophisticated and harder to discern.
When it comes to remote working, employees frequently do not adhere to the same stringent security standards as those on-site. Work devices may be misused (or, rather, used to access non-work-related content) and personal networks are not secure, leaving security teams with little control. There is always a risk of complacency around employee security, but risky behaviours become harder to spot when they are not unfolding in an environment that is easy to control.
For example, at home, an employee may become overly trusting of their housemates (family or otherwise) and leave their laptop open and unlocked when not working. Or, if working in a third space, an employee’s screen may be exposed to wandering eyes. Because it is in our nature to trust those around us, it may feel unlikely that such a seemingly innocuous action presents significant risk, but the risk is real and quantifiable – and it shouldn’t be ignored.
Additionally, social media provides a breeding ground for insider threat reconnaissance. On less formal platforms, we may overshare personal details about ourselves, from our ‘likes’ to images of and information about our loved ones. On professional platforms, we often share details of our day jobs, where there is always a risk of accidentally disclosing sensitive information. This creates a perfect storm for attackers to socially engineer their way into an organisation: threat actors can use social media to gather intelligence and then launch targeted spear-phishing attacks that exploit the trust and relationships built within online communities.
Equally, the rise of new technologies presents significant risk. Many organisations cannot keep up with the pace of evolution and innovation in this space, especially where security risk is concerned. Specifically, AI and deepfake technologies pose new challenges for security leaders, enabling sophisticated impersonation attempts of key personnel that may go undetected by traditional authentication methods. Earlier this year, for example, one Hong Kong company claimed to have suffered a $25 million loss after attackers used deepfake technology to impersonate the company’s CFO on a video call.
The persistent threat posed by insiders (resulting in data breaches, unauthorised access or persistence on systems), whether through deliberate action, negligence or lack of awareness, emphasises the critical need for organisations to implement strong cybersecurity measures. Proactive prevention, detection and mitigation strategies are therefore essential to combat the threats posed by insiders.
Three ways to mitigate risk from insider threats
Develop explicit policies that outline expectations of employees: In collaboration with HR, security and legal teams, business leaders should strive to explicitly outline policies that vet and monitor employees and manage incident response, promoting transparency and accountability. By outlining expectations, leaders can avoid grey areas of responsibility and mitigate risk.
Focus on creating a strong security culture: Empower employees with the education and awareness to notice and report unusual activity. Offer employees refresher courses and/or specialised seminars that evolve with the threat landscape and are tailored to individuals. Educate employees on how insider threats may present themselves, why they may occur, and how to mitigate the risk of them. Finally, train supervisors and managers on their personal responsibilities regarding insider threats and on how to hold their teams to the same standards.
Establish comprehensive (and transparent) governance frameworks: Make sure people know what’s expected of them – and that they stay compliant. One way to do this is by leveraging already established frameworks to highlight best practices and enhance overall security. Frameworks provided by the National Protective Security Authority (NPSA) and Industry Personnel Security Assurance (IPSA) are handy benchmarks for reference.
Understanding the danger of insider threats
Fundamentally, it is important to understand the risk of insider threats by empowering leaders with knowledge of what they may look like and what may motivate them, especially at a time when things move quickly and attack surfaces are expanding drastically. By being proactive and mitigating unnecessary risk through policy and training, organisations can be safer in the face of insider threat risks.