
How to Detect and Mitigate Insider Risks in Your Organization


The following is an edited extract from Understand the Cyber Attacker Mindset.

The terms insider risk and insider threat are often used interchangeably, and it is worth taking a moment to consider the differences. You may decide to use a different definition for your own organization.

What is an insider risk?

This is the overarching risk that anyone inside the organisation (employee, contractor or partner) can pose, which leads to the unauthorised disclosure of sensitive information or other unintended consequences.

This can often be attributed to poor policy and controls, a lack of education and awareness, or someone making a mistake that leads to the resulting damage and harm. Generally, the risk does not assume malicious intent by the individual.

What is an insider threat?

This is the risk that specific individuals (employee, contractor or partner) can pose, that leads to the unauthorised disclosure of sensitive information, or other unintended consequences that may be considered unethical, harmful or illegal.

This can often be attributed to a deliberate action to circumvent poor policies and controls. Generally, the threat assumes there is a deliberate intent by the individual.

What is the difference?

Irrespective of whether the action was intentional or not, the impact can often be the same if there has been a compromise to the organization’s networks and systems or a data breach. The ability to perform such nefarious actions generally points to flaws in policies and processes, and to the ability to take advantage of such flaws.

Even when considering the will and motivation of an individual to deliberately circumvent a policy, it might not be for malicious purposes. For example, a common issue is when an employee leaves the organization and may take some information with them, such as reports or presentation slides they created, or particularly like and want to reuse. It may not contain sensitive data, but, technically, this is still the intellectual property of their employer and could be considered theft, depending on the policies of the organization.

It gets a little more deceptive when people take lists of customers and their contact details with them, especially when going to a competitor organization. It gets even murkier if the employee argues that these were their customers to begin with, as they were encouraged to bring contacts from their previous employment – so who is in the wrong here?

Of course, if an employee exfiltrates sensitive information, such as business plans, pricing lists or sensitive research to share or sell to other third parties, this can be considered a deliberate intent to remove information, especially if they are going out of their way to hide their actions, such as renaming or applying passwords to documents.

So, an organization not only needs to consider the intent and motivation of the person that may have access to sensitive information and systems, but whether they have defined the thresholds and consequences when policies or employment contracts may have been violated, as well as any obligations for internal and external reporting to law enforcement or regulators.

There is a layer in between, which is the coerced and manipulated insider and whether there is a deliberate intent to perform a specific action. Examples of a manipulated insider with no malicious intent are those people who have been the target and victim of a phishing email or business email compromise where they have been duped into performing actions. An example of a manipulated insider with malicious intent may be someone who has been paid to perform a specific action. There can often be a level of apathy towards the organization, where the employee does not care whether trust has been breached or may not even consider that the resulting action has a high impact on the organization.

The culture of the organization, how they treat people and how they monitor for cases of delinquent or changing behaviour are important factors in how they perceive and manage insider risks and threats.

Rise of the super malicious insider

DTEX (2022) highlighted how in the last few years 75 per cent of insider-threat investigations originated from within the individual’s home.

It identified a significant increase in industrial espionage incidents and the rise of the ‘super malicious insider’, which is a malicious insider threat with superior technical skills and in-depth knowledge of common insider threat detection techniques. Typically, this person has a deep understanding of the technical environment, the level of monitoring performed, and how to circumvent and bypass system controls. This enables the individual to perform higher levels of espionage, fraud, sabotage and other workplace violations in a more efficient manner. The research identified a noticeable increase in the use of OSINT (open source intelligence) practices to conceal their identity and actions. DTEX identified that:

  • The ‘super malicious insider’ accounted for 32 per cent of all malicious incidents.
  • 42 per cent of actionable incidents were related to IP and data theft, including industrial espionage related to the theft of trade secrets, source code and active collusion with a foreign nexus.
  • Most of the super malicious insiders worked in financial services and critical infrastructure industries.

Challenges with monitoring for insider threats

There is often an assumption, rightly or wrongly, that, once employed, someone can be entrusted with access to highly sensitive information right from the outset, even though such trust has not been verified. It also brings into question whether some individuals have deliberately applied to such positions for the sole purpose of getting access to sensitive information and other resources.

There is often a challenge to balance monitoring behaviour in a work environment with monitoring behaviour across all aspects of someone’s life. It brings in issues of privacy and potentially violating someone’s human rights. The irony is that even attackers have exercised their rights to privacy when asked by law enforcement to hand over passwords and encryption keys. It therefore requires knowledge of local laws and regulations to determine what may or may not be allowed and under what circumstances.
