Typically, most businesses are concerned about external adversaries maliciously accessing confidential data and systems. However, businesses often neglect to safeguard against their own employees, who can themselves be a threat to the business. This is known as the insider threat. An insider threat is any employee, vendor, contractor or other person within a business who has authorised access to sensitive data or IT systems and who misuses that access in a way that negatively impacts the business. In this article, we will discuss the types of insider threats, how to detect an insider threat and how to defend against them.
Malicious insiders are individuals who intentionally misuse their access to data or IT systems for personal or financial gain. One example of a malicious insider who was still employed at the time was a Russian nuclear scientist who abused their access to a supercomputer to mine Bitcoin. However, malicious insiders can also be ex-employees who still have access to data and IT systems, or who exfiltrate data before they leave. This was the case when an ex-Google employee saved thousands of confidential files before leaving the company, and when an ex-employee of a financial firm attempted to sell 100GB of customer data for $4,000 online.
Not all insider threats have malicious intent, as is the case for accidental insiders. Accidental insiders are individuals who unknowingly increase cyber risk or harm the business. An example of an accidental insider was an HR employee within the NHS who accidentally sent an email to a team of senior executives. The email included the mental health information and surgery information of 24 NHS employees.
Similar to accidental insiders, negligent insiders do not intentionally harm the business but do so through negligence or carelessness. This may be through the use of shadow IT or avoiding updates or security patches, which can lead to a cyberattack. An example of this was when a Boeing employee shared an Excel spreadsheet with his wife, so she could help solve formatting issues. This spreadsheet contained the personal information of 36,000 employees.
One of the key challenges in defending against insider threats is how businesses can detect an insider threat. As these individuals have legitimate access to data and IT systems, basic forms of detection are not viable.
Therefore, in order to accurately detect insider threats, businesses require a comprehensive Security Information and Event Management (SIEM) platform or a User and Entity Behaviour Analytics (UEBA) solution. These solutions address the challenge by collecting information about the behaviour of individual employees and building a baseline model of what is normal for each of them. If an employee then deviates from that baseline, for example by accessing data they do not normally touch or by starting to save confidential information in bulk, the activity is flagged. The business’s IT department or third-party IT provider can then investigate the behaviour and assess whether the employee is an insider threat.
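The baseline-and-deviation logic described above, reduced to its core, as an added example that is not code from the original article or from any particular SIEM or UEBA product. It builds a per-user profile from constructed access-log events (the user, share names and byte counts are made up) and flags a day on which the user reaches a resource they have never touched or reads far more than their usual volume; the z-score threshold and the fallback spread are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Each event: (user, day, resource, bytes_read). Constructed sample data, not real logs.
BASELINE_EVENTS = [
    ("alice", "d1", "hr-share", 5_000_000),
    ("alice", "d2", "hr-share", 6_000_000),
    ("alice", "d3", "finance-share", 5_500_000),
    ("alice", "d4", "hr-share", 6_500_000),
    ("alice", "d5", "finance-share", 5_000_000),
]
SUSPICIOUS_DAY = [("alice", "d6", "hr-share", 4_000_000),
                  ("alice", "d6", "source-repo", 200_000_000)]
NORMAL_DAY = [("alice", "d7", "finance-share", 6_000_000)]

def build_baseline(events):
    """Per user: the set of resources normally touched and the mean/stdev of daily bytes read."""
    resources = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, day, resource, nbytes in events:
        resources[user].add(resource)
        daily[user][day] += nbytes
    baseline = {}
    for user, days in daily.items():
        totals = list(days.values())
        baseline[user] = {"resources": resources[user],
                          "mean": mean(totals), "stdev": pstdev(totals)}
    return baseline

def score_day(baseline, user, events, z=3.0):
    """Return the reasons one user's single-day activity deviates from their baseline."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]  # new or unknown account: review manually
    reasons = []
    new_resources = sorted({r for _, _, r, _ in events} - profile["resources"])
    if new_resources:
        reasons.append(f"first access to {new_resources}")
    total = sum(n for _, _, _, n in events)
    # A flat history gives stdev 0; fall back to 10% of the mean (assumed) so every byte is not flagged.
    spread = profile["stdev"] or max(profile["mean"] * 0.1, 1)
    if total > profile["mean"] + z * spread:
        reasons.append(f"read {total} bytes vs. baseline mean {profile['mean']:.0f}")
    return reasons

if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for label, day in (("normal", NORMAL_DAY), ("suspicious", SUSPICIOUS_DAY)):
        print(label, score_day(base, "alice", day) or ["within baseline"])
```

A real deployment would learn the baseline over weeks of SIEM data and add more signals (time of day, device, peer-group comparison), but the shape of the check is the same: profile, then flag the deviation for a human to investigate.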
Whilst detecting an active insider threat can help with remediation, it can also come too late if the employee has already exfiltrated data or shared confidential information. To defend against malicious insider threats, businesses need to identify where all their sensitive information resides and determine who has access to this data. Most businesses allow employees to access more sensitive information than their role requires. This can be solved through the Zero Trust principle of least privilege. This principle states that employees should only be given the privileges required to complete their job, and nothing more. It limits the damage a malicious insider can do, as employees cannot access or exfiltrate data beyond what their role requires.
As many insider threats only abuse access after they have left the company, businesses should ensure that after an employee leaves, their access to any company data or IT systems is revoked. If the employee has additional login credentials to systems, such as administrator or root credentials, these passwords should be changed.
The above recommendations also help to defend against accidental and negligent insiders, but they are not enough on their own. To defend against these insider threats, businesses need to develop a strong security culture and give employees the education and tools they need to ensure they do not become a risk to the business. This can be accomplished through cybersecurity awareness training and regular tests or quizzes to ensure that employees retain the knowledge. If a business can create a strong security culture, employees are less likely to become accidental or negligent insiders.
Many businesses struggle to implement the necessary safeguards to both detect and defend against insider threats. If your business is looking to start taking insider threats seriously, contact us today and we can help with the deployment of security solutions, as well as running cybersecurity awareness training.