Insider threats, whether acting out of malice or negligence, pose a constant risk to all organisations.
With so many cyber security priorities to balance, it isn’t always easy to know where to start. The mistake that many organisations make is to view threats originating from outside as their sole focus. However, with insider threats proving a persistent presence, this can often be a very costly oversight.
This guide seeks to provide clarity on the different types of insider threats you need to be aware of and the controls and processes you can put in place to defend against them.
What are insider threats?
Insider threats in cyber security are threats posed to organisations by current or former employees, contractors, business associates or other partners. These individuals have access to confidential information on the organisation in question, and may misuse access to networks, applications and databases to intentionally or unintentionally cause damage and disruption and/or erase, modify or steal sensitive data.
Information at risk of being compromised by insider threats could include personal information relating to employees and clients, intellectual property, financial records, and details about company security controls. All organisations are at risk of insider breaches, but recent research has indicated that the finance, manufacturing and healthcare sectors can be particularly susceptible.
Kroll’s quarterly Threat Landscape Reports identify insider threats as a constant menace for organisations, responsible for as much as 35% of all unauthorised access incidents.
Types of insider threats
Contrary to popular belief, insider threats aren’t always malicious in nature. Most insider threat definitions encompass any actions from an insider that could negatively impact an organisation, and in many cases these actions are borne out of negligence rather than malice.
Negligent insider threats often take the form of inadvertent employee errors, such as falling for phishing scams or mistakenly compromising file integrity. Ponemon research has suggested that well over half of insider threat related incidents are the result of negligence.
Malicious insider threats include rogue and disgruntled employees or contractors that purposely leak an organisation’s confidential data for financial gain and/or misuse access to systems to inflict damage or disruption. Criminal insiders may work alone, collude with competitors, or be affiliated with ransomware cartels or other adversary groups.
The four common types of insider threats are outlined below:
Second streamers
Defined as current employees or contractors looking to ‘stay and profit’, second streamers misuse confidential information to generate additional income through fraud, external collusion or by selling trade secrets. Cybercriminals are increasingly looking to target employees at large corporations, offering a payment for the sharing of credentials and further payments for every month they remain active.
Disgruntled employees
Disgruntled current or former employees that steal intellectual property or commit intentional sabotage are among the costliest threats to organisations. Gartner’s insider threat statistics suggest almost a third of criminal insiders commit theft for financial gain.
Inadvertent insiders
Inadvertent insiders are individuals who exhibit secure and compliant behaviour but make occasional errors, and often don’t realise their mistakes until it is too late. Cyber security awareness training plays a vital role in tackling this type of insider threat.
Persistent non-responders
Persistent non-responders are employees, often senior executives, that remain continuously unresponsive to cyber security awareness training. These employees often exhibit behaviours that could leave them vulnerable to compromise and are often targeted by social engineering scams such as Business Email Compromise (BEC) attacks.
Insider threat awareness
It’s important to recognise that high-profile employees aren’t the only individuals within a business that are likely to be targeted by cybercriminals. The reality is that employees in many different roles and levels can make attractive targets, and all employees should be educated on these risks. Here are just a few examples:
- An IT Help Desk Engineer is likely to have admin account access which could be used to install remote admin tools to provide persistence
- A cyber security analyst will have an inherent understanding of an organisation’s network and its recent assessment reports, which could help attackers identify blind spots
- A salesperson will have access to client lists and contractual terms and CRM data which could be commercially damaging if they were to be made public
- Research and development staff may have access to trade secrets or proprietary product information which could be useful in the hands of potential competitors
Any information may at first appear to be nonsensitive or nonsecure until you determine what you’re ultimately providing access to. Organisations shouldn’t take any part of their workforce, or their level of access, for granted.
Insider threat examples
A range of insider breaches have hit the headlines in recent years, underscoring the dangers of insider threats to businesses.
Waymo
Perhaps the highest profile of these incidents involved Waymo, the autonomous car division of Google. In May 2016, an employee left the company to found a self-driving truck business, Otto, which was bought within 2 months by Uber. It has been alleged that prior to his departure from Waymo, the individual in question downloaded thousands of confidential files and trade secrets, including blueprints, design files and testing documents. A lawsuit brought by Waymo against Uber was settled part way through a trial, with Waymo receiving a financial settlement valued at around £197 million.
Tesla
Another high-profile incident of recent times involves a disgruntled employee at Tesla, who, it is alleged, abused internal privileges to perform industrial sabotage by making changes to software systems controlling the manufacturing process. This prompted a public legal dispute and claims of whistleblowing, which had a damaging effect on the company’s reputation.
General Electric
In a breach spanning almost ten years, two employees at General Electric stole over 8,000 files with the intention of setting up a rival company to GE using marketing data, pricing information and other trade secrets to gain a competitive advantage. The co-conspirators were finally caught by the FBI in 2019, jailed and forced to pay millions in restitution.
Shopify
In September 2020, two members of support staff at e-commerce company Shopify abused their access rights to steal customer data, including names, addresses and order details, from almost 200 merchants that used the platform, causing a 1.3% drop in Shopify’s stock price.
Punjab National Bank
One of the most financially damaging insider breaches to-date concerns the Punjab National Bank in India. An employee at the bank used the SWIFT interbank communication system to create a sophisticated chain of transactions to fraudulently transfer funds totalling over £1.5 billion.
Morrisons
In a case which reached the Supreme Court in April 2020, UK supermarket chain Morrisons appealed against a judgement finding it vicariously liable for the actions of a malicious insider. The disgruntled internal auditor leaked sensitive information relating to 100,000 employees. This included national insurance numbers, birth dates and banking details.
Coca-Cola
Another insider breach in 2017 involved one of the world’s biggest brands, Coca-Cola. A former employee at one of the company’s subsidiaries was discovered to have stolen a hard drive which contained the personal information of 8,000 employees. This breach caused much public embarrassment for the organisation, but the repercussions could have been much greater had it occurred after May 2018, the enforcement deadline of the GDPR.
Insider threat management
Whilst these insider threats examples can be daunting, organisations can significantly reduce the risk but by taking proactive steps.
Five key safeguards are outlined below:
Closely manage permissions and privileges
Closely managing user account privileges is essential to limit the risk of malicious compromises, whether directly by an employee or indirectly by an outsider that has gained access to an account.
It is recommended that organisations adopt a policy of least privilege – ensuring employees, contractors and agencies only have the minimum set of system privileges required to perform their duties. As employee roles change, it is also important to regularly review permissions, and to ensure that privileges are immediately revoked when employees depart.
Implement a device management policy
In most businesses, staff access company systems from a wide range of locations, and on a host of different devices. This is particularly pertinent with the mass remote working brought on by the COVID-19 pandemic. Many organisations now have BYOD policies, but unsecured devices present a variety of security risks.
Organisations should ensure office networks are segregated, with dedicated WiFi networks for personal devices. All employee devices should also have endpoint security software installed.
Application control is also important, and organisations should create a whitelist of approved apps to ensure employees know which tools are permitted.
Monitor USB usage
Most data exfiltration by an insider is carried out via the use of personal external storage media. Cloud storage can provide much more secure means of storing data than traditional methods, with more robust security logging. Disabling or, at the very least, monitoring USB points on high risk devices is highly recommended.
Provide regular staff training
Human errors are an operational reality and more often than not, people are the weak link in the security chain. However, this doesn’t make training redundant – improving security awareness and educating employees about their data security obligations is a crucial step to reducing risk.
Security awareness training should cover topics such as data protection, phishing prevention and password management.
Conduct proactive monitoring
Proactive network security and endpoint monitoring, using a combination of technologies such as SIEM, XDR and EDR, is one of the most effective ways to identify and respond to insider threats before they cause damage and disruption.
Monitoring starts with the establishment of a baseline of ‘normal’ activity. Behaviour that falls outside this baseline can then be flagged and analysed to ascertain whether it could be malicious.
Invest in UEBA
Many security monitoring tools include User and Entity Behaviour Analytics (UEBA), which can be hugely valuable to combat insider threats. UEBA detects and neutralises known and unknown user-based threats by using advanced machine learning and behavioural profiling techniques to identify anomalous activity such as account compromises and privilege abuse.
Develop an incident response plan
When an insider breach occurs, it’s important to have an incident response plan in place to gather and analyse the necessary data to ascertain which systems were accessed, which users have access to those systems, and what data was exposed. An experienced incident response handler like Kroll should be engaged to ensure that data is handled in a forensically sound manner, and critical evidence is not overlooked.
Managed Detection and Response
For many organisations, an in-house 24/7 security monitoring capability to prevent, detect and respond to insider threats and other malicious activity is unrealistic – the technology, intelligence, and specialist expertise required are simply too expensive.
Kroll Responder, our turnkey Managed Detection and Response service, provides the experienced security professions and latest cloud, network and endpoint detection tools needed to identify, contain and shut down attacks.
By working as an extension of your in-house team, our experts hunt for and respond to threats across your on-premise, cloud, virtual and hybrid environments, 24/7. As the world’s number 1 incident response provider, we conduct over 3,000 incident investigations every year. This unparalleled experience means that in the event of a breach, you can have peace of mind that your business will be left in the best position possible, with minimal disruption and your reputation intact.
Find out more about Kroll Responder MDR