Inside Threats - Detection and Remediation in Cyber Security

Dangers from within

Typically security measures put in place to detect and counter cyber attacks focus on outside threats. While the faceless enemy from outside your organisation is undoubtedly a risk, the danger can just as easily come from within – but not from an anonymous attacker, from an employee that you know or trust. According to a 2019 data breach report, 34% of data breaches involved insiders. Though companies are more at risk from outside threats, internal cyber security needs to be taken just as seriously: it only takes one insider attack to cause devastating damage to your company.

What Is an Insider Cyber Security Threat?

An insider threat is a security risk initiated by an employee, former employee, business associate, or contractor from within an organisation. It usually involves a person who has privileged account access or access to sensitive data within the company’s network. Either intentionally or accidentally, they will compromise this access through inappropriate use. In some areas such as finance, government, and healthcare, insider threats are more frequent. However, any enterprise can become compromised if prevention measures aren't in place.

Internal vs. External Cyber Security Threats

An external outside threat comes from outside the targeted organisation. They can be carried out by numerous types of malicious actors for financial gain, steal company secrets, or for political or social reasons, as with hacktivists. Some hackers will even carry out an attack for an intellectual challenge or to impress their peers. Techniques used to compromise external security or cause harm include distributed denial-of-service attacks (DDoS), drive-by attacks, password attacks, eavesdropping attacks, and more. Cyber crimes become more sophisticated by the day, and all enterprises need to be vigilant and have measures to prevent them.

As previously mentioned, external cyber threats are more widespread than threats from within. However, in some ways, building a strong security perimeter around our networks and systems to detect and prevent attacks is more straightforward than spotting a potential insider threat.

If we use the analogy of a castle under siege, often it is easy to see where the walls are being breached or where the attack is coming from. If the walls are strong and the soldiers are protecting it, it will be challenging to get into the castle. On the other hand, it only takes one rogue person inside the walls to poison the well or open the gates from the inside. Most often, this type of threat would go undetected. It only takes one insider to allow the outside forces to storm the gates!

So coming back to modern times, insider security threats are in many cases carried out by employees who you might have known for years and who you would least expect to damage your business in any way. This more personal element to insider threats makes it more difficult to detect.

Some companies tend to bury their heads in the sand when it comes to insider threats. They might believe it will undermine their employees’ trust, so they are slow to implement adequate security measures. It will often be too late before an enterprise discovers the significant damage that a malicious or negligent insider can do to their business. At the same time, enterprises still need to have happy, satisfied workers who feel valued and trusted. Disgruntled workers can easily become insider threats.

While it is not possible to entirely mitigate all insider threats, some things can be done to make them less likely, which we will discuss shortly.

So which is worse: an external or insider cyber attack? This would depend on several different factors, including the type and level of attack, the industry, and the information that was stolen.

Types of Insider Cyber Threats

Insider threats can be broadly divided into two kinds, either malicious or negligent; these can be then further split into distinct types of insiders with divergent motives for committing a cyber attack on an organization.

Malicious Insider – Be it an employee, ex-employee, ex-business partner, or contractor, a malicious insider is likely to be motivated either by greed or revenge. A financially motivated malicious insider might steal and sell information or access company finances that they can extract to their own personal account. A malicious insider motivated by revenge could be an employee who has been recently fired or has a grudge because another employee was promoted over them. They might find ways to sabotage the company by causing disruption or even be opportunistic and sell information to a rival competitor getting both revenge and financial remuneration. Malicious insiders have the advantage of familiarity with the organisation and will have the time and knowledge available to exploit any vulnerabilities.

Negligent or accidental Insider – As well as being one of the most common insider threats, a careless employee is also one of the hardest to detect. Humans are prone to errors: none of us are perfect. We might get distracted or be juggling tasks and make a mistake. For instance, an employee might be running late and inadvertently forget to log off their computer when leaving the office. Another example could be an employee leaking data by losing a USB drive containing sensitive data.

An employee who has been working for a company for several years with no issues could innocently make a mistake that could prove expensive. These types of isolated errors can and will happen, no matter how strong security measures are. If an employee has been repeatedly negligent, they need to be given additional security training.

Still, the threat can be significantly reduced by instilling a strong security culture in your organisation, raising employee security awareness, and training staff in managing cyber security risks from the offset.

Compromised Insider – This type of threat could be classed as a subset of ‘negligent’. An example would be an employee who has fallen for a phishing scam and has clicked on an insecure link and compromised the company network with malware.

Colluding Insider – If someone who has insider access collaborates with an external party to pose a security threat to an organisation, the combination of exterior and insider threat increases the danger two-fold. Using the dark web to hire employees to go rogue is becoming more commonplace for today’s cyber criminals. An employee could also be bribed into colluding with a cyber criminal though this is even less common.

Moles and Insider Spies – Espionage is the driver for this type of insider. They could be someone posing as an employee or contractor or an existing employee looking to steal intellectual property. An employee who is leaving a business to start work with a competitor could be a risk to information security, for instance.

Third-Party Users – Typically, these are contractors that have temporary access to a network. This might just be for a few hours or working on a business project for several months. Just as with a regular employee, a third-party user could compromise the network security through negligence or be a malicious actor.

Increased Security Risks from New Ways of Working

The internet has changed how and where we work and with modern technology, we can work from anywhere. Some forward-looking companies now have a bring your own device (BYOD) policy that allows staff to use their own personal laptops, mobile phones, or tablets for work purposes. Adopting new ways of working offers both organizations and workers more flexibility, as well as many other benefits. However, on the flip side, it can leave businesses more vulnerable to cyber attacks.

Remote Work

Remote working isn't something new: the internet has enabled staff to work outside the traditional office environment for some time. However, it has become much more widespread due to the 2020 pandemic, with many businesses having no recourse but to have their staff working from home.

Many organisations were taken by surprise by the events that unfolded and were unprepared for the dramatic change. When mandatory stay-at-home requirements were enforced, many remote employees carried out their daily tasks on personal devices with the most basic security.

In addition to more employees working from home, cybercriminals took advantage of the coronavirus with a massive spike in cyber threats. This included many reported phishing emails pretending to be from the World Health Organization.

The finding from a survey carried out by anti-malware software providers Malwarebytes claims that 20% of businesses have experienced security breaches resulting from remote employees’ actions since the start of the lockdown. Also, it was found that 44% of organizations that responded to the survey did not provide cyber security training to their remote employees on the possible threats that home workers could face.

Remote workers should be at least schooled in the basics, such as ensuring that their Wi-Fi Router’s default password is changed, ensuring anti-virus and other software is regularly updated. They should understand the dangers of phishing and how it works.

Working from home can make even the most diligent employee less security conscious, with many computer devices being shared with family members or available to other users in the household. Employees should understand that the same security standards apply when at home or in the workplace.

Bring Your Own Device (BYOD)

Bring your own device (BYOD) allows workers to use their own personal devices to connect and access the network and systems of the organisations they work for. This is a great benefit for small businesses who save on purchasing equipment, and studies show that it is good for employee morale. The obvious downsides are the higher risks to security and the challenges for IT departments to deal with a wide range of different devices.

By far, the most significant security risk associated with BYOD is data breaches caused by devices being lost or stolen. If sensitive information is stored on the device, a non-negotiable policy should be established that remote wipe will be used to delete all data.

Before introducing BOYD into your workplace, a well-defined security policy should be in place to ensure compliance and protect both the organisation and those employed by it.

Insider Threat Examples

The increasing number of cyber threats is growing exponentially to organisations big and small and sometimes to the level of compromising national security. Here are a few of the more famous examples:

Probably the most notorious insider attack came from Edward Snowden, the whistleblower who stole and leaked highly classified information from the NSA. At the time, Snowden wasn't even an employee but a contractor hired by Dell and then Booz Allen Hamilton. Without a doubt, Snowden matches the malicious insider archetype, driven by what he believed were noble reasons, whether you see him as a hero or a traitor.

Target, the national retail brand, suffered a massive data breach in which around 110 million of their customer's financial and personal information were compromised. The hack was carried out using a phishing email that duped an employee of a third-party vendor allowing the cybercriminals to access Target's network.

A recent social engineering attack involved workers employed by Twitter being manipulated by a gang of teenage cybercriminals. The bitcoin scam involved compromised Twitter accounts from some of the most famous people in America, including Joe Biden, Kayne West, and Elon Musk. While it only netted the Bitcoin equivalent of $120,000 and just 394 people fell for the same, it immediately knocked 4% off Twitter's share value and put a dent in their reputation. Twitter commented, the “coordinated social engineering attack” was executed by people who “successfully targeted some of our employees with access to internal systems and tools.”

How to Recognise Insider Threats

As we have discovered, insider threats are not as clear-cut to identify as those from outside. Indicators of potential threats from a worker with malicious intent could be that they access the network at unusual times or from unusual places or work late or early without authorisation.

They may also show signs of dissatisfaction with their job or be going through financial hardships though it is more likely that they will cover this up if planning malicious action.

It might be that someone is struggling with a personal issue such as alcohol addiction or that they might be having problems outside of work that is making them distracted and more prone to an accidental threat, and they might require some sort of counselling to help them.

Best Practices for Countering Insider Threats

The best place to start with countering cyber threats from within is with the HR department: stringent background checks on people you may potentially recruit could stop the threat in its tracks before even becoming a risk. Some other best practices you can put in place to mitigate risk include:

• Enforce a least privilege policy
• Have a BYOD policy
• Regular security awareness training for all staff on basic security hygiene
• Implement network security monitoring
• Third-party contractors should be given temporary accounts with expiry dates
• Conduct regular vulnerability scans and penetration tests
• Implement strict password policies
• Strive to improve worker satisfaction

Lastly, a backup and disaster recovery plan should be in place so that your organisation can react quickly in the case of the threat being successful.