Detecting and Countering Inside Cyber Security Threats
Dangers from within
Typically, the security measures put in place to detect and counter cyber attacks focus on outside threats. While the faceless enemy from outside your organisation is undoubtedly a risk, the danger can just as easily come from within: not from an anonymous attacker, but from an employee you know and trust. According to a 2019 data breach report, 34% of data breaches involved insiders. Though companies are more at risk from outside threats, internal cyber security needs to be taken just as seriously: it only takes one insider attack to cause devastating damage to your company.
What Is an Insider Cyber Security Threat?
An insider threat is a security risk initiated by an employee, former employee, business associate, or contractor from within an organisation. It usually involves a person who has privileged account access or access to sensitive data within the company’s network. Either intentionally or accidentally, they will compromise this access through inappropriate use. In some areas such as finance, government, and healthcare, insider threats are more frequent. However, any enterprise can become compromised if prevention measures aren't in place.
Internal vs. External Cyber Security Threats
An external threat comes from outside the targeted organisation. Such attacks can be carried out by numerous types of malicious actors for financial gain, to steal company secrets, or for political or social reasons, as with hacktivists. Some hackers will even carry out an attack for an intellectual challenge or to impress their peers. Techniques used to compromise external security or cause harm include distributed denial-of-service (DDoS) attacks, drive-by attacks, password attacks, eavesdropping attacks, and more. Cyber crimes become more sophisticated by the day, and all enterprises need to be vigilant and have measures in place to prevent them.
As previously mentioned, external cyber threats are more widespread than threats from within. However, in some ways, building a strong security perimeter around our networks and systems to detect and prevent attacks is more straightforward than spotting a potential insider threat.
If we use the analogy of a castle under siege, often it is easy to see where the walls are being breached or where the attack is coming from. If the walls are strong and the soldiers are protecting it, it will be challenging to get into the castle. On the other hand, it only takes one rogue person inside the walls to poison the well or open the gates from the inside. Most often, this type of threat would go undetected. It only takes one insider to allow the outside forces to storm the gates!
Coming back to modern times, insider security threats are in many cases carried out by employees who you might have known for years and who you would least expect to damage your business in any way. This more personal element of insider threats makes them more difficult to detect.
Some companies tend to bury their heads in the sand when it comes to insider threats. They might believe it will undermine their employees’ trust, so they are slow to implement adequate security measures. It will often be too late before an enterprise discovers the significant damage that a malicious or negligent insider can do to their business. At the same time, enterprises still need to have happy, satisfied workers who feel valued and trusted. Disgruntled workers can easily become insider threats.
While it is not possible to entirely mitigate all insider threats, some things can be done to make them less likely, which we will discuss shortly.
So which is worse: an external or insider cyber attack? This would depend on several different factors, including the type and level of attack, the industry, and the information that was stolen.
Types of Insider Cyber Threats
Negligent or Accidental Insider - As well as being one of the most common insider threats, a careless employee is also one of the hardest to detect. Humans are prone to errors: none of us are perfect. We might get distracted or be juggling tasks and make a mistake. For instance, an employee might be running late and inadvertently fail to log off their computer when leaving the office. Another example could be an employee leaking data by losing a USB drive containing sensitive information.
An employee who has been working for a company for several years with no issues could innocently make a mistake that could prove expensive. These types of isolated errors can and will happen, no matter how strong security measures are. If an employee has been repeatedly negligent, they need to be given additional security training.
Third-Party Users - Typically, these are contractors that have temporary access to a network. This might just be for a few hours or working on a business project for several months. Just as with a regular employee, a third-party user could compromise the network security through negligence or be a malicious actor.
Increased Security Risks from New Ways of Working
The internet has changed how and where we work, and with modern technology we can work from anywhere. Some forward-looking companies now have a bring your own device (BYOD) policy that allows staff to use their own personal laptops, mobile phones, or tablets for work purposes. Adopting new ways of working offers both organisations and workers more flexibility, as well as many other benefits. On the flip side, however, it can leave businesses more vulnerable to cyber attacks.
Remote working isn't something new: the internet has enabled staff to work outside the traditional office environment for some time. However, it has become much more widespread due to the 2020 pandemic, with many businesses having no recourse but to have their staff working from home.
Many organisations were taken by surprise by the events that unfolded and were unprepared for the dramatic change. When mandatory stay-at-home requirements were enforced, many remote employees carried out their daily tasks on personal devices with the most basic security.
In addition to more employees working from home, cybercriminals took advantage of the coronavirus with a massive spike in cyber threats. This included many reported phishing emails pretending to be from the World Health Organization.
The findings from a survey carried out by anti-malware software provider Malwarebytes claim that 20% of businesses have experienced security breaches resulting from remote employees’ actions since the start of the lockdown. It was also found that 44% of organisations that responded to the survey did not provide cyber security training to their remote employees on the possible threats that home workers could face.
Remote workers should at least be schooled in the basics, such as changing their Wi-Fi router’s default password and ensuring that anti-virus and other software is regularly updated. They should also understand the dangers of phishing and how it works.
Working from home can make even the most diligent employee less security conscious, with many computer devices being shared with family members or available to other users in the household. Employees should understand that the same security standards apply when at home or in the workplace.
Bring Your Own Device (BYOD)
Bring your own device (BYOD) allows workers to use their own personal devices to connect and access the network and systems of the organisations they work for. This is a great benefit for small businesses who save on purchasing equipment, and studies show that it is good for employee morale. The obvious downsides are the higher risks to security and the challenges for IT departments to deal with a wide range of different devices.
By far, the most significant security risk associated with BYOD is data breaches caused by devices being lost or stolen. If sensitive information is stored on the device, a non-negotiable policy should be established that remote wipe will be used to delete all data.
Before introducing BYOD into your workplace, a well-defined security policy should be in place to ensure compliance and protect both the organisation and those employed by it.
Insider Threat Examples
The number of cyber threats to organisations big and small is growing exponentially, sometimes to the level of compromising national security. Here are a few of the more famous examples:
Probably the most notorious insider attack came from Edward Snowden, the whistleblower who stole and leaked highly classified information from the NSA. At the time, Snowden wasn't even an employee but a contractor hired by Dell and then Booz Allen Hamilton. Without a doubt, Snowden matches the malicious insider archetype, driven by what he believed were noble reasons, whether you see him as a hero or a traitor.
Target, the national retail brand, suffered a massive data breach in which the financial and personal information of around 110 million customers was compromised. The hack was carried out using a phishing email that duped an employee of a third-party vendor, allowing the cybercriminals to access Target's network.
A recent social engineering attack involved workers employed by Twitter being manipulated by a gang of teenage cybercriminals. The bitcoin scam involved compromised Twitter accounts belonging to some of the most famous people in America, including Joe Biden, Kanye West, and Elon Musk. While it only netted the Bitcoin equivalent of $120,000 and just 394 people fell for the scam, it immediately knocked 4% off Twitter's share value and put a dent in the company's reputation. Twitter commented that the “coordinated social engineering attack” was executed by people who “successfully targeted some of our employees with access to internal systems and tools.”
How to Recognise Insider Threats
As we have discovered, insider threats are not as clear-cut to identify as those from outside. Indicators of potential threats from a worker with malicious intent could be that they access the network at unusual times or from unusual places or work late or early without authorisation.
They may also show signs of dissatisfaction with their job or be going through financial hardship, though it is more likely that they will cover this up if they are planning malicious action.
It might be that someone is struggling with a personal issue such as alcohol addiction, or that they are having problems outside of work that are making them distracted and more prone to an accidental threat; they might require some sort of counselling to help them.
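The access-time and access-location indicators described above are the kind of thing a SIEM or a simple scheduled script can flag from authentication logs. The following is an added illustration, not code from the original article or from Bulletproof: it builds a per-user baseline of the countries each user normally logs in from over a training window, then reports later logins that fall outside an assumed working-hours window, on a weekend, or from a country not in that user's baseline. The log lines, the user names, the working-hours window and the country codes are all constructed for the example.

```python
"""Flag logins at unusual hours, on weekends, or from unusual locations.

Added example: baseline-then-compare detection over constructed auth events.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real data).
# Format per line: ISO timestamp, user name, source country code.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice GB
2024-03-04T17:45:00 alice GB
2024-03-05T08:58:00 alice GB
2024-03-05T18:10:00 alice GB
2024-03-06T09:05:00 alice GB
2024-03-06T23:40:00 alice GB
2024-03-07T03:15:00 alice RO
2024-03-09T11:00:00 alice GB
2024-03-04T08:30:00 bob GB
2024-03-05T08:35:00 bob GB
2024-03-06T08:40:00 bob GB
2024-03-07T08:32:00 bob GB
2024-03-07T10:00:00 carol GB
"""

# Assumed working-hours window: 07:00 (inclusive) to 20:00 (exclusive).
WORK_START, WORK_END = 7, 20


def parse_log(text):
    """Parse the constructed log into (timestamp, user, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country = line.split()
        events.append((datetime.fromisoformat(ts), user, country))
    return events


def build_baseline(events, cutoff):
    """Countries each user was seen from before the cutoff (training window)."""
    baseline = defaultdict(set)
    for ts, user, country in events:
        if ts < cutoff:
            baseline[user].add(country)
    return baseline


def find_anomalies(events, cutoff_iso):
    """Return (timestamp, user, reasons) for post-cutoff events that look unusual.

    A user with no baseline at all (e.g. a brand-new account) is flagged on
    first sight, because 'never seen before' is itself worth a review.
    """
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(events, cutoff)
    findings = []
    for ts, user, country in events:
        if ts < cutoff:
            continue  # training data, not evaluated
        reasons = []
        if not (WORK_START <= ts.hour < WORK_END):
            reasons.append("off-hours")
        if ts.weekday() >= 5:  # Saturday = 5, Sunday = 6
            reasons.append("weekend")
        if country not in baseline.get(user, set()):
            reasons.append(f"new location {country}")
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings


if __name__ == "__main__":
    for when, who, why in find_anomalies(parse_log(SAMPLE_LOG), "2024-03-06"):
        print(f"{when} {who}: {', '.join(why)}")
```

In a real deployment the baseline would come from weeks of history rather than two days, the working-hours window would be per team or per time zone, and each finding would open a review ticket rather than being printed; the structure (train on known-good history, compare new events against it, surface the reason for each hit) is the part that carries over.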
Best Practices for Countering Insider Threats
The best place to start with countering cyber threats from within is with the HR department: stringent background checks on people you may potentially recruit could stop the threat in its tracks before even becoming a risk. Some other best practices you can put in place to mitigate risk include:
- Enforce a least privilege policy
- Have a BYOD policy
- Provide regular security awareness training for all staff on basic security hygiene
- Implement network security monitoring
- Give third-party contractors temporary accounts with expiry dates
- Conduct regular vulnerability scans and penetration tests
- Implement strict password policies
- Strive to improve worker satisfaction
Lastly, a backup and disaster recovery plan should be in place so that your organisation can react quickly in the case of the threat being successful.
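Several of the practices listed above (least privilege, expiring contractor accounts, and the network monitoring that should also cover dormant accounts) can be checked mechanically in a periodic account review. The following is an added example, not the article's or Bulletproof's own tooling: it runs a small set of hygiene checks over a constructed account inventory and returns one finding per violation. The inventory, the privileged group name, the approved-admin list and the 90-day dormancy threshold are all assumptions made for the illustration.

```python
"""Periodic account review: contractor expiry, least privilege, dormant accounts.

Added example over a constructed account inventory; thresholds are assumptions.
"""
from datetime import date

PRIVILEGED_GROUPS = {"domain-admins"}  # assumed: groups that grant admin rights
APPROVED_ADMINS = {"grace"}            # assumed: users whose admin rights were signed off
DORMANT_DAYS = 90                      # assumed: enabled-but-unused threshold

# Constructed inventory (not real accounts). Dates are ISO strings; a
# missing "expires" means the account never expires.
ACCOUNTS = [
    {"user": "alice", "type": "employee", "enabled": True,
     "groups": ["staff"], "expires": None, "last_login": "2024-03-05"},
    {"user": "ctr-dave", "type": "contractor", "enabled": True,
     "groups": ["staff"], "expires": None, "last_login": "2024-03-04"},
    {"user": "ctr-erin", "type": "contractor", "enabled": True,
     "groups": ["staff", "domain-admins"], "expires": "2024-02-01",
     "last_login": "2024-03-08"},
    {"user": "frank", "type": "employee", "enabled": True,
     "groups": ["staff"], "expires": None, "last_login": "2023-11-01"},
    {"user": "grace", "type": "employee", "enabled": True,
     "groups": ["staff", "domain-admins"], "expires": None,
     "last_login": "2024-03-09"},
]


def audit_accounts(accounts, today_iso):
    """Return (user, issue) pairs for every hygiene violation found."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        user = acct["user"]
        expires = acct.get("expires")

        # Contractors must have an expiry date (temporary access by default).
        if acct["type"] == "contractor" and expires is None:
            findings.append((user, "contractor account has no expiry date"))

        # An expiry date that has passed should have disabled the account.
        if expires is not None and date.fromisoformat(expires) < today and acct["enabled"]:
            findings.append((user, "expired account still enabled"))

        # Least privilege: admin group membership needs an explicit approval.
        for group in sorted(set(acct["groups"]) & PRIVILEGED_GROUPS):
            if user not in APPROVED_ADMINS:
                findings.append((user, f"member of privileged group {group} without approval"))

        # Enabled accounts nobody uses are a standing risk; disable or review.
        last = acct.get("last_login")
        if acct["enabled"] and last is not None:
            idle = (today - date.fromisoformat(last)).days
            if idle > DORMANT_DAYS:
                findings.append((user, f"enabled account dormant for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_accounts(ACCOUNTS, "2024-03-10"):
        print(f"{user}: {issue}")
```

The same checks map directly onto a directory export (for example the enabled flag, group membership, account expiry and last-logon attributes of a directory service); the value of running them on a schedule is that a contractor account left behind after a project, or an admin right granted "temporarily", is caught by the review rather than discovered after it has been misused.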
Protect against insider and external threats with Bulletproof’s powerful managed SIEM service: proactive 24/7 managed protection from our security experts.