Managing the insider threat
There is much talk in the cyber security world about what is termed the insider threat. To those not in the know, however, the term can be misleading, and it conveys different things to different people.
Put simply, an ‘Insider Threat’ is someone who works within your company or organisation and has access to your systems and your data, together with the recognition that this access carries a risk or a threat.
The insider threat is made up of four groups of people:
- The Malicious Insider
- The Flight Risk
- The Unwitting Insider
- The Un-Trusted Insider
The Malicious Insider
The risk posed by a ‘Malicious Insider’ is, compared to the other groups, quite small. This is the person who deliberately sets out to do something bad with your data, your clients or your company assets. Thankfully, there are relatively few such people around.
The Flight Risk
The ‘Flight Risk’ is the employee who has secured a job with a competitor, or who wants to set up their own business in competition with yours, and who intends to use your data or your intellectual property to give the new venture a head start – at your expense.
The Unwitting Insider
The ‘Unwitting Insider’ is the biggest risk. It is, for example, the person who mistakenly puts your entire client list in the cc field of an email instead of bcc, disclosing every client’s address to every other client.
Or it is the employee who finds a USB stick in a communal area and, meaning well, plugs it into their desktop machine to find out who it belongs to. In doing so they infect your systems, whether the device was deliberately ‘planted’ or simply infected.
The Un-Trusted Insider
The ‘Un-Trusted Insider’ might be the IT person you ‘let go’ last month. Because you were being nice, you allowed them to finish out the working week before restricting or terminating their access. During that time they created a backdoor into your systems using false credentials, or changed system settings and deleted your backups, or planted malicious software with a time delay, set to activate a few weeks after they have left and after everyone has forgotten about them.
So, how do we deal with the insider threat?
Fundamentally, it’s about:
- Building security into the entire employment life-cycle.
- Pre-employment screening, onboarding, introduction and socialisation.
- Recognising changes in employees’ personal circumstances.
- Emphasising the importance of culture, reporting and communications.
Insider Threat Management also incorporates performance management, supervision and staff appraisals. It is about having exit strategies and procedures to deal with termination of employment (a termination checklist, for example).
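The ‘Un-Trusted Insider’ scenario above and the termination checklist both come down to one question: what did the leaver do between being told they were going and actually losing access, and was access revoked when it should have been? The following Python script is an added example, not code from the original article or its author. It assumes a hypothetical audit-event format (ISO-8601 timestamp, actor, action name, target, and a `first_run` field on scheduled-job events) and a constructed set of events for a departing IT employee; the action names and the `Leaver` record are illustrative, not a real product’s schema.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical audit-event schema (constructed for this example). Actions that the
# article's scenario calls out are mapped to the reason they matter on a leaver.
RISKY_ACTIONS = {
    "user.create": "new account created (possible backdoor credential)",
    "ssh_key.add": "SSH key added (persistent access)",
    "sudoers.change": "privilege configuration changed",
    "cron.create": "scheduled job created (possible time-delayed payload)",
    "backup.config_change": "backup settings changed",
    "backup.delete": "backup deleted",
}


@dataclass
class Leaver:
    user: str
    notice_given: datetime  # when the decision to part company was made
    last_day: datetime      # the leaver's last working day


# Constructed sample events: jsmith is told on 1 June, works until 7 June,
# and the IT team only revokes access on 10 June.
EVENTS = [
    {"ts": "2019-05-20T10:00:00", "actor": "jsmith", "action": "user.create", "target": "svc-monitor"},
    {"ts": "2019-06-03T09:12:00", "actor": "jsmith", "action": "user.create", "target": "svc-monitor2"},
    {"ts": "2019-06-03T09:13:00", "actor": "jsmith", "action": "sudoers.change", "target": "svc-monitor2"},
    {"ts": "2019-06-04T17:40:00", "actor": "jsmith", "action": "cron.create",
     "target": "/etc/cron.d/cleanup", "first_run": "2019-07-01T02:00:00"},
    {"ts": "2019-06-05T11:00:00", "actor": "jsmith", "action": "backup.config_change", "target": "retention=0d"},
    {"ts": "2019-06-05T11:02:00", "actor": "jsmith", "action": "file.read", "target": "/srv/docs/handover.md"},
    {"ts": "2019-06-10T09:00:00", "actor": "it-admin", "action": "access.revoke", "target": "jsmith"},
]
LEAVER = Leaver("jsmith", datetime(2019, 6, 1), datetime(2019, 6, 7))


def audit_notice_period(events, leaver):
    """Review what the leaver did from notice to departure and whether access was
    revoked. Returns a summary dict that a termination checklist can be ticked against."""
    events = sorted(events, key=lambda e: e["ts"])
    risky, created, delayed_jobs = [], [], []
    deleted = set()
    revoked_at = None
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        # Anyone may have cleaned an account up, so track deletions regardless of actor.
        if ev["action"] == "user.delete":
            deleted.add(ev["target"])
        if ev["action"] == "access.revoke" and ev["target"] == leaver.user:
            revoked_at = ts
        if ev["actor"] != leaver.user or ts < leaver.notice_given:
            continue  # normal duties before notice was given are out of scope
        if ev["action"] in RISKY_ACTIONS:
            risky.append((ev["ts"], ev["action"], ev["target"], RISKY_ACTIONS[ev["action"]]))
        if ev["action"] == "user.create":
            created.append(ev["target"])
        if ev["action"] == "cron.create":
            # A job whose first run is after the last day is the time-delay pattern.
            if datetime.fromisoformat(ev["first_run"]) > leaver.last_day:
                delayed_jobs.append(ev["target"])
    orphaned = [acct for acct in created if acct not in deleted]
    # None means access was never revoked; a positive number is days it survived past the last day.
    lag = None if revoked_at is None else (revoked_at.date() - leaver.last_day.date()).days
    return {
        "risky_actions": risky,
        "orphaned_accounts": orphaned,
        "delayed_jobs": delayed_jobs,
        "revocation_lag_days": lag,
    }


if __name__ == "__main__":
    report = audit_notice_period(EVENTS, LEAVER)
    for ts, action, target, why in report["risky_actions"]:
        print(f"{ts} {action:22} {target:22} {why}")
    print("accounts still present:", report["orphaned_accounts"])
    print("jobs first running after departure:", report["delayed_jobs"])
    print("access revoked days after last day:", report["revocation_lag_days"])
```

Run against the constructed events it lists four risky actions in the notice period, one account the leaver created that nobody removed, one cron job that first fires after they have gone, and a revocation three days late. The account created on 20 May is ignored because it predates notice; that is exactly the point of anchoring the review to the notice date rather than the last day.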
Managing the supply chain
A 2019 survey by the insurer Hiscox (Cyber Readiness Report 2019) found that supply chain incidents are now commonplace: nearly two-thirds of firms (65%) had experienced cyber-related issues in their supply chain in the previous year.
This means Insider Threat Management is also about the integrity of your suppliers, contractors and other third parties, making sure that they treat your data, or your clients’ data, the way you, or perhaps more importantly your clients, would expect it to be treated.
One of the biggest factors in mitigating the insider threat is methodically treating all employees with fairness and transparency, working to avoid any form of ‘disgruntlement’ in the workforce.
The disgruntled employee is ‘home-grown’. They don’t join a company being disgruntled, and they don’t become disgruntled overnight. They are made, over a period of time, and they can be identified.
Everyone knows an employee who is unhappy at work or struggling with personal issues, or someone looking for another job, and we all know who the bad managers are. These are some of the warning signs of a potential insider risk. This does not mean that any of these people will become a threat; it means that the risk of a threat is increased. Your ability to manage that risk depends on having visibility of it.
An integrated approach
You need to be able to profile user behaviour and map it against the vulnerabilities in your organisation. This visibility also includes knowledge of your employees’ well-being, gained through a welfare support programme combined with a whistleblowing facility.
When this is all integrated within a properly structured and recognised security and business resilience or continuity framework, such as ISO 27001 and ISO 22301, combined with risk profiling, user awareness and organisational mapping, you are then able to work out the ‘context’ of that behaviour. And it is context that is the key to managing your insider threat.
Put simply… you need to know what your employees are doing with your data and why.
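As an added example of what ‘context’ means in practice (this is illustrative code, not from the original article or its author), the following Python script baselines each user’s daily activity against their own history and then lets organisational context decide how urgently a human looks at an anomaly. The daily download counts, the `notice_given` and `sensitive_data_access` flags, and the scoring weights are all constructed assumptions; a real deployment would take the counts from file-share or DLP logs and the flags from HR and access management.

```python
from statistics import median

# Constructed sample: documents pulled from the client-file share per day over the
# previous 14 working days, and the count for today.
HISTORY = {
    "alice": [12, 9, 14, 11, 10, 13, 12, 9, 11, 15, 10, 12, 11, 13],
    "bob":   [30, 28, 35, 31, 29, 33, 30, 27, 32, 34, 29, 31, 30, 28],
    "carol": [5, 7, 6, 4, 8, 6, 5, 7, 6, 5, 7, 6, 4, 6],
}
TODAY = {"alice": 140, "bob": 310, "carol": 6}

# Hypothetical context as HR and access management would supply it: has the person
# given (or been given) notice, and does their role reach data whose loss would hurt
# (the organisational 'vulnerability' the behaviour is mapped against).
CONTEXT = {
    "alice": {"notice_given": True, "sensitive_data_access": True},
    "bob":   {"notice_given": False, "sensitive_data_access": True},
    "carol": {"notice_given": True, "sensitive_data_access": False},
}


def robust_zscore(history, value):
    """How far today's value sits from the user's own baseline, in units of median
    absolute deviation. Median/MAD rather than mean/std so that one earlier spike
    does not inflate the baseline and hide the next one."""
    med = median(history)
    mad = median([abs(x - med) for x in history]) or 1.0  # guard a flat history
    return (value - med) / (1.4826 * mad)


def triage(history, today, context, threshold=3.0):
    """Behaviour decides whether something is anomalous; context decides priority."""
    results = {}
    for user, baseline in history.items():
        z = robust_zscore(baseline, today[user])
        anomalous = z > threshold
        score = 0
        if anomalous:
            score = 1
            ctx = context.get(user, {})
            score += 2 if ctx.get("notice_given") else 0          # flight-risk context
            score += 1 if ctx.get("sensitive_data_access") else 0  # what they can reach
        priority = "high" if score >= 3 else "medium" if score >= 1 else "none"
        results[user] = {"z": round(z, 1), "anomalous": anomalous,
                         "score": score, "priority": priority}
    return results


if __name__ == "__main__":
    for user, r in triage(HISTORY, TODAY, CONTEXT).items():
        print(f"{user:6} z={r['z']:6.1f} anomalous={str(r['anomalous']):5} "
              f"score={r['score']} priority={r['priority']}")
```

On the constructed data bob’s spike is statistically the larger one, but alice is the higher priority because she has given notice and can reach sensitive data. Carol has also given notice yet is not flagged at all: her behaviour has not changed, which is the article’s point that a warning sign on its own is an increased risk, not a threat.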
CEO & Founder ESID Consulting,
Specialising in Insider Threat, Cyber & Information Security.