Cross Identity

Official Blog

Insider Threats – The Complete Guide to Recognizing and Dealing with them


Insider threats are the perfect way to execute a crime. They come from within the organization, right under your nose, from someone who stays close to the one they are betraying. This is in no way a new paradigm; betrayal has been a common theme throughout history, as in the infamous saga of Julius Caesar, stabbed by a disgruntled Roman senator and friend for the sake of politics. Although that is a story of epic magnitude, and many insider threat stories are as simple as clicking on the wrong email, some parallels can be drawn to show how much damage the fallacies of human behavior can do.

The IBM 2018 X-Force Threat Intelligence Index stated that insider threats are the cause of 60% of attacks. This type of cyber attack is on the rise now more than ever and shows no sign of slowing down; the report notes a 5% year-over-year increase in insider threats. This is because of how simple it is to carry out and how easily it takes advantage of the lack of security measures in organizations today. When you think of hacking, you would assume it involves some highly advanced code to impair a company's network, or releasing a virus into someone's computer. Although such attacks are rampant, good old-fashioned stealing is still a very viable option for an insider with intent.

But you cannot assume that every insider breach happened because an employee was rubbing their hands and plotting against you. Sometimes it is because of a very flawed trait of humans: carelessness. Either they execute a task without any malicious intention, or a bad actor takes advantage of their negligence.

Insider threats are a topic that you must deal with sensitively and smartly. You don't want your employees feeling like they are under scrutiny all the time, nor should you allow any of them to blatantly take advantage of your trust. There is a fine line between executing stringent security measures with the right technology and awareness, and merely implementing rules and regulations out of fear.

Let's discuss what this fine line is, what the types of insider threats are, how you can recognize them, and what you can do to address them.

The 5 types of insider threats:

Broadly, insider threats can be classified as those with intent and those without. The ones with intent willingly compromise data, either for monetary benefit or out of a personal grudge. The ones without intent are victims of cybercrime, just like the organization itself: unknowingly, they aid the hacker or leak information. Within these two groups, there are several differentiators:

1. The insider without a clue

Who is it?

This is the insider who has no clue what they have done. Their typical day involves interacting with the internet with no stringent security measures in place.

How is it carried out?

Phished out: One day, going about their email routine, they come across an email that looks like it is from their bank. In the email, your employee is asked for some personal information for an emergency bank formality with a deadline of a few hours. Hurriedly (innocently and stupidly), the employee enters the information without a second thought, owing to the deadline. The hacker now holds sensitive information, putting the employee's accesses, and eventually the entire organizational network, at risk.

Facebook and Google fell victims to fake invoice phishing scams, costing them $100 million, according to a report.

Passwords, who?: Humans are forgetful. Losing laptops and personal devices is not unheard of, but what happens next? How easy is it for a hacker to go from finding a laptop to hacking it?

An employee loses a laptop holding sensitive information that is not encrypted. This puts the employee, as well as everyone whose information is on it, at risk. Or there is a break-in at your workplace and these devices are stolen, or other devices, such as an unencrypted USB drive, go missing.

These are very real possibilities, and for Fresenius Medical Care of North America, this happened five times over, according to a report. They were breached due to such careless incidents in a single year.

Why does this happen, and what can you do?

The primary reason this insider creates opportunities for bad actors is negligence due to a lack of awareness. They do not know about the security problems caused by carelessness. Habits such as storing highly sensitive information on an unencrypted personal device, or storing passwords in notebooks and insecure Excel files, are among them.

This calls for regular security training sessions, and not ones held for the sake of formality. You have to make them interesting enough for employees to take seriously. There will always be employees who couldn't care less about the many rules and regulations, or what is at stake. To them, explain the real-world incidents that could cause damage not only to your business but also to their own assets. That ought to pique their interest, if nothing else.

As much as you would like to believe that you can dust off your hands after a session, it doesn't end there. You have to take it a step further and implement policies of least privilege, where everyone in the organization has access to only what they need and nothing more. So if their account is ever compromised, you will know that the damage is still under control, buying you time to tackle the situation.

2. The insider looking to make more

Who is it?

These are the malicious insiders, the ones who act purely out of bad intent. They take advantage of the access at hand for monetary benefit, either by simply selling your data or by conducting full-blown corporate espionage.

How is it carried out?

Competitor snitch: Consider insiders who work in sales. Your employee wants to pursue new opportunities and wants something to help them ramp up their growth in the future. A simple solution is to take all the available sales leads and run with them. Unless you track who has made unreasonable downloads, you have probably just gifted your competitor with business opportunities.

Situational need: Employees go through the ups and downs of life like everyone else, and some of these personal situations may lead them to act differently. Perhaps they have a lot of debt to cover, they bought a new house hoping for a raise that never came, or they splurged and now do not know how to make up the shortfall. Unless the company cares enough to notice these things and address the big changes in an employee's life, the lack of communication can lead to an employee scheming against the company for money.

Malicious scheming: These are insiders who plot and scheme to no end. Slowly downloading sensitive information and selling it to others, or downloading new projects and sending them to a competitor, are among their methods.

An AMSC employee sold their engineering material to their competitor Sinovel for $20,000. The company received justice only after a 6-year-long fight, which cost them revenue, stock value, and a lot of jobs.

Why does this happen and what can you do?

This happens due to the lack of awareness from the employer’s end as to whom they are hiring. It is essential to carry out thorough background checks before hiring an employee.

Another major reason is the lack of tracking of employee activity. Monitoring does not necessarily mean invading your employees' privacy; it means noticing behavioral changes and noticing how they deal with your network. Are there any abnormalities? Are they accessing sensitive files? Are they logging in at odd hours? Are they requesting access to data they don't need?

Tracking these changes can make the difference between staying secure and getting hacked. Regular certification of accesses is a step in this direction: regularly review which accesses each employee currently holds, which can stay, and which are to be revoked. These campaigns must be a mandatory practice.

A risk engine that can generate reports daily, recognize anomalies with accesses, and assign a risk score to accesses is another need of the hour. These engines not only provide data but step-up authentication when risk scores are high and even suspend the access altogether when the access is to a sensitive file.
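The risk engine described above, as an added example that is not part of the Cross Identity post: it scores constructed access events on the signals the post names (access outside the role's entitlements, sensitive files, odd-hour logins, unreasonable downloads), steps up authentication when the score is high, suspends access when a high score involves a sensitive file, and produces a daily report. The role map, resource names, thresholds, and sample events are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed role-to-entitlement map (least privilege: a role sees only what it needs).
ROLE_ENTITLEMENTS = {
    "sales": {"crm", "leads"},
    "engineer": {"repo", "build"},
    "admin": {"crm", "leads", "repo", "build", "hr-db"},
}
SENSITIVE_RESOURCES = {"hr-db", "repo"}  # assumed: resources where suspension applies
BUSINESS_HOURS = range(8, 19)            # assumed 08:00-18:59 local time
LARGE_DOWNLOAD_BYTES = 100_000_000       # assumed threshold for an "unreasonable" download

@dataclass
class AccessEvent:
    user: str
    role: str
    resource: str
    timestamp: datetime
    bytes_downloaded: int = 0

def risk_score(ev):  # score one event; each reason maps to a question the post asks
    score, reasons = 0, []
    if ev.resource not in ROLE_ENTITLEMENTS.get(ev.role, set()):
        score += 50; reasons.append("outside role entitlements")  # data they don't need
    if ev.resource in SENSITIVE_RESOURCES:
        score += 30; reasons.append("sensitive resource")         # sensitive files
    if ev.timestamp.hour not in BUSINESS_HOURS:
        score += 20; reasons.append("odd hours")                  # odd-hour logins
    if ev.bytes_downloaded > LARGE_DOWNLOAD_BYTES:
        score += 30; reasons.append("large download")             # unreasonable downloads
    return score, reasons

def decide(ev):  # high score -> step-up auth; high score on a sensitive resource -> suspend
    score, _ = risk_score(ev)
    if score >= 70 and ev.resource in SENSITIVE_RESOURCES:
        return "suspend"
    return "step-up" if score >= 40 else "allow"

def daily_report(events):  # the daily report: one row per event, riskiest first
    rows = [dict(user=e.user, resource=e.resource, score=risk_score(e)[0],
                 reasons=risk_score(e)[1], decision=decide(e)) for e in events]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample events for one day (not real log data).
SAMPLE_EVENTS = [
    AccessEvent("alice", "sales", "crm", datetime(2024, 1, 15, 10, 5)),
    AccessEvent("alice", "sales", "leads", datetime(2024, 1, 15, 23, 40), 500_000_000),
    AccessEvent("bob", "engineer", "hr-db", datetime(2024, 1, 16, 2, 12)),
    AccessEvent("carol", "admin", "repo", datetime(2024, 1, 15, 14, 0)),
]
```

In a real deployment the weights and thresholds would be tuned per organization, and the role map would come from the identity governance system rather than a hard-coded dictionary.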

3. The insider that got away

Who is it?

These are the insiders who land your business in trouble after leaving. They hand in their resignation and start their mission to collect your data.

How is it carried out?

Disgruntled employee: In a typical organization with several employees, there are bound to be differences of opinion and different kinds of people, and sometimes these get out of hand. Consider the tension between an employee and their manager. If the employee is unable to get their tasks right and the manager fails to convey this without offending them, it leads to an argument. The manager fires the employee on account of this behavior. This employee now has several reasons to take it personally and might even want to inflict damage. They can take advantage of their current accesses and sell vital information, or ruin several aspects of your organizational network out of spite.

An employee at Canadian Pacific Railway (CPR) was fired for insubordination, according to a report. He chose to resign before he could be let go, and in the process he deleted critical files, removed admin accounts, changed passwords, and wiped his hard drive. He was eventually caught, but these changes did set the company back for a while.

Too privileged for their own good: Privileged accounts in an organization are those with access to sensitive files and admin-level rights, essentially the accesses that can make or break your company. Surprisingly, these are the accesses that tend to lack stringent regulation. An employee with privileged access whose accesses aren't monitored has every opportunity to go rogue.

Google's self-driving car project, Waymo, is a classic example. An employee with privileged access downloaded the project's intellectual property and trade secrets and joined Otto, which was later acquired by Uber. This was later proven, and a mutual agreement was signed with Uber not to use this information.

Why does this happen, and what can you do?

Employees are the heart of an organization. Sensitive situations must be handled with maturity to ensure employees don't leave begrudgingly. Before employees leave an organization, a thorough check of their accesses must be done, and their activities during their last days with the organization must be monitored vigilantly.
Most importantly, privileged access management must be a mandatory practice. Solutions like MFA, governance, and risk management should form one holistic solution for handling privileged accesses.

4. The insider hero

Who is it?

This is an insider whose intentions involve a bigger picture, beyond monetary benefit. This insider's purpose is to right a wrong or to benefit their nation.

How is it carried out?

One for the people: Many times, corporations and government agencies come under scrutiny for poorly handling the data of users. Although there are regulations and policies in place to keep this in check, sometimes they get away with it. So what should an employee do, knowing the full extent of this reality?
Edward Snowden, a National Security Agency (NSA) analyst, is one such employee, faced with exactly this dilemma. He discovered that the NSA and CIA were collecting personal information and conducting mass surveillance on American and foreign citizens, which was against federal law. He decided to act on his morals and revealed the documents of this operation. Whether this whistleblower should be called a hero or a betrayer is still a matter of debate.

The patriotic insider: Employees in an organization are given privileged accesses based on the trust that comes with their role. But what happens if someone is trusted beyond what the security measures can verify? They can violate that trust for their own benefit, under your nose, and steal crucial information.
The story of Jiaqiang Xu is one such example. He was hired by IBM to develop source code and was among the few people with access to work on the proprietary software. This made him a privileged user, and eventually he took advantage of it.
Because he had unlimited access to the code, he built a copy of this software. Having obtained this copy, he then quit his job and sold it. His intention was to help both his own financial circumstances and his home country.

Why does this happen, and what can you do?

This is a controversial scenario. When it comes to someone violating privileged access, it is a matter of implementing policies like a just-in-time approach to PAM. When it comes to revealing the wrongdoings of an organization, the ways to handle it are subjective. Every organization must adhere to the law and abide by it, and personal information of citizens should be handled in line with the rules. This would avoid someone revealing insider information altogether. Regulations like GDPR, HIPAA, HITECH, and CPA each apply to different countries and industries. Following them can avoid all the unwarranted publicity, the hefty fines, the loss of brand reputation, and, above all, the loss of customer trust.

5. The insider who is not really an insider

Who is it?

The insiders within your organization aren't the only ones capable of posing an insider threat. Third-party employees are a huge risk too.

How is it carried out?

Contractors, supply chain vendors, and others: Third parties also have access to the sensitive information in your organization. If your security is top-notch, you provide access only to the right people, and your employees are well trained, but your third-party vendor barely has a security policy, then that can completely nullify your efforts.
Anthem, a health insurance company, ramped up their security after a cyber attack, but due to a third-party vendor's negligence they had a breach anyway. An employee of the vendor sent an email containing patient information to his own email address. Although the third party informed the patients immediately, it was still a breach of trust.

Why does this happen, and what can you do?

Third-party vendors can be the backdoor into your security. While choosing vendors, organizations must be thorough, and every vendor must be bound by a contract that states their commitment to security as well.
Regular auditing of third-party vendors is a must. You might be compliant, but every other contractor with access to your data must be compliant as well. If there is ever a breach, the responsibility falls on you too.

Evolve with the changing landscape of cybersecurity

Today, it is no longer enough to secure yourself from external threats with a firewall. With data access control weakening across the cloud, multiple devices, IoT, 5G, and ever-growing technology, you can never be too secure.

The only way to deal with insider threats is to manage risk holistically. This can only happen by implementing intelligent solutions backed by a zero-trust policy. Identity and access management is the solution that protects you from threats far away as well as close to home.

Trust the technology to trust your employees.
