Insider Threats: Types, Misconceptions, and Recommendations for Mitigation Efforts
Boeing. DuPont. Google. Tesla. Yahoo. What do these companies all have in common? They have all been impacted by insider threats. According to a 2022 report by Ponemon, an institution specializing in studies on data protection and security, the frequency of insider threat incidents has grown rapidly in the past few years, increasing by more than forty percent. Insider threats are a significant issue for organizations regardless of their size. Teams within an organization must understand the different types of insider threats and the actions that can be taken to mitigate them.
Three Types of Insider Threats
There are three types of insider threat: intentional/malicious, complacent, and unintentional. Intentional or malicious insiders are individuals who may engage in sabotage: actions intended to harm the company that may result in financial losses, the malfunction of or interference with information systems, or damage to the company's reputation. Malicious insiders may also commit fraud (the modification of critical systems, accounts, and/or protected information, or the sharing and alteration of credentials) and intellectual property theft, stealing confidential, protected data from their organization and selling it to another party.
Intellectual property may include a copyrighted or trademarked product. An insider who divulges trade secrets can cause an organization great economic loss. Trade secrets such as design specifications, research studies, business strategies, vendor inventories, and plans differ from intellectual property in that they encompass information that is specific to, and often known only to, the organization, and they are often given a higher level of protection within a data classification and lifecycle management system. Laws and penalties involving the disclosure of trade secrets also vary by state.
While intentional or malicious insiders can cause significant damage, the most common insider threats are those who are unintentional (ignorant) or complacent. The complacent insider is an individual who may carry out tasks with little understanding of, or motivation to revisit, organizational policies and guidelines; they may be cognizant of organizational procedures and choose to ignore them. The unintentional insider may inadvertently pose a risk to an organization due to a failure to perform his or her responsibilities with security in mind.
Misconceptions
One misconception raised in discussions about insider threats is the notion that an insider must have great technical prowess. It is commonly presumed that insiders are those who already have a background in system administration or computer science, can cover their digital footprint, and in some cases have the skills to operate as a malware author. This presumption, however, is false. Many individuals are capable of carrying out insider actions through conventional and detectable means, e.g. using a personal flash drive to copy sensitive files, using a personal email account to transfer company data, or uploading that data to a cloud platform.
Another misconception, or rather bias, that is widespread in conversations about insider threats is the belief that insiders in the U.S. are generally expats or those with foreign sponsorship working in the U.S. An organization must not allow its biases to overwhelm its sensibilities by assuming that Americans will feel such a sense of devotion to their homeland that they cannot be enticed to engage in insider actions. U.S. insiders may act with or without incentives from, or the interference of, a foreign competitor. Threats posed by foreign competitors like China and Russia have resulted in professionals from those countries, who are sponsored to migrate to the U.S. and work in an industry of interest, facing greater scrutiny in the past decade. However, organizations must act to protect U.S. assets from all threats, foreign and domestic.
Mitigating Insider Threats
A combination of detection and preventative security measures is necessary to address insider threats. Many organizations fall short because their security measures skew toward one side, or because they have only put measures in place to analyze data after an incident has occurred. The actions below are recommended to mitigate risks associated with insider threats and to establish a culture that prioritizes risk awareness.
The organization should establish an Information Security Program that addresses not only implementing detection solutions (e.g. employing anti-virus protection across endpoints and a firewall solution) but also the monitoring of user activity. A policy requiring the display of a banner on all company devices a user may access should be in place to inform users that any accounts or devices they access that are managed by the organization are subject to monitoring. A UAM (User Activity Monitoring) or UBA (User Behavior Analytics) capability combined with a SIEM (Security Information and Event Management) system can be used for this purpose. Monitoring should extend beyond access actions such as user sign-in and sign-out. It should also include the disabling and/or modification of admin services (e.g. logging, security, and configuration management functions) and attempted installations of unauthorized software packages. A tracking and reporting process may also be established to notify sysadmin and management team members of suspicious deletion, copying, and replacement actions.
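The monitoring rules described above (admin-service tampering, unauthorized software installation, and suspicious deletion, copying, and replacement of files, including the flash-drive and cloud-upload channels noted under Misconceptions) can be sketched as a small rule engine run over user-activity events. The following is an added example written for this article; it is not code from the original page or from Vestige. The log format (one event per line with " | "-separated key=value fields), the sample events, the protected-service list, the software allowlist, the external-destination prefixes and the bulk-activity threshold are all constructed assumptions; a real deployment would map the same checks onto the event schema of its own UAM/UBA/SIEM tooling.

```python
"""Rule-based review of user-activity events (added illustration, not Vestige's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line; paths use forward slashes.
SAMPLE_LOG = """
2024-03-04T08:59:10 | user=alice | action=login | host=ws-17
2024-03-04T09:02:41 | user=alice | action=file_copy | src=//fs01/eng/specs | dst=E:/ | count=230
2024-03-04T09:03:05 | user=alice | action=file_copy | src=//fs01/eng/drawings | dst=E:/ | count=410
2024-03-04T09:15:00 | user=bob | action=service_stop | target=audit_log
2024-03-04T09:16:22 | user=bob | action=software_install | package=remote-tunnel-client
2024-03-04T10:40:00 | user=carol | action=software_install | package=office-suite
2024-03-04T11:05:13 | user=dave | action=file_delete | src=//fs01/finance/q1 | count=3
2024-03-04T17:30:02 | user=alice | action=logout | host=ws-17
"""

# Assumed policy inputs (hypothetical values chosen for the example).
PROTECTED_SERVICES = {"audit_log", "edr_agent", "config_mgmt"}  # logging/security/config services
ALLOWED_PACKAGES = {"office-suite", "pdf-reader"}                 # approved software allowlist
EXTERNAL_DESTINATIONS = ("E:/", "F:/", "https://")                # removable media / cloud uploads
BULK_FILE_THRESHOLD = 500                                         # files touched per user in WINDOW
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Turn one log line into a dict; the first field is an ISO-8601 timestamp."""
    ts_text, *fields = [part.strip() for part in line.split("|")]
    event = {"ts": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def make_alert(event, rule, detail):
    return {"ts": event["ts"].isoformat(), "user": event["user"], "rule": rule, "detail": detail}


def detect(log_text):
    """Apply the three monitoring rules in event order and return the alerts raised."""
    alerts = []
    file_ops = defaultdict(list)  # user -> [(timestamp, file count)] for the sliding window
    bulk_alerted = set()          # users already flagged for bulk file activity
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        user, action = ev["user"], ev["action"]

        # Rule 1: disabling or modifying an admin service is always reviewed.
        if (action in {"service_stop", "service_disable", "config_change"}
                and ev.get("target") in PROTECTED_SERVICES):
            alerts.append(make_alert(ev, "admin_service_tampering", f"{action} on {ev['target']}"))

        # Rule 2: installation of a package that is not on the allowlist.
        elif action == "software_install" and ev.get("package") not in ALLOWED_PACKAGES:
            alerts.append(make_alert(ev, "unauthorized_software", ev["package"]))

        # Rule 3: suspicious deletion, copying and replacement of files.
        elif action in {"file_copy", "file_delete", "file_replace"}:
            count = int(ev.get("count", "1"))
            # 3a: any copy to removable media or a cloud upload target.
            if action == "file_copy" and ev.get("dst", "").startswith(EXTERNAL_DESTINATIONS):
                alerts.append(make_alert(ev, "copy_to_external_media", f"{count} files to {ev['dst']}"))
            # 3b: volume of file operations by one user within the sliding window.
            history = file_ops[user]
            history.append((ev["ts"], count))
            recent = sum(c for t, c in history if ev["ts"] - t <= WINDOW)
            if recent >= BULK_FILE_THRESHOLD and user not in bulk_alerted:
                bulk_alerted.add(user)
                alerts.append(make_alert(ev, "bulk_file_activity", f"{recent} files within {WINDOW}"))
    return alerts


def summarize_by_user(alerts):
    """Alert count per user: the shape a notification to sysadmins/management would carry."""
    summary = defaultdict(int)
    for a in alerts:
        summary[a["user"]] += 1
    return dict(summary)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['user']:<6} {a['rule']:<26} {a['detail']}")
    print(summarize_by_user(found))
```

Run against the constructed log, the engine flags alice twice for copying to removable media and once for bulk activity (640 files within fifteen minutes), and bob for stopping the audit log and installing an unapproved package; carol's approved install and dave's three deletions raise nothing. The bulk rule fires once per user so that a single burst does not flood the reporting process, and the per-user summary is what the tracking and reporting step would forward for review.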
Training is necessary to educate all users about human risks, e.g. social engineering attacks and unacceptable employee behavior. Social engineering training should address security practices for recognizing scams and phishing emails and may be accompanied by a test. Should a staff member fail the test, they may be prompted to retake the training until they pass. There should also be training to address physical security and situational awareness. This is an area that many training programs lack, and the repercussions of an attack on an organization's premises, whether resulting in harm to employees or to company assets, are too great to ignore. Clear policy that addresses the acceptable use of company equipment and the ramifications for improper use should also be periodically reviewed. An organizational process should be written and enforced to address response and reporting activities when a staff member witnesses suspicious activity that may indicate an insider threat.
HR and IT must integrate a managed system to respond appropriately to insider behavior. They must identify the timeframe allotted for a staff member to exit the organization (both on the staff member's own accord and in circumstances where termination is immediate) and determine the timeframe within which access (systemwide and to the physical facility) shall be disabled. A notification process must also be implemented to alert other staff of an employee's departure, and an exit interview should be conducted when feasible.
Screening Techniques
Some organizations are quite wary of insider risks and may use a screening process prior to onboarding as a means of eliminating individuals whose qualities deviate from those identified in a common population of candidates. A screening process may be implemented as one type of safeguard. Such screening may include not only background checks but also searches of candidates' social media posts for appropriateness, reference checks, and personality inventories. Personality inventories, however, are controversial in that they are used to profile candidates, categorizing them based on their learning style and qualities such as approachability, openness, communication preferences, cognitive traits, etc. While personality inventories are one tool that can be used to identify potential indicators of gaps in company fit or insider-like qualities, they often exclude talent. It is important to note that there is no one-size-fits-all profile for malicious, complacent, or unintentional insiders, and personality inventories should not be used on their own to rule out or identify insider-like traits.
Additional Considerations for Investigation Sources
Public data about an individual is important because it can be used to assess relevant intelligence sources and evaluate insider threat risks. This may include data posted by a disgruntled employee on a personal social media page. Deep and dark web investigations into criminal activities may also return significant results for tracing the inappropriate distribution of company data and potential acts of espionage.
Engaging with a Potential Insider
When engaging with a potential insider, it is important that the parties who initiate the conversation, such as the IT Manager and HR Executive, are careful not to jump to conclusions. Responses that use loaded, character-based language and judgments should be left to forensic psychologists and professional investigators. Incorporating that type of language into a discussion could greatly insult the staff member on the receiving end, and they may in turn feel empowered to seek vengeance. HR and IT staff involved in insider investigation and interviewing processes must rely upon the facts presented and the measured risks to the organization to communicate and make a reasonable decision. After evaluating the incident variables, e.g. the incident's cause, severity and criminality, the resulting cost to the organization, the likelihood of recurrence, and the employee's performance to date, an informed decision can be made either to terminate the employee or to establish further training designed to help all staff understand the practices essential to their roles and to minimize risks to the organization.
If you suspect an insider threat or have uncovered one in your organization, contact Vestige today for assistance with mitigation and cybersecurity services.