Breach, Threat Intelligence, Data Security, Threat Management

Insider threat fundamentals and mitigation techniques

The famous insider case where two General Electric employees were convicted and sent to prison for stealing trade secrets serves as a reminder of what can happen. Today’s columnist, David Balaban of Privacy-PC, offers insights on how to spot potential insider threats.

Employees may intentionally or unwittingly expose the business to serious security risks. Security manages need to stay on top of insider threats and learn prevention best practices.

While it’s important to secure a digital infrastructure against external adversaries, a lot of the risks occur on the inside. Offensive activity may stem from current personnel, former employees, partners, and third-party contractors. Since these people have access to a good deal of business-critical information, any deviation from corporate policies or deliberate foul play on their end turns the organization into low-hanging fruit for cyber predators and competitors.

Data leaks, privacy violations, unauthorized payments, and interference with the proper functioning of enterprise security solutions are a few common examples of the impact perpetrated by insiders. Obviously, any such incident can turn into a disaster for the company.

What are these individuals driven by? The FBI splits the factors and motives into personal and organizational. The former type spans financial gain, vengeance of disgruntled staff, pursuit of adventure, susceptibility to blackmail, or a desire to satisfy one’s ego. Various addictions and family problems can become catalysts for misconduct like that as well.

Organizational factors are mostly fueled by a lack of employee training on how to handle classified data, inefficient telework policies, and weak countermeasures for exiting the facility with proprietary materials. These slip-ups tend to underlie more serious long-term consequences for the target, such as the theft of intellectual property to help a business rival gain a competitive advantage.

Usual suspects and red flags

Generally speaking, insider threats are a two-pronged phenomenon. They can emanate from people who knowingly undermine the digital and financial well-being of an organization or from negligent employees who do not necessarily mean to cause harm. However, this categorization does not reflect all shades of the issue. Let us get a little more in-depth to explain the big picture.

Staff members who do not follow safe online practices may unknowingly precipitate a situation that plays into an attacker’s hands. They may fall for a phishing scam and disclose their corporate authentication details, download malware disguised as a harmless app, open a booby-trapped email attachment, or send a wire transfer requested by a malefactor impersonating their boss.

There are also rebellious users who hate to go with the flow and love breaking the rules. A person like that will likely turn a blind eye to the fact of their participation in someone’s evil plot, sincerely believing that they are doing something for fun or out of curiosity.

There are also spies working for nation-states who piggyback on their broad access to corporate assets. They aim to amass proprietary data and sabotage the organization from within. These individuals operate in the interest of a third-party, such as an intelligence agency or a competitor or nation-state threat actor seeking to ruin your business.

Lastly, insider threats are often caused by solo offenders who are not in cahoots with a third-party. These perpetrators quietly harvest sensitive corporate data and look for ways to monetize or otherwise mishandle it at a later point. There’s high risk if such a person works on the IT team and has elevated privileges in the network.

Regardless of the scenario, the giveaways are fairly easy to identify. Security pros should become suspicious if any of the following happens: an employee copies confidential files without a specific need; accesses the network remotely during vacation or in off-hours; installs suspicious software on their work computer; purchases things they normally cannot afford; or gets curious about business areas beyond their regular duties.

Thwarting insider threats

To prevent insiders from harming the business, whether on purpose or because of seemingly trivial blunders, security teams should harden the security of the company’ physical and digital corporate assets. First things first, enforce standard operating procedures (SOPs) to ensure employees know and comply with enterprise policies, especially those regarding intellectual property.

Monitor anomalous events, such as the transfers of data beyond employees’ access privileges, unusual attempts to access corporate IT systems remotely, or installation of suspicious apps on company-issued devices. Also, leverage internet security software to detect malware in real-time and enable URL filtering to block credential phishing sites and other dubious resources. Pinpoint and fix network security imperfections using trusted vulnerability management tools.

Err on the side of caution by implementing least privilege so that users cannot access more data than they need for their work. When firing staff, immediately revoke their access to corporate facilities and the computer network. Finally, keep in mind that IT systems are as strong as their weakest link, and human beings are quite often the weakest link.

David Balaban, owner,

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.