Insider Threats and Reducing Risk

According to the 2020 Cost Of Insider Threats Global Report study presented by Ponemon Institute and sponsored by ObserveIT and Proofpoint, insider threat related incidents are averaging a 12-month cost of $11.45M for those organisations polled. You might be thinking that you’re just a small business and you know that known of your employees would be party to a cyber attack, you may want to reconsider.

What is an Insider Threat?

An insider threat isn’t just an employee who wishes to do damage to their company. An insider threat can also be defined as a careless employee, or contractor, as well as any form of credential theft. More generally, an insider threat is any threat that is performed by anyone associated with your organizations who may have inside information (non-public information) regarding your organization’s policies, security practices, data, systems, and even people.

Types Of Insider Threats’ 1

An insider threat goes beyond intentionally taking advantage of access that was legitimately given. Insider threats are broken down into the following three categories:

Negligent InsidersMalicious InsidersInfiltrators
Current or former employees, contractors, or business partners who unknowingly or carelessly make errors, and disregard policies. Current or former employees, contractors or business partners who knowingly disregard policies. and attempt to inflict harm to an organization using the information and access they have available to them. External threat actors who obtain legitimate access to an organization.

Negligent and malicious insiders are more common than infiltrators, however, infiltrators are apt to do much more damage.

Reducing The Risk Of Insider Threats

Insider threats are a risk that your organization can reduce without necessarily spending additional money on security controls. The one commonality between the different categories of insider threats, is people. There are a number of administrative and technical security controls that you can implement today.

Employee Hiring/Termination and Awareness Procedures

  • Have appropriate employee screening during the hiring process for persons who handle sensitive or proprietary data, such as background and credit checks.
  • Processes and procedures for employee termination and offboarding including roles and responsibilities for those involved.
  • Raise awareness to the various types of insider threats to both new and tenured employees.

Access Control

  • Having an appropriate access control strategy documented and reviewed annually, is essential for any information security program, but can also reduce the risk of experiencing an insider threat.
  • Principle of Least Privilege states that each user should only have access to the accounts and services that they need to do their jobs, day-to-day.
  • Separation of Duties is an important concept that encourages the act of access separations based on duties. An example of this is a Desktop Support Analyst having two corporate accounts (joe.analyst & joe.analyst-admin), one account for standard use and the other for elevated/administrator needs.

Device Management

  • Policies and procedures for the appropriate use of company devices and BYOD devices.
  • Ensure that employee devices are keeping logs if audits are needed.
  • Endpoint monitoring or data loss prevention (DLP) technical controls can detect and prevent various insider threat actions.

Third-Party Risk Management

  • Third-party vendors, consultants and clients must not only follow any outlined security policies within your organization, but should also have policies and procedures of their own surrounding insider threats.

1 https://en.wikipedia.org/wiki/Insider_threat