From a disgruntled employee looking to destroy IP, or an opportunist looking to make money by selling data, all the way to a security-naïve worker that might unwittingly let criminals into your network without knowing it, there are dozens of factors that can influence the kind of insider threat you may well face.
Understanding the threat is one of the most difficult parts of managing and mitigating the risk, so I’ve identified five insider threat profiles to show the complexity of the problem.
Dave was a bright employee who simply felt he wasn’t listened to enough. As a lead programmer, he identified a key vulnerability in your company’s software, but the company didn’t think it would become a serious problem and pushed forward with the software’s release.
Frustration turned to anger, and after trying time and time again to get the company’s attention, Dave took it upon himself to destroy the software just to prove a point. This kind of situation is more common than usually thought: broken promises, undervaluing an employee’s opinion, and ignoring sensible advice can lead those on the front line of development to lash out against the company.
In order to detect situations like Dave’s, the first line of defense is often looking out for the human signs of an unhappy employee. If this fails, then companies need to turn to technology to look for behavior on the network that is out of the ordinary.
Is Dave accessing files he usually wouldn’t? Is he logging on to the network at strange hours of the day, or moving large volumes of files all at once? It’s also important to note that your data needs to be monitored at all times: at rest, in transit, and in use, for policy violations.
Depending on the level of violation from Dave, consequences may vary from a verbal warning and closer monitoring, through to dismissal or legal action. Having an insider threat policy in place will help to classify the threat, assess the damage and administer the necessary sanctions. Most importantly though, you want to be able to detect disgruntled employees before they can cause such harm.
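The monitoring described above (unusual files, unusual hours, large transfers, destructive actions) comes down to building a per-user baseline and scoring recent activity against it. The following is an added example, not code from the original article: it parses constructed file-access log lines, builds a baseline of which shares each user touches and when, and reports events that deviate. The log format, user names, share names and thresholds are all assumptions made for illustration; the same check applies to a departing employee such as Quentin later in the article.

```python
"""Behavioural baseline and anomaly scoring over file-access logs.

Added example, not from the original article. The log format, users,
share names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs, one event per line: "timestamp user action share bytes"
BASELINE_LOG = """\
2024-03-04T09:12:00 dave read src/payments 20480
2024-03-04T14:30:00 dave write src/payments 8192
2024-03-05T10:05:00 dave read src/payments 40960
2024-03-05T16:45:00 dave read src/shared-libs 12288
2024-03-06T11:20:00 dave write src/payments 4096
2024-03-06T09:40:00 sandra read docs/marketing 2048
2024-03-07T13:15:00 sandra read docs/marketing 4096
"""

RECENT_LOG = """\
2024-03-11T10:10:00 dave read src/payments 16384
2024-03-11T23:55:00 dave read src/payments 10485760
2024-03-12T00:20:00 dave delete src/payments 0
2024-03-12T00:25:00 dave read hr/salaries 2097152
2024-03-12T11:00:00 sandra read docs/marketing 4096
"""

BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 counted as normal working hours
LARGE_TRANSFER_BYTES = 5 * 1024 * 1024   # a single event moving 5 MiB or more is notable
DESTRUCTIVE_ACTIONS = {"delete"}


def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, share, size = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "share": share,
            "bytes": int(size),
        })
    return events


def build_baseline(events):
    """Per user: the shares they normally touch and the hours they are normally active."""
    baseline = defaultdict(lambda: {"shares": set(), "hours": set()})
    for e in events:
        baseline[e["user"]]["shares"].add(e["share"])
        baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def score_events(baseline, events):
    """Return (user, timestamp, reasons) for every event that deviates from the baseline."""
    findings = []
    for e in events:
        profile = baseline.get(e["user"], {"shares": set(), "hours": set()})
        reasons = []
        if e["share"] not in profile["shares"]:
            reasons.append(f"first access to share {e['share']}")
        if e["ts"].hour not in BUSINESS_HOURS and e["ts"].hour not in profile["hours"]:
            reasons.append(f"activity at unusual hour {e['ts'].hour:02d}:00")
        if e["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append(f"large transfer of {e['bytes']} bytes")
        if e["action"] in DESTRUCTIVE_ACTIONS:
            reasons.append(f"destructive action '{e['action']}'")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


def run():
    """Build the baseline from the first log and score the second against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return score_events(baseline, parse(RECENT_LOG))


if __name__ == "__main__":
    for user, when, reasons in run():
        print(f"{when} {user}: " + "; ".join(reasons))
```

In the constructed data Dave's daytime read of his usual share is not reported, while the late-night 10 MiB read, the delete, and the first-ever access to an HR share are. A real deployment would build the baseline over weeks rather than days and feed these findings into a case-management process, not act on a single hit.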
Sandra the spy
Sandra is just not making enough money in her current job. Confiding in some friends one night in the pub, Sandra is approached by a competitor, who offers her a substantial reward if she can obtain some crucial data about the project that she is about to launch. One night, she downloads the necessary data onto a memory stick, goes back to the pub, and delivers the data to the competitor.
Employees not being happy with the money that they are making is a fact of working life. All it takes is a competitor with fewer morals to offer them a deal that is impossible to resist – or in some scenarios, to plant the spy at a much earlier date within your organization.
Corporate espionage is not an easy thing to detect; the whole point of a spy is to remain under the radar. In order to uncover this kind of behavior, you’ll need technical controls – the more advanced the better. Endpoint monitoring means that if a user connects a USB drive to a workstation on your network, you will know about it and be able to determine which data has been copied or removed. Most of these solutions will include some sort of USB prevention.
Depending on your line of work, Sandra’s actions could be a policy violation, criminal misconduct or even treason (in the case of government officials). Therefore, you’ll need robust cybersecurity to be in place, human resources to gather information and run proceedings, and may even need a legal team and law enforcement on standby. If industrial espionage has indeed taken place, forensic analysis of the systems could provide vital information as to what exactly has happened.
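The endpoint monitoring described above reduces to correlating two kinds of telemetry: device attach/detach events and file writes to the path where the device was mounted. The following is an added example, not the article's or any vendor's code: it reconstructs from constructed endpoint events which files each user wrote to which removable device, and flags devices that are not on an approved list, which is the decision an endpoint control's USB prevention would make. The event schema, host names, serial numbers and allow-list are assumptions for illustration.

```python
"""Correlating endpoint events to reconstruct what was copied to removable media.

Added example, not from the original article. The event schema, serial
numbers, paths and approved-device list are constructed for illustration.
"""
from collections import defaultdict

# Constructed endpoint telemetry, one record per line as key=value fields
ENDPOINT_EVENTS = """\
ts=2024-03-08T18:02:11 host=WS-0417 user=sandra type=usb_attach serial=4C530001 mount=E:\\
ts=2024-03-08T18:03:40 host=WS-0417 user=sandra type=file_write path=E:\\launch\\roadmap.xlsx bytes=1843200
ts=2024-03-08T18:04:02 host=WS-0417 user=sandra type=file_write path=E:\\launch\\pricing.docx bytes=524288
ts=2024-03-08T18:04:30 host=WS-0417 user=sandra type=file_write path=C:\\Users\\sandra\\notes.txt bytes=2048
ts=2024-03-08T18:06:15 host=WS-0417 user=sandra type=usb_detach serial=4C530001 mount=E:\\
ts=2024-03-08T09:15:00 host=WS-0102 user=ops-backup type=usb_attach serial=CORP-BK-01 mount=D:\\
ts=2024-03-08T09:16:00 host=WS-0102 user=ops-backup type=file_write path=D:\\backup\\db.bak bytes=734003200
"""

# Devices the organisation has issued and encrypted; anything else is unmanaged (assumed list).
APPROVED_SERIALS = {"CORP-BK-01"}


def parse_events(text):
    """Parse key=value records into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(field.split("=", 1) for field in line.split(" ") if "=" in field))
    return sorted(events, key=lambda e: e["ts"])


def attribute_removable_writes(events):
    """Map each file write to the removable device mounted at that path on the same host."""
    active = defaultdict(dict)                                   # host -> {mount: serial}
    copies = defaultdict(lambda: {"files": [], "bytes": 0})      # (user, serial) -> summary
    for e in events:
        if e["type"] == "usb_attach":
            active[e["host"]][e["mount"]] = e["serial"]
        elif e["type"] == "usb_detach":
            active[e["host"]].pop(e["mount"], None)
        elif e["type"] == "file_write":
            # Only writes under a currently mounted removable path are attributed.
            for mount, serial in active[e["host"]].items():
                if e["path"].upper().startswith(mount.upper()):
                    entry = copies[(e["user"], serial)]
                    entry["files"].append(e["path"])
                    entry["bytes"] += int(e["bytes"])
                    break
    return dict(copies)


def findings(events, approved=APPROVED_SERIALS):
    """Report copies to devices that are not on the approved list."""
    out = []
    for (user, serial), summary in attribute_removable_writes(events).items():
        if serial not in approved:
            out.append({"user": user, "serial": serial, **summary})
    return out


if __name__ == "__main__":
    for f in findings(parse_events(ENDPOINT_EVENTS)):
        print(f"{f['user']} wrote {len(f['files'])} file(s), {f['bytes']} bytes, to unmanaged device {f['serial']}")
        for path in f["files"]:
            print("  ", path)
```

With the constructed events, the two files written under `E:\` are attributed to the unmanaged device, the write to `C:\` is not, and the backup operator's copy to an approved device is not reported. Keeping the per-device file list is what later lets forensic analysis answer "what exactly left" rather than merely "a USB device was used".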
Caroline is an exemplary employee. She is a vital gear in making sure that the company works properly, but with so much on her plate, she can sometimes be a bit scattered. After all, who has time to remember different passwords for all of the systems she needs to access or double check every link she clicks when programmers, developers and account managers need to be whipped into shape?
Unfortunately, her opportunistic office neighbor is well aware of the fact that she doesn’t often lock her workstation, and that she has all her passwords on a sticky note on her desk. Now they hold all of Caroline’s information, and can choose to do what they want with it.
Caroline is certainly not a malicious actor, nor does she want to cause her organization any harm. She is simply one of the many people who take security shortcuts, which can often end up letting the bad guys into the network.
To help Caroline, educational and technical controls are equally important. On the technical side, the aim is less to detect Caroline’s own activities than to detect the people who may take advantage of her carelessness.
Caroline’s mistakes should be handled through an educational approach, rather than a disciplinary one. Show her what she is doing wrong and ensure that she’s clear about how to avoid making simple, but potentially very damaging, security mistakes going forward.
By implementing some fundamental best practices and a security-aware culture you will help to improve the education of your workforce and catch these cases of careless mistakes before they become problems.
Quentin is a security engineer, and a very popular one at that. He’s proved capable dealing with multiple projects, keeping a large portfolio of clients happy, and handling huge amounts of data. Thing is, he’s had his head turned. With a brand-new position secured (and a nice bump in salary), Quentin decides to copy his client information from the network into his personal cloud storage.
Everyone has a time in their career when they decide to make a change – and often this leads them to pastures new in a different organization. When faced with the impending loss of an employee, organizations need to be aware of who has access to customer data, intellectual property and sensitive technical data.
It’s hard to detect when one of your best people is looking to jump ship, but when they do, that is the time to act. No matter how much you trust and respect them, it’s important to monitor their network behavior to make sure nothing important is leaving with them.
If you detect that something is amiss, you need to be able to revoke any privileges that Quentin has before any more damage can be caused. Deleting their accounts outright may well tip them off that you know something is amiss, but removing permissions on particular file repositories can help stem the bleeding before you approach them for further investigation.
Frank is a customer rep, and he has had enough. Day in, day out he is blamed for every issue a customer has faced while on the phone, and he doesn’t make enough money to justify it. However, he’s been browsing some nefarious websites, and thinks he has come up with a plan to make his working life just that little bit more tolerable.
There is a lucrative trade in personally identifiable information (PII) on the dark web: by collecting the details of the customers he speaks to, Frank can sell them as a CSV file. Frank may well have always had this plan in mind, or been turned to it through circumstance. Regardless, he isn’t particularly difficult to detect, as long as you have the right technology in place.
Dealing with a fraudster will almost certainly require outside help. If someone in your organization has stolen and sold customer PII, they are a criminal, so your best bet is to let the authorities handle the situation once you’ve provided them with adequate proof.
It’s vital to follow procedure and act swiftly in these situations, as the best-case scenario is that data is being sold on the black market – the worst is that you could face a class-action suit for data mismanagement.
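The "right technology" for a case like Frank's is content inspection of data in use or in transit: a bulk export of customer records looks very different from a single lookup. The following is an added example, not the article's own code: it scans a constructed CSV export for e-mail addresses, phone numbers and payment card numbers (with a Luhn check so that arbitrary digit strings are not reported as cards) and raises an alert once the number of PII-bearing records crosses a threshold. The sample rows, patterns and threshold are assumptions for illustration; the card numbers are publicly documented test numbers, not real accounts.

```python
"""Content inspection of an outbound file for bulk PII, a DLP-style check.

Added example, not from the original article. The CSV sample, patterns and
threshold are constructed for illustration; the card numbers are well-known
test numbers that pass the Luhn check and are not real accounts.
"""
import csv
import io
import re

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
PHONE_RE = re.compile(r"^\+?\d[\d\s()-]{8,}\d$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")

# Constructed export of the kind a Frank-style actor might assemble from call records.
OUTBOUND_CSV = """\
ticket,name,email,phone,card
1001,Alice Example,alice@example.com,+44 20 7946 0958,4111 1111 1111 1111
1002,Bob Example,bob@example.org,+1 (555) 010-0199,5500 0000 0000 0004
1003,Internal Note,n/a,n/a,n/a
1004,Carol Example,carol@example.net,+49 30 123456,1234 5678 9012 3456
"""

BULK_THRESHOLD = 3   # records with PII at which a bulk-export alert is raised (assumed)


def luhn_ok(number):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def classify_value(value):
    """Return 'email', 'card', 'phone' or None for a single field."""
    v = value.strip()
    if EMAIL_RE.match(v):
        return "email"
    # Cards are tested before phones because a card number also matches the phone pattern.
    if CARD_RE.match(v) and luhn_ok(v):
        return "card"
    if PHONE_RE.match(v) and 7 <= sum(c.isdigit() for c in v) <= 15:
        return "phone"
    return None


def scan_csv(text):
    """Return, for each row containing PII, the ticket id and which columns hold which PII type."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        kinds = {}
        for col, val in row.items():
            kind = classify_value(val or "")
            if kind:
                kinds[col] = kind
        if kinds:
            rows.append({"ticket": row["ticket"], "pii": kinds})
    return rows


def evaluate(text, threshold=BULK_THRESHOLD):
    """Summarise the scan and decide whether it amounts to a bulk PII export."""
    hits = scan_csv(text)
    kinds = sorted({k for h in hits for k in h["pii"].values()})
    return {
        "records_with_pii": len(hits),
        "pii_types": kinds,
        "alert": len(hits) >= threshold,
    }


if __name__ == "__main__":
    print(evaluate(OUTBOUND_CSV))
```

On the constructed export three of four rows carry PII, so the alert fires; the internal-note row and the Luhn-failing digit string in the last row are not counted as a card. A production control would run this at the egress point (mail, web upload, removable media) and tie the result back to the user session, which is the evidence a legal team and law enforcement will ask for.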
The insider threat is complex
Across all of these profiles, it’s clear that the insider threat poses a significant and complex risk to organizations. If you are going to protect against it adequately, you need a robust understanding of the different types of threat you are going to face, and of the motivations and situations that give rise to them.
With this understanding, and the right tools in place, your business stands a far greater chance of mitigating these threats and keeping your business-critical data safe.