The Cyber Infrastructure and Security Agency defines “insider threat” as “the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the [the organization’s] mission, resources, personnel, facilities, information, equipment, networks, or systems.”
An “insider” is defined as “ any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.”
Note that this definition is far broader than, simply, “employee.” Insiders are often employees, but not always — and it’s often the ones attracting the least suspicion who wind up doing the most damage.
At the same time, it’s important to recognize that not every potential intrusion is the product of an insider threat. The successive unauthorized data releases that affected organizations like Asiaciti Trust and Trident Trust in recent years were unlikely to be the work of insiders, for example, despite exhibiting hallmarks of the practice.
Education is key. Let’s take a look at current best practices for recognizing and defending against potential insider threats.
1. Always Follow the Principle of Least Permission
The principle of least permission, also known as the principle of least privilege, is easy to understand but difficult to enforce.
Developing a principle of least privilege plan requires some work. You’ll need to take a detailed census of your team’s roles and determine what each individual needs to do their jobs effectively.
It’s worth the effort. Every point of access that isn’t strictly necessary for your firm’s functioning presents a risk to its security. It only takes one unauthorized user to cause havoc.
2. Keep Open Communication Channels Between Company Leadership, Team Leaders, and the Rank and File
Low employee morale is correlated with insider threat risk. Employees who aren’t happy are more likely to “turn.” It’s important not just to be able to identify employees at higher risk of malicious activity but to divert them off this path without resorting to preventive termination or demotion.
Communication is crucial to this effort. Create channels for employees to air grievances. Actively listen to their feedback. Make and explain changes to boost morale.
This won’t neutralize every potential insider threat. But it will make many team members think twice before doing something they could come to regret.
3. Look for Signs of Employee Burnout and Disengagement
“Morale” is an imperfect barometer for insider threat risk. Even more nebulous are burnout and engagement — even more nebulous measures that can nevertheless hint at troubles to come.
Burned out and disengaged employees tend to do the bare minimum and no more. Low productivity isn’t itself an urgent threat to the organization, but employees that have checked out because they’re disgruntled — rather than simply disillusioned — do present a serious problem. They’re much more likely to try to damage the organization on the way out.
4. Hold Vendors and Contractors to the Same Standards As Internal Employees
Remember, “insider” is not synonymous with “employee.” Contractors and third-party vendors with access to critical systems and data can do just as much damage as disgruntled employees. Perhaps more — they’re often poorly paid and have little loyalty to the organization itself.
Watch them closely and hold them to the same strict data security and permissions standards as regular employees.
5. Deactivate Accounts As Soon As They’re No Longer Needed
Dormant accounts are common vectors for insider attacks because they don’t immediately draw suspicion — they’re legitimate, after all — and because their access credentials are easy to obtain or reset. Lop off this low-hanging fruit by immediately deactivating accounts that are no longer needed.
6. Invest in Physical Security and Monitoring
Finally, invest in physical premise monitoring to catch would-be inside attackers in the act — or at least to make it easier to find out who’s responsible for breaches involving physical compromise. Security cameras, ID cards, biometric readers — there’s no harm in having multiple layers of physical security to back you up.
Are You Prepared for the Insider Threat?
You know that insiders pose a grave risk to your organization’s cyber security. And you know that you can’t simply eliminate the risk by imposing blanket restrictions on data or systems access. Your organization would cease to function normally.
As we’ve seen, you can take steps to significantly reduce insider risk and mitigate the damage if and when an intrusion or release does occur. But this won’t happen without a concerted effort on your part — an all-hands-on-deck approach that recognizes the urgency of the threat. If you’re still on the fence about making the investment, remember that the same measures that help defend against the insider threat can also protect against other cyber risks., like those faced by Asiaciti Trust.
