Insider Threats: How to Stop the Most Common and Damaging Security Risk You Face

Insider Threats: How to Stop the Most Common and Damaging Security Risk You Face

Since each insider threat is very different, preventing them is challenging.

Insider threats continue to make news. In the fall of 2018, a senior scientist from Genentech was indicted for stealing trade secrets to give to a rival firm in Taiwan and later that year, Legacy Health announced it had suffered a data breach exposing the medical records of 38,000 patients were taken via a phishing attack against one of its employees.

While we may be distracted by ransomware or cryptojacking, insider threats are a much bigger issue. And while they have gone on for years, there are ways to mitigate risk and respond.

What is an insider threat?

An insider threat is malicious activity against an organization that comes from people within. The usual suspects are employees or contractors with access to an organization’s network, applications or databases.

Are insider threats always theft?

Actions that could negatively impact an organization falls into the insider threat category. These include sabotage, fraud, and espionage. Typically, insiders carry out their plans via abuse of access rights – both physical and online.

The types of insiders who are threats

Organizations that are looking to stop insider threats need to understand the three different types of insiders and their motives. Since they are each very different, preventing them is also different.

Malicious Insider –an employee or contractor who knowingly looks to steal information or disrupt operations.

This type of individual typically has two motives: stealing information to sell or advancing their career. These attacks may involve theft of intellectual property, where they would give it to a competing organization to hurt their own. Or they are looking for a way to punish or embarrass their employer.

Negligent Insider – an employee who does not follow proper IT procedures is considered a negligent insider.

This may be as simple as someone who leaves their computer without logging out or anyone who does not change default passwords.

Compromised Insider – an employee whose computer has been infected with malware is the most common example.

These employees are typically infected via phishing scams or by clicking on links that cause surreptitious malware downloads. Compromised devices can be used as a “home base” for cybercriminals. From there they can scan file shares, escalate privileges and more.

How are employees compromised

Here’s how an employee can become a compromised insider:

Phishing – a cybercrime in which a target individual is contacted via email or text message by someone posing as a legitimate institution in order to lure the individual into providing sensitive data.

Malware infection – a cybercrime when a machine is infected with malicious software – malware – infiltrates your computer. The goal of the malware in the case of a compromised insider is to steal sensitive information or user credentials.

Credential theft – a cybercrime aimed at stealing the username and password – the credentials – of a targeted individual. Credential theft can be done in a variety of ways. Phishing and malware infection, mentioned above, are common.

Pass-the-hash – a more advanced form of credential theft where the hashed – encrypted or digested – authentication credential is intercepted from one computer and used to gain access to other computers on the network.

Detecting insider threats

Being proactive and observing user behavior may allow organizations to catch potential malicious insiders before they disrupt operations.

Risk signs include

  • Employee’s interest in matters outside their duties
  • Working odd hours without authorization
  • Excessive negative commentary about the organization
  • Individuals who exhibit signs of drug or alcohol abuse, financial difficulties, gambling, and poor mental health

HR and IT security teams should be vigilant in the wake of significant organizational events, such as a layoff or if an employee believes they are going to receive a promotion and do not. Most important is coordination between HR and IT security around these events.

IT security should observe how users are behaving online in any of the above scenarios. Employees and contractors may exhibit online behaviors that tip off the security team. In the case of compromised users, there will likely be unusual access patterns that can be spotted.

How to prepare for insider threats

There are many things an organization can do to combat insider threats including:

Train Your Employees. Conduct regular anti-phishing training. The most effective technique is for the organization to send phishing emails to its users and focus training on those users who do not recognize the email as a phishing attempt. Organizations should also train employees to spot risky behavior among their peers and report it to HR or IT security.

Coordinate IT Security and HR. There is no shortage of stories about IT security teams that were blindsided by layoffs. Coordination between the CISO and head of HR can help prepare IT security. HR can advise IT security about certain employees that were passed over for promotion or not given a raise and put them on a watch list.

Build a Threat Hunting Team. Rather than reacting to incidents after they are discovered, threat hunting takes a proactive approach. Dedicated individuals on the IT security team look for telltale signs, such as those listed above, to head off disruption before it occurs.

Employ User Behavioral Analytics. User Behavior Analytics (UBA), also known as User and Entity Behavior Analytics (UEBA), is the tracking, collecting, and analyzing of user and machine data. Using various analytical techniques, UBA determines normal from anomalous behaviors. This is typically done by collecting data over a period of time to understand what normal user behavior looks like, then flagging behavior that does not fit that pattern. UBA can often spot unusual online behaviors – credential abuse, unusual access patterns, large data uploads – that are telltale signs of insider threats. UBA can spot these unusual behaviors among compromised insiders long before criminals have gained access to critical systems.

By better understanding the different types of insiders and the behaviors they exhibit, organizations can be better prepared to fight these threats. A combination of training, organizational alignment, and technology is the right approach.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3