It’s easy to look outward at threats pertaining to your business, but what about those that exist within? Insider threats are increasingly having a negative impact on Australian businesses, so it pays to ensure you’re giving them the proper consideration they require.
What is an insider threat?
From an IT perspective, an insider threat is any cyber security threat that occurs due to the actions (intentional or accidental) of internal resources – your people, for example, current or past employees or contractors, essentially anyone with access to your systems.
The compromised employee
These employees generally tend to be completely innocent and unaware of the fact that they’ve compromised the security of your business, but they’re also the most common type of insider threat. For this reason, they are often the biggest concern for CISOs. They often won’t be aware of the fact that they’re compromised, and you likely won’t either. Accidental clicks on a phishing email can easily bring down a business without the user ever intending on causing harm.
The malicious insider
A malicious insider is anyone that has legitimate access to your systems and/or data and uses that access in a way that harms your business. Most commonly, this is done as revenge, for financial gain or coercion or the sake of ego. Malicious attacks can be harder to spot than those caused by a compromised employee as the malicious attacker may be better equipped to cover up after themselves.
This kind of attack can cause damage to the reputation of your business, cause your system to work ineffectually, be a way to access IP for sale or to install malware for future use.
Indicators of insider attacks:
There are a few key indicators when it comes to recognising potential insider threats. Not all of these are a definite sign that an incident will occur, but they are a good guide in terms of what kind of activity may be a sign of trouble ahead, especially if an employee falls into one of the below categories:
- Employee leaving the business: this can be the termination of employment instigated by either party.
- An unhappy employee: they might be picking fights with their colleagues, disagreeing with company policy or just be noticeably less enthusiastic about their work.
- Odd work hours: it’s becoming more common for Australian workplaces to allow (and sometimes even encourage) flexible working, but if there is one employee that consistently stays back in the office hours after the rest of the team have left for the day, this might be a sign that something is up.
How do you detect insider threats?
It feels like the right thing to do, to trust your employees implicitly. But doing so can cause irreparable damage to your business, or at the very least, some serious embarrassment. Sage, an accounting and HR software company in the UK, suffered an attack when an employee tried to steal the data from almost 300 of their clients. She was able to do so by using unauthorised access to steal information including bank account details.
Another example of an insider wreaking havoc is the Capital One data breach case in the US last week, which was orchestrated by one of their engineers. The employee exposed 140,000 Social Security numbers and around 80,000 linked bank account numbers after she was able to exploit a flaw in an application firewall.
Along with being aware of the potential indicators listed above, this could have been prevented by restricting employee access levels across the business and setting measures in place that alert your IT team if an unauthorised employee accesses parts of the system that are not within their normal business process. The more visibility there is across employee and contractor activity, the better placed your business will be to build out an alert system that flags any unusual activity before it becomes a business-limiting issue.
Our team of cyber security experts are always here to help you create your own processes for insider threat protection.
If you liked this article, you may also like:
The challenges of running a modern Security Operations Centre
The IT manager’s survival guide for the future: our top five tips
Action plan: what to do when your devices are lost or stolen