
Insight

Mitigating Insider Threats

By Adam Rauf


While many organizations are focused on threats from external actors, one consideration that is often lower on the priority list, and should not be, is insider threats. An insider threat is the risk posed by an individual who has been entrusted with access to or knowledge of an organization’s operational components, personnel, physical assets, networks, systems or technology. These individuals may include current or former employees, vendors, suppliers, investors, business partners or other third-party collaborators. Because they already hold legitimate access to sensitive information and resources, insiders bypass many of the perimeter controls built to stop outsiders; an insider incident can compromise an organization’s most valuable assets and leave it more exposed to further cyberattacks.

According to the 2023 Verizon Data Breach Investigations Report (DBIR), approximately 19% of security incidents are caused by insider threats.

There are three main types of insider threats: negligent employees, malicious insiders and third-party collaborators.

  1. Negligent employees—This type of insider threat consists of untrained or careless employees who unintentionally expose an organization’s information and assets to unauthorized parties. Negligent employees may lack the experience, awareness or attentiveness needed to recognize a security exposure, making them more error-prone and easier for cybercriminals to manipulate (for example, through phishing). These individuals represent the most prevalent type of insider threat; IBM has reported that human error is a contributing factor in nearly all (95%) of recorded cyber incidents.

  2. Malicious insiders—Unlike negligent employees, malicious insiders act intentionally. These individuals, usually current or former employees, knowingly abuse their knowledge of or access to an organization’s information and assets to cause harm. They are often motivated by financial or professional gain, or by a desire for revenge against the company for perceived wrongdoing.

  3. Third-party collaborators—This type of insider threat pertains to individuals who are not formal members of an organization but have still been given confidential information about, or some level of access to, company data and resources, such as suppliers, vendors or other contractors. Their access is frequently provisioned less rigorously than employee access and is easy to forget about, so it must be reviewed regularly and revoked when the engagement ends.

Conducting a risk assessment: A critical step to mitigate insider threats
Before organizations can implement steps to mitigate insider threats, they must first conduct a risk assessment that analyzes and documents their unique insider threat exposures and outlines the potential ramifications of an insider incident. The assessment starts with identifying critical assets and the weaknesses that could expose them. Phishing and social engineering training should also cover how to identify and report potential insider threat activity.

Critical assets are any protected information or items that, if stolen, damaged, modified or otherwise diminished in value, would no longer be private or properly available to the organization and would consequently severely impair its ability to uphold essential operations, services and business functions. Critical assets include but are not limited to intellectual property, corporate financial data, source code, personally identifiable information (PII) and authentication credentials.

In addition to identifying critical assets, organizations should assess whether any aspects of their operations carry technical vulnerabilities an insider could exploit. Key examples include outdated systems, unpatched software, flat (unsegmented) networks, weak authentication or access controls (for example, no multifactor authentication or shared accounts), unencrypted data and poor security awareness.

As a rule of thumb, organizations should give employees and third-party collaborators access only to the systems, networks, data, technology and other resources necessary to perform their key job functions. This concept, commonly known as the principle of least privilege (POLP), limits the damage an insider can do with their own account, and limits what an external attacker gains by compromising that account, because neither can reach information and assets the account was never granted.
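To make the principle concrete, here is an added example in Python (not code from the original article). It compares the permissions actually granted to each account against what the account’s assigned roles require and flags the drift so it can be removed, and it implements a dual-control approval of the kind used for payment-detail changes. The role names, users, permissions and grants are constructed sample data.

```python
"""Least-privilege drift audit and dual-control check (added example, not
from the original article). All users, roles and grants are constructed."""

# Role -> permissions the role legitimately needs (constructed sample data).
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoices:read", "invoices:create"},
    "ap_manager": {"invoices:read", "invoices:approve", "vendors:update_bank"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "contractor_qa": {"repo:read", "ci:run"},
}

# User -> assigned roles (constructed).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "erin": {"ap_manager"},
    "carol": {"developer"},
    "dave": {"contractor_qa"},
}

# User -> permissions actually present in the system, as an IAM export would
# show them. Three entries deliberately exceed the role (constructed drift).
GRANTED = {
    "alice": {"invoices:read", "invoices:create", "vendors:update_bank"},
    "bob": {"invoices:read", "invoices:approve", "vendors:update_bank"},
    "erin": {"invoices:read", "invoices:approve", "vendors:update_bank"},
    "carol": {"repo:read", "repo:write", "ci:run", "prod:db_admin"},
    "dave": {"repo:read", "ci:run", "repo:write"},
}


def required_permissions(user):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def excess_permissions(user):
    """Permissions granted to the user that no assigned role requires."""
    return GRANTED.get(user, set()) - required_permissions(user)


def audit(users=None):
    """Map each over-privileged user to its sorted excess permissions."""
    findings = {}
    for user in (users or USER_ROLES):
        extra = excess_permissions(user)
        if extra:
            findings[user] = sorted(extra)
    return findings


def is_authorized(user, permission):
    """RBAC decision: a stray grant that no role requires does not authorize."""
    return permission in required_permissions(user)


def approve_bank_change(vendor, requester, approvers, callback_verified):
    """Dual control for vendor bank-detail changes: the requester cannot
    approve their own request, two distinct approvers holding the
    vendors:update_bank permission are needed, and a call-back to a
    known-good number must already have been completed."""
    if not callback_verified:
        return False, "call-back to known-good number not completed"
    distinct = {a for a in approvers if a != requester}
    authorized = [a for a in distinct if is_authorized(a, "vendors:update_bank")]
    if len(authorized) < 2:
        return False, "needs two authorized approvers other than the requester"
    return True, f"bank details for {vendor} updated"


if __name__ == "__main__":
    for user, extra in audit().items():
        print(f"{user}: remove {extra}")
    print(approve_bank_change("ACME Supplies", "alice", ["bob", "erin"], True))
```

Running the audit against a real IAM or directory export is the practical form of the periodic access review that RBAC depends on. `is_authorized` deliberately consults the role model rather than the raw grant, so a stray grant the audit finds cannot be used until someone deliberately adds it to a role.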

Principle of Least Privilege (POLP) approach
There are several POLP-related policies and procedures that organizations can use to enforce adequate access controls and reduce the likelihood of an insider causing widespread damage across critical IT infrastructure, including the following:

  • Role-based access controls (RBAC) - With RBAC, permissions are granted to defined roles rather than to individuals, and each employee and third-party collaborator is assigned the roles that match their responsibilities, making it evident which resources they need to complete essential tasks. Each role’s privileges and limitations should be documented and updated as responsibilities change, and role assignments should be reviewed periodically, and removed promptly when someone leaves or changes jobs, so that access does not accumulate over time.

    • Additionally, to reduce the likelihood of successful wire or electronic funds transfer (EFT) fraud, implement a checks-and-balances procedure for changing wire transfer or EFT payment information. This should include a call-back to a known-good phone number already on file for the requester (never a number supplied in the request itself) and review by at least two individuals to validate the authenticity of the request before making the change. Treat email or phone requests from unauthenticated sources with suspicion, and make sure phishing and social engineering training covers business email compromise (BEC) attacks of this kind.

  • Network safeguards - Network segmentation divides a larger network into smaller segments (also called subnetworks) using routers, VLAN-capable switches and firewalls, allowing organizations to monitor and control the flow of traffic between segments. Segmentation can also improve network performance and help localize technical issues and security threats. Network segregation goes further and isolates crucial networks (i.e., those containing sensitive data and resources) from external networks such as the internet. Segregation lets organizations apply additional security controls and access restrictions within their most critical networks, making it harder for an insider, or an attacker using an insider’s account, to move laterally into them.

  • Data Loss Prevention (DLP) – A DLP tool inspects data in motion and at rest (email, web uploads, cloud storage, removable media and endpoints) against content rules and can help prevent unintended or unauthorized disclosures. Rules can match keywords, classification labels or patterns such as Social Security or payment card numbers, and can enforce encryption, or block the transmission outright, when sensitive data types such as PII or protected health information (PHI) are detected.

  • Data Classification – Alongside DLP, classifying or tagging data identifies files that are sensitive in nature and lets access logging follow the label, producing an audit trail of who created a file, when it was last accessed and who has access to it, as well as a record of unauthorized access attempts. Classification goes hand-in-hand with data encryption policies, since the label can determine which files must be encrypted.

  • User and Entity Behavior Analytics (UBA/UEBA) – Baselining and monitoring user behavior may appear invasive to some users, but it can identify both insider threats and external threat actors operating with stolen credentials. UEBA complements conditional access policies, since the same telemetry feeds both: logins at unexpected times or from unexpected locations, unusual file access, abnormal upload/download volumes and more. Do not forget netflow analysis; network traffic volumes can reveal data being staged or exfiltrated even when endpoint logging is incomplete.
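The DLP and data classification bullets above describe a content-rule decision; the following is an added Python example (not code from the original article) of that decision for outbound mail. It detects Social Security and payment card number patterns (with a Luhn check to reduce false positives), consults a classification label, and returns block, encrypt or allow. The internal domain, the label names and the sample messages are assumptions constructed for illustration.

```python
"""Content-rule DLP decision for outbound mail, driven by classification
labels (added example, not from the original article). The domain, labels
and messages are constructed for illustration."""
import re

INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain

# U.S. SSN shape with the structurally invalid ranges excluded to cut noise.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum; filters order numbers and the like out of card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return {'ssn': [...], 'card': [...]} for content-rule hits."""
    hits = {"ssn": [m.group() for m in SSN_RE.finditer(text)], "card": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits["card"].append(digits)
    return hits


def is_external(address):
    """True when the recipient's domain is not the organization's own."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def decide(message):
    """Policy: Restricted-labelled content never leaves the organization;
    PII/card patterns leaving the organization are forced to encryption;
    everything else is allowed (hits are still returned for logging)."""
    external = [r for r in message["to"] if is_external(r)]
    hits = find_sensitive(message["subject"] + "\n" + message["body"])
    label = message.get("classification", "Public")
    if external and label == "Restricted":
        return "block", hits
    if external and (hits["ssn"] or hits["card"]):
        return "encrypt", hits
    return "allow", hits


SAMPLE_MESSAGES = [  # constructed messages, one per policy outcome
    {"to": ["payroll@vendor.example"], "subject": "Onboarding",
     "body": "New hire SSN 123-45-6789, start Monday.",
     "classification": "Internal"},
    {"to": ["partner@other.example"], "subject": "Roadmap",
     "body": "Attached: 2025 product roadmap.",
     "classification": "Restricted"},
    {"to": ["finance@corp.example"], "subject": "Refund",
     "body": "Card 4111 1111 1111 1111, order 4111 1111 1111 1112.",
     "classification": "Internal"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        action, hits = decide(msg)
        print(f"{msg['subject']}: {action} {hits}")
```

The third message shows why the Luhn check matters: two sixteen-digit strings appear, but only the one that passes the checksum is reported as a card number, and because the recipient is internal the mail is allowed while the hit is still available for the audit trail.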
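For the UEBA bullet, here is an added Python example (not code from the original article) of the detection logic it describes: a per-user baseline is learned from historical log lines (hours at which logins occur, and per-day file access counts and upload volumes), and the day's lines are then scored against it for off-hours logins and volume outliers. The log format, the user names and the history itself are constructed for illustration.

```python
"""UEBA-style baselining and anomaly detection over constructed log lines
(added example, not from the original article). The log format and the
users are assumptions; the history is generated in-line."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


def parse(line):
    """Parse 'ts user=.. event=.. k=v ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["attrs"] = dict(kv.split("=", 1) for kv in rec.pop("rest").split())
    return rec


def _stats(per_day):
    values = list(per_day.values()) or [0]
    return statistics.mean(values), statistics.pstdev(values)


def build_baseline(history):
    """Per user: hours at which logins were seen, and per-day mean/stdev of
    file accesses and uploaded bytes, learned from historical lines."""
    hours = defaultdict(set)
    files = defaultdict(lambda: defaultdict(int))
    upload = defaultdict(lambda: defaultdict(int))
    for rec in filter(None, map(parse, history)):
        user, day = rec["user"], rec["ts"].date()
        if rec["event"] == "login":
            hours[user].add(rec["ts"].hour)
        elif rec["event"] == "file_access":
            files[user][day] += 1
        elif rec["event"] == "upload":
            upload[user][day] += int(rec["attrs"].get("bytes", 0))
    users = set(hours) | set(files) | set(upload)
    return {u: {"hours": hours[u], "files": _stats(files[u]),
                "upload": _stats(upload[u])} for u in users}


def zscore(value, mean_std):
    mean, std = mean_std
    if std == 0:  # no variance in history: anything above the mean is new
        return float("inf") if value > mean else 0.0
    return (value - mean) / std


def detect(lines, baseline, z_threshold=3.0):
    """Return (user, rule, detail) alerts for the given day's lines."""
    alerts, files, upload = [], defaultdict(int), defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        user = rec["user"]
        if user not in baseline:
            continue  # accounts with no history need a separate policy
        if rec["event"] == "login" and rec["ts"].hour not in baseline[user]["hours"]:
            alerts.append((user, "off_hours_login", rec["ts"].isoformat()))
        elif rec["event"] == "file_access":
            files[user] += 1
        elif rec["event"] == "upload":
            upload[user] += int(rec["attrs"].get("bytes", 0))
    for counter, rule, key in ((files, "file_access_volume", "files"),
                               (upload, "upload_volume", "upload")):
        for user, value in counter.items():
            z = zscore(value, baseline[user][key])
            if z > z_threshold:
                alerts.append((user, rule, f"{value} vs baseline, z={z:.1f}"))
    return alerts


def constructed_history(users=("alice", "bob"), days=20):
    """Synthetic normal activity: office-hours logins, about 15 file accesses
    and about 9 MB uploaded per day, with small daily variation."""
    lines = []
    for d in range(1, days + 1):
        for u in users:
            lines.append(f"2024-02-{d:02d}T{8 + d % 3:02d}:15:00Z user={u} event=login src=10.0.3.12")
            lines += [f"2024-02-{d:02d}T10:00:00Z user={u} event=file_access path=/fin/q1.xlsx"] * (14 + d % 3)
            lines.append(f"2024-02-{d:02d}T11:00:00Z user={u} event=upload bytes={8_000_000 + d % 4 * 1_000_000} dst=sharepoint.example")
    return lines


TODAY = [  # constructed: alice logs in at 02:13, pulls 60 files, uploads 900 MB
    "2024-03-04T02:13:07Z user=alice event=login src=10.0.3.12",
    *["2024-03-04T02:20:00Z user=alice event=file_access path=/fin/payroll.xlsx"] * 60,
    "2024-03-04T02:50:00Z user=alice event=upload bytes=900000000 dst=transfer.example",
    "2024-03-04T09:05:00Z user=bob event=login src=10.0.3.40",
    *["2024-03-04T09:30:00Z user=bob event=file_access path=/fin/q1.xlsx"] * 15,
    "2024-03-04T11:00:00Z user=bob event=upload bytes=9000000 dst=sharepoint.example",
]

if __name__ == "__main__":
    for alert in detect(TODAY, build_baseline(constructed_history())):
        print(alert)
```

Alice triggers all three rules while Bob, whose day matches his history, triggers none. A real deployment would feed the same alerts into conditional access (for example, requiring step-up authentication after an off-hours login) and would treat a zero-variance baseline and accounts with no history explicitly, as the two comments mark.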

Because confidential company information is commonly targeted during insider events, organizations need to ensure sufficient data safeguards. Potential data safeguards for companies to consider include:

  • Data backups - Routinely backing up critical data to separate locations helps organizations keep access to this information even when an insider attempts to steal, damage or destroy the original copies. Make sure that access to backups requires MFA, is limited to a small set of named individuals, and is logged to your SIEM or UEBA tool, and enable immutability so that backups cannot be altered or deleted during their retention period, even by an administrator.

  • Data encryption - Encryption converts files, records or other information into an encoded format that is unreadable without the corresponding key; only the encryption key can return the data to its original form. Because of this, key management (who can use the keys, where they are stored and how that use is logged) matters as much as the encryption itself: an insider who holds both the data and the key has defeated the control.

Alliant Cyber helps clients identify, evaluate, remediate, transfer and respond to the cyber risks that matter most to their organization, while driving optimized cyber risk management and insurability outcomes. For more information, please contact a member of the Alliant Cyber team.

Alliant note and disclaimer: This document is designed to provide general information and guidance. Please note that prior to implementation your legal counsel should review all details or policy information. Alliant Insurance Services does not provide legal advice or legal opinions. If a legal opinion is needed, please seek the services of your own legal advisor or ask Alliant Insurance Services for a referral. This document is provided on an “as is” basis without any warranty of any kind. Alliant Insurance Services disclaims any liability for any loss or damage from reliance on this document.