Articles from SMP Risks Managed

Insider Threats


by Jason Mortimer

The Insider Threat is the soft underbelly of many organisations.

The Negligent Insider is the root cause of most incidents.

Most incidents are caused by insider negligence. Specifically, the careless employee or contractor was the root cause of almost 64% (2,081 of the 3,269) of incidents reported over a 12-month period in a study with 159 different company participants across many industry sectors (e.g. Financial Services, Energy Providers, National Infrastructure, Commerce etc.). The most expensive incidents are due to imposters stealing credentials, and these were the least reported.

There were a total of 440 incidents involving stolen credentials. Organisational size and industry type affect the cost per incident. Phishing emails carrying malware, infected removable media and ignoring security measures are some of the main ways an individual will put their organisation’s network in jeopardy. Downloading untrusted software or content from the Internet and clicking on untrusted links that deliver malware are easy traps for those individuals who flout the organisation’s policies on computer usage. It is equally important to harden networks with physical as well as logical measures. A strong password policy should be implemented and enforced, alongside robust and enforced acceptable use policies. Reliable hardware firewalls, sandboxing, a well-monitored IDS and the use of virtual machines can all help to create a better network environment. Policing the network and monitoring its use can go some way towards alleviating the threat, but if your security culture is poor and your security measures are worked around, then you will become a victim at some point.

Criminal or Malicious Insiders.

Criminal or malicious insiders, who are trusted employees with access to critical systems and data, pose a serious threat, especially if they have elevated access rights and can cover their tracks (i.e. delete log events to remain undetected). They will steal, disrupt, deface or delete data by any means possible. A disgruntled employee can soon become a malicious insider.

All Insiders.

All insiders can cause financial and reputational damage by stealing, or inadvertently exposing, the assets they have access to, whether financial data, sensitive data or intellectual property. This witting or unwitting abuse of access becomes a destructive cyber threat if that privileged knowledge provides the platform to facilitate or launch an attack that disrupts or degrades critical services on a network, steals from the organisation or wipes data from its network.

Insider Threat is increasing.

Since 2016 the average number of incidents involving employee or contractor negligence has increased by nearly 30%. The average number of credential theft incidents has tripled over the past two years, from 10% to 30%.

Containing Insider Incidents

It takes an average of more than two months to contain an insider incident: in the study, the average was 73 days, and only 16% of incidents were contained in less than 30 days.

Detecting Insider Activity

Detecting insiders is difficult if your network and systems are not monitored and locked down appropriately. Those with privileged user access should be screened more rigorously than normal users and have their access reviewed regularly. Having unnecessary system administration accounts is risky, and allowing any one individual supreme access is dangerous. Administrators should monitor administrators to ensure that log activity is not being deleted deliberately to cover nefarious activity. Administrators should never use their admin accounts for normal work; they should have a normal user account for that. Admin accounts should only be used for specific pieces of work, and that use should be transparent and traceable at all times.
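The three controls in the paragraph above (watching for deleted audit logs, pruning privileged accounts that nobody has approved, and keeping admin accounts to specific, traceable pieces of work) can be turned into simple review rules. The following is an added example, not code from the article or from SMP Risks Managed; the key=value log format, the hostnames, the account names, the `adm_` naming convention and the change-ticket ids are all constructed for the example and do not come from any real product.

```python
"""Added example (not from the article): review rules for the controls the
section describes. Log format, hosts, accounts and ticket ids are constructed."""

from dataclasses import dataclass

# Constructed approved inventory: privileged account -> named owner.
# A privileged account not listed here is "unnecessary" in the article's terms.
APPROVED_ADMIN_ACCOUNTS = {
    "adm_jsmith": "J. Smith",
    "adm_rlee": "R. Lee",
}

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z host=dc01 event=logon user=adm_jsmith type=interactive ticket=CHG-1042
2024-03-04T09:40:13Z host=fs01 event=audit_log_cleared user=adm_rlee ticket=-
2024-03-04T10:02:45Z host=ws-22 event=logon user=adm_rlee type=interactive ticket=-
2024-03-04T11:15:00Z host=ws-07 event=logon user=adm_legacy type=interactive ticket=-
2024-03-04T11:30:00Z host=ws-07 event=logon user=jsmith type=interactive ticket=-
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    host: str
    timestamp: str


def parse_line(line: str) -> dict:
    """Parse one constructed log line: first token is the timestamp, the rest key=value."""
    parts = line.split()
    fields = {"timestamp": parts[0]}
    for token in parts[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_privileged(user: str) -> bool:
    """Privileged accounts are recognised by the constructed 'adm_' prefix
    or by being listed in the approved inventory."""
    return user.startswith("adm_") or user in APPROVED_ADMIN_ACCOUNTS


def review_log(text: str, inventory: dict) -> list:
    """Apply the three review rules to every line and return the findings in log order."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, host, ts = ev.get("user", "?"), ev.get("host", "?"), ev["timestamp"]
        # Rule 1: a cleared audit log is always surfaced, so that a second
        # administrator sees it rather than the person who cleared it.
        if ev.get("event") == "audit_log_cleared":
            findings.append(Finding("audit_log_cleared", user, host, ts))
            continue
        if ev.get("event") != "logon" or not is_privileged(user):
            continue
        # Rule 2: a privileged account that is not in the approved inventory.
        if user not in inventory:
            findings.append(Finding("unapproved_privileged_account", user, host, ts))
            continue
        # Rule 3: an approved admin account used with no change record, i.e. not
        # for a specific, traceable piece of work (typical of routine use).
        if ev.get("ticket", "-") == "-":
            findings.append(Finding("privileged_logon_without_ticket", user, host, ts))
    return findings


def users_who_cleared_logs(findings: list) -> list:
    """Accounts that cleared an audit log; these deserve a second administrator's review."""
    return sorted({f.user for f in findings if f.rule == "audit_log_cleared"})


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, APPROVED_ADMIN_ACCOUNTS):
        print(f"{f.timestamp} {f.rule:32} user={f.user} host={f.host}")
```

On the constructed sample, the first logon is clean because it is an approved account tied to a change ticket; the review flags the cleared audit log, the same admin account then logging on with no ticket, and a privileged account that appears in no inventory, while the ordinary user account produces nothing. The rules are deliberately independent of any vendor log schema; in practice the parser is the part that changes.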

This isn't an easy task in big organisations with large, complicated networks and multiple system administrators, but it is a situation that can't be ignored and has to be acted upon. A cost-benefit analysis has to be carried out, weighing the risks of compromise, theft, reputational damage etc. against the business benefits.

The following methodology can be used for dealing with the Insider Threat, pre- and post-incident, including the areas where costs to recover fully will be incurred:

Monitoring and surveillance: Activities that enable an organisation to reasonably detect and possibly deter insider incidents or attacks. This includes allocated (overhead) costs of certain enabling technologies that enhance mitigation or early detection.

Investigation: Activities necessary to thoroughly uncover the source, scope, and magnitude of one or more incidents.

Escalation: Activities taken to raise awareness about actual incidents among key stakeholders within the company. The escalation activity also includes the steps taken to organize an initial management response.

Incident response: Activities relating to the formation and engagement of the incident response team including the steps taken to formulate a final management response.

Containment: Activities that focus on stopping or lessening the severity of insider incidents or attacks. These include shutting down vulnerable applications and endpoints.

Lessons Learned: Activities to help the organisation minimise potential future insider-related incidents and attacks. It also includes steps taken to communicate with key stakeholders both within and outside the company, including the preparation of recommendations to minimise potential harm.

Remediation: Activities associated with repairing and remediating the organisation’s systems and core business processes. These include the restoration of damaged information assets and IT infrastructure.

In addition to the above process-related activities, organisations often experience external consequences or costs associated with the aftermath of incidents.

Research shows that four general cost activities associated with these external consequences are as follows:

Cost of information loss or theft: Loss or theft of sensitive and confidential information because of an insider attack. Such information includes trade secrets, intellectual property (including source code), customer information and employee records. This cost category also includes the cost of data breach notification if personal information is wrongfully acquired. (See GDPR-related advice.)

Cost of business disruption: The economic impact of downtime or unplanned outages that prevent the organisation from meeting its data processing requirements.

Cost of equipment damage: The cost to remediate equipment and other IT assets because of insider attacks to information resources and critical infrastructure.

Lost revenue: The loss of customers (churn) and other stakeholders due to system delays or shutdowns caused by an insider attack. To extrapolate this cost, use a shadow costing method that relies on the “lifetime value” of an average customer as defined for each participating organisation.