Insider Threats: Identification, Detection and Protection

Insider threats are any vulnerabilities that exist as a byproduct of human factors originating from within an organization. According to many authorities on the subject, including the U.S. Government’s Cybersecurity and infrastructure Security Agency, these threats are best defined as the potential for an insider to abuse their access to information, people, and networks in a way that might bring serious harm to the company, its staff, or its stakeholders.

Threat types are multifaceted.

Insider threats take many forms. Yet despite the seemingly countless examples of security breaches possible from among the rank and file, most instances fall neatly within one of three categories.

Intentional Actors

Intentional actors are those who work within a company and actively seek to disrupt it. Many of these individuals develop ill will against their employers over matters related to pay, lack of recognition, denial of benefits, or similar issues. An intentional actor’s motivation is hardly ever random and is often traceable back to a single upset or small list of grievances. These individuals are highly susceptible to outside influence, which could drive them toward vindictive activities, such as corporate espionage. A famous example is the 1997 Kodak case, during which a former employee was convicted of having stolen several million dollars’ worth of equipment and documents from the photography tycoon, compromising Kodak’s reputation an

d bottom line in the process.

Unintentional Actors

Unintentional actors are those who work within a company but do not harbor malicious intent. In fact, most unintentional actors become a risk to their parent organization simply out of carelessness, recklessness, or negligence. This type of insider threat is best characterized by the employee who loses their access badge, holds open the door to a secure area for a stranger, or falls victim to any number of social engineering tricks. Unintentional actors are often used as accessories to crimes; they are rarely the perpetrators themselves. A famous, historical example of the fallout from an unintentional actor took place in 2015, when both Facebook and Google were subject to a massive phishing attack. Employees – the unintentional actors – unknowingly opened malware-clad links that led to several, massive cybersecurity breaches, ultimately costing both tech giants upwards of 100-million dollars.

Fringe Actors

Fringe actors are the wild cards of the insider threat world. They are the catch-all cohort for corporate partners (e.g.,

 vendors, contractors, etc.), occasionally comprised of more than one individual. Fringe actors are hard to detect given their limited degree of interaction with security, middle management, and other company gatekeepers. Nonetheless, their impact can be just as devastating as intentional and unintentional actors. An infamous example of a fringe threat is Edward Snowden. A contractor for the National Security Agency, Snowden stole untold numbers of documents from the Federal Government and leaked many highly classified pieces of information to the press. The ramifications of his actions are still felt throughout the world today.

Managing a breach takes a village.

Although types differ, any insider threat’s potential for catastrophe is the severe. A company’s goal should always be to prevent a threat from happening in the first place. But should that line of defense fail, then an agile response and recovery is key. The steps are straightforward: Recognize, Respond, and Recover.

Recognize

Learning how to spot indicators of insider threats is step one. The Center for Development of Security Excellence suggests the tell-tale signs of an ongoing threat might include factors like an employee’s sudden and unexplained affluence, security protocol breaches, drastic changes in behavior, unauthorized software detection on company equipment, and more. The most frequently observed factors at play when considering someone’s risk as an insider threat are money, ideology, compromise, and ego, colloquially referred to by the mnemonic device, “MICE.”

Respond

Once an insider threat is identified, time is of the essence. Response should be both urgent and deliberate, to ensure an incident is handled in a proper, controlled manner. Depending upon the severity of the breach, an organization might choose to involve local or federal law enforcement to augment their existing resources. They might also reach out to public sector partners for a coordinated response. For example, federal agencies like the Defense Counterintelligence Security Agency provide insider threat response support for private entities aligned with the U.S. Department of Defense mission.

Recover

Once an impacted company has subdued the insider threat and assessed any consequent damage, recovery comes next. Companies should have a clear, tabletop-tested, recovery plan already in place.

No two incidents are ever alike, and neither are any two organizations. Some might choose to handle the matter internally, while others might hire specialized consultants experienced in corporate security. Regardless of how a recovery strategy unfolds, it is essential that the entire company and all those effected work together in close collaboration.