There is a strong emphasis on IT security in society today, with companies investing significant resources in securing systems against malware, ransomware, and other external threats. It is often assumed that the company is relatively secure as long as such measures are implemented. Yet, what if the threat comes from within, among employees and authorised system users?
One of the utmost security threats within an IT system is the people who work with and process information within the system. This is not to say that any of the employees in your company has malicious intent — though it’s possible — but they may not be adequately trained, or your enterprise data security policies may be poorly enforced. It is in other words the company and its management that must have the right human and technological measures in place to prevent an insider threat.
Even though the employee may have legitimate access to the company’s systems, procedures, objects, and information, it can pose an insider threat if they, with or without intention, misuse this knowledge and access to perform actions that cause the company harm or loss.
How much damage or loss an insider can cause depends on the person’s function within the organisation, competence, and access to the company’s information values. At the same time, it is difficult to predict who a possible insider may be, as there are often numerous employees working in various roles within a company.
Who is the insider?
Insiders can pose a potential serious threat in and of themselves, or as a well-placed tool that external threat actors can exploit to achieve their goal.
At the one end of the scale, we find insiders who, of their own free will, without interference by anyone, take action that have negative consequences for the company. These can for example be employees who are motivated by political convictions or who by their own initiative offer their access in the organization to others in return for money. However, the will to do this does not necessarily mean that insiders understand the extent of their actions’ consequences.
Insiders may also be people who are recruited by a third party, such as criminals, political groups, and government intelligence services. The recruited insider may be cultivated over time, seduced, pressured or in other ways influenced to carry out an action. Both individuals, organised criminals, and intelligence services can use direct or indirect pressure and threats to make someone within the organisation perform an otherwise unwanted action.
Finally, there are insiders who consciously seek out and infiltrate the company who holds the values they wish to acquire or influence. These may be intelligence personnel and criminals, or persons who have been recruited to operate on behalf of such actors.
What does the insider need to succeed?
For an inside threat to succeed, some key factors must be present:
An employee can have many different motives for becoming an inside threat. This can for example be economic motives, a desire for revenge against the employer, a personal conviction that it is the right thing to do, or fear after being pressured by a third party.
Another important factor is the room of opportunity that the insider has to commit criminal acts. For example, this room increases if the organisation lacks routines for controlling employees’ system use and adequate access control management.
Finally, the insider must have the capability to carry out the action that he/she is motivated for and has the opportunity to perform. Within internal systems that the insider is already familiar with, the person will have good conditions to do so.
How to reduce the risk of an insider threat?
The “life cycle” of an employee within a company consists of an employment process, an employment relationship, and a final offboarding process. The following measures may be relevant to reduce the risk of an insider threat:
In the hiring process
Carry out background checks of applicants, where all information provided is thoroughly checked and verified. For example, the employer should be aware that there are websites where false employment conditions with associated references are offered, and where Norwegian and foreign diplomas can be purchased. In some professions, requiring a security clearance and a police certificate may help to verify the background of applicants. In some cases, it is also possible to examine the applicant’s financial situation.
Maintain good access control. The recruitment process should include an assessment of which systems the new employee should have access to, in order to limit access that is not necessary for the employees’ daily tasks. The term “nice to know” should in other words be replaced by the term “need to know” as a guiding principle for access control.
During the employment relationship
Maintain a manner for logging activities within systems. This will make it easier to detect and handle abnormal system use. Moreover, the fact that employees know that activity is logged could be risk-reducing by itself.
Abnormal behaviour and behavioural changes can also be signs that something is not as it should be. Therefore, interaction and exchange of information between the company’s HR department, security department and IT department is crucial (within given laws and regulations). For example, the risk of an inside threat can increase with downsizing and personnel matters within the company, where loyalty may be replaced by motives of a negative nature.
Maintain a healthy employer/employee relationship. Adequate and routinely follow-ups of employees are beneficial so that management may be able to notice whether an employee is struggling and consequently be proactive to ease the situation. This may for example be done through regular employee interviews by asking direct questions. By creating a work relationship where difficult situations can be talked about, one may prevent this pressure to influence the employee in an unfortunate manner. The absence of such an arena may also give a threat actor the room it needs to manoeuvre and exploit the employee in question.
In the final phase and after termination of the employment relationship
Have good routines for collecting electronic equipment used by the employee who is offboarded. Make sure that all access to systems is closed. It may also be relevant to remove certain system accesses during the notice period.
Conduct a final interview, where duties, requirements and possible consequences are repeated, as this can also have a preventive effect.
How may Defendable aid you and your company?
It is recommended that businesses use dedicated solutions, technologies and strategies that automate system monitoring and reduce the chances of error or irresponsibility.
Defendable has experienced advisors who can contribute across the entire spectrum of information security. We can contribute with advice on and implementation of human, technological and organisational measures to reduce the risk of insiders negatively affecting your business.