How has the insider threat evolved in recent years?
Firstly, we now live in a heavily digitalised society. Previously, insiders may have had to sneak into an office, photocopy a document and try and discreetly carry it out of the building. Now everything is digital and can be copied in a few seconds.
Secondly, our online lives afford people the opportunity to access and communicate with anyone anywhere in the world. This means that stolen data is easier to sell and forums allow people to discuss how to go about carrying out theft or fraud without being caught.
Competition is fierce in many industries and people move jobs more often than they did in previous generations. This inevitably means we see an increase in data and reports being taken when people leave.
How has the rise of insider threats impacted the cyber security landscape?
Imagine you are an attacker. Your chosen target is a high-profile investment bank. Their security is top notch, but you know what data you are after and who is working with it. You scour Facebook and LinkedIn for employees working on that team.
You find Karen. You can tell Karen is very unhappy with her job; her profile is full of negative comments about her manager and how she is desperate for a pay rise. She is getting divorced. Money must be tight.
You have two options:
1) Spend however long it takes to get into the network and risk being discovered or
2) be the knight in shining armour that Karen needs and offer Karen money to photograph the data on her phone.
I know which one looks easiest. This is the problem. Employees have the access that attackers (or sometimes even competitors) need.
If they catch someone in a vulnerable state at the right time with the right offer they can get what they want much quicker. The defences employed are usually aimed at stopping outsiders and not insiders.
We spend a lot of time, money and effort defending from outside attacks. That shouldn’t stop, but we do also need to think about attacks from within too. The increase in insider cases in recent years signals the need to shift our thinking.
What is a common misconception about the ‘insider threat’?
The most common misconception is that all insider threat actors are bad people who were born bad.
This has been proved not to be the case. For the majority of insider threat actors they were once loyal employees who then experienced personal and professional stress that led to a tipping point.
It’s important to remember that, with the exception of a few people, nobody just wakes up one morning and decides to attack their employer. It is a journey with plenty of signs and signals you can be aware of.
How can an organisation protect itself against this type of threat?
The good news is that an employee won’t just magically transform into an insider threat. It is a journey and because of this there are lots of things companies can do to deter, detect and respond to this complex threat.
Deter: It’s a grave error to put all your eggs into the ‘detecting’ basket. By the time someone is exhibiting behaviour that could be detected you may well have lost data. Detecting someone who has not yet fully decided to commit fraud or theft is nearly impossible.
You, therefore, need to have a strategy for deterring people in the first place as well. This is often the element that I see being missed out of insider threat programmes. Training is the best way to drive this message home without it appearing like you don’t trust staff.
Staff will become aware of the threat, why it is concerning and it will reinforce that the organisation is taking this threat seriously.
Detect: Have tools and plans in place to detect any strange behaviour. HR plays a crucial role in insider threat detection because they possess contextual data that can help you understand who may be at a greater risk.
Work closely with other departments and have a whistleblowing policy set up. Monitor people with access to your crucial assets more closely.
Respond: Have a crisis plan that specifically deals with insider threats. Data tells us that the reputational damage from insider attacks far exceeds attacks from outsiders, so your communications strategy is crucial to mitigate the damage.
What insider threat trends can we expect to see in 2020?
All companies can be at risk from insider threats but certain companies are more at risk than others. Companies holding financial data, generating intellectual property, investing heavily in R&D or ones with a big online presence are all at increased risk.
Competition is fierce in a lot of industries so I expect we will see a continued rise in the theft of intellectual property around the world. We will also see a rise in cases where staff use their mobile phones to copy and exfiltrate data and more cases of home working facilitating data theft.
Lisa Forte will be speaking at DIGIT’s 6th annual Scot-Secure Summit on 19th – 20th of February 2020, at Dynamic Earth in Edinburgh.