A Guide to Insider Threats

Insider threats

Insider threats are one of the most significant security risks for all businesses of all sizes. Why? Because the insider could be acting with negligence, ignorance or at worst, malicious intent. This can harm your company’s reputation, cause financial losses, or even risk of physical harm to staff and customers.

This article will help you identify and prevent the risk of insider threats to security in your business.

Insider threats in cyber security are threats poses by those inside, or close to a business or organisation. When you think about how many different people have access to certain areas of a business, it’s easier to see the breadth of the issue:

  • Current employees
  • Former employees
  • Their families and friends
  • Business partners
  • Contractors
  • Temporary or casual employees
  • Delivery personnel
  • Agency workers

Each one of these individuals poses a risk – they have the potential to negligently misuse their access and compromise security as a result.

Examples of Insider Threats

Inadvertent or Negligent Insider Threats

Scenario #1: A member of staff working on a laptop in a public place has a database open that contains sensitive client information. They leave the laptop unattended for 2 minutes and forget to lock the screen. Someone working for a large competitor sees the information and uses it to contact their clients to offer them a lower price.

Scenario #2: The door code to the office has changed, and an employee can’t remember the new code so asks the receptionist. The receptionist writes the new code down on a post-it note, which the employee later drops in the car park.

Scenario #3: A large delivery is being delivered. Someone props the door open to help the delivery driver unload all the goods, but no one closes the door afterwards, so the main entrance is left open and unattended whilst valuable goods sit in full public view.

In all 3 of these scenarios, if the employees paid extra care to seemingly small matters, these incidents would not have occurred. Consistent training and stringent procedures would also help these staff members behave in a more security-conscious manner.

Insider Threats from Malicious Individuals

Scenario #1: A member of staff working in a clothing store is responsible for unpacking deliveries of stock, and they work alone every morning. The member of staff routinely takes home high-value items to sell online for additional income.

Scenario #2: You hire a website developer to change the functionality of their website. They are given unrestricted administrative access to the site. The developer adds malicious code to the website via a SQL injection. It silently collects customer credit card details and sends them to the scammer.  

In these examples, regular supervision by senior members of staff would make it more difficult for malicious individuals to succeed. Also, joint accountability can help. For example, requiring two or more members of staff to sign off or check each other’s work for quality control. This can also help reduce threats caused by genuine human error.

CCTV and/or computer usage logging may also be used, as well as requiring all company business to be done on company-issued devices, therefore not allowing staff/contractors to use their computer equipment for this purpose. This allows for greater levels of access control and activity monitoring.

Disgruntled current or former employees

The difference between malicious employees and disgruntled employees is the motive, the intent behind the action. A disgruntled employee usually has a grievance with the organisation or another individual within it.

Disgruntled employees pose a significant risk, so it’s vital that managers can intervene with issues of staff dissatisfaction promptly. Employees spend a substantial portion of their time at work. If they don’t have the appropriate method to talk about their frustrations in a controlled way, then those feelings may intensify.

Scenario: An employee was dismissed for gross misconduct after an unrelated issue. Due to an admin delay, their email account was still accessible for a week after their dismissal. The disgruntled employee logged in, downloaded some client lists and other confidential files that were saved as email attachments.

Former members of staff should have their access revoked immediately upon their final day

Lack of Training or Ignorance

Scenario #1: A new volunteer for a charity is organising an event for parents in the LGBT community, they’ve collected the names and addresses of all the attendees and have this information stored in their phone without a password. The volunteer accidentally left their phone on the train. A few days later, all the event attendees had their homes vandalised with homophobic graffiti.

Scenario #2: A senior manager has not attended the last three cyber security refresher training sessions organised by HR. They do not feel that they need to attend, given their position and level of responsibility. They become a victim of a phishing email that contains a link, and when clicked, it installs RansomWare and emails a copy of itself to everyone in the contacts list.

It’s common for long-serving or senior members of staff to think that they do not need to attend training. Yet, these are the most frequent targets of phishing attacks, and they are extremely vulnerable to social engineering.

Training, at the very least, keeps security at the front of people’s mind and increases awareness of modern threats and tactics used by scammers, social engineers, and other criminal hackers.

This Certified course is an excellent way for employees to study during their own time. This course will immerse students into an interactive environment where they will acquire a fundamental understanding of various computer and common network security threats.

How to Overcome Insider Threats in your Organisation

Frequent, regular, and thorough training

In addition to traditional classroom training or e-learning, you could try some creative training methods, such as asking your IT department to send a false phishing email to see how many staff click on the link. This shouldn’t be about catching people out or getting people in trouble; it’s part of a training exercise and could be quite effective at encouraging vigilance.

Consider recording any important training sessions so that they can be re-watched if needed, and those who miss the session can catch up when it’s convenient. In ‘lecture’ style courses, learners may forget up to 90% of what they hear, so it’s essential to cater to different learning styles for better retention.

Engage with security champions within your company

Identify enthusiastic individuals throughout the business with different levels of seniority to become champions for security within their teams. Their role is to influence and assist their colleagues in best security practices throughout the day.

Implement Robust security procedures

This may mean:

  • Searching staff’s belongings upon entering/leaving the workplace
  • Monitoring staff’s computer and internet usage for unusual behaviour
  • Installing security software on staff’s computers, phones and other devices
  • Revoking all access as soon as an employee leaves the company
  • Biometric access for staff such as fingerprints or retina scans
  • Frequent changes of passwords, door codes, key fobs, etc
  • Spot checks to ensure security procedures are being adhered to

Clear Communication of security messages

Most organisations have a method of staff-wide communication. Whether it’s email, an intranet system or a tool like Microsoft Teams or Slack, staff need to know about important security updates within the company. It’s also useful to have a library of documents available for staff to reference at any time, for example:

  • Data Protection and Privacy Policy
  • Computer and internet usage policy
  • Password policy
  • E-learning videos about security within the company

You may also wish to “force” staff to read these policies upon their first login, asking them to digitally sign to demonstrate that they have read and understood the policy. You’ll then have an up-to-date record of everyone who has read the information.

Implement Physical and Digital Security Measures

  • Use privacy screens on laptops and tablets to prevent ‘over the shoulder’ data breaches
  • Enforce strong passwords that are changed often
  • Enable automatic screen-lock on all devices after 30 seconds of inactivity
  • Prevent staff from writing down passwords or codes
  • Remove the ability to use USB devices or other portable storage media with work computers
  • Block all spam, malicious or spoofing emails
  • Block access to certain websites that may contain malicious code or functionality
  • Multi-factor authentication for logging into systems that contain sensitive data

Obtain thorough character references for staff and contractors

Obtaining references for new members of staff are usually quite generic, the reference confirms that they are who they say they are, or at least, they’ve worked where they’ve said they worked.

Employment references usually consist of two pieces of information:

1. Did this person work at this company between these dates?

2. Would you employ this person again?

It’s important to get this information, but you can also obtain character references that contain more detail, with the permission of the applicant.

This could be a reference from a former colleague, manager, client, teacher or lecturer to confirm the validity of the applicant’s suitability for the position.

In the case of freelancers or contractors, look carefully at their online reviews, previous customers and experience working with similar organisations. Don’t be afraid to ask for character references.

Note that for specific roles, such as those working with children or vulnerable adults, require full DBS checks, which should be repeated regularly.

High levels of support for staff

Ensure that your staff are well supported. Managers should have frequent one-to-one sessions with their team to identify any potential issues that could jeopardise their wellbeing or performance.

Displaying posters offering assistance via helplines or anonymous support in staff areas such as kitchens, canteens, and bathrooms can often have a significant impact.

At the same time, posters and signage reminding staff of security measures and best practices can also help make people more aware of security.

A Clear Route for Staff to Report Security Concerns

Does everyone in your team know exactly what to do if they suspect a breach has occurred? There needs to be a clear process for individuals within your organisation to report concerns to the right people promptly.

Those responsible for security need to take appropriate action immediately to any reports made.

The process should be communicated to staff clearly, for example – a button on the staff intranet system.

Summary: Types of Insider Threats and How to Handle Them

Insider threats cannot be ignored by any business. If you’re employing staff or outside help, technically everyone hired poses a risk. However, this does not mean you have the right to hostility on this basis alone, as dealing with insider threats requires high-level risk management.

Reduce the risk of insider threats with:

  • Compulsory training delivered in a meaningful and engaging way
  • Stringent security procedures
  • Clear communication of security messages
  • Security policies that are easy to understand and not ‘open to interpretation.’

For a full security audit of your current policies and procedures, or if you want to find out how much of a risk insider threats pose to your organisation at the moment, speak to a security consultant today.