Insider Threats: Protecting against the greatest vulnerability, the people
As cybersecurity professionals, we spend much of our time focusing on keeping threats out — and with good reason. From business email compromise (BEC) attacks to malware, there are a host of threats that, once inside our defences, can do significant damage. However, not all attacks are perpetrated by outside forces. Sometimes, the threat comes from inside the organisation.
Just like outside threats, those that stem from the inside have the potential to cause significant damage.
Not all insider threats are malicious, however. When we consider unintentional threats – such as the installation of unauthorised applications or the use of weak or reused passwords – this figure is likely much higher.
Whether due to human error or malicious intent, threats from within are notoriously difficult to defend against. Not only is the attacker already within your defences, but in the case of malicious insiders, they may be able to use privileged access and information to actively avoid detection.
Understanding insider threats
When constructing a defence against insider threats, it’s easy to make the case for the old cybersecurity adage: trust no one.
However, this approach is neither practical nor conducive to the flow of information required to run a modern-day business.
Fortunately, there are several less drastic steps that can be taken to detect insider threats – or better still, to stop them before they take root.
The first step is to understand exactly what drives an insider to pose a threat to your organisation. Motivating factors can generally be grouped into three categories:
- Unintentional: From installing unauthorised applications to misplacing equipment or reusing passwords, careless employees can pose a serious threat to your organisation.
- Emotionally motivated: Threats of this nature are posed by employees with a personal vendetta against your organisation. Emotionally motivated malicious insiders may seek to cause damage to your reputation by leaking privileged information or disrupting internal systems for maximum inconvenience.
- Financially motivated: There are many ways to profit from privileged access, be it through the leaking of sensitive data, selling access to internal networks or disrupting internal systems in an attempt to affect company share price.
Whatever the intent behind them, insider threats can occur at any level of your organisation. With that said, actions that take place lower down the business hierarchy may be harder to detect.
While privileged users are usually closely monitored, some employees further down the line sit in an unfortunate sweet spot – with access to sensitive data required to do their jobs and minimal account monitoring or supervision.
Lower-level employees may also be less invested in, or knowledgeable about, good security practices and can therefore pose an unintentional threat. In the case of malicious threats, these employees could have greater cause to be disaffected, or be more tempted by financial incentives offered to access sensitive systems and leak data.
Defence in depth
Detecting and protecting against insider threats requires a broad and robust defence: a comprehensive combination of tools, policies and education.
Employees should be regularly trained on how to ensure they do not cause an unintentional threat to your organisation – covering topics such as password reuse, phishing and BEC. Beyond this, educate employees on how to spot unusual behaviour among colleagues and on the consequences of perpetrating or facilitating a malicious threat.
Ensure you have tools in place to monitor users’ network activity – flagging up repeat or unusual requests for system access to spot potential privilege misuse. Limit the printing and copying of sensitive data, and only allow access to need-to-know information with a legitimate and documented reason.
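The two checks described above, repeated requests for system access and access granted without a documented need-to-know reason, can be run over access-request logs. The following is an added example, not code from the original article: the log lines, the `NEED_TO_KNOW` register and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample access-request log lines (timestamp, user, resource, outcome).
SAMPLE_LOG = """\
2024-03-04T09:02:11 alice hr-payroll DENIED
2024-03-04T09:02:40 alice hr-payroll DENIED
2024-03-04T09:03:05 alice hr-payroll DENIED
2024-03-04T09:10:00 bob crm GRANTED
2024-03-04T09:15:22 carol finance-ledger GRANTED
2024-03-04T09:20:00 bob source-repo GRANTED
2024-03-04T10:00:00 dave crm GRANTED
"""

# Hypothetical need-to-know register: resource -> users with a documented reason.
NEED_TO_KNOW = {
    "hr-payroll": {"carol"},
    "finance-ledger": {"carol"},
    "crm": {"bob"},
    "source-repo": {"bob"},
}

# Number of denied requests for the same resource that counts as "repeat".
REPEAT_THRESHOLD = 3


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, outcome = line.split()
        events.append({"ts": ts, "user": user, "resource": resource, "outcome": outcome})
    return events


def flag_access_requests(events, register, threshold=REPEAT_THRESHOLD):
    """Return sorted (user, resource, reason) findings for review.

    Flags a user on the threshold-th denied request for one resource, and any
    granted access to a resource the register does not list the user for.
    """
    denied = defaultdict(int)
    findings = set()
    for e in events:
        key = (e["user"], e["resource"])
        if e["outcome"] == "DENIED":
            denied[key] += 1
            if denied[key] == threshold:
                findings.add(key + ("repeated denied requests",))
        elif e["user"] not in register.get(e["resource"], set()):
            findings.add(key + ("granted without documented need-to-know",))
    return sorted(findings)
```

Findings are review leads, not verdicts: a user who is legitimately onboarding will trip the need-to-know check until the register is updated, which is itself a useful prompt to document the reason.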
Finally, implement and police policies regarding the use of email, acceptable use, external storage devices and BYOD. These policies must be agreed to by anyone with access to your systems – employees, vendors, contractors and any other third party.
Ultimately, while fending off insider threats can be challenging, it is not impossible, but transparency and vigilance are key.
It’s vital that you know who has access to your data, and that you understand why and how they are accessing it. The greater your understanding, the easier it is to spot irregularities or changes in behaviour – and the faster you can nullify potential insider threats.