Mitigating Insider Threat: A Guide and Game Plan for Small Businesses

Trust is something a company thrives on; we trust our colleagues to do a good job and have our back. But this isn't always how things work out. People on the inside have the potential to cause harm. A report on Insider Threats found that 83% of companies experienced at least one Insider Threat-related security incident, and almost all respondents (90%) see these threats as significantly harder to detect than external ones. Threats that are hard to detect pose a high risk to smaller companies, which may not have the resources to deal with them.
What is an Insider Threat

An Insider Threat is a person with legitimate access to a business's systems, data, or premises, such as an employee, who uses that access to cause harm, whether deliberately or by accident. Examples of insiders include employees, former employees, business partners, consultants, outsourced technical support personnel, freelancers, and board members.
Insider Threats come in various forms but generally involve some type of malicious unauthorized access or accidental security breach. The resulting security incident harms computer systems, data, or equipment. The harms cost companies financially and in other ways, such as lost productivity and reputation damage.
How do Insider Threats Affect a Small Company?
Small companies are open to various types of incidents caused by insiders. Research from Kaspersky has identified that the top three effects of security breaches caused by insider-based threats are damage to credit rating, additional staffing needs and training, and increasing insurance premium costs.
Security Breach Impact on a Company
Other impacts from Insider Threats include the following:

Data Exposure
Data can be compromised or exposed by malicious activity or by accident. A malicious attempt to steal data is often associated with login credentials or account misuse and compromise. For example, an insider may already have access to sensitive data and use this access to illegally expose data for financial gain. Disgruntled employees may set out to take revenge by embarrassing a company through data exposure.
Accidental data exposure is an insider threat caused by negligence, such as emailing sensitive data to the wrong person. Unsanctioned apps, called "Shadow IT", can cause accidental data exposure. Employees may use apps that are outside the company's control to do company work. The apps may be poorly secured, and data may be placed at risk. The increased use of Generative AI in the workplace is now beginning to cause concern over data exposure from accidental Insiders, with "AI leaks" being the next big trend in privacy and security concerns.
IP Theft and Espionage
Industrial espionage can be carried out by employees and other Insiders. Proprietary information is valuable to competitors, and some unscrupulous individuals may recruit employees specifically to locate and steal intellectual property (IP). Research shows that 15% of employees take sensitive IP with them on leaving an organization. Stolen IP may be used to influence a competitor's product design. Company secrets are also at risk of general market exposure once stolen by an Insider.
Damage To Property and Computer Equipment
Insider Threats may involve damage to computer equipment, including damage to networks. Some types of damage are costly to fix and could open security gaps, leading to broader security incidents like ransomware infections.
Fraud
Research shows that fraud is a consequence of 9% of Insider Threats. Financial pressures may push an employee to commit fraud. A UK anti-fraud firm, Cifas, hosts an insider threat database (ITD). The database has seen registrations grow by 14%. The growth is attributed to dishonest actions by employees, with many organizations identifying financial pressures as the trigger event.
Credential Theft and Exposure
Accidental Insiders can be as harmful as those intent on malicious activity. Phishing and social engineering attacks can lead to employees accidentally exposing their login credentials. Negligence and accidents also result in sensitive information like credentials being left unprotected, including in messaging apps like Slack and even on paper notes left on a desk. Once exposed, a malicious person can use the credentials to harm the business.
Disruption and Downtime
Both malicious and accidental Insider Threats can lead to business disruption. Exposed data, damaged IT systems, and the results of exposed credentials can result in a system shutdown while an incident is dealt with: Productivity is negatively impacted, employee morale is threatened, and reputation damage is likely.
The Cost of an Insider Threat to an SMB

The costs of both malicious and accidental insiders soon add up:
- Malicious insiders accounted for an average of 6.2 incidents, with an average overall loss per incident of $701,500. (Source)
- Most of the cost of an Insider Threat is spent on containment - $179,209. (Source)
- The cost of IP theft or a proprietary information leak has direct financial implications and affects a small business's competitive position. Researchers have found that a company can lose 50% of its market share when its IP is stolen. (Source)
- The costs of cyberattacks on an SMB from Insider Threats depend on the outcome (figure: Cyberattacks on an SMB from Insider Threats; source: Kaspersky Survey).
Types of Insider Threat
There are many types of Insider Threats. The most common are as follows:
Malicious Insider
Malicious Insiders set out to deliberately perform an action that damages and harms a company they are associated with. They may be acting on their own, or they may have been "recruited" by external hackers. These types of insiders often take sophisticated precautions to hide their activity. A recent report found that 77% of malicious insiders took steps to evade detection.
Accidental Insider and Negligence
A recent report found that 88% of data breaches are caused by employee mistakes. Simple accidents and negligence can be as harmful as an intentional cyberattack. Accidental Insiders can reveal sensitive and proprietary information because they do not adhere to or understand security precautions. Phishing also produces Accidental Insiders: an employee unwittingly clicks on a malicious link in an email or SMS text message or downloads a malware-infected email attachment.
Email is a common channel for accidental data exposure. Arlington Research found that 80% of organizations experienced a data breach when an employee attached the wrong file to an email. Email misdirection is another likely accidental insider incident, with 80% of companies experiencing a breach when an incorrect recipient was cc'd on an email.
Third-Party Insiders (partners and supply chain)
An organization's supply chain and supply chain members are increasingly targeted to open doors into the broader chain. A Third-Party Insider is a supply chain member who either maliciously or accidentally exposes other companies' data or IT systems to a threat.
Collusion
Collusion occurs when an insider, like an employee, works under the direction of an external nefarious entity, like a hacker or hacking group. The hacker instructs the Insider to perform tasks like sharing login credentials, stealing IP, or installing malware. The Insider is usually financially rewarded for helping breach the company.
What Motivates a Malicious Insider to Attack a Company?
There are many reasons why someone would become a malicious insider. The following are some of the top reasons why good employees turn bad:
Disgruntled Employee
Employees with a grudge to bear may turn to cybercrime. Those who are upset with a company for one reason or another are an easy target for cybercriminals looking to collude. Disgruntled employees are also known to steal customer data or IP when they move between companies.
Revenge
Revenge is sweet, and an employee who has fallen out with an organization may plot their revenge by becoming an Insider Threat. In one case at a New York credit union, a fired employee took advantage of her old user account, which had not been disabled after she was dismissed, and deleted over 20GB of critical corporate data.
Financial Gain
An employee may become an Insider Threat if they are struggling financially. Dark web recruitment of Insiders, selling customer data on dark web marketplaces, and industrial espionage can offer financial rewards for an employee looking to make some quick money. One telecom company employee was fined $77,417 and put on probation for three months for providing SIM swaps to cybercriminals.
Sabotage
Some employees become Insider Threats in order to purposely sabotage projects or company data. The motivation is usually revenge after a work conflict. Other reasons for sabotage include collusion at the behest of a competitor for financial gain. Other sabotage scenarios involve system administrators abusing their rights to shut down servers and cause general outages.
Political Motivations
Ideological reasons can sometimes be behind Insider Threats. For example, an employee may become an Insider Threat if they view an organization as unethical.
Targeted Industries and Insiders

All companies, across all sectors and sizes, are at risk from Insiders. Some examples of the types of threats are as follows:
- Retail: Refund fraud, customer data exposure, and product theft.
- Telecom: SIM swap and customer data exposure.
- Manufacturing: IP theft, sensitive data exposure, equipment damage.
- Financial: Fraud and customer data exposure.
- Healthcare: Patient record exposure and equipment damage.
Examples of Real World Insider Threat Attacks
Stradis Healthcare employee (espionage and corporate damage)
A former employee of Stradis Healthcare hacked into the company network. Once inside, the employee created a secret account to access the shipping system, where they deleted vital data and delayed shipments.
Taco Bell (financial data theft and identity fraud)
A Taco Bell employee stole customers' credit card details while swiping the card during a payment. She then used the card details to make purchases and send money to a friend in jail.
YMCA (sensitive data exposure)
The Central YMCA misdirected an email to 264 individuals participating in an HIV support program using CC instead of BCC. In total, 166 individuals were identified or potentially identified as having HIV.
How To Protect Your SMB from Insider Threats
Insider Threats are arguably the most difficult of threats to detect. Also, there is no single solution to protect your business because of the diverse reasons and ways that Insider Threats happen. This is why it is essential to use layers of protection to capture these most insidious and elusive risks:
Security Awareness
Accidental and negligent Insider Threats are often attributable to a lack of understanding of what constitutes a threat. Security awareness training educates employees about how their actions can impact an organization's security. The training packages provide guidance on many areas of work, including safe internet use, data protection, compliance, and how to spot phishing messages. Importantly, security awareness training homes in on individuals and their roles, teaching employees about the importance of data protection and password hygiene.
User Behavior Analytics (UBA)
UBA solutions use AI, behavioral analytics, and machine learning to identify unusual behavior patterns of users on a network. By creating a baseline of expected behavior, any unusual patterns will alert administrators, who can then check the identified events for accidental or nefarious actions. Examples of possible unusual activity are signs of logging in from unexpected IP addresses or at strange times of the day and night.
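To make the baseline idea concrete, here is an added example (not code from any UBA product or from this article's source) that learns each user's usual source IPs and login hours from a learning window and flags later logins that deviate. The log format, the corporate address range (10.0.0.0/8), the two-hour tolerance, and the log lines themselves are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample login log (format: ISO timestamp, user, source IP).
# 2024-03-04 and 2024-03-05 are the learning window; 2024-03-06 is the day being checked.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice 10.0.1.22
2024-03-04T17:40:00 alice 10.0.1.22
2024-03-05T08:55:00 alice 10.0.1.22
2024-03-05T18:03:00 alice 10.0.1.22
2024-03-04T10:00:00 bob 10.0.1.30
2024-03-05T10:15:00 bob 10.0.1.30
2024-03-06T09:05:00 alice 10.0.1.22
2024-03-06T02:47:00 alice 203.0.113.9
2024-03-06T03:30:00 bob 10.0.1.30
2024-03-06T11:20:00 carol 10.0.1.41
"""

# Assumed corporate address space; anything else is treated as off-network.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Parse the constructed 'timestamp user ip' lines into (datetime, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ipaddress.ip_address(ip)))
    return events


def build_baseline(events):
    """Per-user profile of the source IPs and login hours seen in the learning window."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ts, user, ip in events:
        baseline[user]["ips"].add(ip)
        baseline[user]["hours"].add(ts.hour)
    return dict(baseline)


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(event, baseline, hour_tolerance=2):
    """Return the reasons an event deviates from the user's baseline (empty list if none)."""
    ts, user, ip = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if ip not in profile["ips"]:
        reasons.append(f"new source IP {ip} (known: {sorted(map(str, profile['ips']))})")
        if not any(ip in net for net in CORPORATE_NETS):
            reasons.append("source address outside corporate ranges")
    if all(hour_distance(ts.hour, h) > hour_tolerance for h in profile["hours"]):
        reasons.append(f"login at {ts.hour:02d}:xx, usual hours {sorted(profile['hours'])}")
    return reasons


def detect(log_text, cutoff):
    """Learn from events before `cutoff` (ISO string), score the rest, return the alerts."""
    cutoff_dt = datetime.fromisoformat(cutoff)
    events = parse_log(log_text)
    baseline = build_baseline(e for e in events if e[0] < cutoff_dt)
    alerts = []
    for ev in events:
        if ev[0] < cutoff_dt:
            continue
        reasons = score_event(ev, baseline)
        if reasons:
            alerts.append({"user": ev[1], "time": ev[0].isoformat(),
                           "ip": str(ev[2]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2024-03-06T00:00:00"):
        print(alert["user"], alert["time"], alert["ip"])
        for r in alert["reasons"]:
            print("   -", r)
```

On the sample data, alice's 09:05 login is silent while her 02:47 login from 203.0.113.9 raises three reasons (new IP, off-network, unusual hour), bob's 03:30 login raises only the hour, and carol has no history at all, which a real deployment would route to a new-account review rather than treat as noise. A product replaces the hour set with a statistical model, but the baseline-then-deviation structure is the same.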
Least Privilege / Privileged Access Management (PAM)
Some Insider Threats derive from the misuse of privileged access. The Principle of Least Privilege (PoLP) is a best practice measure that specifies that an employee is only given just enough access rights to do their job. Privileged Access Management (PAM) solutions are used to identify and enforce the right level of access to help mitigate account misuse. Identity Governance and Administration (IGA) automates the removal of access rights when someone leaves an organization so that a disgruntled employee cannot steal data or cause damage.
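The credit union case above is exactly the gap an IGA reconciliation closes: an account that outlived its owner's employment. The following added example (not code from any IGA or PAM product) compares an HR roster against an identity-provider account export and reports leavers whose accounts are still enabled, enabled accounts with no HR owner, accounts idle beyond a threshold, and users holding a privileged group their role does not justify. The roster, account list, group names, role-to-privilege policy, and 60-day threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: the HR roster and the account list exported from the identity provider.
HR_ROSTER = [
    {"user": "alice", "status": "active", "role": "finance"},
    {"user": "bob", "status": "terminated", "term_date": "2024-02-15", "role": "engineering"},
    {"user": "carol", "status": "active", "role": "it-admin"},
    {"user": "dave", "status": "active", "role": "sales"},
]
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2024-03-01", "groups": ["finance"]},
    {"user": "bob", "enabled": True, "last_login": "2024-02-14", "groups": ["engineering", "domain-admins"]},
    {"user": "carol", "enabled": True, "last_login": "2024-03-05", "groups": ["domain-admins"]},
    {"user": "dave", "enabled": True, "last_login": "2023-11-20", "groups": ["sales", "domain-admins"]},
    {"user": "eve", "enabled": False, "last_login": "2023-06-01", "groups": ["sales"]},
    {"user": "svc-backup", "enabled": True, "last_login": "2024-03-05", "groups": ["backup-operators"]},
]

# Assumed policy: which groups are privileged, which roles may hold them, and how long
# an enabled account may go unused before it is flagged.
PRIVILEGED_GROUPS = {"domain-admins"}
ROLES_ALLOWED_PRIVILEGE = {"it-admin"}
STALE_DAYS = 60

# Remediation an IGA workflow would carry out for each finding type.
ACTIONS = {
    "leaver": "disable account, revoke sessions and tokens, reassign owned resources",
    "no-owner": "assign an accountable owner or disable",
    "stale": "disable pending owner confirmation",
    "excess-privilege": "remove from privileged group; require a PAM request for admin tasks",
}


def reconcile(roster, accounts, today):
    """Compare enabled accounts against HR records. Returns (user, finding, detail) tuples."""
    today = date.fromisoformat(today)
    people = {p["user"]: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                       # already disabled; nothing to do
        user = acct["user"]
        person = people.get(user)
        if person is None:
            findings.append((user, "no-owner", "enabled account with no HR record"))
            continue
        if person["status"] == "terminated":
            days = (today - date.fromisoformat(person["term_date"])).days
            findings.append((user, "leaver", f"still enabled {days} days after termination"))
            continue                       # disabling the account resolves anything else
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > STALE_DAYS:
            findings.append((user, "stale", f"no login for {idle} days"))
        held = PRIVILEGED_GROUPS & set(acct["groups"])
        if held and person["role"] not in ROLES_ALLOWED_PRIVILEGE:
            findings.append((user, "excess-privilege",
                             f"member of {sorted(held)} but role is {person['role']}"))
    return findings


def remediation_plan(findings):
    """Map each finding to the action the offboarding / least-privilege workflow should take."""
    return [(user, kind, ACTIONS[kind]) for user, kind, _ in findings]


if __name__ == "__main__":
    for user, kind, detail in reconcile(HR_ROSTER, ACCOUNTS, "2024-03-06"):
        print(f"{user:12} {kind:17} {detail}")
```

Run against the sample on 2024-03-06, it reports bob (terminated 20 days ago, still enabled, still a domain admin), dave (idle 107 days and holding admin rights his sales role does not need), and the ownerless svc-backup account. Running this on a schedule, with the HR feed as the source of truth, is what turns "remove access when someone leaves" from a manual ticket into an enforced control.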
Encryption
Data should always be encrypted both at rest (e.g., encrypted as it is stored in a database) and in transit. Some email protection solutions encrypt the contents of an email so that if the wrong recipients receive it, they are unable to decrypt the content unless they can provide the right authentication. Note that encryption only keeps data from those who lack the key: an insider whose own account is authorized to decrypt the data is not stopped by it, which is why encryption is paired with least privilege and monitoring rather than relied on alone.
Data Leak Prevention (DLP)
DLP software prevents sensitive information from leaving an organization. It applies rules to email as it is sent and received, matching specific keywords, phrases, patterns, or recipients; a match triggers the DLP solution to stop the email from leaving the confines of the company network.
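The rules described here, plus the misdirection pattern from the YMCA incident (a long list of external addresses in Cc rather than Bcc), can be expressed in a few dozen lines. The following is an added example, not code from any DLP product: it inspects constructed outbound messages and returns allow, warn, or block with reasons. The internal domain, sensitive terms, webmail list, recipient threshold, and the card-number rule (a digit pattern confirmed with a Luhn check so order numbers do not trigger it) are all assumptions made for the example.

```python
import re

# Constructed policy values; a real deployment reads these from the DLP product's console.
INTERNAL_DOMAINS = {"example.com"}
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
SENSITIVE_TERMS = ("confidential", "patient", "salary", "ssn")
MAX_VISIBLE_EXTERNAL = 10      # more external addresses than this in To/Cc should have been Bcc
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional space/hyphen separators
SEVERITY = {"allow": 0, "warn": 1, "block": 2}

# Constructed sample outbound messages.
SAMPLE_MESSAGES = [
    {"id": 1, "to": ["bob@example.com"], "subject": "Salary review",
     "body": "Confidential: see attached", "attachments": ["salary-bands.xlsx"]},
    {"id": 2, "to": ["partner@vendor.example"], "subject": "Q1 invoice",
     "body": "Card on file: 4111 1111 1111 1111, order 12345678901234"},
    {"id": 3, "cc": [f"member{i}@mail.example" for i in range(12)],
     "subject": "Group meeting", "body": "See you Thursday"},
    {"id": 4, "to": ["me@gmail.com"], "subject": "backup", "body": "my notes",
     "attachments": ["roadmap-confidential.pdf"]},
    {"id": 5, "to": ["partner@vendor.example"], "subject": "Meeting", "body": "Moving to 3pm"},
]


def luhn_ok(digits):
    """Luhn checksum, so that arbitrary long numbers (order IDs) do not trip the card rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def find_card_numbers(text):
    """Return the Luhn-valid card-like numbers in text, separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect_email(msg):
    """Apply the rules to one outbound message; returns {'verdict': ..., 'reasons': [...]}."""
    to, cc, bcc = msg.get("to", []), msg.get("cc", []), msg.get("bcc", [])
    external = [a for a in to + cc + bcc if domain_of(a) not in INTERNAL_DOMAINS]
    visible_external = [a for a in to + cc if domain_of(a) not in INTERNAL_DOMAINS]
    # Attachment names are scanned too; a real DLP engine also opens the attachment contents.
    text = "\n".join([msg.get("subject", ""), msg.get("body", ""), *msg.get("attachments", [])])
    reasons = []
    if external:                       # content rules only matter once data leaves the company
        hits = [t for t in SENSITIVE_TERMS if t in text.lower()]
        if hits:
            reasons.append(("block", f"sensitive terms {hits} addressed to external recipients"))
        cards = find_card_numbers(text)
        if cards:
            reasons.append(("block", f"{len(cards)} card number(s) addressed to external recipients"))
        webmail = [a for a in external if domain_of(a) in PERSONAL_WEBMAIL]
        if webmail:
            reasons.append(("warn", f"personal webmail recipients {webmail}"))
    if len(visible_external) > MAX_VISIBLE_EXTERNAL:
        reasons.append(("block", f"{len(visible_external)} external recipients visible in To/Cc; use Bcc"))
    verdict = max((sev for sev, _ in reasons), key=SEVERITY.get, default="allow")
    return {"verdict": verdict, "reasons": [r for _, r in reasons]}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        result = inspect_email(m)
        print(m["id"], result["verdict"], *result["reasons"], sep="  ")
```

Message 1 carries "salary" and "confidential" but stays inside the company, so it is allowed; message 2 is blocked for the Luhn-valid card number while the 14-digit order number is ignored; message 3 is blocked for twelve external addresses in Cc; message 4 is blocked for the attachment name and additionally warned for the personal webmail recipient. Keyword rules like these are noisy in practice, which is why products add classification labels and exact-data matching on top, but the recipient-aware structure is the part worth copying.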
Incident Response Plan
Companies should create an incident response plan that details the steps to contain, mitigate, and respond to an Insider Threat. A risk assessment is an essential starting point when creating an incident response plan. The plan should also contain sections on how to detect an Insider Threat early on, incident handling and reporting, incident escalation measures, and how to ensure regulatory compliance is maintained.