When one thinks of a breach, there’s a cliché image of a mysterious hacker wearing a hooded sweatshirt trying to infiltrate a company’s online defences. This image is often mirrored by the way in which most companies treat the threat of cybercrime – that it often stems from outside the organisation. According to the Office of the Australian Information Commissioner (OAIC), human error was the second largest source of total data breaches during the last calendar quarter of 2018.
In fact, employees and partners, a.k.a. insiders, can do just as much damage from within a company. Whether from malice or negligence, the results can be equally devastating. Insiders also have advantages over external actors seeking to circumvent security: they often enjoy trust and privileges, as well as knowledge of organisational policies, processes and procedures. They know when logging, monitoring and auditing are used to detect anomalous events and behaviour, which can make it difficult for organisations to distinguish between legitimate and malicious activities.
There are five distinct types of insider threats that organisations need to look out for:
1. The careless worker
The careless worker is one of the more difficult threat actors to defend against, mainly because their actions are the result of a mistake: unknowingly misusing assets and credentials, or mishandling data. Other common scenarios include Shadow IT, when staff install or introduce unauthorised applications or devices to a company’s network without the knowledge of IT or management. They are also often victims of phishing attacks via email or of clicking through to bogus websites.
Specific actions recorded by the OAIC included sending personal information to the wrong recipient via email and unintentionally releasing or publicising personal information. Failure to securely dispose of records of personal information was also recorded.
2. The inside agent
Inside agents typically work on behalf of an external threat actor and secretly steal information for them. They are commonly recruited, solicited or bribed by external parties to exfiltrate data, particularly when feelings of retribution towards the organisation are coupled with financial strain. The malicious behaviour of inside agents can be difficult to detect when they hide their true intentions, and their actions can be mistaken for legitimate activities. For instance, when they plug a USB flash drive into a computer, it has the potential to allow unauthorised programs to run and circumvent many security controls.
3. The disgruntled employee
Disgruntled employees aren’t just angry. They’re potentially dangerous, even if they don’t resort to physical violence. Some may turn to cybercrime, including stealing information, destroying property, systems or data, and disrupting business operations. Such incidents may arise when details about upcoming redundancies are leaked, leaving affected employees the opportunity to use their existing administrative access to download confidential company files, which they may then distribute or use as a bargaining chip for their next role.
4. The malicious insider
Often difficult to detect as they hide their true feelings, these actors have access to corporate assets and endpoints: systems, servers, networks and organisation domains. They use these existing privileges to steal corporate information for personal gain. Typically, a malicious insider acts on their own and can be a current or former employee, contractor or business partner. They may also steal co-workers’ credentials to gain unauthorised access to an organisation’s network, systems or data.
These attackers made up 12 per cent of total malicious attacks recorded during the last calendar quarter of 2018 in the OAIC’s Notifiable Data Breaches Quarterly Report. They were most prominent in the healthcare and finance sectors.
5. The feckless third party
The feckless third party is a threat actor with inside access who, through negligence, misuse or malicious intent, compromises organisational security. One example of how these threat actors may attack is data exfiltration by redirecting an organisation’s network traffic to an unknown, offshore IP address. Attacks like these can be difficult to detect unless organisations monitor their system behaviour to understand what “normal” should look like.
Employees are the first line of defence when organisations try to combat many incidents, including inside threats. Regular security awareness training for new employees, seasoned workers, management and part-time employees that reinforces what is and what isn’t acceptable behaviour is critical – and it should start as part of an employee’s onboarding during their first day.
Training should cover security policies and procedures, what acceptable user behaviour is, how to spot potential security threats, and what the consequences are for unauthorised or malicious activity. Training should have full management support, and attendance at or completion of these training sessions is a must.
It’s also good practice for organisations to control and restrict access to sensitive company information on a need-to-know basis, and to have systems in place that record a baseline of system behaviour so that normal and abnormal activity can be told apart. Adopting an IT management process that can vet hardware supply chains, including original equipment manufacturers, can also help reduce the potential risk from threat actors.
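The baseline monitoring described above (and the offshore-IP exfiltration scenario under the feckless third party) can be illustrated with a small detector. This is an added example, not code from the original article: it builds a per-user baseline of outbound destinations and volumes from constructed connection log lines, then flags later connections to destinations never seen before (and outside an assumed set of known corporate ranges) or with volumes far above that user’s baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed sample outbound-connection logs (not from the article):
# each line is "<user> <destination_ip> <bytes_sent>".
BASELINE_LOG = """\
alice 203.0.113.10 1200
alice 203.0.113.10 950
alice 203.0.113.22 4100
bob 203.0.113.10 800
bob 203.0.113.30 2600
"""
NEW_LOG = """\
alice 203.0.113.10 1300
alice 198.51.100.77 52000000
bob 203.0.113.30 2100
bob 192.0.2.5 900
"""

# Assumed: address ranges the organisation already trusts (corporate/partner nets).
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse(log):
    """Yield (user, ip_address, bytes) tuples from the simple log format above."""
    for line in log.splitlines():
        user, ip, nbytes = line.split()
        yield user, ipaddress.ip_address(ip), int(nbytes)

def build_baseline(log):
    """Per-user set of destinations seen and the largest single transfer seen."""
    dests, max_bytes = defaultdict(set), {}
    for user, ip, nbytes in parse(log):
        dests[user].add(ip)
        max_bytes[user] = max(max_bytes.get(user, 0), nbytes)
    return dests, max_bytes

def flag_anomalies(baseline, log, volume_factor=10):
    """Return (user, ip, bytes, reasons) for connections that deviate from the baseline."""
    dests, max_bytes = baseline
    alerts = []
    for user, ip, nbytes in parse(log):
        reasons = []
        if user not in max_bytes:
            reasons.append("user has no baseline")
        if ip not in dests.get(user, set()) and not any(ip in net for net in KNOWN_NETS):
            reasons.append("new destination outside known ranges")
        if nbytes > volume_factor * max_bytes.get(user, 0):
            reasons.append("outbound volume far above baseline")
        if reasons:
            alerts.append((user, str(ip), nbytes, reasons))
    return alerts
```

With the constructed logs, only alice’s 52 MB transfer to 198.51.100.77 and bob’s connection to 192.0.2.5 are flagged; the known-range destinations pass.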