CIO

5 ways to defang the “insider threat” of cybersecurity

By Thomas LaRock, Head Geek™, SolarWinds

Sometimes, the greatest threats come from within. While that might sound better suited to a movie poster than a cybersecurity manifesto, “insider threats” – brought about by employees, business partners, and others with privileged access – can prove at least as damaging to business systems and data as threats from the outside. Any robust cybersecurity strategy should take these threats seriously – which means understanding how insider threats arise, who’s commonly involved, and what to do about them. Here are five ways to help minimise the threats that even the best employees can potentially pose:

1. Don’t underestimate the threat of carelessness.
Say “insider threat” and most people will assume some lone vigilante with an agenda, the hacktivist or corporate spy on a mission to extract sensitive data. Most insider threats, however, are much more pedestrian – which doesn’t make them any less threatening. The 2019 Data Breach Investigations Report found that the top two threats to organisations today are phishing and stolen credentials. Both come about exclusively because of careless, sometimes even negligent, employee behaviour, from oversimplified passwords to over-itchy fingers clicking on things they shouldn’t. Our own recent APAC cybersecurity study validated the threat of the insider: 65 percent of respondents attributed the largest portion of cybersecurity threats to internal users making mistakes. Targeting this “lowest common denominator” of threats can significantly reduce any organisation’s threat surface, well before even considering the (relatively small) risks posed by hypothetical moles in the business.

2. Assume you’re already compromised.
Most cybersecurity managers with some experience will already have realised that you can’t prevent every threat, no matter how good your skills or how expansive your resources. Instead of trying to do so, develop your cybersecurity strategy on the basis that your systems and data have already been breached, hacked, or otherwise exposed. That typically results in much more pragmatic and realistic battle plans with strong detection, response, and recovery components – all of which tend to be overlooked when IT focuses exclusively on keeping the bad guys out. One of the best things you can do is to try to identify where insider threats might already have struck your infrastructure, then use those existing issues as a starting point to understand where the organisation faces the most risk.

3. Keep critical systems isolated.
An “assumed compromise” framework suggests that the best preventative measure against insider threats isn’t education or training – it’s making sure employees can’t access sensitive systems in the first place. One particularly effective example: creating a true air-gap between the main network and the organisation’s backups or recovery systems. Doing so helps ensure that when an insider threat strikes the organisation, IT can quickly roll configurations and data back to their last safe state – without the risk that employees might have compromised the backups as well. Similarly, restricting access permissions and walling off critical production systems can limit the harm that any compromised credentials can cause, while combining thorough systems and network monitoring with “defence in depth” techniques can filter out most threats caused by carelessness. Don’t assume employees will act in a responsible, thorough manner at all times: the less chance you give them to make mistakes, the fewer mistakes will occur.

4. Know how to react.
The way in which you respond to insider threats can often determine how frequently they’ll occur in the future. Panic can quickly fluster employees and lead to further mistakes, while a laissez-faire attitude tends to encourage more lax behaviour in the future. IT teams should ensure that whatever insider threats they come across, they respond in a way that’s swift, decisive, and appropriately forceful. That may, for example, include non-technical measures like taking legal action against the employee who caused the issue if their conduct appears to have been either malicious or negligent – creating a much stronger deterrent than any seminars or policies can typically achieve. Ideally, cybersecurity managers should devise a range of templated responses for insider-threat scenarios of varying degrees of sophistication and seriousness, which can then be quickly put into action the moment a breach or breach-in-progress is discovered.

When facing insider threats both intentional and unwitting, IT leaders should remember that a failure to sufficiently prepare for such threats could render them complicit in any breach that occurs. By assuming insider threats have already hit the organisation, however, cybersecurity managers can not only minimise the harm caused by current and future issues but also keep themselves from being held liable for the misdeeds of their co-workers. The better IT can then understand the root causes of those breaches – some cultural, some attitudinal, all ultimately human – the more effectively they can go about correcting them before the threat within becomes too big to contain.