September is National Insider Threat Awareness Month. This is a collective program started by the U.S. Intelligence Community and Homeland Security to bring information to U.S. business entities that will assist them in identifying, protecting against, detecting, and assessing the risks Insider Threats pose to their organization.

Some may say, “My organization is not at risk of an insider threat,” because of the belief that their data or the assets in their organization aren’t that interesting or valuable on the ‘Dark Web’. Others may be in denial that bad actors could be operating silently within their own company. The reality is all data and computing assets have value, and internal players (knowingly or not) are one of the top causes of breach.

As reported in the 2019 Verizon Data Breach Investigations Report, 57 percent of data breaches involved internal actors; a good portion of these “internal actors” had elevated privileges and were not aware of their involvement at the time.

What is an Insider Threat?

In order to protect your organization from an insider threat, we first need to define it. Let’s start with the classic definition. An insider threat is the risk an insider will use their authorized access, wittingly or unwittingly, to do harm to their organization. This can include:

  • Theft of information and technology
  • Damage to company facilities
  • Actual threat or harm to employees
  • Any activity that disrupts normal business practices

What Do They Look Like?

We just listed out the definition and some general examples, but do you know how to spot one in the real world? Let’s examine the news headlines…

Headline 1: Mid-2011, a foreign national with permanent residence status was convicted of stealing formulas for pesticides and food additives with the intent to establish a company in his home country with co-conspirators.

Headline 2: July 16, 2020, Russian citizen, Egor Igorevich Kriuchkov, attempted to recruit a Tesla employee to get access to the company’s computing systems. The Tesla employee did the right thing and reported this to his management, which in turn led to the involvement of law enforcement and the arrest of Kriuchkov.

Headline 3: 2013 Target Breach; this was the result of a third-party vendor taking credentials of critical systems outside of the appropriate use. With these elevated credentials, they gained access to Target’s payment system and the hackers were able to exfiltrate Personally Identifiable Information (PII) from Target.

Those were 3 examples from recent news stories and to be honest, that was just the tip of the iceberg. So, let’s review the lesser known and more probable causes of internal threats you should be ready for.

Headline 1: March 2011, RSA employees fell for phishing attacks, which led to employees’ accounts being compromised. The nefarious actors pretended to be trusted coworkers and contacts. This led to employee records being compromised, as well as the compromise of Security ID Authentication tokens.

Headline 2: The 2017 conviction of Jason Needham for stealing protected information. Needham had left the engineering firm Allen & Hoshall to start his own engineering firm and stayed in touch with his former employer, who kept Needham as a trusted external source. While remaining in good standing with his former employer, Needham gained access to an Allen & Hoshall employee’s email account. This allowed him to receive confidential passwords and gain access to protected documents. These documents were then used to compete against Needham’s former employer, which is how the breach was finally uncovered after nearly three years of access.

Headline 3: June 2015, an employee for Eastern Health (one of Canada’s largest health authorities) lost a USB drive containing spreadsheets of 9,000 employees’ PII. The corporate policies in place to prevent this type of data loss were not followed in this incident, resulting in major loss.

These examples all showcase how trusted individuals may have made poor or intentional decisions that negatively impacted their companies, team members, clients, and reputation as a result.

Don’t Underestimate the Severity of an Insider Threat

For those reading this article and still doubting whether their organization is a serious target for an insider threat, I ask these questions:

  • Does your organization receive Phishing and Whaling attempts?
  • Have you had an employee walk off the job in the middle of a shift?
  • Does your organization restrict access for employees or contractors/vendors to only what is required, based on essential job requirements?

Now you might say to yourself, “Every employer has these issues listed above.” Well, that is exactly my point. All data and computing assets have value to not only nation-state actors, but all malicious actors. Let’s review some examples of the infiltration methods themselves…

Phishing and Whaling Attempts

A nefarious actor has taken the time to understand who in your organization is either:

  • A leader who may ask for financial transfers, OR
  • A trusted source whose URL you would click on, unknowingly installing malware

Employee Walks Out on a Shift

There are several concerns with this to address. Some that should instantly come to mind are:

  • What was the reason for this action?
  • Were the warning signals ignored by management?
  • Did your organization change account passwords, access codes, and other shared account info after the employee left that they may have taken with them?

These may not seem important, however, people can make poor decisions when angry. They could access vendor portals and make changes to accounts that could negatively impact the business.
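One way to answer the third question above with evidence rather than memory, shown as an added example that is not part of the original article: compare an inventory of shared credentials against the list of departures. The inventory layout, names, and dates are constructed for illustration.

```python
from datetime import date

# Constructed inventory: each shared secret, who knew it, when it was last changed.
SHARED_SECRETS = {
    "vendor-portal-login": {"holders": {"erin", "frank"}, "rotated": date(2020, 6, 1)},
    "alarm-panel-code": {"holders": {"erin", "gina"}, "rotated": date(2020, 9, 10)},
    "shipping-account": {"holders": {"frank"}, "rotated": date(2020, 1, 15)},
}
# Constructed departures: person -> last day of authorized access.
DEPARTURES = {"erin": date(2020, 9, 3)}


def unrotated_after_departure(secrets, departures, as_of):
    """List (secret, former holder, days exposed) for every shared secret
    that has not been changed since someone who knew it left."""
    findings = []
    for name, info in secrets.items():
        for person in info["holders"].intersection(departures):
            left = departures[person]
            # A change made on the departure day may predate the exit,
            # so only a strictly later rotation clears the finding.
            if info["rotated"] <= left:
                findings.append((name, person, (as_of - left).days))
    return sorted(findings)


if __name__ == "__main__":
    for secret, person, days in unrotated_after_departure(
        SHARED_SECRETS, DEPARTURES, as_of=date(2020, 9, 20)
    ):
        print(f"{secret}: known to {person}, unchanged {days} days after departure")
```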

Restriction of Elevated Privileges

If your organization is receiving phishing or whaling attempts, and malware gets installed because your “trusted” employee installed an application unknowingly, this could compromise every account this employee has access to.

Simple items like not allowing admin privilege on company-provided equipment, defining job responsibilities and limiting access to essential systems only, requiring Multi-Factor Authentication, only allowing company provisioned, monitored equipment onto the corporate network, and implementing password rotations for critical system access can all reduce this risk.

Factors That Can Motivate an Employee to Act Out

There are numerous factors that can cause an employee to act out. Here are the most popular ones:

  • Anger/Revenge – Wanting to retaliate against the organization for actual or perceived slights such as lack of recognition, missed promotions, conflict with management or co-workers, and even pending layoff.
  • Compulsive or destructive behavior – This can include drug, alcohol, and gambling dependencies. These can cause debt and other issues that may become a motivation to find funding for their activity.
  • Ego/Self-Image – An ‘above the rules’ attitude. Such a person could be subject to flattery, or promises of a better job elsewhere could cause the recipient to want to show the provider it was deserved.
  • Family problems – Marital or other relationship difficulties can cause stress in their personal life. This is a sensitive item and depending on the employee, no one in the work environment may even know another employee is having personal problems.

Warning Signs

Some of the warning signs or indicators that an employee may exhibit when acting against their employer include:

  • Removing proprietary information or seeking data/information outside their job function scope
  • Working odd hours without reason or approval
  • Taking multiple short, unexplained trips (particularly overseas)
  • Making unapproved contacts with competitors or business partners
  • Showing interest in projects or work outside the employee’s job responsibility
  • Remotely accessing the network from home or on vacation outside approved work routines
  • Unnecessarily copying manuals or large volumes of materials or unauthorized transfer of data

It is important to remember that the presence of some or even all of these activities by an employee does not mean they are engaged in illegal activity or guarantee the employee will pose a future threat. However, this behavior should be addressed so the employee base understands systems are monitored, access is reviewed, and anomalies are questioned to prevent insider threats.
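Several of the indicators above (odd hours, remote access outside approved routines, data outside job scope, large-volume copying) can be checked against access logs. The following is an added example, not part of the original article, that builds a review queue from constructed log lines; the log format, the approved-hours window, and the byte threshold are assumptions, and a hit is a prompt to ask a question, not a finding of wrongdoing.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample: time, user, user's dept, resource's dept, source, bytes copied
SAMPLE_LOG = """\
2020-09-14T10:05:00,alice,finance,finance,office,120000
2020-09-14T23:40:00,bob,engineering,engineering,vpn,90000
2020-09-15T11:00:00,bob,engineering,finance,office,40000
2020-09-15T14:20:00,carol,sales,sales,office,700000000
2020-09-15T14:45:00,carol,sales,sales,office,600000000
2020-09-19T09:30:00,dave,hr,hr,vpn,5000
"""

WORK_HOURS = range(7, 19)          # assumed approved window: 07:00-18:59, Mon-Fri
DAILY_BYTES_LIMIT = 1_000_000_000  # assumed per-user daily copy threshold


def review_queue(log_text):
    """Map each user to the warning-sign indicators seen in their activity."""
    hits = defaultdict(set)
    daily_bytes = defaultdict(int)
    fields = ["ts", "user", "dept", "res_dept", "source", "bytes"]
    for row in csv.DictReader(StringIO(log_text), fieldnames=fields):
        ts = datetime.fromisoformat(row["ts"])
        user = row["user"]
        off_hours = ts.weekday() >= 5 or ts.hour not in WORK_HOURS
        if off_hours:
            hits[user].add("odd_hours")
            if row["source"] == "vpn":
                hits[user].add("remote_outside_routine")
        if row["res_dept"] != row["dept"]:
            hits[user].add("outside_job_scope")
        # Sum per user per day so several medium copies still add up.
        daily_bytes[(user, ts.date())] += int(row["bytes"])
    for (user, _day), total in daily_bytes.items():
        if total > DAILY_BYTES_LIMIT:
            hits[user].add("bulk_copy")
    return {user: sorted(found) for user, found in hits.items()}


if __name__ == "__main__":
    for user, found in sorted(review_queue(SAMPLE_LOG).items()):
        print(user, found)
```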

So How Do You Protect Your Organization?

The good news is, there is guidance from multiple agencies that you can utilize to bulk up your organization’s Insider Threat Program:

This guidance will walk you through not only the formation of the program, but also how to evaluate & assess, recognize & report, and provide training and awareness videos that can be implemented in your organization’s Insider Threat Program.

This has been a lengthy article to read and hopefully I still have your attention. If the only takeaway you have is that no matter your organization’s size or industry, your data and systems have value, then this read was successful.

The threat landscape is ever evolving with a worldwide pandemic that has sparked everything from changes in work environments and processes to geo-political and civil unrest. These outside influences can impact your business in ways that range from cryptojacking to data exfiltration to even losing all control of your systems.

Protect Against Insider Threats with LightEdge

Insider threats in cybersecurity are one of the top concerns that businesses are facing today. Whether that threat is due to ignorance, negligence, or is made with malicious intent, use this information and LightEdge’s secure services to protect your organization.

LightEdge is committed to keeping your data safe, secure, and compliant. LightEdge offers a comprehensive product portfolio to ensure complete protection and uninterrupted performance of IT operations and mission-critical systems in the event of a disaster.

LightEdge is your trusted partner delivering fully integrated data protection, disaster recovery services, and workplace recovery facilities to ensure your business is always fully covered and operational and meets required compliance standards.

Our owned and operated facilities, integrated disaster recovery solutions, and premium cloud choices make up a true Hybrid Solution Center model. LightEdge’s highly-interconnected data center facilities now span Des Moines, IA; Kansas City, MO; Omaha, NE; Austin, TX; and Raleigh, NC.

Each of our LightEdge facilities strives to deliver more than traditional data centers. We have created true Hybrid Solution Centers designed to offer a complete portfolio of high speed, secure, redundant, local cloud services and managed gateways to public clouds through our hardened facilities.

Want to learn more about LightEdge’s security, disaster recovery and business continuity services? Contact one of our security and compliance experts to get started or to schedule your private tour of any of our data center facilities. We have disaster recovery, colocation, and business continuity experts standing by to answer any of your questions.


Robert Bennett

Rob Bennett has served in a variety of leadership positions focusing on Security Operations & Business Continuity since 1993. His roles included a 12-year stint as the Director of IT Operations for a global telecommunications company, implementing video and VOIP communications systems and ITIL-based processes. Rob has also spent 7 years in consulting roles with regulated companies seeking to attain specific compliance certifications.
