70. Understanding and Mitigating Insider Threats
In this lesson, we are going to discuss an all-important aspect of cybersecurity: understanding and mitigating insider threats. In cybersecurity, insider threats are security risks that originate from within the organisation itself rather than from an outside attacker. They mainly stem from current or former employees, contractors and other insiders who hold, or have held, legitimate access to sensitive information or critical infrastructure.
Identifying Insider Threats
The first step in mitigating insider threats is understanding and identifying them. Insider threats can be intentional or unintentional: a dissatisfied employee with harmful motives, or a well-meaning team member who inadvertently falls victim to a phishing attack, respectively.
There are three key categories of insider threats: negligent insiders, malicious insiders and infiltrators. Negligent insiders are employees or partners who take excessive risks or disregard security policies without intending any harm. Malicious insiders are employees or partners who actively seek to harm the organisation, usually for personal gain or out of grievance. Infiltrators are outside agents who have obtained insider access, usually by compromising an insider's credentials or account; once inside, they appear to be a legitimate user and are hard to tell apart from a genuine insider.
The Impact of Insider Threats
Insider threats can cause substantial damage: loss of confidential information, disruption of regular operations and reputational harm to the organisation. They are particularly difficult to defend against because insiders already have authorised access and know the organisation's infrastructure, so their actions blend in with legitimate activity. Perimeter controls such as firewalls offer little protection, since the insider is already behind them, and their activity is harder to detect than an outside intrusion.
Mitigating Insider Threats
Here are some of the tactics that are widely recommended for reducing the risk of insider threats:
1. Security Education and Awareness: Fostering a culture of security, where employees understand the risks involved and the part they play in mitigating them, is crucial. This involves regular training sessions and reminders about safe online behaviour and the importance of following security protocols.
2. Access Control: Adopting a 'least privilege' approach is essential. Give each person only the minimum level of access required to perform their duties, review entitlements when roles change, and revoke access promptly when someone leaves. This limits what any one insider, or an attacker who has compromised that insider's account, can reach.
3. User Activity Monitoring: Monitoring user activity (logins, file access, data transfers and privilege use) helps detect suspicious behaviour such as bulk downloads, access outside working hours or access to data unrelated to a person's role, and supports both breach prevention and policy compliance. Monitoring must comply with applicable employment and privacy law and should be transparent to staff, so that it does not itself erode trust.
4. Regular Audits: Regular audits of access rights, logs and configurations help identify security gaps and detect unusual activity. These audits should combine automated, technology-led checks with human review.
5. Incident Response Plan: A well-defined incident response plan helps minimise the impact of an insider incident. It should cover the steps to take immediately after an incident is detected (containing the account, preserving evidence) as well as the aftermath: investigation, remediation and lessons learned. Insider cases usually involve HR and legal teams as well as IT, so the plan should name those contacts in advance.
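As an added example (not part of the original lesson), the following Python script applies the monitoring, least-privilege and audit ideas from points 2 to 4 to a small, constructed access log. It flags activity from accounts that HR has marked as departed, access to another department's data, activity outside business hours, and daily download volumes above a threshold. The log format, the user directory, the business-hours window and the 100 MiB threshold are all assumptions made for the example; in a real deployment the events would come from a SIEM or file-server logs and the directory from the identity provider.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data). Fields:
# ISO timestamp, user, action, resource path, bytes transferred.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice READ hr/payroll.xlsx 20480
2024-03-04T10:05:00 alice READ hr/benefits.docx 10240
2024-03-04T11:30:00 bob READ eng/design.pdf 51200
2024-03-04T23:45:00 bob DOWNLOAD eng/source-archive.zip 734003200
2024-03-04T23:47:00 bob DOWNLOAD hr/payroll.xlsx 20480
2024-03-05T02:10:00 carol READ finance/q1.xlsx 4096
"""

# Constructed HR/identity data. In practice this comes from the HR system
# or identity provider; here it is hard-coded for the example.
USER_DIRECTORY = {
    "alice": {"dept": "hr", "active": True},
    "bob": {"dept": "eng", "active": True},
    "carol": {"dept": "finance", "active": False},  # left the company; account should be disabled
}

BUSINESS_HOURS = (7, 19)            # 07:00-18:59 local time counts as normal (assumption)
BULK_THRESHOLD = 100 * 1024 * 1024  # more than 100 MiB downloaded per user per day is suspicious (assumption)


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, size = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "bytes": int(size),
            # The first path component names the owning department (e.g. "hr/...").
            "dept": resource.split("/", 1)[0],
        })
    return events


def detect(events, directory, business_hours=BUSINESS_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Apply four insider-threat rules and return a list of (rule, user, detail) alerts."""
    alerts = []
    daily_bytes = defaultdict(int)  # (user, date) -> bytes downloaded that day

    for ev in events:
        user, profile = ev["user"], directory.get(ev["user"])

        # Rule 1: activity from an account HR says has left, or one we do not know at all.
        # This is the offboarding failure least privilege is meant to prevent.
        if profile is None or not profile["active"]:
            alerts.append(("terminated_account_activity", user, ev["resource"]))
            continue  # nothing else about this account matters; it should not be active

        # Rule 2: reading data owned by another department (over-broad access or misuse).
        if ev["dept"] != profile["dept"]:
            alerts.append(("cross_department_access", user, ev["resource"]))

        # Rule 3: activity outside business hours.
        start, end = business_hours
        if not start <= ev["time"].hour < end:
            alerts.append(("off_hours_access", user, ev["time"].isoformat()))

        # Rule 4: aggregate download volume per user per day, alerting once when crossed.
        if ev["action"] == "DOWNLOAD":
            key = (user, ev["time"].date())
            before = daily_bytes[key]
            daily_bytes[key] += ev["bytes"]
            if before <= bulk_threshold < daily_bytes[key]:
                alerts.append(("bulk_download", user, f"{daily_bytes[key]} bytes on {key[1]}"))

    return alerts


def run_example():
    """Run the rules over the constructed log and return the resulting alerts."""
    return detect(parse_log(SAMPLE_LOG), USER_DIRECTORY)


if __name__ == "__main__":
    for rule, user, detail in run_example():
        print(f"[{rule}] {user}: {detail}")
```

On the constructed log, alice produces no alerts, bob triggers the off-hours, bulk-download and cross-department rules for his late-night activity, and carol's read fires the terminated-account rule. Each rule on its own is noisy (on-call staff work at night, colleagues legitimately share files); the value comes from correlating several weak signals for one user and having a human review them, which is the combination of automated checks and human-led audit the list above describes.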
Use Case: Sony Pictures Hack
In one of the most notorious breaches of its decade, the Sony Pictures hack in 2014 led to the leak of unreleased films, confidential employee data and damaging internal emails. Early speculation pointed to disgruntled insiders, but the FBI attributed the attack to North Korea. The attackers nevertheless operated with insider-level access: they held administrative credentials and understood Sony Pictures' network well enough to move through it and wipe systems. In the terms used above, this is the infiltrator pattern. An outsider who has obtained insider access is every bit as dangerous as a malicious employee, and the breach was a harsh reminder of the damage such access can do and of the importance of mitigating insider threats in all their forms.
Conclusion
Insider threats can be as dangerous as, if not more dangerous than, threats from external attackers. By understanding the types of insider threats and implementing effective mitigation strategies, organisations can significantly reduce their risk.
We recommend further reading on this topic, such as the CERT Guide to Insider Threats from Carnegie Mellon University’s Software Engineering Institute, and the UK government’s guidelines for mitigating malware and ransomware attacks.
No matter your organisation’s size or industry, awareness, vigilance, education, and preparation are the best defences against insider threats.