Some years ago, I was working for an organization when one of the employees was fired.One of my managers did not follow the standard procedures to remove the person who was let go from the system. What happened next was utter chaos.
In a fit of rage, the terminated employee, who still had access to the shared server with every single project we had been working on, deleted all of the files. Everything was gone in an instant.
That's an all too common example of how a disgruntled employee, an insider threat, can create enduring difficulties for your business.
SecureWorld recently hosted a panel discussion on the topic of insider threats featuring four guests: Phillip Curran, CISO and CPO at Cooper University Health; Jordan Fischer, cyber attorney at Beckage; Billy VanCannon, Head of Product at Spirion; and Justin Turner, Associate Director of Cybersecurity and Data Privacy at Protiviti.
Here are the types of insider threats organizations may encounter, according to our experts.
1. The accidental internal threat
Most insider threats are accidental, meaning an end-user may have downloaded data or opened and clicked on a phishing link, but it was not purposeful. These are your common human errors, and most times, the employee does not even realize what they have done.
"I think a lot of dialogue for that accidental actor [is] I didn't mean to click on the link, I didn't have my third cup of coffee that day, or something along those lines," Jordan Fischer said.
According to a presentation by Code42 at the 2021 Women in Cybersecurity Conference, the internal, non-malicious threat, sometimes called an "internal risk," makes up about 80% of the threats. These mistakes could potentially open a hole in your network for an actor with bad intentions to breach.
Phillip Curran said in the SecureWorld presentation that fighting against the mistakes employees within an organization can make is a major focus:
"Quite frankly, I'm more concerned about [the accidental threat]. Just trying to do their job, they accidentally click on [a link] without any kind of attachment, versus a malicious actor who is deliberately trying to do something."
2. The malicious internal threat
A person with access and the intention of doing your business harm is likely going to fall into this category, bar some cases where a disgruntled employee may use their knowledge to their benefit. A bit like this case in which a former Netflix software developer used his contacts for insider trading. Fischer said:
"I do think it is important to recognize that there are sometimes employees that have a nefarious reason behind what they're trying to do. They're disgruntled. They have been let go, but it's in that two-week time period where they still have access to the system, where they've been let go, and haven't been appropriately off-boarded, meaning that they determine there's still access on their phone where they have access to a social media account that they were managing that wasn't removed, then you start to see actions being taken."
On a positive note, while it may take proper procedures and communication with your team, this kind of threat can be averted. Fischer continued:
"It's just being aware of access control, and then management communicating with IT and the other departments to make sure that offboarding is done in a way that minimizes the risk of an employee taking something that they wouldn't want.
It's really looking at those controls that you have in place, and testing them, monitoring and auditing them, to say are we in fact, shutting down access in a way that's appropriate to the employee's own access as they're here and then making sure they’re not taking anything with them."
Justin Turner added that understanding the regular routines of internal users is valuable. Changes in daily activities could be a red flag.
"The first thing we need to do is be able to understand what is normal user baseline activity that aligns with what their job function and their job responsibilities are, because then we're able to identify what the deviations are from that," Turner said.
Turner says sudden mass transfers of data or other out of the ordinary activity can be a major warning sign.
3. The external-to-internal threat
Hackers are crafty and for every good guy, there is bound to be a bad guy with the goal of disrupting your business. APTs, black hats, and elite hackers fall into this category. They are the ones trying to extort money from your organization, steal data to sell on the Dark Web, or any number of other nefarious acts.
Once they breach your system, they are inside your network and have full access to do what they will.
Billy VanCannon said it is important to note that when an external threat breaches your system, successfully slipping by undetected, that actor is now considered an internal threat.
"When an external threat is able to socially engineer internal [access], they come in through the email and they're able to convince [a user] to click on a link and download malware or phishing for credentials. They go from being an external threat to looking like an internal threat."
In some cases, tools we may not consider part of insider threat defense can become exactly that:
"Multi-factor authentication (MFA) may not sound like an insider threat protection, but if the credentials are lost, then that's your defense against somebody who looks like an insider," VanCannon said.
If you missed this presentation, catch it on-demand to learn more about the ways you can mitigate the risks of an insider threat.
[RESOURCES] When it comes to being breached, what's your line of defense look like? Register for SecureWorld's Remote Sessions webcast, You've Been Breached. Now What?, to learn more about how to protect your organization.