
CSO’s 2017 U.S. State of Cybercrime Survey finds that 54 percent of all security-related incidents were linked to employees. Of these, only 18 percent were intentional and 8 percent resulted from credential theft. Most striking, perhaps, is that 28 percent of insider security incidents were unintentional. These incidents can be traced directly to employee negligence and ignorance, which remain the primary drivers of most insider security events. IT Support Houston has been devising ways to protect companies against insider threats for decades.

What is an Insider Threat?

An insider threat can be defined as a range of malicious activities directed against an organization by legitimate users within the organization’s network. Threats can come from anywhere, including current or former employees, vendors, business partners, contractors, or temporary workers – virtually anyone who has legitimate access to the company’s network. The term mostly refers to intentionally malicious activity, but it is also used for harm caused to the network and the company through unwitting mistakes or carelessness.

Difference between insider threat and insider attack

To elaborate on the above, insider threats are distinctly different from insider attacks. Insider threats are not always malicious in intent, but insider attacks are always malicious and are executed by someone within your organization who has authorized system access. With most companies bent on protecting their networks and assets from external attacks, many find themselves unprepared for attacks that originate within their own network.

Common types of Insider Threats with examples

Malicious Insider

A malicious insider is someone within your organization who holds authorized system access and deliberately uses it to harm the company; this is the insider attack described above, as opposed to the unintentional threats covered next.

Negligent Insider

Sometimes employees have no malicious intent at all but are simply lackadaisical about following proper IT procedures and safety guidelines. This could be someone who leaves their laptop in the car or habitually forgets to log out when leaving a system unattended for long periods of time. It could even be a systems administrator who skips patch cycles.

Such seemingly insignificant behavior can have severe repercussions for a company’s safety even as it tries its best to secure all endpoints. Falling victim to phishing emails is also an example of a negligent insider attack. In fact, these attacks are particularly pernicious: the United States Federal Bureau of Investigation (FBI) reports that phishing-enabled Business Email Compromise (BEC) scams cost organizations more than $12 billion in a single year.

Compromised Insider

An employee who unwittingly allows their computer to be infected with malware is a good example of a compromised insider. This can also result from phishing scams or simply from clicking on malicious attachments or links. The compromised system, or chain of systems, can easily be used by attackers as a point of ingress into the company’s extended network. They could even potentially obtain administrator privileges, scan file shares, infect other systems, and more.

The recent Twitter breach can serve as an example of a compromised insider attack. In this instance, attackers compromised employee credentials and their internal network through a phone spear phishing attack to hack into several high-profile accounts and distribute a cryptocurrency scam.

Ways to prepare against insider threats

Employee Training

To protect against insider threats, you may need to fine-tune security awareness training to focus more on anti-phishing training. A hands-on approach is to send phishing emails to your own employees to gauge their preparedness for phishing attacks; if certain employees are unable to detect the attack, focus training on those users. Organizations can also benefit from extensive employee training in spotting risky behavior and in building a culture where such behavior is reported without fear of repercussions. IT Outsourcing Houston can help you implement effective and regular security awareness training.

Coordinate IT Security and HR

Without close coordination between the HR department and IT security teams, layoffs can be an easy opportunity to abuse access privileges. Affected employees should be put on an IT watchlist well before it is time to revoke their access. This watchlist should extend beyond layoffs to cover employees who may have been passed over for a promotion or a raise. Needless to say, this kind of preparedness in IT security requires close coordination between the CISO and the head of HR.
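The coordination described above has a mechanical core that can be checked automatically: the HR roster is the source of truth for who should still have access, and the directory is the record of who actually does. The following is an added example (not code from the original post or from PennComp) that reconciles a constructed HR roster against a constructed list of directory accounts and produces three lists: accounts to revoke now (leavers whose last day has passed), accounts to place on the watchlist (departures inside a notice window, plus any employee IDs HR has explicitly flagged), and orphan accounts with no HR owner at all. The data, field names and the 14-day horizon are all assumptions for the illustration.

```python
"""Reconcile an HR roster against directory accounts for insider-threat offboarding.

Added example; the roster, account list and field names are constructed for
illustration and do not come from any real HR or directory system.
"""
from datetime import date, timedelta

# Constructed HR roster. last_day is None unless the employee is leaving.
HR_ROSTER = [
    {"id": "E100", "user": "alice", "status": "active",     "last_day": None},
    {"id": "E101", "user": "bob",   "status": "notice",     "last_day": date(2024, 3, 15)},
    {"id": "E102", "user": "carol", "status": "terminated", "last_day": date(2024, 2, 28)},
]

# Constructed directory export. svc_backup_old has no HR record at all.
DIRECTORY_ACCOUNTS = [
    {"user": "alice",          "enabled": True, "privileged": False},
    {"user": "bob",            "enabled": True, "privileged": True},
    {"user": "carol",          "enabled": True, "privileged": False},
    {"user": "svc_backup_old", "enabled": True, "privileged": True},
]

# Employee IDs HR wants watched for reasons other than a scheduled departure
# (assumption: HR supplies these explicitly; they are never inferred here).
HR_WATCH_IDS = {"E100"}


def reconcile(roster, accounts, today, horizon_days=14, watch_ids=frozenset()):
    """Return {'revoke': [...], 'watch': [...], 'orphans': [...]} of usernames.

    revoke  - enabled accounts whose owner is terminated or past their last day
    watch   - enabled accounts leaving within horizon_days, or flagged by HR
    orphans - accounts with no matching HR record (nobody owns them)
    """
    by_user = {rec["user"]: rec for rec in roster}
    revoke, watch, orphans = [], [], []
    for acct in accounts:
        rec = by_user.get(acct["user"])
        if rec is None:
            orphans.append(acct["user"])
            continue
        if not acct["enabled"]:
            continue                      # already disabled, nothing to do
        last = rec["last_day"]
        if rec["status"] == "terminated" or (last is not None and last < today):
            revoke.append(acct["user"])
        elif (last is not None and last <= today + timedelta(days=horizon_days)) \
                or rec["id"] in watch_ids:
            watch.append(acct["user"])
    return {"revoke": revoke, "watch": watch, "orphans": orphans}


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, DIRECTORY_ACCOUNTS, date(2024, 3, 5),
                       watch_ids=HR_WATCH_IDS)
    for bucket, users in result.items():
        print(f"{bucket:8s}: {', '.join(users) or '-'}")
```

Run daily, the revoke list is the one that should be empty: any name on it is an account that outlived its owner's employment, which is exactly the window the section warns about. Orphaned privileged accounts deserve the same urgency, since no manager will ever request their removal.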

Employ User Behavioral Analytics

User and Entity Behavior Analytics (UEBA) helps organizations track, collect, and analyze user and machine data to flag potential threats. It uses a variety of analytical techniques to distinguish significant anomalies in data patterns. Managed IT Services Houston can help you implement the right strategies and tools for UEBA. Keep in mind that it can take some time for UEBA to become truly effective: only after collecting data over a period of time can the system recognize normal user behavior and differentiate it from behavior that does not fit the pattern. UEBA has proved particularly useful in spotting credential abuse, unusual access patterns, large data uploads, and similar activity before attackers have a chance to compromise the network.

Abnormal behaviors to watch for include:

  • Attempting to access sensitive data outside the scope of normal job function
  • Attempting to gain access privileges to sensitive data
  • Significant spikes in file activity in sensitive folders
  • Any attempt to alter system logs or delete large volumes of data
  • Significant data exchange with parties outside the company
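The behaviors in the list above are the kind of rules a UEBA tool evaluates against a per-user baseline. The following is an added example (not code from the original post or from any UEBA product) that learns a simple baseline from constructed file-activity logs, then scores one day of new events against it. It covers four of the five bullets: sensitive-folder access outside a user's normal folders, a spike in daily file operations, writes or deletes to system logs (or bulk deletes), and outbound transfers to external destinations far above the user's norm. The log format, folder names, domain suffix and thresholds are all assumptions chosen for the illustration; the point is the baseline-then-compare structure, which is why UEBA needs a collection period before it is useful.

```python
"""Toy UEBA-style anomaly scoring over constructed file-activity events.

Added example; events, folder names, thresholds and the domain suffix are
constructed for illustration and are not from the post or from any product.
Each event is (user, day, action, path, bytes_out, destination).
"""
from collections import defaultdict
from statistics import mean

SENSITIVE_PREFIXES = ("/finance/", "/hr/")  # assumed sensitive data locations
LOG_PREFIX = "/var/log/"                    # assumed system log location
INTERNAL_DOMAIN = ".corp.example"           # any other destination is external
SPIKE_FACTOR = 3                            # daily ops above 3x baseline is a spike
BULK_DELETE = 20                            # deletes per day that count as "large volumes"
EXT_FACTOR, EXT_FLOOR = 10, 100_000_000     # outbound: >10x baseline and >100 MB


def top_folder(path):
    """'/finance/reports/q1.pdf' -> '/finance/'"""
    return "/" + path.strip("/").split("/")[0] + "/"


def build_profile(events):
    """Learn each user's normal folders, mean daily op count and mean daily external bytes."""
    folders = defaultdict(set)
    ops = defaultdict(lambda: defaultdict(int))
    ext = defaultdict(lambda: defaultdict(int))
    for user, day, action, path, nbytes, dest in events:
        folders[user].add(top_folder(path))
        ops[user][day] += 1
        if dest and not dest.endswith(INTERNAL_DOMAIN):
            ext[user][day] += nbytes
    return {u: {"folders": folders[u],
                "mean_ops": mean(ops[u].values()),
                "mean_ext": mean(ext[u][d] for d in ops[u])} for u in folders}


def detect(profile, events):
    """Score one day of events; returns a list of (user, rule, detail) findings."""
    unknown = {"folders": set(), "mean_ops": 0, "mean_ext": 0}
    findings = []
    ops, deletes, ext = defaultdict(int), defaultdict(int), defaultdict(int)
    for user, day, action, path, nbytes, dest in events:
        p = profile.get(user, unknown)
        # Sensitive data outside the folders this user normally touches.
        if path.startswith(SENSITIVE_PREFIXES) and top_folder(path) not in p["folders"]:
            findings.append((user, "sensitive_out_of_scope", path))
        # Any attempt to alter system logs.
        if path.startswith(LOG_PREFIX) and action in ("write", "delete"):
            findings.append((user, "log_tampering", f"{action} {path}"))
        ops[user] += 1
        if action == "delete":
            deletes[user] += 1
        if dest and not dest.endswith(INTERNAL_DOMAIN):
            ext[user] += nbytes
    for user in ops:
        p = profile.get(user, unknown)
        if ops[user] > SPIKE_FACTOR * max(p["mean_ops"], 1):
            findings.append((user, "activity_spike",
                             f"{ops[user]} ops vs baseline {p['mean_ops']:.1f}/day"))
        if deletes[user] >= BULK_DELETE:
            findings.append((user, "bulk_delete", f"{deletes[user]} deletes"))
        if ext[user] > max(EXT_FLOOR, EXT_FACTOR * p["mean_ext"]):
            findings.append((user, "large_external_transfer", f"{ext[user]} bytes outbound"))
    return findings


def _routine(user, folder, days, per_day):
    """Constructed routine reads: per_day files under folder on each day."""
    return [(user, d, "read", f"{folder}/doc{i}.txt", 0, None) for d in days for i in range(per_day)]


# Constructed baseline: alice works in /eng, bob in /finance with one small partner upload.
BASELINE_EVENTS = (
    _routine("alice", "/eng/specs", range(1, 6), 4)
    + _routine("bob", "/finance/reports", range(1, 6), 5)
    + [("bob", 2, "upload", "/finance/reports/q1.pdf", 2_000_000, "auditor.example")]
)

# Constructed day 6: alice strays into payroll and deletes a log; bob bulk-reads and exfiltrates.
DAY6_EVENTS = (
    _routine("alice", "/eng/specs", [6], 3)
    + [("alice", 6, "read", "/finance/payroll.xlsx", 0, None),
       ("alice", 6, "delete", "/var/log/auth.log", 0, None)]
    + _routine("bob", "/finance/reports", [6], 20)
    + [("bob", 6, "upload", "/finance/reports/all_clients.zip", 800_000_000, "files.example")]
)

if __name__ == "__main__":
    for user, rule, detail in detect(build_profile(BASELINE_EVENTS), DAY6_EVENTS):
        print(f"{user:6s} {rule:24s} {detail}")
```

Note that bob's 800 MB upload is flagged because it dwarfs his own baseline, not because uploads are forbidden; the same volume from a user whose job is bulk file exchange would score differently. That per-user relativity is what distinguishes behavior analytics from a static rule, and it is also why a freshly deployed system with a thin baseline produces noisy results.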

Building a Threat Hunting Team

Many organizations are moving away from largely reactive approaches to insider threats by building dedicated threat hunting teams. This gives them a much more proactive stance on mitigating insider threats instead of simply reacting to them upon discovery. These dedicated teams actively look for signs of suspicious activity, like those listed above, alert the teams concerned, and potentially head off attackers before they can steal from or otherwise disrupt the system.

Scott Young

Scott Young is the president of PennComp LLC, an IT Support Houston company. Being a CPA, Six Sigma Master Black Belt, Change Management Certified and Myers-Briggs Qualified, Scott’s expertise is reflected in PennComp as a leading IT company for computer services and network integration. PennComp utilizes Six Sigma methodologies and practices in its service delivery and offers state-of-the-art monitoring and management tools to its clients.