Cybersecurity challenges are not exclusive to external threat sources. Insider challenges, intentional or accidental, are just as big a strategic consideration. Kaushal Perera, CISSP shares some of his first-hand experience in addressing this challenge.

As organizations rely ever more heavily on digital systems to store and manage sensitive data, the corresponding risk of security breaches looms larger than ever. While threats from external sources are often the focus of security measures, it's crucial not to overlook the dangers posed by insiders with various levels of access to internal networks, applications, and data.

Insider threats occur when individuals within an organization are compromised or misuse their access to sensitive information for malicious purposes. These individuals could be employees, contractors, or partners who have legitimate access to the organization's systems and data. Unlike external threats, insider threats can be more challenging to detect and prevent because the perpetrators often have intimate knowledge of the organization's security controls, vulnerabilities and processes.

Insider Threat Profiles

There are several types of insider threats, each with its own motivations and characteristics. The most common types include:

  • Insiders with malicious intent: these individuals intentionally misuse their access to steal sensitive data, sabotage systems, or carry out other malicious activities for personal gain or revenge.
  • Insiders showing negligence: negligent insiders inadvertently compromise security through careless actions, such as falling victim to phishing scams, sharing passwords, or failing to follow security protocols.
  • Insiders who have been compromised: compromised insiders are individuals whose credentials or access rights have been compromised by external actors, allowing them to exploit the organization's systems from within.

The consequences of insider threats can be severe, ranging from financial losses and reputational damage to legal repercussions and regulatory fines. Therefore, it's crucial for organizations to implement robust security measures to mitigate the risk of insider threats effectively.

An Insider Threat Strategy

Based on my own experience, I recommend the following controls to mitigate this risk and reduce its impact. These controls have been successfully implemented in various places where I have worked. However, each control must be enforced at the most stringent level to be effective.

Conduct background checks
Conducting thorough background screenings on employees, contractors, and partners is crucial before granting access to sensitive systems and data. This practice ensures that individuals with genuine intentions are hired, without connections to criminal entities, financial issues, or ties to competitors. We implemented procedures to meticulously validate credentials, employment records, and references, which helped uncover any potential warning signs or indications of threats. Additionally, these procedures undergo periodic audits to ensure their effectiveness and efficiency.

Establish a security-conscious culture
After selecting and hiring the right people, providing training and awareness becomes crucial. In some of my former workplaces, I conducted training sessions to ensure all staff members understood the importance of cybersecurity and their role in protecting sensitive information. Awareness sessions prevent sharing of access credentials and educate users on detecting and reporting incidents of suspicious behavior within the company. Furthermore, users are informed about the consequences of violating policies and procedures and made aware that their access is logged and monitored around the clock, thereby discouraging malicious or fraudulent activity. In my experience, classroom or online interactive training sessions are highly effective because they allow for a better understanding of participants' mindsets, ensuring effective delivery of the training. Additionally, I used to assess their knowledge after the training sessions to ensure they understood the content and could contribute to building a secure culture.

Segregation of duties
This involves dividing tasks and responsibilities among different individuals or departments to prevent errors, fraud, and misuse of resources. The key idea behind segregation of duties is to ensure that no single individual has control over all aspects of a critical process or transaction. In some of my previous workplaces, I emphasized the risk associated with network and database administrators having access to activity logs, as they could potentially modify or manipulate them. These administrators should also not be tasked with monitoring the logs. Additionally, in some organizations, the risk of administrators creating forged user accounts and executing unauthorized actions has been mitigated by transferring the user access creation procedures to separate departments, thus keeping them away from IT admin users.

Enforce least privilege and dual access controls
I always ensure these controls are defined in relevant policies and procedures and enforced through technical measures. Implementing these access controls is paramount to restricting employees' access to sensitive data and systems according to their job responsibilities. Adhering to the principle of least privilege ensures that individuals are granted only the permissions they need to reach the resources essential for their tasks. Most companies achieve this through role-based access. Additionally, employing dual access control measures is crucial, particularly for highly sensitive and critical information. When I was working for financial institutions, I observed that financial transactions exceeding a predetermined limit could not be executed by a single user. Instead, another person had to log in and authorize the transaction within the system. This strategy effectively diminishes the risk of unauthorized access and misuse.
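The following is an added example, not code from the article, that models the two controls described above: role-based least privilege (only accounts holding a role may act) and dual authorization for transactions above a limit, where the approver must be a different person from the initiator. The limit, role table and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed threshold above which a second, distinct approver is required
LIMIT = 10_000

# Constructed role assignments: least privilege, only these roles may act at all
ROLES = {
    "alice": {"initiator"},
    "bob": {"approver"},
    "carol": {"initiator", "approver"},
    "dave": set(),  # no transaction rights
}


@dataclass
class Transaction:
    amount: int
    initiator: str
    approver: Optional[str] = None
    audit: List[str] = field(default_factory=list)


def initiate(tx: Transaction) -> None:
    """Only an account holding the initiator role may start a transaction."""
    if "initiator" not in ROLES.get(tx.initiator, set()):
        raise PermissionError(f"{tx.initiator} may not initiate transactions")
    tx.audit.append(f"initiated by {tx.initiator}")


def approve(tx: Transaction, approver: str) -> None:
    """Second sign-off; the same person may never both initiate and approve."""
    if "approver" not in ROLES.get(approver, set()):
        raise PermissionError(f"{approver} may not approve transactions")
    if approver == tx.initiator:
        raise PermissionError("initiator cannot approve their own transaction")
    tx.approver = approver
    tx.audit.append(f"approved by {approver}")


def can_execute(tx: Transaction) -> bool:
    """Below LIMIT one authorized initiator suffices; above it a distinct
    approver must have signed off before the system executes it."""
    if not tx.audit:  # never initiated through the controlled path
        return False
    if tx.amount <= LIMIT:
        return True
    return tx.approver is not None and tx.approver != tx.initiator
```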

Monitor user activity
It is important to collect activity logs and monitor them to detect behaviors such as accessing sensitive information, abnormal data transfers, unauthorized system changes, or attempts to bypass security procedures. Security Information and Event Management (SIEM) tools combined with user behavior analytics (UBA) technologies help collect, correlate, and analyze logs in real time to detect anomalies and take prompt action to investigate and mitigate risks. However, as mentioned earlier, this responsibility should be separated from the IT technical teams or administrators and assigned to a distinct internal or external team.

Mandatory leave
Early in my career, I discovered that an email administrator had set up a forwarding rule on a company's email server to receive copies of all incoming emails intended for the CFO. These emails were automatically sent to the administrator's private email account. This discovery occurred while the administrator was absent, and we were assisting our client company in responding to an incident. Mandatory leave provides companies with opportunities to uncover suspicious activities like these. Mandatory leave ensures that someone else temporarily assumes an employee's responsibilities and duties. This temporary absence can reveal any irregularities or discrepancies in the employee's work or behavior, such as fraudulent activities. Further, mandatory leave allows others to review and assess an employee's work in their absence, which can help identify any errors or mistakes that may have been overlooked.
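As an added example, not code from the article, the block below applies two simple SIEM-style detection rules to constructed audit-log lines: one for the mail-forwarding case described in this section (a forwarding rule whose target lies outside the organisation's domain) and one for the "Monitor user activity" section (any activity under an account whose owner is supposed to be on mandatory leave). The log format, domain, user names and leave roster are all constructed.

```python
import re
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"   # constructed
ON_LEAVE = {"mailadmin"}          # constructed: owners currently on mandatory leave

# Constructed audit-log lines: "<ts> actor=<user> action=<verb> key=value ..."
LOGS = """\
2024-03-01T08:02:11Z actor=mailadmin action=set_forward mailbox=cfo@example.com target=someone@mailbox.test
2024-03-01T08:05:40Z actor=helpdesk action=set_forward mailbox=sales@example.com target=team@example.com
2024-03-02T23:14:09Z actor=mailadmin action=login src=10.0.0.5
2024-03-02T09:00:00Z actor=analyst action=read mailbox=analyst@example.com
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+)(?P<rest>.*)$")


def parse(line: str) -> Dict[str, str]:
    """Turn one log line into a dict of fields; reject lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = {"ts": m["ts"], "actor": m["actor"], "action": m["action"]}
    for kv in m["rest"].split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def external_forward(ev: Dict[str, str]) -> bool:
    """Forwarding rule whose target address is outside the organisation."""
    if ev["action"] != "set_forward":
        return False
    return not ev.get("target", "").lower().endswith("@" + INTERNAL_DOMAIN)


def activity_while_on_leave(ev: Dict[str, str]) -> bool:
    """Any action under an account whose owner should be on mandatory leave."""
    return ev["actor"] in ON_LEAVE


def detect(lines: List[str]) -> List[str]:
    """One alert per triggered rule, in log order, for a separate review team."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if external_forward(ev):
            alerts.append(f"EXTERNAL_FORWARD {ev['actor']} {ev['mailbox']} -> {ev['target']}")
        if activity_while_on_leave(ev):
            alerts.append(f"ON_LEAVE_ACTIVITY {ev['actor']} {ev['action']} at {ev['ts']}")
    return alerts
```

Internal-to-internal forwards (the helpdesk line) produce no alert, so the rule keys on the destination domain rather than on forwarding as such.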

Regular Security Assessments and Audits
After implementing the above controls, it is crucial to validate and routinely monitor them to ensure they function correctly. We conduct regular security assessments and audits to evaluate the effectiveness of existing security measures and identify areas for improvement. Further, regular assessments or audits help us detect any ongoing or completed fraudulent activities within the organization. Additionally, we stay updated on emerging threats and evolving best practices in insider threat prevention to continually adapt and strengthen our security strategies.

In conclusion, insider threats pose a significant risk to the confidentiality and integrity of organizations' data and systems. During my career, I have found that implementing the security measures discussed above in a layered structure, known as defense in depth, effectively reduces the risk of insider threats. This approach helps protect sensitive information by adding multiple layers of security, making it harder for unauthorized access and misuse to occur while enabling prompt detection of any breaches.

Kaushal Perera, CISSP, has more than 15 years of experience in financial and technology services. He has held management and technical roles, with responsibility for information security assurance and technical implementations. His cyber security work spans from implementation and management of technical security controls to certifying companies for PCI DSS, ISO 27001 and ISO 2000 standards.