Asia Pacific (APAC) countries spent an average of US$11.9 million ($17 million) to deal with an insider threat incident this year, according to the 2022 Ponemon Cost of Insider Threats report. Common insider threats include employee or contractor negligence, malicious insiders and credential theft.
Shawn Thompson, senior manager for global insider risk services at the cybersecurity firm Mandiant, tells DigitalEdge more about insider threats and how APAC organisations can deal with them effectively.
What are the common types of insider threats today?
At Mandiant, we dissect insider threats by types, motivations and attack tactics.
Motivation is hard to assess and often not established until later in an investigation. Motivation may include ego, revenge, financial gain, intelligence gathering, praise, or to gain favour.
Finally, we see these broad classification types of attack tactics: Intellectual property theft, espionage, fraud and workplace violence.
Here are some insider threat personas that businesses should take note of:
- Leakers who take actions that harm the business, whether to protest the organisation itself or a specific action, or to obtain personal notoriety at the organisation’s expense.
- Careless insiders who unintentionally cause harm to the company. Most research suggests that 50% to 75% of insider threat events — such as falling for phishing scams — are caused by these individuals.
- Disgruntled individuals who have experienced certain adverse events that impacted their current view of the organisation or their particular role in the company. They allow those events to manifest hostility towards the organisation by serving as triggers for harmful actions. These individuals may be the most difficult to identify based on the ubiquitous nature of the underlying causes themselves.
- Opportunists seeking to better themselves at the organisation’s expense. While they do not necessarily seek to harm the business or to maximise immediate profit for themselves, each is a natural and axiomatic consequence of their actions.
- Thieves are motivated by profit. In addition to information theft, they will also steal tangible corporate property — such as computers, supplies, electronic devices, or other corporate-owned assets — for their gain.
- Conspirators who seek to harm the business by any means necessary, like attacks on a company’s employees, information systems, facilities, or the reputation and goodwill of the organisation itself. These individuals have specific and defined purposes for acting so.
Why are APAC organisations struggling with insider threats?
Organisations are more reactive to insider attacks than proactive because they have no guidelines to manage insider threats. This lack of guidelines is exacerbated by the lack of insider threat definitions and proper governance framework. Privacy, legal and cultural factors also contribute to the difficulty of addressing the insider threat problem.
Most organisations might be familiar with the traditional outcomes of falling prey to an insider threat — such as loss of intellectual property or client data — but other risks are also present. These additional risks are not always obvious and might come in avenues the organisation did not anticipate.
For example, the US State Department issued an advisory in May on attempts by remote North Korean IT workers to obtain employment while posing as non-DPRK (Democratic People’s Republic of Korea) nationals.
The advisory warns that “hiring DPRK IT workers poses many risks, ranging from theft of intellectual property, data and funds to reputational harm and legal consequences, including sanctions under both US and United Nations authorities.”
Additionally, Mandiant has observed insiders posing as external attackers and attempting to extort their employers by claiming to have access to sensitive digital information.
Can you share some best practices to mitigate insider threats?
The first step is to conduct a full insider threat capability assessment, which will identify existing gaps and areas of improvement that can support the development of a resilient and mature insider threat programme (ITP).
Next, they should define the scope of their insider risk management efforts. They should apply an accurate risk model — assessing asset impacts, threats, and vulnerabilities — that will promote a tailored and proactive application of resources on areas of most significant impact, intentional or unintentional.
Resources are needed to build an effective ITP to improve their overall security posture. However, most of those capabilities are entirely reactive and largely ad hoc. The existing functional components operate independently with minimal formal collaboration. The goal is to leverage those resources in a cross-functional manner to optimise value.
It is also essential to ensure that their ITP balances privacy with security. The former includes ensuring that employees are not subjected to invasive intrusions that breach their reasonable expectations of privacy. The latter involves protecting the organisation’s assets — including people, information, facilities, intellectual property and brand reputation.
Companies must view each step symbiotically as both are essential components of an effective ITP. Privacy policies must not be overly restrictive but must strike the proper balance between protecting employees without unnecessarily restricting legitimate and tailored security efforts.
Similarly, security must be tailored and pursue the least restrictive means methodology to strike the proper balance between protecting an organisation’s assets without unnecessarily impacting the legitimate privacy interests of employees.
Organisations should also apply role-based access control policies. Employees having more access to information than they need to do their job increases the risk of compromise.
Role-based or rule-based access policies allow companies to enforce the need-to-know policy across the organisation. Pre-defined access grants for each organisational unit can be applied and enforced through a robust role-based access control solution or similar access control paradigm.
To supplement that, organisations can segment networks and observe principles of least privilege. That way, a malicious insider who might be an administrator will not have free rein over the entire infrastructure but relatively privileged access over only the portions of the infrastructure they are responsible for maintaining.
Failing to monitor insider behaviours properly and limit data interactions significantly increases the organisation’s risk of compromise. As such, organisations should have visibility into how insiders interact with data to help with data loss prevention, and the level of network activity to monitor for behaviours indicative of insider threats.
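The two points above (role-based, need-to-know access grants with administrator privileges scoped to a segment, and visibility into how insiders interact with data) can be illustrated together. The following is an added example written for this page; it is not code from Mandiant or from the interview. The role names, segment names, the audit log format, the one-hour window and the threshold of 50 distinct records are all constructed assumptions for illustration.

```python
"""Added example (not from the article or Mandiant): deny-by-default,
role-scoped access control plus a simple bulk-access check over a
constructed audit log.

All role names, resource names, the log format and the thresholds below
are hypothetical and chosen only to illustrate the idea.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Pre-defined grants per role (need-to-know). Note that an administrator
# role is scoped to the segments that role maintains, not the whole estate.
ROLE_GRANTS = {
    "hr-analyst":    {("hr-db", "read")},
    "finance-clerk": {("ledger", "read"), ("ledger", "write")},
    "linux-admin":   {("web-segment", "admin"), ("app-segment", "admin")},
    "db-admin":      {("db-segment", "admin")},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: tuple
    resource: str
    action: str


def is_permitted(req: AccessRequest) -> bool:
    """Deny by default: permit only if one of the user's roles grants
    exactly this (resource, action) pair."""
    return any((req.resource, req.action) in ROLE_GRANTS.get(role, set())
               for role in req.roles)


def parse_log(text: str):
    """Parse constructed audit lines of the form
    '<ISO timestamp> <user> <resource> <action> rec=<record id>'."""
    events = []
    for line in text.strip().splitlines():
        ts, user, resource, action, rec = line.split()
        events.append((datetime.fromisoformat(ts), user, resource,
                       action, rec.split("=", 1)[1]))
    return events


def flag_bulk_access(events, window=timedelta(hours=1), threshold=50):
    """Return the set of users who touched more than `threshold` distinct
    records of a single resource inside any sliding `window`. This is a
    deliberately simple indicator of data collection behaviour; a real
    programme would baseline per role and per user."""
    by_key = defaultdict(list)
    for ts, user, resource, _action, rec in events:
        by_key[(user, resource)].append((ts, rec))
    flagged = set()
    for (user, _resource), items in by_key.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            recs = {rec for ts, rec in items[i:] if ts - start <= window}
            if len(recs) > threshold:
                flagged.add(user)
                break
    return flagged


def build_sample_log() -> str:
    """Constructed sample data: alice reads 5 HR records over 40 minutes;
    bob reads 120 distinct ledger records in 20 minutes."""
    base = datetime(2022, 9, 1, 9, 0, 0)
    lines = []
    for i in range(5):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} alice hr-db read rec={i}")
    for i in range(120):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} bob ledger read rec={i}")
    return "\n".join(lines)


if __name__ == "__main__":
    # A segment-scoped admin is refused on a segment outside their remit.
    print(is_permitted(AccessRequest("carol", ("linux-admin",), "db-segment", "admin")))
    print(flag_bulk_access(parse_log(build_sample_log())))
```

The access check is deny-by-default and looks up an exact (resource, action) pair, so a "linux-admin" is permitted on "web-segment" but refused on "db-segment"; that is the scoped-administrator point in the text. The log check then gives the visibility side: it does not decide whether bob's reads were authorised (each one may have been), only that the volume pattern is worth an analyst's attention.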
Besides the IT and cybersecurity team, what else can the rest of the organisation do?
Corporate investigations and HR play a large part in reducing insider risk and handling incidents, along with the cyber operations teams.
For instance, the HR team must ensure that a thorough background check is part of the hiring process. Organisations can also monitor the dark web for threat actors selling access to their information or networks using tools such as Mandiant’s Digital Threat Monitoring.
Since education and training are essential yet often overlooked components, organisations should also play out insider threat scenarios with tabletop exercises that can help evaluate a company’s cyber crisis processes, tools and proficiency when responding to cyberattacks.
This article has been edited for clarity and length.