
Barry O’Connell of Trustwave discusses the increasingly frequent threat of malicious insiders within a business, who are at the root of many major cyber-breaches
In today’s digital landscape, organisations face a myriad of cyber-security challenges. While external threat actors, such as nation states and cyber-criminals, account for most attacks, a critical and often overlooked vulnerability lurks within business walls: the insider threat.
An insider threat refers to a cyber-threat initiated from within the business. This internal risk factor, though less sensationalised, poses significant risk to an organisation’s security posture. Moreover, the narrative surrounding insider threats frequently paints a picture of malicious intent.
However, the reality can be far more nuanced. Not all insider-related security incidents stem from deliberate actions. Many are the result of unintentional mistakes, lack of awareness, or even well-meaning employees inadvertently compromising security protocols.
This article explains the difference between intentional and unintentional insider threats and provides actionable steps that enable businesses to spot an insider threat.
Insider threats fall into two primary categories: unintentional and intentional. It’s the unintentional category that often flies under the radar yet poses a significant risk to an organisation’s operations.
Further, within the realm of unintentional threats, we encounter two subcategories: negligent and accidental.
Negligent threats stem from employee carelessness: the colleague who constantly ignores cyber-security advice. These may seem like minor infractions, but they can create gaping vulnerabilities in an organisation’s security posture.
Accidental threats, on the other hand, are the inadvertent missteps that can have outsized consequences. Picture the rushed executive who mistypes an email address and sends sensitive information to the wrong recipients.
Recent data on insider threats also paints a troubling picture. Over the past year, 40% of companies have experienced a surge in insider-related incidents compared to previous periods. Even more alarming is the frequency of these occurrences, with 45% of organisations reporting five or more insider threat events within a 12-month span.
This uptick in insider activities isn’t just a matter of increased frequency—it’s also hitting businesses where it hurts most: their bottom line. Each insider threat incident costs an average of $5 million. In today’s complex business environment, identifying these risks is particularly challenging, as they often resemble normal activities, whether they result from intentional actions or simple mistakes. Modern adversaries exploit this by mimicking everyday employee behaviour, making detection even harder.
Companies can no longer afford to treat insider threats as a rare or isolated problem. Instead, they must develop comprehensive strategies to identify and mitigate these risks proactively. This calls for a multifaceted approach, combining technological solutions with human insight and organisational culture changes.
By definition, insider threats usually fly under the radar, as they work under the guise of the “normal” behaviour of employees. Insiders choosing to cause harm do their best to mimic everyday personnel behaviour, and in doing so they use a range of manipulation tactics. Calling IT support and having them remotely access a computer to fix an issue is standard practice in any modern business, and on its own is not a cause for concern.
However, having multiple remote access tools installed on employees’ computers raises alarm bells, as this increases the risk of the tools being misused by a malicious employee. For this reason, organisations should limit Remote Monitoring and Management (RMM) tools to a list of identified users and implement detection rules to flag any unauthorised installations. Additionally, restricting the accounts and locations from which RMM tools may be used can enhance security.
Instances where employees install personal VPN software on their work machines, despite the presence of a company-approved VPN solution, can also be a cause for concern. While personal VPNs aren’t inherently malicious, they allow employees to bypass web access controls and keep their internet activity private. Tunnelling traffic past the organisation’s controls in this way increases the risk of data leaks and of exposure to malware from unsafe websites.
Mitigating this particular insider threat requires businesses to implement a clear strategy for managing VPN usage. This includes enforcing the use of a single, authorised VPN solution across the organisation to reduce security gaps. Detection rules can then be put in place to flag any use of unauthorised VPN software. Additionally, multi-factor authentication (MFA) should be required for the authorised VPN to strengthen access controls.
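The RMM and VPN controls described above (a single sanctioned product, a named list of accounts and source networks allowed to run RMM sessions, and detection rules for anything outside that allowlist) can be expressed as a small rule set run over endpoint telemetry. The following is an added example written for this article, not code from the author or from Trustwave; the product names, account names, IP ranges and telemetry records are all constructed assumptions standing in for what a software inventory or EDR feed would supply.

```python
"""Allowlist-based detection of unsanctioned RMM and VPN software.

Added example: the policy values, product names, users and IP ranges below are
constructed for illustration and are not from the article or from Trustwave.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy (assumptions): one sanctioned RMM product, one sanctioned VPN,
# a short list of accounts allowed to run RMM sessions, and the IT support subnet.
APPROVED_RMM = {"approved-rmm"}
APPROVED_VPN = {"corp-vpn"}
RMM_AUTHORISED_USERS = {"it-support-1", "it-support-2"}
RMM_AUTHORISED_NETWORKS = [ip_network("10.10.0.0/16")]

# Product catalogue an EDR or software inventory would normally supply (constructed).
KNOWN_RMM = {"approved-rmm", "rmm-tool-b", "rmm-tool-c"}
KNOWN_VPN = {"corp-vpn", "personal-vpn-x"}


@dataclass
class Event:
    """One endpoint telemetry record: a software install or an RMM session start."""
    host: str
    user: str
    product: str
    action: str   # "install" or "session"
    src_ip: str   # address the action originated from


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _in_authorised_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RMM_AUTHORISED_NETWORKS)


def detect(events):
    """Run the allowlist rules over events in order and return the alerts raised."""
    alerts = []
    rmm_on_host = {}  # host -> set of distinct RMM products seen installed

    for e in events:
        if e.product in KNOWN_RMM:
            if e.action == "install":
                if e.product not in APPROVED_RMM:
                    alerts.append(Alert("unauthorised_rmm_install", e.host,
                                        f"{e.user} installed {e.product}"))
                seen = rmm_on_host.setdefault(e.host, set())
                if e.product not in seen:
                    seen.add(e.product)
                    # A second RMM product on one host is the "multiple remote access
                    # tools" condition the article calls out, approved or not.
                    if len(seen) > 1:
                        alerts.append(Alert("multiple_rmm_tools", e.host,
                                            ", ".join(sorted(seen))))
            elif e.action == "session":
                if e.user not in RMM_AUTHORISED_USERS:
                    alerts.append(Alert("rmm_unauthorised_user", e.host,
                                        f"{e.user} started {e.product} session"))
                if not _in_authorised_network(e.src_ip):
                    alerts.append(Alert("rmm_unauthorised_location", e.host,
                                        f"{e.product} session from {e.src_ip}"))
        elif e.product in KNOWN_VPN and e.action == "install":
            if e.product not in APPROVED_VPN:
                alerts.append(Alert("unauthorised_vpn_install", e.host,
                                    f"{e.user} installed {e.product}"))
    return alerts


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event("ws-01", "it-support-1", "approved-rmm", "install", "10.10.5.5"),
    Event("ws-01", "it-support-1", "approved-rmm", "session", "10.10.5.5"),
    Event("ws-02", "alice", "rmm-tool-b", "install", "192.168.1.20"),
    Event("ws-02", "alice", "rmm-tool-c", "install", "192.168.1.20"),
    Event("ws-03", "bob", "approved-rmm", "session", "203.0.113.7"),
    Event("ws-04", "carol", "personal-vpn-x", "install", "10.20.3.3"),
    Event("ws-04", "carol", "corp-vpn", "install", "10.20.3.3"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run against the sample records, the IT-support install and session on ws-01 produce nothing, while ws-02 raises two unauthorised-install alerts plus one for carrying two RMM products, ws-03 raises separate user and location alerts for an approved tool used outside the allowlist, and ws-04 raises one alert for the personal VPN and none for the corporate one. Keeping the user and location checks separate means an authorised engineer working from an unexpected network is still visible without being confused with an unknown account.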
In addition, deploying database protection tools can help monitor and prevent unauthorised data transfers by enforcing rights management, adding an extra layer of security against insider threats.
Finally, data exfiltration via physical devices (like USB drives) reveals a two-sided risk. Transferring large amounts of data to a USB drive could indicate anything from an unhappy employee or corporate espionage to someone simply backing up their work. Regardless of intent, this kind of activity carries a high risk of data leakage. The other side of the USB device problem is that without strict USB policies, employees can introduce malware by using unvetted USB devices from unknown sources.
Raspberry Robin malware, for example, spreads through infected USB drives. Once executed, it connects to compromised servers, downloads malicious files, and persists in the system, often aiding in ransomware distribution.
Mitigating this threat involves putting a clear policy in place on the authorised use of USB drives. For the risk-averse, USB storage can be disabled completely. However, where the use of a USB drive is necessary, options like enforcing encryption, monitoring data usage, implementing on-demand access, restricting usage to company-provided devices, and allowing only non-sensitive data to be transferred can help control data flow.
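The USB controls listed above (company-provided devices only, enforced encryption, only non-sensitive data, and monitoring of data usage) can be turned into a policy check that a DLP or endpoint agent applies to each copy, with the volume monitoring kept separate so that a large but otherwise compliant transfer is flagged for review rather than silently allowed or blocked. The code below is an added example written for this article, not code from the author or from Trustwave; the policy values, volume threshold, device serials and transfer records are constructed assumptions.

```python
"""USB transfer policy check with per-user daily volume monitoring.

Added example: the policy, thresholds and sample transfers are constructed for
illustration and are not from the article or from Trustwave.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List

MiB = 1024 ** 2

# Constructed policy (assumptions) mirroring the controls the article lists:
# company-provided devices only, encryption enforced, only non-sensitive data,
# and a daily per-user volume that triggers review when exceeded.
POLICY = {
    "require_company_device": True,
    "require_encryption": True,
    "allowed_labels": {"public"},
    "daily_bytes_threshold": 500 * MiB,
}


@dataclass
class UsbTransfer:
    """One file copy to removable media, as a DLP or EDR agent might log it."""
    user: str
    device_serial: str
    company_issued: bool
    encrypted: bool
    label: str            # classification of the file, e.g. "public", "confidential"
    bytes_written: int
    day: str              # ISO date, used to bucket daily volume


@dataclass
class Decision:
    user: str
    verdict: str                                        # "allow" or "deny"
    reasons: List[str] = field(default_factory=list)    # why the copy was denied
    warnings: List[str] = field(default_factory=list)   # allowed, but worth a review


def evaluate(transfers, policy=POLICY):
    """Apply the policy to each transfer in order; volume counts only allowed copies."""
    decisions = []
    daily_totals = defaultdict(int)  # (user, day) -> bytes written so far

    for t in transfers:
        reasons = []
        if policy["require_company_device"] and not t.company_issued:
            reasons.append("unmanaged_device")
        if policy["require_encryption"] and not t.encrypted:
            reasons.append("unencrypted_device")
        if t.label not in policy["allowed_labels"]:
            reasons.append(f"label_not_allowed:{t.label}")
        if reasons:
            decisions.append(Decision(t.user, "deny", reasons=reasons))
            continue

        key = (t.user, t.day)
        daily_totals[key] += t.bytes_written
        warnings = []
        # Large volumes are ambiguous (backup vs. exfiltration), so flag for review
        # rather than block; the article treats both as a high data-leakage risk.
        if daily_totals[key] > policy["daily_bytes_threshold"]:
            warnings.append("daily_volume_exceeded")
        decisions.append(Decision(t.user, "allow", warnings=warnings))
    return decisions


# Constructed sample transfers (not real data).
SAMPLE_TRANSFERS = [
    UsbTransfer("alice", "CORP-0001", True, True, "public", 100 * MiB, "2025-03-03"),
    UsbTransfer("alice", "CORP-0001", True, True, "public", 450 * MiB, "2025-03-03"),
    UsbTransfer("bob", "PERSONAL-77", False, False, "public", 10 * MiB, "2025-03-03"),
    UsbTransfer("carol", "CORP-0002", True, True, "confidential", 5 * MiB, "2025-03-03"),
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_TRANSFERS):
        print(d)
```

On the sample data, alice’s first copy is allowed cleanly and her second is allowed but flagged because her daily total passes the threshold; bob’s copy to a personal, unencrypted stick is denied with both reasons recorded; and carol’s copy of a confidential file is denied on classification alone, even though the device itself is compliant. Recording every reason, rather than stopping at the first, gives the reviewer the full picture when deciding whether an event was carelessness or something more deliberate.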
Overall, insider threats will always pose a challenge for organisations, but the key is to minimise the risk of unintentional threats and have robust detection and response mechanisms for malicious actors. Leveraging Endpoint Detection and Response (EDR) telemetry for behaviour-based threat hunting can offer valuable insights into employee activities, helping businesses stay ahead of potential risks.
Additionally, while it’s crucial to detect and prevent insider threats, organisations must also ensure that these efforts are balanced with respect for employee privacy. Implementing proper privacy controls, such as clear data usage policies and transparency about monitoring practices, helps build trust and avoids overreach.
Striking the right balance between security and privacy is essential to maintaining a positive workplace culture while protecting the organisation from internal risks.
Barry O’Connell is General Manager of EMEA Services at Trustwave