Insider Threats: Could That Be You?
I work in technology, and my degree is in Cybersecurity, so I think about how we use tech a little differently than most of my friends. We, the technology and security professionals who work in the places you work and shop and visit, put a lot of effort and a lot of resources into keeping those places safe for their purposes. You must understand, however, that all of our technical efforts only go so far. They stop at the user. There are things that we simply cannot do for you, and those are the things you need to know to do, or not to do, yourself.
What is an Insider Threat?
There are people who act as what we call Insider Threats. You’ve heard of them, people who work in a place and use their position to do horrible things like steal money, sell information to foreign powers, or exact revenge. But there is another type of Insider Threat. The non-malicious Insider Threat is someone who has legitimate access to resources and, in general, uses that access appropriately, but, at some point, makes a mistake, or an error in judgment, or allows a lapse in security. Insiders are employees, yes, but they can also be contractors, vendors, and anyone with inside access to the organization’s systems and data. They don’t intend to cause problems, and perhaps no problems arise, but the threat exists. It’s important to understand that your lack of malicious intent has a limited capacity to mitigate the damage done by the existence of the threat.
The Dual Nature of Insider Threats
I’m going to say this again, because it’s very important: there are two types of insider threats, malicious (intentional) and accidental (unintentional). The malicious threat actor may be motivated by money, ideology, or ego, or he may have been compromised in some way. That is, someone may have discovered something about him that he may not want disclosed, and they may be blackmailing him. The unintentional threat may come from someone who lacks awareness of how his actions affect the security posture of the organization, or who has not received adequate training on proper security procedures.
Understanding Unintentional Insider Threats
Unintentional insider threats can occur when employees make mistakes or overlook important security settings on their devices or within the organization’s systems. That’s why your organization’s IT team manages some settings itself, and why you can’t change them the way you may want to. Misusing credentials is another way employees can become threats. If you share your login information with someone else, or if you use a weak password or one that someone can easily guess, you can be letting a malicious threat into the organization. You may also unintentionally disclose sensitive information in conversations with others, or by not paying attention when you’re using your computer and someone watches you access a system. Additionally, phishing scams are a very common tactic to trick you into revealing sensitive information, or into giving someone access to systems. Make no mistake, the people who send you the emails and text messages to get you to click on something are very good at what they do, so it’s not a case of playing on a lack of intelligence. They’ve studied the psychology of how to get you to help them, and they count on you wanting to be helpful or being too busy to notice something that may give them away.
As an example of a configuration error creating an insider threat situation, do you remember the Equifax breach? In 2017, an Amazon Web Services (AWS) server misconfigured by a third-party contractor exposed the personal data and tax numbers of approximately 143 million consumers in the Equifax data breach. The misconfiguration was due to a failure to implement proper security measures, which allowed hackers to gain unauthorized access to sensitive data.
Phishing is still the most common method of getting into an organization. In 2016, the Democratic National Committee (DNC) fell victim to a phishing attack that led to the theft and subsequent leak of sensitive internal emails. The attackers sent spear-phishing emails to DNC employees, tricking them into revealing their credentials and providing access to the attackers, who later leaked the emails, potentially influencing the 2016 US presidential election. (Definition: spear-phishing – phishing that is targeted at certain individuals.)
What’s the Impact of Unintentional Insider Threats?
The fact that you don’t mean for anything bad to happen doesn’t mean nothing bad will happen. While the bulk of defense will fall on the IT department, a simple user lapse can cause a data breach, and the outcome of that can cause loss of trust, as in the Equifax breach. Your organization can also experience serious financial repercussions.
Your company’s IT department will take a defensive stance to mitigate the risk of malicious insiders, but some of the things that department does, inconvenient as they probably are, will also help keep you from becoming an insider threat:
- Education and training: the periodic security training you have to undergo is there to remind you of, or instruct you in, the role you play in preventing data loss or breaches
- Robust security configurations: the updates that come at the most inconvenient times, access controls, the configurations that you can’t change
- Monitoring and detection: periodic scans of systems to ensure that your computer is getting updates and patches; notifications to security systems that a user has done something unacceptable or unusual (like logging into a system during off-hours, or trying to access a folder designated for specific personnel, like HR or Finance)
These measures also prevent malicious activity, and the fact that they’re in place isn’t an indication of a lack of trust, but more of an overall security plan.
A Culture of Security
If your organization has put any of those measures into place, it’s trying to create a culture of security, where employee behavior – that is, the behavior of all of the employees – becomes secure by default. Each employee should expect to have to access the building securely; while holding the door for someone is a nice gesture, if the requirement to use an access badge or code is in place, that’s what you should do, and that’s what the person behind you should expect to do as well. It can be frustrating to have to deal with some of the security configurations (we have to comply with them, too, and we feel the same frustrations), but every security measure is a response to a recognized threat, and you shouldn’t take any of it personally.
Take some time to think about your organization’s security policies and procedures. You play an important part in keeping the company running securely. Maybe next time you get a notification about security training, you’ll understand better why it’s required, and when a new security measure is implemented, you’ll realize that it’s not just to make you mad.