How to spot an insider threat (without becoming paranoid)

We’ve all seen it in films or on TV: tense music plays, and fingers clatter across the keys like lightning as a hacker breaks into a system. Behind this villain, we can hear the elevator pinging as it draws closer to the floor. Just before the doors open, they hit Enter, confirming they want to execute a program called something like “FortKnox.exe.” The hacker stands and heads for the elevator, offering a smile and a wave before stepping in and telling their boss to have a good night. The villain worked there, and they are about to make a clean getaway.

These kinds of stories capture our imagination (and if you have information that needs to be kept safe, they likely keep you up at night). And it’s not like there isn’t reason to be afraid. After all, 85% of data breaches are at least partly caused by a person in or close to an organization taking an action (or failing to take one). That number is so high partly because of insider threats, and some of those threats are the sort who will say “I’m in” as they betray their organization.

This is the part where you remember not to panic. There are 6 types of insider threat personas, and the most common ones are not criminal masterminds. Here’s what to look for:

  1. The Naïve Insider: They’ve won a lottery they didn’t enter or maybe there’s a prince trapped somewhere that needs their help. This insider threat doesn’t mean any harm, and the potential damage can be mitigated through training programs. Teach them how to spot a phishing line before they get hooked.
  2. The Careless Insider: Somewhere in your company, there’s an employee with a thousand things on their plate, and they’re frazzled. They don’t have time to worry about things like password security…so they use the same one for everything. Plus, it took them so long to remember this one password (it has numbers and symbols after all), how can you expect them to do that for every login? This is another one for education. Show them how easy it is for their passwords to end up in the hands of hackers, and why you need to make password rotation a matter of course.
  3. The Opportunistic Insider: Locks aren’t made to keep hardened thieves out of your home. We mostly have them so that a stray thought doesn’t lead an otherwise decent person to take a bad action. How do you keep an employee from making a bad choice? Least privilege and zero trust. It also won’t hurt to address disgruntled employees’ concerns before they become a problem.
  4. The Moonlight Insider: This person was given an offer. Extract some information for an outside person or group, and receive a tidy payday. We are getting onto the more malicious side of insider threats here. Detection and monitoring are the keys. Be on the lookout for suspicious activity: unusual logins and unusually large downloads can be signs that someone might be up to no good. Making it difficult discourages this kind of threat. If you bake security policy into your company culture, it can go a long way toward ensuring your people decline that offer because they don’t believe it would be worth the trouble.
  5. The Mole: This person was recruited either before they worked for you or because of the position they hold with you. We’re in full corporate espionage territory. Foreign governments, rival companies: it’s difficult to say where this threat is coming from, but it is clear what you need to do. Implement zero trust as a destination, not a single tool. That means looking for signs in the hiring process. Track violations to see patterns as they emerge. Training helps prevent the less malicious insider threats, but it also turns those potential liabilities into assets who know how to spot a mole.
  6. The Saboteur: Maybe the most famous example of this was in 1998, when a programmer for Omega Engineering planted malicious code in their systems, deleting thousands of applications and causing millions of dollars in damages after being fired. This took time, and it took planning. What’s more, it took a culture that fostered this kind of behavior. Yes, you need to manage privilege and trust. You absolutely have to be vigilant for suspicious behavior. However, the best way to mitigate this kind of sabotage is to make sure your employees don’t feel justified in doing it. Treat them with respect and address culture problems early and often. It also doesn’t hurt to lock their accounts when terminating employment.
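As an added illustration of the “suspicious logins, large downloads” indicators in item 4 (this is example code, not part of the original post): a small Python detector run over constructed audit log lines. The log format, the 08:00–18:59 business-hours window and the 500 MiB per-user daily download limit are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): timestamp, user, event, bytes.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice login 0
2024-03-04T09:30:00 alice download 20480
2024-03-04T22:47:00 bob login 0
2024-03-04T22:55:00 bob download 734003200
2024-03-04T23:10:00 bob download 512000000
2024-03-05T10:02:00 carol login 0
2024-03-05T10:15:00 carol download 40960
"""

BUSINESS_HOURS = range(8, 19)           # assumed: 08:00-18:59 is normal
DOWNLOAD_LIMIT_BYTES = 500 * 1024 ** 2  # assumed: per-user daily volume cap


def parse_log(text):
    """Parse the whitespace-separated log format into (datetime, user, event, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, event, int(nbytes)))
    return events


def find_suspicious(events, limit=DOWNLOAD_LIMIT_BYTES, hours=BUSINESS_HOURS):
    """Return a sorted list of (user, reason) findings for analyst review."""
    findings = set()
    volume = defaultdict(int)  # (user, date) -> bytes downloaded that day
    for ts, user, event, nbytes in events:
        if event == "login" and ts.hour not in hours:
            findings.add((user, "after-hours login"))
        if event == "download":
            key = (user, ts.date())
            volume[key] += nbytes
            if volume[key] > limit:
                findings.add((user, "download volume over daily limit"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

In practice the hours window and the download limit should come from each user’s own historical baseline rather than fixed constants, and findings should be triaged by a person rather than acted on automatically.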

So, with these personas in mind, is there anything you can do?

First, don’t panic. The sky isn’t falling and your entire team isn’t malicious. After taking a beat, consider these three simple steps:

STEP 1: Plan.

One of the easiest ways to keep insider threats from becoming a major problem is to have controls in place that address each of these personas. Consider performing a quick tabletop exercise to start understanding how you can address the concerns that come up. This would also be a great exercise to go through with your clients.

STEP 2: Assess.

Once you understand what to look for, start evaluating whether your stack is prepared to handle these threats. One of the easiest ways MSPs can do this is by performing a third-party cyber stack assessment.

STEP 3: Rinse and Repeat.

You already know that threats are constantly changing. Your environment changes. Your team changes. And so does your stack. As you advance your security stack, hire more team members, and grow your client base, consider repeating Steps 1 and 2 on a regular cadence (at least annually) to make sure your team is prepared and set for an inevitable security problem.