How to Improve Your Chances of Staying Out of the Insider Threat Headlines

Insider Threats Are a Fact of Life and Are Not Going Away.

The continuous headlines about data breaches and leaks caused by insiders, in both the private and public sectors, start to feel like a broken record. Combating insider threats is one of the greatest cyber challenges facing organizations today. Organizations are stuck between a rock and a hard place: they need to give people access to valued information and systems to do business, but every one of those people becomes a potential point of compromise if they misstep. Access implies an inherent level of trust between employer and employee, or client and vendor. The written or unwritten contract between the parties is that access is provided for individuals to do their jobs, and that they in turn will not use it for anything outside those boundaries. It is also stated explicitly or implied that the employee or contractor will not intentionally or negligently expose critical assets in a way that elevates the risk of loss.

A few questions regarding this setup present themselves right off the bat. Does the insider understand their responsibilities when it comes to protecting the information and systems they are accessing? Do they understand what is required to live up to those responsibilities? Are they provided with the tools to execute their jobs while still living up to those responsibilities? Are they working in a protected environment, like an office, or in an exposed environment, like at a coffee shop? What is the inherent risk of the person being provided access? Are they committed to the company? Do they have any personal characteristics that would drive them to compromise the company?

There are also ongoing operational challenges such as making sure that everybody only has the level of access required to do their jobs, and that privileged access is limited and monitored. Finally, how do you detect an insider threat and stop them before they do damage?

Before we approach answering these questions, it is important to step back and define what is included in the scope of insider threat. In the old days, it was focused entirely on the classic malicious insider profile – employees intentionally taking action for spite or profit. As the insider threat domain has evolved, it has grown to refer to any credential-based threat – intentional or accidental, employee or contractor, executed by the real owner of the ID or by a bad actor who has compromised the account. It has expanded in this way because, from a detection point of view, all of these follow a similar profile and elevate risk to the organization. Of course, no two insider threats are exactly alike, and more importantly, source and motive will often define the level of potential impact.

Unfortunately, it takes time and effort to minimize exposure to insider threats. Here are some tips to make the process a bit easier and more efficient:

• Create well-defined, concise policies and procedures that govern access, user responsibilities and what to do if an incident occurs.

• Create a culture that embraces cyber security by (over) communicating and highlighting the importance of security at every possible opportunity. We all know the “if you see something, say something” mantra, because we’ve seen it and heard it repeatedly. The same principle applies for corporate environments.

• Provide security awareness education for all users that is relatively short and targeted, based on the policy each user has violated.

• Build cyber security into business processes. Many of us consider cyber security when building applications, but often overlook how our employees and contractors are doing their jobs. Incorporate cyber security into everyday business processes for all parties who interact with your valuable assets to reduce non-malicious but risky behavior.

• Actively manage access, especially privileged access. The access provided to users is the attack surface that insiders (and bad actors who have compromised their accounts) use to do damage. Minimize access to valued assets to the least privileges required and closely manage privileged accounts. Access control management is not a one-time exercise. It needs to be reviewed and reduced regularly, based on changes in the organization and in people’s roles.

• Know your crown jewels and mission-critical systems. Managing the attack surface, including user access and vulnerabilities in general, is even more critical when it comes to your most important assets. However, before you can take extra measures to protect these very important corporate assets, you need to know what they are and where they reside.

• Implement active and passive controls that block sensitive data from leaving the organization and monitor user behavior to identify anomalies. Anomaly detection is the only way to identify when a user who is not setting off any policy alarms is nonetheless doing something unusual and is therefore a risk. However, anomaly detection alone is not enough. To prioritize the most critical threats and minimize false positives, correlate behavioral analytics with other elements of risk: associated vulnerabilities that could enable the threat to succeed, the financial or mission impact to the organization if the asset were compromised, and asset value. Also, ask the application owners who govern the assets under attack whether the unusual activity is in fact business-justified. Pay extra attention to higher-risk populations such as third parties.
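As an added illustration of the prioritization this bullet describes (example code, not from the article or its author): a small Python scorer that combines a per-user behavioral anomaly score with asset value, business impact, open vulnerabilities and third-party status, and drops alerts an application owner has confirmed as business-justified. The asset inventory, user baselines, sample events and weights are all constructed assumptions.

```python
"""Risk-prioritized anomaly scoring for insider-threat alerts (constructed example)."""
from statistics import mean, pstdev

# Constructed asset inventory: relative value, business impact (0..1) and open vulns.
ASSETS = {
    "payroll-db": {"value": 1.0, "impact": 0.9, "open_vulns": 2},
    "wiki":       {"value": 0.2, "impact": 0.1, "open_vulns": 0},
}
THIRD_PARTIES = {"vendor01"}          # higher-risk population (assumed weight below)
# Constructed per-user daily record-access counts over the previous eight days.
BASELINES = {
    "alice":    [38, 42, 38, 42, 38, 42, 38, 42],   # mean 40, sigma 2
    "vendor01": [4, 6, 4, 6, 4, 6, 4, 6],           # mean 5, sigma 1
}
# Constructed events for today: (user, asset, records accessed today).
SAMPLE_EVENTS = [
    ("alice", "wiki", 55),            # very unusual, but a low-value asset
    ("vendor01", "payroll-db", 9),    # less unusual, crown-jewel asset, third party
    ("alice", "payroll-db", 46),      # moderately unusual on a crown-jewel asset
]

def anomaly_score(user, count):
    """Upward z-score of today's count against the user's own history, scaled to 0..1."""
    hist = BASELINES[user]
    mu, sigma = mean(hist), pstdev(hist) or 1.0    # sigma 0 would divide by zero
    z = max(0.0, (count - mu) / sigma)             # only excess activity is suspicious
    return min(z / 5.0, 1.0)                       # 5 sigma or more saturates at 1.0

def risk_score(user, asset, count):
    """Anomaly weighted by asset exposure and population risk (weights are assumptions)."""
    a = ASSETS[asset]
    exposure = a["value"] * a["impact"] * (1 + 0.25 * a["open_vulns"])
    population = 1.5 if user in THIRD_PARTIES else 1.0
    return round(anomaly_score(user, count) * exposure * population, 3)

def prioritise(events, justified=frozenset()):
    """Return (score, user, asset, count) tuples, highest risk first.

    `justified` holds (user, asset) pairs the application owner confirmed as
    legitimate business activity; those alerts are suppressed rather than ranked."""
    scored = [(risk_score(u, a, c), u, a, c) for u, a, c in events
              if (u, a) not in justified]
    return sorted(scored, reverse=True)

if __name__ == "__main__":
    for row in prioritise(SAMPLE_EVENTS):
        print(row)
```

The fully anomalous wiki access scores lowest, while the milder spike by a third party against the vulnerable payroll database tops the queue, which is the point of correlating anomalies with exposure instead of ranking on anomaly alone.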

Insider threats are a fact of life and are not going away. Careless users, who create most of the noise in detection tools, all too often don’t have the education or the means to securely do their jobs. Malicious insiders and compromised accounts can be tricky to identify and stop because they often get lost in the noise. However, with the right cyber hygiene up front in addition to tools and processes utilized on an ongoing basis, the impact of insider threats can be greatly reduced and mitigated.
