The REAL insider threat. Have you been looking in the wrong place?

Written by our Chief Security Officer, Gerry Grant.

When we think of an ‘insider threat’ we might imagine someone sneaking around our office, stealing sensitive data and information to sell in a dark alley to a competitor. Many organisations might even believe that they don’t need to worry about insider threats. Staff might have worked with them for years and quite rightly they are trusted.

The reality is that there are two distinct types of insider threat that need to be considered: the ‘Malicious Insider’ and the ‘Unintentional Insider’. Unfortunately, we need to consider both of them.

The Unintentional Insider

The Unintentional Insider is the largest category of internal cyber security risk. These employees do not intend to cause any harm, but they put the company at risk by taking actions, or not taking actions, that can lead to security weaknesses. These are the people who accidentally lose the USB stick or laptop that contains information or data. They are the ones who don’t attend security training sessions or who make poor decisions when sending sensitive information. They may be the ones who fall victim to a scam email or phone call, perhaps because they are having a bad day or because they have not been properly trained in the risks that all organisations face in this day and age. The unintentional insider may simply have their password on a sticky note under their keyboard. You know, just in case they forget it.

The Unintentional Insider can be just as costly to an organisation as a Malicious Insider. Take Heathrow Airport as an example.

Back in October 2017, a member of the public found a USB stick lying in a London street. It turned out that this USB stick was full of juicy details about security procedures at the airport and sensitive personal details on staff. The stick contained over 76 folders and 1,000 different files, many of which were marked “sensitive” or “confidential”. Now, I’m pretty sure that the loss of this USB stick was entirely accidental, but it does raise a number of questions. Was it really necessary for all of this information to be on one USB stick? Why was it not password protected? And why was it being taken off the premises? Heathrow Airport may well have had policies and procedures in place to prevent this type of thing from happening, but it can often be too easy for staff to circumvent those rules and procedures.

The result of this USB stick being lost? A £120,000 fine from the Information Commissioner’s Office. But things could easily have been a lot worse. Imagine that this USB stick had fallen into the hands of a criminal gang rather than a member of the public who handed it in.

My point is that all organisations need to ensure that employees are trained, understand why policies and procedures are in place, and are aware of the dangers and risks that the organisation faces.

The Malicious Insider

It is very rare that a Malicious Insider develops overnight; it might take months or years before the real threat is discovered. In the beginning a Malicious Insider might not be specifically looking to harm the organisation; they might be looking for self-gain. Perhaps they have money problems at home and are trying to supplement their income. Maybe it starts off small and unnoticeable, but it can soon escalate into something bigger.

Some Malicious Insiders may be working with external parties, but again this may not be as intentional as you think. Perhaps the ‘insider’ has been socially engineered, or specifically targeted for some reason to turn against the organisation and reveal information. Maybe they have been told about some ‘unethical’ practices at the firm and the only way to stop them is to extract specific details from the system.

There are, of course, the Malicious Insiders who are the stereotypical unhappy employee. These are the ones looking to wreak revenge on the organisation for some personal reason. Take Morrison Supermarkets for example.

Back in 2014 an employee who was upset at being disciplined stole the personal details of over 100,000 Morrisons employees and posted them online. The employee was found guilty and jailed for 8 years, but the story does not end there for Morrisons. They have been involved in lengthy court proceedings after being sued by employees and were found liable for the loss of the data in late 2018. The saga continues as Morrisons is appealing the decision, but it has no doubt cost them not only in terms of reputation but also a significant sum of money, which may increase as time goes on.

Conclusion

Regardless of the size of your organisation, the trust you have in your employees or the type of business you are in, the insider threat is real and something that needs to be considered. I’m not saying that you should immediately be suspicious of all your staff, but it is essential to ensure that they only have access to the data that is necessary for their job role. It is also vital to provide cyber security training and to ensure that each individual understands their roles and responsibilities in keeping the organisation’s information safe and secure.

If you feel you could benefit from a chat around insider threats or cyber security in general, get in touch. We’re happy to help.

[Image captions: Internal threats are not always easy to spot; The unintentional threat; Lost USB cost Heathrow £120,000+]