National Insider Threat Awareness Month (NITAM) is observed every September and is a collaboration between U.S. federal agencies and industry organizations to educate and emphasize the importance of detecting, deterring, and reporting insider threats. The goal is to raise awareness of the risks posed by ‘insiders,’ and provide strategies, tools, and resources to identify and mitigate these threats.
At Cowbell, we work with our agency partners and brokers to help educate our clients on emerging and evolving cyber risks and the enemy within can present a very real threat.
What is a Cyber Insider Threat?
A cyber insider threat is a cybersecurity risk that occurs when someone with legitimate access to an organization’s systems or data misuses that access for the organization’s detriment. Insider threats can be intentional or unintentional, and they are the cause of most data breaches. Insider threat individuals are typically split into two types of actors:
Malicious Insider Threat (which falls into two categories).
- Employees who actively turn on their employer. These insider threats often act to gain financially or to cause harm to an organization. However, they can also include whistleblowers, who serve to bring public attention to the failings of their employer.
- Employees who collaborate with a cyber criminal and use their authorized access to steal sensitive data, such as customer information or intellectual property. They are typically financially motivated or reveal information to disrupt business operations.
Negligent Insider Threat
- Company employees who are manipulated into carrying out malicious activity, such as disclosing their user credentials or downloading malware. They are often targeted by attackers through social engineering or spear-phishing campaigns.
- Employees who believe that they are exempt from their organization’s security policies and bypass them. Whether through convenience or incompetence, their actions result in data and resources going unsecured, which gives attackers easy access.
Insider Threat Examples
Although not all threats are intentional and may be caused by negligent or careless decisions, they still are considered to be insider threats because they come from within the organization. Malicious attacks, on the other hand, are often carefully planned, executed, and concealed.
Here are some insider threat examples that involve a mix of malicious and accidental incidents:
A Fired Employee Fires Back
In 2021, an employee at an undisclosed credit union, decided to exact revenge after being fired from their job. The IT team did not immediately deprovision her access to sensitive systems after termination. Within 40 minutes, the former employee deleted over 21GB of data that included 3,500 directories and 20,000 files. Some of the deleted files were anti-ransomware software and mortgage applications. The employee was also able to access board minutes and other sensitive information.
An Insider Error Steers Data of Drivers into Hacker’s Hands
An employee at a technology company stored the data of US drivers in an insecure offsite location, leaving it vulnerable to a breach. The accidental leak impacted 27.7 million records. Even though the breach did not involve either financial or social security data, the technology company still ended up covering the cost of incident response—and it is facing a class-action lawsuit as a result.
U.S. City Files Deleted Because of an Insider’s Mistake
An employee of a large U.S. city was fired after it was discovered they had deleted more than 22TB of data between 2018 and 2021. Among the destroyed files were 13TB of videos, photos, and case notes that belonged to a Police Department. The investigation revealed that the incident was not a malicious attack. The employee simply failed to follow internal procedures while transferring files.
As you can see, there are a wide variety of outcomes that can result from both malicious and non-malicious insider threat activity.
How Do Cyber Insider Threats Usually Operate?
When insiders attack, they sometimes need to hack security systems or set up hardware or software infrastructure to make it easier for them or others to access systems. Understanding insiders’ tactics and tools can help businesses spot the attack and take steps to mitigate it. Below is a list of what to watch out for:
- Backdoors that enable access to data: To find backdoors, perform a backdoor file scan or monitor your system for external requests from hackers who may be trying to use the backdoor.
- Hardware or software that enables remote access: Look out for instances of remote access software, such as TeamViewer or AnyDesk, and check for physical servers installed around your campus, such as Synology devices.
- Changed passwords: Any time a user’s old password does not work and they feel it may have been changed, check to see if this is true. It could have been an inside attacker changing it to enable them access to the resources that the user has rights to.
- Unauthorized changes to firewalls and antivirus tools: Any time the settings of a firewall or antivirus change, it could be the result of an inside attacker trying to pave an easy path to your system.
- Malware: If you discover malware, it is best to investigate when and where it was installed. It could have been put there by an insider.
- Unauthorized software: When unauthorized software gets installed, this should always raise a red flag. In many cases, the software may look innocent, but it could be a Trojan horse virus, which contains hidden malware.
- Access attempts to servers or devices with sensitive data: Any time someone tries to access a sensitive area of your network, this could be an insider threat, particularly because you often need credentials issued by the organization to do so.
Vigilance is critical and can often help prevent an attack before it’s perpetrated.
How To Stop Insider Threats
- Detect
Organizations need to be able to detect malicious, suspicious, or unusual activity on their networks. Threat detection includes having real-time insight into user logins, such as where and when a user has logged in to the corporate network and the location they have accessed it from. Security solutions and rapid threat detection help organizations increase the visibility of their network, track employees’ actions, and get alerts regarding anomalous activity.
- Investigate
Once the suspicious activity has been detected, organizations need to be able to investigate it immediately. There is no use detecting suspicious activity but not investigating it until several days after the event, as the attacker will likely have escalated their privileges and carried out their attack.
- Prevent
When it has been determined that the suspicious activity is malicious or unauthorized, organizations need to prevent users from gaining access to their networks and systems. They need a threat prevention solution that blocks an attacker from gaining access to data and snooping on user activity. Organizations can also prevent insider threats by deploying virtual private networks (VPNs), which encrypt data and enable users to keep their browsing activity anonymous behind a VPN solution.
- Protect
Organizations need to protect their users and devices by enforcing security policies and securing their data. Critical assets, such as facilities, people, technology, intellectual property, and customer data need to be protected at all times with the appropriate levels of access rights and privileges. Policies need to be clearly documented, and all employees must be familiar with the security procedures they need to follow, their data privileges, and their intellectual property rights. This final step of the process is crucial to complying with increasingly stringent data privacy regulations.
Being proactive and understanding the unique risks associated with Insider Threats not only safeguards your organization from potential security breaches, but also mitigates business interruptions, protects your reputation, and fosters a more secure and resilient digital ecosystem. In the end, that is the goal of National Insider Threat Awareness Month.