When constructing an information technology (IT) and cybersecurity architecture, companies often focus on external cyberthreats. Attacks initiating from outside the company are significant threats, but insider threats can match or even surpass them.
In this article, we’ll discuss what these are, where they come from, and what steps you can take to stop them effectively.
Insider Threat Risk Management for Your Business
Risks stemming from within a company can be incredibly damaging. Beyond financial costs, there are also threats to morale and trust across the workforce. To mitigate these risks, we’ll break down:
- The threats themselves, including what kinds of attacks are most likely, what to monitor, and compliance considerations
- Best practices for insider risks, including vulnerability monitoring, insider risk detection and response, third-party risk management, and penetration testing
Armed with this knowledge, you’ll be well prepared to protect your company against some of the most insidious threats it’s likely to face.
Threats Both Inside and Adjacent to Your Company
Internal threats are inherently problematic. While even the most optimistic strategist will assume some level of risk when accounting for external third-parties, most people want to feel secure around and trust the people they work with in the same company. Given their position within secured networks, insiders can, if so inclined, do a great deal of harm.
Nevertheless, threats posed to your company from within are relatively few compared to those from outside. Per Verizon’s Data Breach Investigations Report (DBIR), the ratio of external to internal attacks remained approximately 75 to 25 percent from 2015 to 2019, then skewed even further toward external attackers in 2020. About 80 percent of last year’s threat actors were identified as external, leaving 20 percent internal.
Common Forms of Insider Attacks and their Indicators
The DBIR estimates that insider threats may be less prevalent than even the 20% figure from above might suggest. Verizon carefully notes that much of what its experts classify as “internal” refers to miscellaneous errors, misuses, or accidental neglect of security policies. This contrasts with more significant events, breaches, and overall cybercrime, such as hacking attacks.
However, many insider threats also have unique stakes attached, surpassing those of strict financial motivation. Consider how leaks of sensitive information can have national security implications depending on your company.
Verizon also notes that, in many cases, what appears to be an insider threat may be an external actor in disguise. However, that illusion can work in the other direction, as an attack that seems to be from an external actor may be coming from a disgruntled employee. And some forms of internal threats, such as espionage, blur the lines between what constitutes an internal or external party.
Current and Former Staff and Other “Insider” Personnel
When monitoring for insider threats, the most critical parties to watch out for are classes of employees that are the most likely risk vectors. These include:
- Current low-level and technical staff who are observed to miss work, disregard rules or norms of office culture, or are generally distant, disengaged, or hard to get in touch with.
- Recently demoted, relocated, or dismissed employees may feel motivated to cause financial or other harm to the company to make up for what they perceive to be slights.
- Former managers and high-level employees who have since left the company, even on good terms; their lingering access and privileges may be used, even without their knowledge, to do harm.
These individuals are not the only risk vectors. Close relatives of theirs, such as spouses or children, may have access to their files and devices, with or without their knowledge. A threat that stems from within the company does not necessarily reside within it, or appear on your radar at all.
Risks Across Expanded Networks of Strategic Partners
The growing trend toward a mobile, distributed workforce is considered the “next normal.” Companies seeking flexibility are increasingly turning to remote and contract-based solutions rather than relying on expensive full-time staffing.
In turn, the network of strategic partners orbiting your business, including vendors, suppliers, and contractors, will only continue to become more integral to your business. Along with the many efficiencies and other bottom-line benefits this can entail, it also brings risks that previously lurked on the margins of your company directly into its center.
While contractors working remotely may not previously have constituted internal risks, they now certainly do. As with salaried employees, these risks extend beyond the third parties themselves and across their own work-from-home environments. The “call” no longer needs to come from within your company to be from “inside the house,” as the saying goes.
Compliance Considerations Concerning Insider Threats
Depending on the specific industry in which you conduct business, you may be legally required to implement insider threat detection, training, or other management programs. For example, consider the following compliance requirements related to insider threats:
- HIPAA – Companies in healthcare need to follow the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires strict personnel monitoring per the Privacy Rule and Security Rule. The Breach Notification Rule also has insider threat implications, as staff may inadvertently neglect to follow it, jeopardizing compliance.
- CMMC – To work with the US military, companies need to implement progressively more complex controls across the five levels of Cybersecurity Maturity Model Certification (CMMC). The final two “Maturity Levels” entail rigorous employee training specifically focused on identifying, reporting, analyzing, and ultimately mitigating insider threats.
- PCI-DSS – Across the 12 core Data Security Standard (DSS) requirements enforced by the Payment Card Industry (PCI) Security Standards Council (SSC), there are no explicit mentions of insider threats. Nonetheless, requirements for encryption (R3) and strict access control (R7, 8, and 9) exist to safeguard data even from your own employees.
HIPAA requirements apply nearly universally across all covered entities, which comprise all providers, health plan administrators, and clearinghouses, along with their business associates. The CMMC framework is not in full implementation yet, but it will soon apply to all companies in the Defense Industrial Base (DIB) sector seeking contracts with the Department of Defense (DoD). And all companies that process card payments must comply with the PCI-DSS framework.
Best Practices for Effective Insider Risk Management
Insider risk management is more than a compliance concern. It’s a critical component of both compliance advisory and patch management for all companies, regardless of industry or size. It’s also critical to the broader threat and vulnerability management any company undertakes, ideally beyond what is legally required to do business within its particular industry.
Company-wide threat and vulnerability management comprises risk management and proactive measures to minimize the frequency and severity of attacks. It must identify all risk vectors as early as possible, long before they materialize into full-blown attacks. Optimizing this holistic approach for insider threats should never compromise your awareness or preparation for external threats. Instead, they need to be integrated and addressed together.
Top Four Protocols for Insider Threat Detection and Response
Threat mitigation involves monitoring for, detecting, analyzing, and preventing threats before they turn into actual attacks. A robust managed detection and response program, like RSI Security’s, hinges on four critical pillars:
- Threat detection – Swift detection depends upon constant monitoring of physical and digital resources, referencing Common Vulnerabilities and Exposures (CVE) lists and your own data.
- Incident response – Depending on the nature of the insider threat, a dedicated task force may respond before an attack is expected to occur or immediately as it happens.
- Root cause analysis – Before, during, and after an attack occurs, minimizing its harm and potential for future harm requires examining conditions for existence and escalation.
- Regulatory compliance – Maintaining compliance in spite of attacks requires fulfilling all framework requirements during or after an attack occurs (e.g., HIPAA breach reporting).
Optimizing these for internal threat mitigation requires a focus on the data access and behavior across all employees, third-party contractors, and other user accounts.
Considerations for Third-Party Risk Management System
As detailed above, some of the most significant internal risks to your company may not even come from your own staff and personnel. Third parties handle an ever-increasing portion of companies’ internal operations, so the practice of third-party risk management (also known as TPRM or 3PRM) is a critical extension of any effective internal threat management program.
An effective TPRM or 3PRM program, like the one offered at RSI Security, should be holistic and all-encompassing. Potential vendors and other third parties need to be vetted long before contractual relationships are established. This includes monitoring their risks and the strengths of their IT and cybersecurity infrastructure, along with its compatibility with yours.
Beyond recruiting, contracting, and onboarding third parties with an eye toward security, your company will also need to train these individuals and teams alongside your own. Plus, you’ll need to limit data access to only what is necessary for their roles and functions, with the possibility of fully revoking access immediately.
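The two controls this section and the detection pillar above keep returning to are least-privilege scoping per role and the ability to revoke access the instant a relationship ends. The following added example, which is not RSI Security’s code or part of the original article, shows both in working form: a small account directory assigns each employee or third party only the data scopes its role needs, a contractor’s access carries a hard contract end date, a dismissed employee’s access is revoked at a single instant, and a scan of constructed access-log lines flags every event that violates the policy. All role names, scopes, account names, dates, and log lines are constructed for illustration.

```python
# Added example (not RSI Security's code): least-privilege scopes plus immediate
# revocation for employee and third-party accounts, checked against access logs.
# Roles, scopes, accounts, dates and log lines are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Minimal data scopes per role: a third party gets only what its function needs.
ROLE_SCOPES = {
    "payroll_vendor": frozenset({"payroll"}),
    "hvac_contractor": frozenset({"building_controls"}),
    "engineer": frozenset({"source", "build"}),
}


@dataclass
class Principal:
    account: str
    party: str                               # "employee" or "third_party"
    role: str
    contract_end: Optional[datetime] = None  # hard stop for contractors
    revoked_at: Optional[datetime] = None    # set the moment access is pulled

    @property
    def allowed_scopes(self):
        return ROLE_SCOPES.get(self.role, frozenset())


def utc(s):
    """Parse an ISO-8601 timestamp ending in 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_directory():
    """Constructed account directory: two contractors and one engineer."""
    return {
        "pv-acme": Principal("pv-acme", "third_party", "payroll_vendor",
                             contract_end=utc("2024-03-31T23:59:59Z")),
        "hv-cool": Principal("hv-cool", "third_party", "hvac_contractor",
                             contract_end=utc("2024-03-02T00:00:00Z")),
        "jdoe": Principal("jdoe", "employee", "engineer"),
    }


def revoke(directory, account, at):
    """Immediate revocation: every event at or after `at` is denied and flagged."""
    directory[account].revoked_at = at


def evaluate(principal, scope, ts):
    """Return None if the access is within policy, else a finding label."""
    if principal is None:
        return "UNKNOWN_ACCOUNT"
    if principal.revoked_at is not None and ts >= principal.revoked_at:
        return "ACCESS_AFTER_REVOCATION"
    if principal.contract_end is not None and ts > principal.contract_end:
        return "ACCESS_AFTER_CONTRACT_END"
    if scope not in principal.allowed_scopes:
        return "OUT_OF_SCOPE_ACCESS"
    return None


# Constructed access log, one event per line: "<ISO timestamp> <account> <scope> <action>"
SAMPLE_LOG = """\
2024-03-01T09:12:00Z pv-acme payroll read
2024-03-01T09:30:00Z pv-acme source read
2024-03-02T02:15:00Z hv-cool building_controls write
2024-03-03T10:00:00Z hv-cool payroll read
2024-03-05T08:00:00Z jdoe source read
2024-03-06T23:45:00Z jdoe build read
2024-03-07T11:00:00Z ghost payroll read
"""


def check_event(directory, line):
    """Evaluate one log line; returns (account, timestamp, scope, label-or-None)."""
    ts_s, account, scope, _action = line.split()
    return account, ts_s, scope, evaluate(directory.get(account), scope, utc(ts_s))


def scan(log_text, directory):
    """Run every log line through policy and return only the violations."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            account, ts_s, scope, label = check_event(directory, line)
            if label is not None:
                findings.append((account, ts_s, scope, label))
    return findings


def demo():
    """Apply a dismissal-time revocation, then scan the constructed log."""
    directory = build_directory()
    # jdoe is dismissed at 17:00 UTC on 6 March; access is pulled at that instant.
    revoke(directory, "jdoe", utc("2024-03-06T17:00:00Z"))
    return scan(SAMPLE_LOG, directory)


if __name__ == "__main__":
    for account, ts, scope, label in demo():
        print(f"{ts} {account:8} {scope:18} {label}")
```

Running the script lists five findings: the payroll vendor reaching outside its scope, the HVAC contractor acting after its contract end, the dismissed engineer reading after the revocation instant, and an account that exists in the log but not in the directory. Order matters in `evaluate`: revocation and contract expiry are checked before scope so that a departed party is flagged as such even when the data touched would otherwise have been in scope.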
Robust Training to Ensure Awareness and Commitment
You’ll need to implement a robust IT and cybersecurity awareness training program across your internal staff, along with all third parties close enough to constitute internal threats. The most critical factor when planning out this regimen is maximizing all stakeholders’ access to as many courses and instructional materials as possible. Foster an environment of constant learning and assessment, which is the only way to guarantee accountability.
The best way to do this is through dynamic, interactive training modules rather than static lessons or reading materials. For example, exercises like RSI Security’s incident response tabletop simulation can be tailored to specific internal threats, such as an intentional leak to spies or foreign governments, or events like unintentional misuse or disclosure of sensitive data.
The Advanced Analytics of Internal Penetration Testing
Finally, companies can also apply the most advanced analytical methods to bolster defense against internal threats. Penetration testing (pen-testing), a form of ethical hacking, is typically done either externally or internally. External pen-tests, typically run “black box,” measure how quickly an attacker with no privileged information can get into your systems. Internal pen-tests, typically run “white box,” instead measure what exactly an attacker can do once already inside your systems.
Per our in-house guide to internal pen-testing, the primary steps to take break down as follows:
- The pen-testing team and target company will prepare the context for the attack, negotiating the positionality of the attacker and the amount of access or information they have to begin.
- The pen-tester or testing team will work independently to identify critical weaknesses to exploit as they move laterally within the system, leading up to the simulated attack itself.
- The attackers will launch the attack, starting from some negotiated position within the company, and attempt to seize control of all resources as quickly and covertly as possible.
- Finally, the attackers will attempt to withdraw from the systems without being detected, then report back to the company on findings to optimize defenses.
RSI Security offers a suite of internal, external, and hybrid penetration testing services for all elements of your cybersecurity architecture.
Professional Insider Risk Management and Security
To recap, insider threats pose serious risks. Current and former employees, along with your network of third-parties, can all potentially jeopardize your safety. A robust approach to internal threat and vulnerability management, especially from a qualified managed security services provider (MSSP) like RSI Security, can help immensely. Contact RSI Security today to get started!