Andrew Smeaton's article was included in the Feats of Strength Magazine March 2021 issue.
Cyber-defenders often focus on threats from outside an organization; however, some of the most damaging security incidents originate with trusted insiders, because they have legitimate access to computer systems, networks, and sensitive data. They often know precisely how the data is protected and can find ways to circumvent security controls, maintain persistence, and evade detection.
To add to the problem, remote work during the pandemic has opened up new insider risks. Many people have lost their jobs, and others fear losing theirs. As a result, users might copy work files to an unmanaged computer "for future reference", which increases the risk of data leakage.
Furthermore, remote employees might use personal laptops and computers that sit outside the organization's security perimeter and the controls that come with it, such as web gateways, intrusion detection systems, firewalls, and endpoint protection. This significantly increases the risk of data theft.
According to one insider threat report, 68% of organizations confirm that insider attacks are becoming more frequent, and 53% of organizations believe detecting insider attacks has become somewhat to significantly harder since migrating to the cloud. Another study found that the average global cost of insider threats rose by 31% in two years to $11.45 million, and the frequency of incidents rose by 47% in the same period (from 3,200 in 2018 to 4,716 in 2020).
Insider threat is a multifaceted, multidisciplinary problem and one of the hardest to combat, because traditional perimeter-focused security measures are largely ineffective against someone who is already inside. There are several types of insider threats:
Negligent insiders: Negligence is considered the most expensive type of insider risk. These insiders do not intend to harm the organization but do so through inadvertent errors, carelessness, disregard for IT policies, or a lack of security awareness training. For example, they might open a phishing email or fall victim to a business email compromise scam.
Malicious insiders (for example, disgruntled employees): Insiders or third parties with legitimate access who abuse that access to harm the organization. Their goal may be to exfiltrate proprietary data or to sabotage the company.
Collusive insiders: Malicious insiders who work together to compromise the organization. Such cases often involve fraud, intellectual property theft, or a combination of the two. An example:
Two employees of General Electric (GE) stole data on advanced computer models for calibrating turbines the company manufactured as well as marketing and pricing information. With the stolen intellectual property in hand, one of the employees started a new company and competed with GE in tenders for calibrating the turbines.
What were the consequences?
GE lost several tenders for turbine calibration to the new competitor. In 2020, after several years of investigation, the insiders were convicted and sentenced to prison time and $1.4 million in restitution to General Electric.
The GE employees downloaded thousands of files containing trade secrets from company servers and sent them to private email addresses or uploaded them to cloud storage. None of these actions triggered a response from GE's security tooling. Access management combined with user activity monitoring could have detected the intellectual property theft in time and sped up the investigation by collecting the necessary evidence as it happened.
Imposters/Infiltrators: Threat actors outside the organization who steal the credentials of an authorized user and leverage that user's access to meet their objectives, such as exfiltrating critical or sensitive data.
Insider threats are, frankly, harder to defend against than malicious outsiders. CISOs must prioritize them as part of a comprehensive security program covering prevention, detection, and response. The program should be continuous and combine technical and non-technical controls. General cybersecurity best practices still apply: candidate screening and hiring, onboarding and offboarding procedures, security awareness training, and continuous assessment of security posture. In addition, policies for BYOD, remote work, IoT devices, social media, and similar areas should be established.
Another tip is to establish a very close relationship with your HR department. HR can often give early warning of possibly disgruntled employees.
Further, some of the key areas to focus on are as follows:
Identify and classify assets: The first step in asset security is to identify and classify information and assets, since every action that follows depends on the classification. Determine the most valuable assets and where they are located, assess who needs access to them and under what criteria, and prioritize protection based on your organization's risk tolerance.
Implement separation of duties, the principle of least privilege, and job rotation: Separation of duties means no single person can complete a sensitive transaction alone; an insider who wants to commit fraud must then recruit an accomplice, which both deters the attempt and raises the chance of detection. The principle of least privilege ensures that insiders are granted only the privileges necessary to perform their assigned tasks and no more, which shrinks what a malicious insider can reach. Job rotation serves two functions: it provides knowledge redundancy, and it reduces the risk of fraud, data modification, theft, sabotage, and misuse of information, because a scheme that depends on one person holding a role indefinitely tends to surface when someone else takes that role over.
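The two controls above are only as good as the access review that enforces them. The following is an added example, not code from the article or from any product it mentions, showing how such a review can be automated: it flags users whose combined roles grant both halves of a "toxic" permission pair (a separation-of-duties violation) and lists granted permissions that have not been exercised within a review window (a least-privilege finding). The roles, permissions, toxic pairs, users, and usage dates are all constructed for illustration and would come from an organization's own IAM system and control matrix.

```python
from datetime import date, timedelta

# Constructed sample role model (not from any real organization): role -> permissions
ROLE_PERMISSIONS = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_manager":  {"payment.approve", "invoice.enter"},
    "developer":   {"code.commit", "code.review"},
    "release_mgr": {"deploy.approve"},
    "dba":         {"db.read", "db.admin"},
}

# Permission pairs one person must never hold together (assumed for illustration).
TOXIC_PAIRS = [
    ("vendor.create", "payment.approve"),  # create a fake supplier and pay it
    ("code.commit", "deploy.approve"),     # ship your own unreviewed change
]

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": ["ap_clerk", "ap_manager"],
    "bob":   ["developer"],
    "carol": ["developer", "release_mgr"],
    "dave":  ["dba"],
}

# Constructed last-use dates per (user, permission), as an IAM audit log would provide.
LAST_USED = {
    ("bob", "code.commit"):  date(2021, 2, 28),
    ("bob", "code.review"):  date(2021, 2, 15),
    ("dave", "db.read"):     date(2021, 2, 20),
    ("dave", "db.admin"):    date(2020, 9, 1),   # admin right unused for months
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role a user holds."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS, toxic_pairs=TOXIC_PAIRS):
    """Separation of duties: {user: [toxic pairs]} for users holding both halves of a pair.
    Checking effective permissions rather than role names catches conflicts created by
    combining individually harmless roles."""
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = [pair for pair in toxic_pairs if pair[0] in perms and pair[1] in perms]
        if hits:
            findings[user] = hits
    return findings


def stale_privileges(user_roles, last_used, today, max_idle_days=90,
                     role_permissions=ROLE_PERMISSIONS):
    """Least privilege: {user: [permissions]} granted but not used within max_idle_days.
    A permission with no usage record at all is treated as never used."""
    cutoff = today - timedelta(days=max_idle_days)
    stale = {}
    for user, roles in user_roles.items():
        for perm in sorted(effective_permissions(roles, role_permissions)):
            used = last_used.get((user, perm))
            if used is None or used < cutoff:
                stale.setdefault(user, []).append(perm)
    return stale


if __name__ == "__main__":
    review_date = date(2021, 3, 1)
    for user, pairs in sod_conflicts(USER_ROLES).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user, perms in stale_privileges(USER_ROLES, LAST_USED, review_date).items():
        print(f"Least-privilege review: {user} has unused permissions {perms}")
```

Run regularly (for example at each quarterly access review, and on every role change), the first check prevents the combinations that make single-actor fraud possible, and the second produces the concrete revocation list that "least privilege" otherwise leaves to good intentions.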
Use AI-powered solutions to monitor user behavior in real time: An organization needs to invest in user behavior monitoring and analytics capabilities that provide visibility into people and assets and help identify insiders who deviate from their normal patterns or do not follow policy.
Various tools on the market serve this purpose, such as DLP, IAM controls, and a SIEM integrated with SOAR and UEBA (user and entity behavior analytics).
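To make the GE lesson above and the monitoring advice concrete, here is an added example (not code from the article or from any UEBA product) of the two detection rules that would have fired on that pattern: a per-user baseline that flags a day whose download volume far exceeds the user's own prior median, and an egress rule that flags email or cloud uploads to destinations outside an allow list; when both fire for the same user on the same day the alert is escalated. The log lines, internal destinations, allow list, and thresholds are all constructed assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not real data): timestamp,user,action,object_count,destination
SAMPLE_LOG = """\
2021-02-01T09:12:00,jdoe,download,12,fileserver
2021-02-02T10:03:00,jdoe,download,15,fileserver
2021-02-03T11:20:00,jdoe,download,9,fileserver
2021-02-04T09:45:00,jdoe,download,14,fileserver
2021-02-05T16:30:00,jdoe,download,840,fileserver
2021-02-05T17:05:00,jdoe,email_send,1,jdoe.home@gmail.com
2021-02-05T17:40:00,jdoe,cloud_upload,300,dropbox.com
2021-02-01T09:00:00,asmith,download,20,fileserver
2021-02-02T09:00:00,asmith,download,22,fileserver
2021-02-03T09:00:00,asmith,download,18,fileserver
2021-02-04T09:00:00,asmith,email_send,3,partner.example.org
2021-02-05T09:00:00,asmith,download,25,fileserver
"""

INTERNAL_DESTINATIONS = {"fileserver"}       # assumed internal systems
APPROVED_EXTERNAL = {"partner.example.org"}  # assumed allow-listed external domains
SPIKE_FACTOR = 5        # a day is a spike if it exceeds 5x the user's prior daily median ...
MIN_HISTORY_DAYS = 3    # ... once at least this many prior days of history exist


def parse_log(text):
    """Parse the constructed CSV-style log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count, dest = line.split(",")
        events.append({"day": datetime.fromisoformat(ts).date(), "user": user,
                       "action": action, "count": int(count), "dest": dest})
    return events


def daily_downloads(events):
    """user -> day -> total objects downloaded."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            totals[e["user"]][e["day"]] += e["count"]
    return totals


def detect(events):
    alerts = []
    # Rule 1: bulk download relative to the user's own history. Only prior days feed
    # the baseline, so the anomalous day cannot inflate its own threshold.
    for user, per_day in daily_downloads(events).items():
        history = []
        for day in sorted(per_day):
            n = per_day[day]
            if len(history) >= MIN_HISTORY_DAYS and n > SPIKE_FACTOR * statistics.median(history):
                alerts.append({"user": user, "day": day, "rule": "bulk_download",
                               "detail": f"{n} objects vs prior median {statistics.median(history):.0f}",
                               "severity": "medium"})
            history.append(n)
    # Rule 2: data sent to a destination that is neither internal nor allow-listed.
    for e in events:
        if e["action"] not in ("email_send", "cloud_upload"):
            continue
        domain = e["dest"].split("@")[-1]   # email address -> its domain
        if domain not in INTERNAL_DESTINATIONS and domain not in APPROVED_EXTERNAL:
            alerts.append({"user": e["user"], "day": e["day"], "rule": "external_egress",
                           "detail": f"{e['action']} {e['count']} objects to {e['dest']}",
                           "severity": "medium"})
    # Correlation: a download spike and unapproved egress by the same user on the
    # same day is the classic exfiltration pattern, so escalate the egress alerts.
    spike_days = {(a["user"], a["day"]) for a in alerts if a["rule"] == "bulk_download"}
    for a in alerts:
        if a["rule"] == "external_egress" and (a["user"], a["day"]) in spike_days:
            a["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a['severity']:6}] {a['day']} {a['user']:7} {a['rule']:16} {a['detail']}")
```

On the sample data only jdoe is flagged: the 840-object day is roughly 65 times that user's prior median, and the same afternoon's email to a personal address and upload to a consumer cloud service are both escalated to high. asmith's larger-than-usual day and the mail to an allow-listed partner produce nothing, which is the point of baselining per user rather than using one global threshold.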
Implement zero-trust architecture: "Never trust, always verify" is the guiding principle. Zero trust removes the implicit trust granted to anything inside the network perimeter: every request for a resource is authenticated and authorized as if it came from an unknown party, regardless of where it originates. This makes it much harder for an insider (or an imposter using an insider's credentials) to reach resources outside their role, and it allows granular control over which assets each user can access.
Implement network segmentation: To combat insider threats, organizations should implement an intelligent network architecture using microsegmentation and software-defined networking (SDN). SDN virtualizes network functions and greatly simplifies management of the organization's network. Microsegmentation creates secure zones within data centers and cloud infrastructure, allowing administrators to isolate workloads and limit network access on a zero-trust basis, so that a compromised or misused account in one zone cannot freely reach the others.
Follow best security practices: Work with your HR department. HR-related controls play a significant role, including vetting and background checks, execution of nondisclosure agreements (including during the hiring process), and active use of job descriptions aligned with "need-to-know" requirements. Tip: compare background check providers, and run in-depth background checks on employees who hold key positions.
Follow applicable laws: Internal policies addressing the use of company equipment, devices, and information assets must be in place. Organizations may significantly limit employees' expectation of privacy by expressly excluding private use of company assets. Note also that the GDPR requires companies to report a personal data breach to the data protection authority within 72 hours of becoming aware of it.
Insider threat monitoring software should be used only with a strong business justification, such as investigating a suspected trade secret violation, and not as a way to gather evidence that employees are slacking.
You can read an extended version of Andrew's article here: https://www.linkedin.com/pulse/cisos-perspective-insider-threat-problem-security-andrew-smeaton-/