There have been a number of recent events that have forced organizations to reevaluate the possibility of insider threats. In order to deal with insider threats a security analyst must have a very different mindset towards security than they have for dealing with external threats.
The insider threat can be characterized by three questions: why do employees engage in insider threat activity; what damage can employees do from within; and how can security professionals prevent insider threat activity?
Why do employees engage in insider threat activities?
At first glance the logic of being an insider does not seem to make sense, because the insider acts against an organization that they are (or were) a part of, and therefore against their own interests.
In order to examine insider activity we can use a model known as MICE, which is used to examine espionage motives (Koenig & Srikantaiah, 2004).
M – Money
I – Ideology
C – Coercion
E – Ego
More often than not, one or more of these motives is involved when an employee decides to conduct insider activity. The nature of the attack may differ based on the particular motive. For instance, an insider interested primarily in monetary gain might prefer to set up a quiet way to steal (and sell) confidential or proprietary information. In contrast, an employee with a personal grievance might carry out a more demonstrative attack meant to highlight his or her discontent with the organization.
What damage can employees do from within?
The exact damage an insider can cause depends on their motives, but there is no two ways about it: the damage can be significant.
The damage also depends on who the insider is, that is, what access privileges they have. For example, a system administrator can cause far more damage to a network than a receptionist. But someone with access to and knowledge of critical information could cause far more financial damage to the company than the system administrator.
The point is that in the event of a breach that is the work of an insider, it is very important to identify what has been breached and mitigate it quickly and efficiently.
Preventing insider attacks
In general, prevention and mitigation techniques for insider attacks can be grouped into two categories: technical and non-technical.
Technical steps to prevent insider attacks are broadly similar, if not identical, to security industry best practices. Organizations must begin to treat insider attacks as seriously as they do external attacks. Since they may not be able to prevent every insider attack from occurring, they need to detect them as quickly as possible.
Non-technical means of security may be more important in dealing with the insider threat. As mentioned, employee discontent increases the risk of insider attacks; therefore, it is both good management and good security practice to handle delicate situations well. It is also very important to disable the credentials of employees who leave the organization as quickly as possible, to help prevent security leaks.
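The two points above, detecting insider activity quickly and disabling the credentials of departed employees promptly, can be checked together with a small offboarding audit. The following is an added example, not code from the article or from Excelsior College: it compares a constructed HR departure list against a constructed directory export to find accounts that are still enabled past their offboarding deadline, and scans constructed authentication log lines for successful logins by departed users after their last working day. The data formats, field names and the grace period are all assumptions for the sake of the example.

```python
"""Offboarding audit (added example with constructed data).

Two checks a defender would run on a schedule:
  1. Which departed employees still have an enabled directory account?
  2. Did any departed employee successfully authenticate after their last day?
"""
from datetime import date, datetime, timedelta

# Constructed HR offboarding feed: username -> last working day (ISO date).
HR_DEPARTURES = {
    "jsmith": "2024-03-01",
    "adoe": "2024-03-10",
    "rlee": "2024-03-15",
}

# Constructed directory export, shaped like what an LDAP/AD query might return.
DIRECTORY_ACCOUNTS = [
    {"username": "jsmith", "enabled": False},  # correctly disabled
    {"username": "adoe", "enabled": True},     # still enabled after departure
    {"username": "rlee", "enabled": True},     # still enabled after departure
    {"username": "mchen", "enabled": True},    # current employee
]

# Constructed authentication log: "<ISO timestamp> <user> <result> <source>".
AUTH_LOG = """\
2024-03-09T08:00:00 adoe SUCCESS vpn
2024-03-12T22:15:00 adoe SUCCESS vpn
2024-03-16T03:40:00 rlee FAILURE vpn
2024-03-16T03:41:00 rlee SUCCESS fileshare
2024-03-16T09:00:00 mchen SUCCESS vpn
"""


def stale_accounts(departures, accounts, as_of, grace_days=0):
    """Return departed users whose account is still enabled once the offboarding
    deadline (last working day + grace_days) has passed, as of the ISO date as_of."""
    as_of_date = date.fromisoformat(as_of)
    enabled = {a["username"] for a in accounts if a["enabled"]}
    flagged = []
    for user, last_day in departures.items():
        deadline = date.fromisoformat(last_day) + timedelta(days=grace_days)
        if user in enabled and as_of_date > deadline:
            flagged.append(user)
    return sorted(flagged)


def post_departure_logins(departures, log_text):
    """Return (user, timestamp, source) for every successful authentication by a
    departed user that happened after their last working day."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the audit
        stamp, user, result, source = parts
        if result != "SUCCESS" or user not in departures:
            continue
        when = datetime.fromisoformat(stamp)
        if when.date() > date.fromisoformat(departures[user]):
            hits.append((user, stamp, source))
    return hits


if __name__ == "__main__":
    today = "2024-03-20"
    for user in stale_accounts(HR_DEPARTURES, DIRECTORY_ACCOUNTS, today):
        print(f"STALE ACCOUNT: {user} left {HR_DEPARTURES[user]} but is still enabled")
    for user, stamp, source in post_departure_logins(HR_DEPARTURES, AUTH_LOG):
        print(f"POST-DEPARTURE LOGIN: {user} at {stamp} via {source}")
```

In practice the departure list comes from HR, the account export from the directory, and the log lines from the authentication systems; the audit is most useful when run daily, and a non-zero grace period only makes sense if offboarding is allowed to lag the last working day by policy.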
Dealing with insider threats is possibly one of the most difficult tasks facing an information security practitioner today. However, best practices implemented correctly can help mitigate this threat.
To learn more about the insider threat, or to purchase our new book, Cybersecurity in Our Digital Lives, visit the Hudson Whitman/Excelsior College Press website. Also available as an e-book.
The National Cybersecurity Institute at Excelsior College is a powerful resource for learning more about the insider threat and cybersecurity in general. With a dedicated focus on cybersecurity education as it relates to government, military, industry and beyond, the NCI is ideally positioned to help alleviate the nation's cybersecurity talent gap. Please visit Excelsior College to learn more about our cybersecurity education opportunities.
Koenig, M. E., & Srikantaiah, K. T. (2004). Knowledge Management Lessons Learned. Information Today, Inc.