Your biggest security risk isn’t the hacker in a hoodie with their face obscured. It’s the people you trust: your staff.
If you don’t train them, you’ll suffer more breaches. It really is that simple.
This quote from Damian Garcia, our head of GRC consultancy, explains the insider threat in a nutshell.
Malicious insiders are part of the insider threat.
But most breaches are caused accidentally.
Verizon’s 2024 Data Breach Investigations Report found that 68% of data breaches involved a “non-malicious human element”, such as human error or falling for social engineering.
Damian explains the insider threat and how to protect yourself.
What is the insider threat?
What is the insider threat, exactly?
You can break the insider threat down into two camps: malicious and accidental.
Both originate from staff, whether that’s someone:
- Clicking a malicious link
- Sending data to the wrong person
- Deliberately stealing money or data
If it originates from a legitimate user’s account and can cause harm to the organisation, you’re looking at the insider threat.
Insider threat examples
What is a real-life example of an insider threat?
There was a car salesman in the UK who recently pleaded guilty to stealing over 3,600 customer records from his employer’s database and attempting to sell that data to competitors – and got a £1,200 fine. He stole that data just before he resigned.
I also recall a real-life example a training course attendee shared. Someone left their organisation on a Friday afternoon, duly returning all their assets – including their access badge – and was escorted off the premises.
The following morning – on a Saturday, when they knew the reception would be unmanned – that ex-employee returned, using an access badge belonging to an employee from another organisation in that shared office block. That badge had been believed lost.
What happened next?
That former employee gained access not just to the building, but to their former office – meaning their ex-employer hadn’t changed the access code to that office, or perhaps that employee had never returned their key.
Once in the office, they logged back into their workstation and deleted all their data, then left. The employer doesn’t know what data has been lost, as they didn’t back it up immediately after this person left – nor did they revoke the person’s access to the system, obviously.
That’s generally the greatest risk organisations face from the malicious insider threat: when people leave, and the organisation doesn’t take steps to immediately revoke the individual’s access to its systems.
But, again, the insider threat doesn’t have to be malicious – it can involve clicking a phishing link, or falling for another type of social engineering scam.
Why are insider threats an issue?
Your Master’s thesis focused on the insider threat. Why did you choose that topic?
As I talked to more experts in the field, I realised the scale of the insider threat problem.
For instance, I had the opportunity to work with a large UK charity, whose workforce consists mainly of volunteers. Their head of information security made a point about how most of their people are working for this charity out of pride. They want to help – they’re not likely to be malicious.
But this charity was having a massive problem with accidental breaches. Issues like people:
- Clicking phishing links
- Not logging out of their terminals
Accidental breaches were by far this charity’s biggest problem.
How come? Why were accidental breaches such a big problem?
The workforce was quite diverse:
- Some worked in an office and were very familiar with computers and how to use them.
- Others were manual labourers, who lacked IT literacy. They were very knowledgeable in their field but knew little about computers and the associated risks.
That is part of the challenge – how to tackle the insider threat when you have a diverse workforce.
The other problem is that you’re more likely to trust an insider – they’re supposed to have access to confidential systems and information.
So, if something goes wrong with that account, it can do a lot of damage. It may also take a while before you realise that something is wrong.
Sector trends and patterns
Do charities have more trouble with the insider threat than other sectors?
Quite possibly, but the same applies to other sectors less likely to invest in their people.
Out of all the ways you can address the internal threat, staff training is the most obvious solution. If you don’t invest in basic training and awareness, you’re going to suffer more data breaches. It really is that simple.
Plus, charities tend to have that diverse workforce – so, they’re more likely to have people who aren’t very knowledgeable about computers. To be clear: there’s nothing wrong with that – we all have our own strengths and weaknesses – but you do need to teach those skills.
It comes down to understanding the risks that the organisation faces to its information assets, then figuring out how to address and manage them.
What other sectors are more likely to have a big problem with the insider threat?
I work with a lot of councils. You see a similar pattern as with charities:
- Diverse workforces
- Good cyber hygiene isn’t a given
- Staff training can be limited and ineffective
So, by extension, smaller organisations are also more susceptible to the insider threat? Because they can’t afford – or rather, think they can’t afford – to invest in staff awareness training?
Absolutely. If I was a cyber criminal, without a doubt, I’d focus on small and medium-sized organisations. They typically lack the funds to invest in cyber security, making them easy targets.
They also tend to see their data as not worth very much, so don’t see why they’d be the focus of an attack.
Malicious insiders
Staff awareness training is a way to address accidental breaches. What about malicious insiders? How can organisations protect themselves from that type of insider threat?
The first step is to understand why someone might turn malicious. Why might an employee wish harm on your organisation? Typically, that’s a disgruntled employee. So, a way to mitigate that risk is to look after your people.
Another angle you should consider, to better understand the risks that your organisation faces, is the respective level of technical knowledge of your staff. For instance, an unhappy receptionist poses a vastly different threat to cyber or information security compared to an unhappy system administrator.
So, if you have someone who’s technically competent, pay attention to whether they’re happy. If they exhibit signs of poor performance and being disgruntled, put extra measures in place to ensure they’re not taking steps to cause problems for your organisation further down the line.
Security culture
Good leaving procedures and staff awareness aside, how else can organisations defend against the insider threat?
Culture is very important. You want a culture that’s security-aware and where all members of staff [not just IT] acknowledge they have a part to play in security.
Also, you mustn’t punish people when they make an honest mistake. So, to be crystal clear, if someone accidentally clicks a phishing link, do not punish them!
You want to encourage your staff to report incidents right away, so you can promptly investigate.
That seems rather obvious. Do organisations really punish staff for making that type of mistake?
Yes. I worked with a client overseas that had a very interesting – a very male-dominated – culture.
This company wanted to put a procedure in place that automatically disciplined anybody who caused a cyber incident, such as clicking a phishing link. That type of approach fitted with their culture.
I asked them to reconsider their approach.
Without going into too much detail, this company was likely to be targeted by well-crafted social engineering attacks. And if someone does fall for one, you want them to call it out as quickly as possible! Because the longer a problem carries on, the worse it could become.
How to detect the insider threat
How can you detect the insider threat? Besides people reporting accidental breaches, like clicking a phishing link?
First, you need to establish a baseline – the ‘normal’ pattern of behaviour. Then you can identify red flags – when your tools are catching behaviour falling outside those normal patterns.
For instance, would you expect:
- Your London-based employee to log in from mainland China at 3:00 am?
- Terabytes of data to be leaving your systems at 4:00 am?
Either of those suggests you may have a problem requiring some form of response.
It’s important to have both these types of automated monitoring tools, as well as staff training, email filters, and all sorts of other preventive measures – in short, cyber defence in depth.
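The baseline-then-deviation approach Damian describes, as an added example that is not part of the original interview: constructed login and data-egress records for one London-based user are used to learn what “normal” looks like (countries seen, hours of activity, typical transfer size), and a new day’s records are then screened for the two red flags mentioned above, a 3 am login from mainland China and terabytes leaving at 4 am. The record layout (timestamp|user|event|country|bytes_out), the thresholds and all the data are assumptions for illustration, not any real tool’s log format.

```python
"""Baseline-then-deviation detection over constructed login and data-egress records.

All records below are constructed for illustration; the field layout
(timestamp|user|event|country|bytes_out) is an assumption, not a real product's log format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# A week of "normal" activity for one London-based user (constructed).
BASELINE_LOG = """\
2024-05-01T08:55:00|alice|login|GB|0
2024-05-01T09:10:00|alice|egress|GB|40000000
2024-05-01T17:30:00|alice|egress|GB|120000000
2024-05-02T08:40:00|alice|login|GB|0
2024-05-02T13:00:00|alice|egress|GB|90000000
2024-05-03T09:05:00|alice|login|GB|0
2024-05-03T15:00:00|alice|egress|GB|60000000
2024-05-06T08:50:00|alice|login|GB|0
2024-05-06T11:00:00|alice|egress|GB|75000000
"""

# New activity to screen against that baseline (constructed): an ordinary working day
# plus the two scenarios from the interview, a 3 am login from mainland China and
# terabytes leaving at 4 am.
NEW_LOG = """\
2024-05-07T03:02:00|alice|login|CN|0
2024-05-07T04:00:00|alice|egress|CN|2500000000000
2024-05-07T08:45:00|alice|login|GB|0
2024-05-07T10:00:00|alice|egress|GB|80000000
"""


def parse_log(text):
    """Turn pipe-separated records into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, country, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": kind, "country": country, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user 'normal': countries seen, the hour window of activity, median transfer size."""
    seen = defaultdict(lambda: {"countries": set(), "hours": set(), "egress": []})
    for e in events:
        s = seen[e["user"]]
        s["countries"].add(e["country"])
        s["hours"].add(e["ts"].hour)
        if e["event"] == "egress":
            s["egress"].append(e["bytes"])
    return {
        user: {
            "countries": s["countries"],
            "hours": (min(s["hours"]), max(s["hours"])),
            "median_egress": median(s["egress"]) if s["egress"] else 0,
        }
        for user, s in seen.items()
    }


def detect(events, baseline, egress_factor=10):
    """Return (timestamp, user, reason) for every deviation from the user's own baseline."""
    alerts = []
    for e in events:
        when, user = e["ts"].isoformat(), e["user"]
        b = baseline.get(user)
        if b is None:
            # An account with no history at all is itself worth a look.
            alerts.append((when, user, "no baseline for this user"))
            continue
        if e["country"] not in b["countries"]:
            alerts.append((when, user, f"activity from unseen country {e['country']}"))
        low, high = b["hours"]
        if not low <= e["ts"].hour <= high:
            alerts.append((when, user,
                           f"activity at {e['ts'].hour:02d}:00, outside usual {low:02d}-{high:02d}"))
        if e["event"] == "egress" and b["median_egress"] and e["bytes"] > egress_factor * b["median_egress"]:
            gb = e["bytes"] / 1e9
            alerts.append((when, user,
                           f"egress of {gb:.1f} GB is over {egress_factor}x the usual transfer size"))
    return alerts


def run():
    """Learn the baseline from BASELINE_LOG and screen NEW_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for ts, user, reason in run():
        print(f"{ts} {user}: {reason}")
```

The ordinary 08:45 login and 10:00 transfer raise nothing, while the 3 am login and the 4 am transfer each trip more than one check; in practice the baseline would be learned over a much longer window, per user and per role, and the thresholds tuned against false positives, but the shape of the logic is the same.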
Overlaps between the internal and external threat
What you’re saying about security monitoring, email filters, and so on doesn’t sound that different to how you’d address the external threat.
Yes, the two aren’t completely separate. They are distinct, of course, but you have to implement controls that apply to both. Security monitoring is one.
Another is access control:
- Do you have role-based access control?
- Are you following the principle of least privilege?
- Are you only granting access on a need-to-know basis?
Regardless of who’s controlling the account, you want to give people as little access as possible.
What other technical controls work for both internal and external threats?
Segmentation and segregation are good. Again, limit the access people have to things, whether an authorised user or not. Conditional access and zero-trust architecture will also help with that.
But the most important thing is to not rely on just one control. Take a defence-in-depth approach – get multiple layers of measures working together, making up for each other’s weaknesses.
You can never know where the next attack or threat might come from: who might turn malicious, what might turn bad, who may want to harm your organisation.
So, the more defences you have in place, the more protected you’ll be.
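The three access-control questions above (role-based access, least privilege, need-to-know) together with the conditional access mentioned in the last answer, as an added example that is not part of the original interview: a single policy check in which a role is necessary but never sufficient, named need-to-know lists override roles, confidential data additionally requires MFA and a managed device, and a review function lists granted permissions that are never used, which is how “as little access as possible” gets enforced over time. The roles, users, resources and session context are all constructed for illustration, and the policy shape is an assumption rather than any real product’s model.

```python
"""Role-based access with need-to-know and conditional access, evaluated in one place.

Roles, users, resources and the device/MFA context are all constructed for this
example; the policy shape is an assumption, not any real product's model.
"""
from dataclasses import dataclass

# What each role may do, as (action, resource kind) pairs. A role gets only what its
# job needs: analysts read, managers also write, sysadmins administer servers but hold
# no right to read business data at all.
ROLE_PERMISSIONS = {
    "finance-analyst": {("read", "finance-report")},
    "finance-manager": {("read", "finance-report"), ("write", "finance-report")},
    "sysadmin": {("admin", "server")},
    "hr": {("read", "hr-record"), ("write", "hr-record")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str
    classification: str                     # "internal" or "confidential"
    need_to_know: frozenset = frozenset()   # named people cleared for it; empty = role is enough


def _granted(user):
    """All (action, kind) pairs the user's roles add up to."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))


def decide(user, action, resource, context):
    """Return ("allow" | "deny", reason). Every check must pass; the first failure wins."""
    # 1. Role-based access control: some role must grant this action on this kind of resource.
    if (action, resource.kind) not in _granted(user):
        return "deny", f"no role of {user.name} grants {action} on {resource.kind}"
    # 2. Need-to-know: a role is necessary but not sufficient for resources with a named audience.
    if resource.need_to_know and user.name not in resource.need_to_know:
        return "deny", f"{user.name} is not on the need-to-know list for {resource.name}"
    # 3. Conditional access: confidential data only from a strongly authenticated, managed session.
    if resource.classification == "confidential":
        if not context.get("mfa"):
            return "deny", "confidential data requires MFA"
        if not context.get("managed_device"):
            return "deny", "confidential data requires a managed device"
    return "allow", f"{user.name} may {action} {resource.name}"


def unused_permissions(user, observed_actions):
    """Least-privilege review: permissions the user's roles grant that never appear in the
    observed (action, kind) usage, i.e. candidates for removal."""
    return _granted(user) - set(observed_actions)


# Constructed users, resources and session contexts.
ALICE = User("alice", frozenset({"finance-analyst"}))
BOB = User("bob", frozenset({"sysadmin"}))
DAVE = User("dave", frozenset({"hr"}))
ERIN = User("erin", frozenset({"hr"}))
Q2_REPORT = Resource("q2-report", "finance-report", "internal")
SALARIES = Resource("salary-reviews", "hr-record", "confidential", frozenset({"dave"}))
TRUSTED = {"mfa": True, "managed_device": True}
UNTRUSTED = {"mfa": False, "managed_device": False}

if __name__ == "__main__":
    for user, action, res, ctx in [(ALICE, "read", Q2_REPORT, UNTRUSTED),
                                   (ALICE, "write", Q2_REPORT, TRUSTED),
                                   (BOB, "read", SALARIES, TRUSTED),
                                   (ERIN, "read", SALARIES, TRUSTED),
                                   (DAVE, "read", SALARIES, TRUSTED),
                                   (DAVE, "read", SALARIES, {"mfa": True, "managed_device": False})]:
        print(decide(user, action, res, ctx))
    print("dave never uses:", unused_permissions(DAVE, [("read", "hr-record")]))
```

Note the ordering of the checks: the sysadmin is refused the HR record at step 1 even though they administer the servers it lives on, and an HR colleague with the right role is still refused at step 2 because the resource names who needs to see it. The same evaluator applies whether the session belongs to the genuine user or to someone who has taken over their account, which is the point of controls that serve both the internal and the external threat.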
Reduce your insider threat
Staff training is one of the most cost-effective measures you can take to reduce your insider risk.
Our Phishing Staff Awareness Training Programme offers world-class content for a competitive price, developed by experienced and knowledgeable industry experts.
The course is:
- Quick to deploy;
- Easy to repeat; and
- Convenient for your staff.
Taking just 45 minutes, it’ll help employees spot the signs of common threats like phishing.
It also explains the importance of staying alert and teaches staff what to do if they think they’ve been attacked.
Don’t take our word for it
Here’s what our customers say:
Daniel:
Supplied and quickly available to staff from the point of purchase and order. Content was clear and simple for staff to understand.
Recommended for the right staff levels.
Debbie:
Easy to understand, using plain language and a very informative course, delivered very quickly from the point of purchase – a useful dashboard to track learner progress.
Highly recommended for content and value – thank you, IT Governance – would have no problem in securing further training from you for my staff!!
Caroline:
I certainly like the steps through the modules – it clearly builds the picture and explains the terminology in an easy-to-understand manner.
I tend to prefer E-Learning for my staff and, as an SME, consider it very good value for money learning – recommended content.
About Damian Garcia

Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he’s helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.
He has an MSc in cyber security risk management from the University of Southampton. Damian’s dissertation focused on the insider threat. He received a distinction for both.
Damian maintains various professional certifications. As our head of GRC consultancy, he remains deeply committed to safeguarding organisations’ information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.
We’ve previously interviewed Damian about how to start managing risks, how to mitigate risks, and common cyber security and ISO 27001 myths.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.
Alternatively, explore our full index of interviews here.
