What is the Insider Threat?
The insider threat is one of the most difficult cyber security issues to deal with, as it involves someone you trust betraying that trust behind your back and exploiting the access they have to privileged information or processes.
Unfortunately, the insider threat is a risk you have to live with. Every organisation has to trust people to some extent, even though those people could betray that trust!
The other issue is that you only have so much money to spend on cyber security.
What can you do about the Insider Threat?
I have discussed in a number of other articles some of the ways that organisations can mitigate the insider threat, and these include:
Create a Positive Cyber Security Culture
Blame culture is something that, paradoxically, can encourage the insider threat. In this case the trust is not betrayed for gain, it is betrayed for self-preservation!
Information Classification and Segmentation
This is one of the easiest precautions to implement: if someone cannot access certain information, they cannot compromise it.
The Insider Threat – the threat landscape and the first steps…
Authorisation – It Shows You Care
There is always the stick!
A positive culture is an absolute must. However, you do need to include the legal consequences of betraying trust in your contracts, policies and procedures.
Back again, because that insider threat has not gone away…
Keep a 24/7 continuous watch!
This is where a Security Operations Centre (SOC) steps into the security stack. By collecting logs and data from endpoints, servers and services – for instance Microsoft 365 and RMM* – and automatically comparing these to known threats, indicators of compromise and your known normal operations, the SOC can grade a threat and then either raise a ticket or alert the on-duty cyber security team to take action. This happens even when you and our cyber security support team are in bed!
So how can that stop an insider threat?
It cannot stop it. But simple rules built around your working hours, how sensitive information is stored and used, and monitoring of your users and their computers can alert the SOC team, us and yourself to suspicious behaviour in real time. That gives everyone time to react, even getting us out of bed, if that trusted person thought logging in at 3am would avoid detection.
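As an added illustration of the "simple rules" described above (example code written for this page, not part of the original article or of any vendor's SOC): a toy Python triage that grades constructed log events against a per-role working-hours window and a list of sensitive resources, then decides whether each event is normal, worth a ticket, or worth paging the on-duty team. The roles, hours, resource names and events are all constructed for the example.

```python
from datetime import datetime, time

# Constructed policy (assumption for the example): local hours in which each
# role normally works, and the resources the organisation classes as sensitive.
WORKING_HOURS = {"finance": (time(8, 0), time(18, 30)), "it": (time(7, 0), time(22, 0))}
SENSITIVE = {"payroll", "customer-db"}

# Constructed sample events, not real logs: (user, role, ISO timestamp, action, resource)
EVENTS = [
    ("alice", "finance", "2024-03-12T09:15:00", "login", "-"),
    ("alice", "finance", "2024-03-12T10:02:00", "read", "payroll"),
    ("bob", "finance", "2024-03-13T03:04:00", "login", "-"),
    ("bob", "finance", "2024-03-13T03:09:00", "download", "payroll"),
    ("carol", "it", "2024-03-13T21:30:00", "login", "-"),
    ("dave", "it", "2024-03-13T23:10:00", "read", "customer-db"),
]


def grade_event(user, role, ts, action, resource):
    """Score one event with three rules; return (score, list of human-readable reasons)."""
    when = datetime.fromisoformat(ts)
    start, end = WORKING_HOURS[role]
    score, reasons = 0, []
    if not (start <= when.time() <= end):          # rule 1: outside this role's hours
        score += 2
        reasons.append(f"outside {role} working hours ({when.strftime('%H:%M')})")
    if resource in SENSITIVE:                       # rule 2: touched classified data
        score += 1
        reasons.append(f"touched sensitive resource {resource}")
    if action == "download" and resource in SENSITIVE:  # rule 3: copied it out
        score += 2
        reasons.append("bulk copy of sensitive data")
    return score, reasons


def triage(events):
    """Grade every event: 0 is normal, 1-2 raises a TICKET, 3 or more PAGEs the team."""
    alerts = []
    for ev in events:
        score, reasons = grade_event(*ev)
        if score == 0:
            continue
        severity = "PAGE" if score >= 3 else "TICKET"
        alerts.append((severity, ev[0], ev[2], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(*alert, sep=" | ")
```

Bob's 03:09 download of payroll scores on all three rules and is paged, while Alice's daytime read of the same data only raises a ticket, which is the grading step the SOC performs before deciding whom to wake.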
Monitor and React
No system is going to be 100% when it comes to cyber security. What you have to consider is the risk, and then put in place appropriate cyber security defences. Anti-virus, RMM*, enforcing AAA** and the "principle of least privilege" are obvious. The biggest organisations use a SOC – it used to be expensive, but it is effective. Now we can offer a SOC to smaller organisations and even one-person businesses.
Are you interested in showing you care for the security of your information and putting in place a deterrent for the insider threat?
Clive Catton MSc (Cyber Security) – by-line and other articles
* RMM = Remote Monitoring and Management Software
** AAA = Authentication, Authorisation and Accountability
Further Reading
Authentication – Who Do You Let In?