Insider threats are the skeletons in the closet that we rarely like to talk about. It’s bad enough that we have to worry about cyberattacks and targeted efforts from shadows on the outside, right? Yet, here we are, faced with the uncomfortable truth that our greatest asset, namely our people, can also be a security risk. This should not come as a plot twist, however uncomfortable it might be to discuss in depth.
What makes the issue of insider threats a bit particular is that they’re not just about technical vulnerabilities but are influenced by a cocktail of behavioural and organisational factors and could be the product of conscious actions or neglectful behaviour. Addressing them thus requires a holistic approach that blends policies, procedures, and technologies. It’s no wonder these threats often slip through the cracks, especially in smaller companies, where the idea of involving the entire staff and plowing through heaps of administration and bureaucracy feels more like a nightmare than a necessity.
However, whether you’re running a tech giant or a promising startup, understanding the scope of insider threats and taking relevant steps to mitigate them could be what sets you apart in the long run. It’s about finding that balance—embracing sociotechnical approaches that consider the human element while ensuring robust security practices. Remember, treating every employee like a potential traitor might just push them into becoming one. So, as we explore this topic, let’s keep in mind that protection from insider threats means also avoiding an atmosphere of mistrust.
In this article, we advocate for a nuanced understanding of insider threats, emphasising that organisations of all sizes can and should address these risks effectively and responsibly. After all, the goal is to safeguard our assets while maintaining a positive, trust-based organisational culture.
Understanding Insider Threats
Organisations have become remarkably savvy in deploying sophisticated physical and cyber security measures to fend off external threats. But in this digital fortress, we often forget to lock the door against potential threats from within. There are many definitions of what insider threats are, and multiple classification systems and ontologies have been proposed to classify these threats. For instance, if you read Wikipedia, you will find a classification dividing insiders into three categories: malicious, negligent, and infiltrators. I do not say this is wrong, but as someone with a background in psychology, I subscribe to the idea of classifying not people but motivational pathways. After all, insider threats could be considered a temporary, reactive response to certain conditions, so shaping those conditions improves outcomes.
One such idea is proposed by Schoenherr et al. [1], who describe motivational pathways leading to three core behavioural patterns: unintentional, ambivalent, and intentional.
- Unintentional Behavior. This arises in people who are motivated to remain in the group and retain their roles. They usually conform to social norms with little or no perceived inconsistency in individual or group attitudes or values. For example, an employee, unaware of the company's strict data protection policies, accidentally sends a confidential document to the wrong email address. This person had no malicious intent and was trying to complete their tasks efficiently.
- Ambivalent Behavior. This manifests in people motivated by multiple roles in multiple groups who attempt to conform to multiple group norms, leading to inconsistency between roles or responsibilities. For example, a project manager who is involved in two projects might accidentally misuse one of the projects' resources or information, balancing dual roles without malicious intent. Their divided loyalties and responsibilities lead to security oversights.
- Intentional Behavior. This is driven by values that harm a target group (antisocial), help another group (prosocial), or help oneself (asocial). It involves temporary or pragmatic conformity to group norms. A commonly referred-to example is a disgruntled employee, feeling undervalued and overworked, who intentionally leaks sensitive company information to a competitor for retribution or personal profit.
For the purposes of this discussion, we will use this categorisation, along with the following terminology, as described by the UK’s Protective Security Authority [2]:
- Insider. Any person who has, or previously had, authorised access to or knowledge of the organisation’s resources, including people, processes, information, technology, and facilities. [3]
- Insider Risk. The likelihood of harm or loss to an organisation and its subsequent impact [4] due to an insider's action or inaction.
- Insider Threat. An insider, or group of insiders, that either intends to or is likely to cause harm or loss to the organisation.
- Insider Event. The activity conducted by an insider (whether intentional or unintentional) that could result in, or has resulted in, harm or loss to the organisation. [5]
Key Threats and Risks: A People, Processes and Technology Perspective
As mentioned at the beginning of this article, insider threats are a multifaceted issue that requires a holistic approach. Thus, I want to approach the categorisation of these risks from the perspective of the people, process, and technology framework.
People
Human Error and Negligence. Human error and negligence are the most common and challenging aspects of insider threats to mitigate, as they concern unintentional behaviour. Employees, regardless of their role or level of access, can make mistakes that compromise security. Phishing attacks, for instance, exploit human psychology and often succeed because they appear legitimate. To follow this example, an employee might inadvertently click on a phishing link, granting malicious parties access to the company's network.
Even with robust security systems, human error can open the door to insider threats. This highlights the need, first, for comprehensive training and awareness programmes, followed by a set of best practices for mitigating insider risks caused by unintentional behaviour:
- Training. Regular and thorough training sessions should be conducted to educate employees about common phishing tactics and other social engineering schemes, for instance. This should include simulations and practical exercises.
- Awareness Programs. Ongoing awareness programs can keep security at the top of employees' minds. This could involve regular reminders, newsletters, and updates about the latest threats.
- Reporting Mechanisms. Establish clear and simple processes for employees to report suspicious emails or activities without fear of repercussions.
- Communication Channels. Encourage employees to verify unusual requests through established communication channels before taking any action.
Disgruntled Employees. Disgruntled employees pose a significant risk because their insider knowledge can be used maliciously. This is a good example of intentional behaviour. However, this does not mean that the person is inherently good or bad. Although some personality traits might show an inclination towards retaliative behaviour, background checks will not serve much of a purpose here. In fact, this person might regret their actions deeply. Factors such as feeling undervalued, overworked, unfair treatment, or missed promotions can lead to intentional harm to the organisation.
Monitoring employee sentiment and having clear channels for grievance redressal can mitigate the risk of retaliatory actions, along with having an ethical code of conduct as a company and treating your employees according to it:
- Sentiment Monitoring. Regularly gauge employee satisfaction through surveys, feedback sessions, and monitoring of workplace behaviour.
- Grievance Channels. Provide clear, accessible, and confidential channels for employees to express concerns and grievances. Ensure these channels are effective and responsive.
- Proactive Management. Train managers to recognise signs of dissatisfaction and address issues promptly. This includes regular one-on-one meetings and open communication.
- Support Systems. Offer support services such as counselling and employee assistance programs to help employees manage stress and grievances healthily.
Third Party Vendors. Third-party vendors and contractors often require access to sensitive systems and data, making them potential vectors for insider threats. If these third parties are compromised, it can lead to significant security breaches.
Ensuring that third-party vendors adhere to strict security protocols and regularly auditing their access, followed by other best practices, can prevent such incidents:
- Strict Security Protocols. Ensure that all third-party vendors adhere to the same stringent security protocols as the organisation itself. This includes access controls, data handling procedures, and incident response plans.
- Regular Audits. Conduct regular security audits of third-party vendors to ensure compliance with security standards and to identify potential vulnerabilities.
- Limited Access. Implement the principle of least privilege by providing third-party vendors with the minimum access necessary to perform their duties.
- Contractual Obligations. Include security requirements and responsibilities in contracts with third-party vendors to ensure they are legally obliged to follow the necessary security measures.
- Vendor Training. Provide security awareness training for third-party vendors to ensure they understand the organisation's security expectations and protocols.
Processes
Addressing process-related risks helps safeguard against insider threats across all motivational pathways, but mainly against unintentional behaviours.
Insufficient Threat Detection. Effective threat detection is crucial for identifying and mitigating insider threats before they can cause significant damage. Without robust detection mechanisms, organisations may be blind to malicious or negligent activities occurring within their systems. What you can do to mitigate this risk:
- Advanced Monitoring Tools. Implement advanced monitoring tools that provide real-time analysis of user activities, detect anomalies, and flag suspicious behaviour.
- Behavioral Analytics. Use behavioural analytics to establish a baseline of normal activity and detect deviations that may indicate potential insider threats.
- Incident Response Plans. Develop and regularly update incident response plans to ensure swift and effective responses to detected threats.
- Regular Audits. Conduct regular audits of monitoring systems to ensure they are functioning correctly and covering all necessary areas.
- Integration with SIEM. Integrate threat detection systems with Security Information and Event Management (SIEM) solutions for comprehensive monitoring and quick incident response.
You can read more about this risk from the insider threat perspective in the OWASP Insider Threats Document Wiki here. [6]
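The behavioural-analytics point above (establish a baseline of normal activity, then flag deviations) is easier to reason about with a concrete implementation. The following is an added example, not code from the article or from OWASP: it builds a per-user baseline from constructed access-log lines (the hours each user is normally active and their typical daily download volume) and then scores a later day against it. The log format, the field names and the thresholds (an unseen hour, or a daily volume above both `mean + 3σ` and twice the mean) are assumptions chosen for illustration, not values the article prescribes.

```python
"""Baseline-and-deviation detection over constructed access logs.

Added example for illustration only; the data is constructed, not real telemetry,
and the thresholds are assumptions rather than recommended tuning.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline period: ISO timestamp, user, action, bytes transferred.
BASELINE_LOG = """\
2024-03-04T09:12:00 alice download 1200
2024-03-04T11:40:00 alice download 800
2024-03-05T10:05:00 alice download 1500
2024-03-05T14:30:00 alice download 900
2024-03-06T09:50:00 alice download 1100
2024-03-06T16:10:00 alice download 700
2024-03-04T08:30:00 bob download 300
2024-03-05T09:15:00 bob download 250
2024-03-06T10:45:00 bob download 400
"""

# Constructed "current day" activity to score against the baseline.
CURRENT_LOG = """\
2024-03-07T10:20:00 alice download 1300
2024-03-07T23:45:00 alice download 900
2024-03-07T09:30:00 bob download 12000
"""


def parse(log):
    """Yield (user, datetime, bytes) tuples from whitespace-separated log lines."""
    for line in log.splitlines():
        ts, user, _action, size = line.split()
        yield user, datetime.fromisoformat(ts), int(size)


def build_baseline(log):
    """Per user: the set of hours seen, plus mean and stdev of daily download volume."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, when, size in parse(log):
        hours[user].add(when.hour)
        daily[user][when.date()] += size
    baseline = {}
    for user in hours:
        volumes = list(daily[user].values())
        baseline[user] = {"hours": hours[user], "mean": mean(volumes), "stdev": pstdev(volumes)}
    return baseline


def detect_deviations(baseline, log, sigma=3.0, min_ratio=2.0):
    """Return sorted (user, finding, detail) tuples for activity that departs from the baseline.

    Two deviations are checked: activity at an hour never seen for the user, and a daily
    volume above max(mean + sigma*stdev, min_ratio*mean). The min_ratio floor stops a very
    regular user (tiny stdev) from being flagged for trivial increases.
    """
    findings = []
    daily = defaultdict(lambda: defaultdict(int))
    for user, when, size in parse(log):
        daily[user][when.date()] += size
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "unknown_user", when.isoformat()))
        elif when.hour not in profile["hours"]:
            findings.append((user, "unusual_hour", when.isoformat()))
    for user, days in daily.items():
        profile = baseline.get(user)
        if profile is None:
            continue
        threshold = max(profile["mean"] + sigma * profile["stdev"], min_ratio * profile["mean"])
        for day, total in days.items():
            if total > threshold:
                findings.append((user, "volume_spike", f"{day}:{total}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect_deviations(build_baseline(BASELINE_LOG), CURRENT_LOG):
        print(*finding)
```

Run against the constructed data, alice's late-night access is flagged as an unusual hour while her volume stays within range, and bob's single large download is flagged as a volume spike. In a real deployment the baseline would be rebuilt periodically and the findings fed to the SIEM integration the list above mentions, rather than printed.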
Inadequate Access Controls. Inadequate access controls can lead to unauthorised access to sensitive information and systems, increasing the risk of insider threats. Overly broad access privileges can be exploited by malicious insiders or misused by negligent employees.
Many mitigation strategies exist to counteract this risk:
- Least Privilege Principle (PoLP). Enforce the principle of least privilege, granting employees only the access necessary to perform their job functions. [7]
- Role-Based Access Control (RBAC). Implement RBAC to manage user permissions based on roles within the organisation, ensuring that access is consistent with job responsibilities.
- Regular Access Reviews. Conduct regular reviews of access permissions to ensure they are still appropriate and remove unnecessary privileges.
- Automated Access Management. Utilise automated tools to manage and review access permissions, reducing the risk of human error.
- Multi-Factor Authentication (MFA). Require MFA for access to sensitive systems and data to add an extra layer of security. [8]
Insecure Resource and User Management. Effective resource and user management are essential for maintaining the security of an organisation’s systems. Poor management practices can result in unauthorised access and misuse of resources.
Thankfully, there is a lot to do about this as well:
- User Provisioning and De-Provisioning. Implement strict procedures for provisioning and de-provisioning user accounts to ensure that only authorised users have access to resources.
- Audit Trails. Maintain detailed audit trails of user activities and access changes to track and review actions taken within the system.
- Regular User Access Reviews. Conduct regular reviews of user access rights to ensure they are appropriate for current job functions and remove any outdated or unnecessary access.
- Segregation of Duties. Implement segregation of duties to prevent conflicts of interest and reduce the risk of unauthorised actions. [9] This also protects from ambivalent behavior-based insider threats.
- Policy Enforcement. Develop and enforce policies for user and resource management, including regular training for staff on these policies.
You can read more about this risk from the insider threat perspective in the OWASP Insider Threats Document Wiki here. [10]
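The access-control and user-management practices above (least privilege, RBAC, regular access reviews, de-provisioning, segregation of duties) all reduce to questions one can ask of an identity snapshot. The following is an added example, not code from the article or from OWASP: it models a small RBAC scheme and runs an access review over a constructed set of accounts, reporting accounts missing from the HR roster (de-provisioning candidates), stale accounts, permissions granted directly rather than through a role (least-privilege drift), and segregation-of-duties conflicts. The roles, permission names, SoD rules, the 90-day staleness window and the review date are all constructed assumptions.

```python
"""Periodic access review over a constructed identity snapshot.

Added example for illustration only. Roles, permissions, SoD pairs, users and the
HR roster are all constructed; a real review would pull them from the IdP and HRIS.
"""
from datetime import date

# Constructed RBAC model: each role justifies exactly these permissions.
ROLES = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance_clerk": {"invoice:create", "ledger:read"},
    "finance_approver": {"invoice:approve", "ledger:read"},
    "admin": {"iam:manage", "repo:read"},
}

# Assumed segregation-of-duties rules: no single person may hold both permissions.
SOD_CONFLICTS = [("invoice:create", "invoice:approve"), ("repo:write", "iam:manage")]

# Constructed identity snapshot: assigned roles, direct (out-of-role) grants, last login.
USERS = {
    "alice": {"roles": ["engineer"], "direct": set(), "last_login": date(2024, 3, 1)},
    "bob": {"roles": ["finance_clerk", "finance_approver"], "direct": set(), "last_login": date(2024, 3, 2)},
    "carol": {"roles": ["engineer"], "direct": {"iam:manage"}, "last_login": date(2024, 3, 3)},
    "dave": {"roles": ["admin"], "direct": set(), "last_login": date(2023, 10, 1)},
    "erin": {"roles": ["engineer"], "direct": set(), "last_login": date(2024, 2, 20)},
}

# Constructed HR roster of people currently employed or under contract.
ACTIVE_STAFF = {"alice", "bob", "carol", "dave"}

# Constructed review date, fixed so the example is reproducible.
TODAY = date(2024, 3, 10)


def effective_permissions(user):
    """Union of role-derived permissions and any direct grants."""
    perms = set(user["direct"])
    for role in user["roles"]:
        perms |= ROLES[role]
    return perms


def review_access(users, active_staff, today, stale_days=90):
    """Return (user, finding, detail) tuples; an empty list means the snapshot is clean."""
    findings = []
    for name, user in sorted(users.items()):
        perms = effective_permissions(user)
        if name not in active_staff:
            findings.append((name, "deprovision", "not on HR roster"))
        idle = (today - user["last_login"]).days
        if idle > stale_days:
            findings.append((name, "stale_account", f"{idle} days"))
        # Direct grants bypass the role model, so each one needs a justification.
        for perm in sorted(user["direct"]):
            findings.append((name, "out_of_role_grant", perm))
        # SoD is checked on effective permissions, so role combinations are caught too.
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append((name, "sod_conflict", f"{a} + {b}"))
    return findings


def run_review():
    """Run the review over the constructed snapshot with the fixed review date."""
    return review_access(USERS, ACTIVE_STAFF, TODAY)


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
```

Note that bob's conflict comes from holding two individually legitimate roles, which is exactly the ambivalent, multiple-roles pattern described earlier, while carol's comes from a direct grant layered on top of her role. Both would be invisible to a review that only checked role assignments.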
Insufficient Asset Management and Documentation. Proper asset management ensures that all physical and digital assets are accounted for and securely managed. Insufficient documentation and tracking can lead to unauthorised use and difficulty in identifying security breaches.
Mitigation strategies include:
- Asset Inventory. Maintain a comprehensive inventory of all physical and digital assets, including their locations, ownership, and access permissions.
- Asset Tracking Systems. Use automated systems to track assets' lifecycles, from acquisition to disposal, ensuring accurate records.
- Regular Audits. Conduct regular audits of asset inventories to verify their accuracy and identify any discrepancies.
- Documentation Standards. Establish and enforce standards for documenting asset management processes, including access controls and maintenance procedures.
- Asset Tagging. Implement asset tagging to identify and track physical assets within the organisation easily.
You can read more about this risk from the insider threat perspective in the OWASP Insider Threats Document Wiki here. [11]
Technology
Outdated Software. Outdated software often contains vulnerabilities that have been discovered and fixed in newer versions. However, when these legacy systems are still in use, they present an easy target for attackers looking to exploit known weaknesses.
Mitigation Strategies:
- Regular Updates. Establish a routine schedule for updating all software systems to the latest versions.
- Patch Management. Implement a robust patch management process to apply security patches promptly after they are released.
- Legacy System Replacement. Plan and budget for replacing legacy systems with newer, more secure alternatives.
- Vulnerability Scanning. Use automated vulnerability scanning tools to identify outdated software and potential security gaps.
- Vendor Support. Ensure that the software in use is still supported by the vendor, providing access to security updates and patches.
You can read more about outdated software through the lens of insider threat management in the OWASP Insider Threats Document Wiki here. [12]
Insecure Configurations and Network Management. System misconfigurations can lead to unintended vulnerabilities that malicious actors can exploit. These configurations might include insecure default settings, unnecessary services enabled, or incorrect permission settings. Similarly, ineffective network controls can allow unauthorised access, making robust network access management critical for maintaining secure network access.
Implementing secure configuration practices and regular audits can close security gaps. Robust network access management practices ensure secure access to the network, preventing unauthorised access and potential breaches. Beyond that, you can also ensure:
- Configuration Baselines. Establish secure configuration baselines for all systems and ensure they are applied consistently to minimise vulnerabilities.
- Regular Audits. Conduct regular configuration audits to identify and rectify misconfigurations, ensuring systems remain secure.
- Continuous Monitoring and Automated Tools. Use automated configuration management tools to monitor configurations continuously, reducing the risk of human error.
- Configuration Management Database (CMDB). Maintain an up-to-date CMDB to track and manage configuration changes, providing a comprehensive view of the system's configuration status.
- Zero Trust and Network Segmentation. To contain potential breaches, implement a Zero Trust security model, in which no user or device is trusted by default, and segment networks into smaller, isolated sections wherever possible.
- Network Access Control (NAC) and Access Control Lists (ACLs). Deploy NAC and ACLs to enforce security policies on devices accessing the networks and their resources.
Find out more in the OWASP Insider Threats Document Wiki here. [13][14]
Insecure Use of Cryptography, Passwords and Default Credentials. Effective cryptography use and secure password management are foundational elements of a robust security posture. [15][16] Weaknesses in either area can lead to significant vulnerabilities. Outdated or improperly implemented cryptographic methods can fail to protect data, while weak passwords and default credentials provide easy entry points for attackers.
To prevent this, you can ensure:
- Use Strong Algorithms. To ensure data security, use strong, industry-standard cryptographic algorithms and protocols, such as AES-256 and RSA-2048.
- Key Management. Implement robust key management practices, including regular key rotation and secure storage, to protect cryptographic keys from unauthorised access.
- Encryption Policies and Password Policies. Develop and enforce encryption policies for sensitive data and password policies requiring complex, unique passwords for all accounts, and mandate the use of password managers.
- Compliance. Ensure cryptographic methods comply with relevant regulatory requirements and industry best practices to maintain legal and industry standards.
- Default Credentials. To eliminate common attack vectors, ensure that all default credentials are changed immediately upon the deployment of new systems.
- Multi-Factor Authentication (MFA). Implement MFA to add a layer of security beyond just passwords against intentional or unintentional information leakage.
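The password and default-credential points above are usually enforced at the moment a credential is set, which is where the checks are cheapest. The following is an added example, not code from the article or from OWASP, showing that enforcement point: a policy check that rejects short, common, username-derived and vendor-default passwords, salted PBKDF2-HMAC-SHA256 storage with a constant-time comparison, and a reuse check so the same secret cannot be shared across service accounts. The minimum length, the common-password and vendor-default lists, the iteration count and the account names are constructed assumptions for illustration, not values the article specifies.

```python
"""Password-policy and default-credential enforcement at credential set time.

Added example for illustration only. The common-password list, vendor-default pairs,
minimum length and iteration count are constructed assumptions; a production system
would source the first two from maintained lists and tune the last to its hardware.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 14                      # assumed policy minimum
ITERATIONS = 210_000                 # assumed PBKDF2 work factor
COMMON_PASSWORDS = {"password", "password1", "welcome1", "changeme", "letmein", "qwerty123"}
VENDOR_DEFAULTS = {("admin", "admin"), ("root", "toor"), ("admin", "changeme")}  # constructed


def check_policy(service_user, candidate):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if lowered in COMMON_PASSWORDS:
        problems.append("common_password")
    if (service_user.lower(), candidate) in VENDOR_DEFAULTS:
        problems.append("vendor_default")
    if service_user.lower() in lowered:
        problems.append("contains_username")
    return problems


def hash_password(candidate, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the salt is stored alongside."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, computed = hash_password(candidate, salt)
    return hmac.compare_digest(computed, digest)


def set_credential(store, service_user, candidate):
    """Apply policy, reject reuse across accounts, then store the salted hash.

    Returns the list of reasons for rejection; an empty list means the credential was stored.
    The reuse check verifies the candidate against every other stored hash, which is
    acceptable for a small service-account inventory like this one.
    """
    problems = check_policy(service_user, candidate)
    if problems:
        return problems
    for other, (salt, digest) in store.items():
        if other != service_user and verify_password(candidate, salt, digest):
            return ["reused_password"]
    store[service_user] = hash_password(candidate)
    return []


if __name__ == "__main__":
    credentials = {}
    print(set_credential(credentials, "admin", "admin"))                 # rejected: vendor default
    print(set_credential(credentials, "svc_backup", "Tq9!vLr2#mWe8bZx"))  # stored
    print(set_credential(credentials, "svc_reports", "Tq9!vLr2#mWe8bZx")) # rejected: reused
```

The ordering matters: the cheap policy checks run first, and the expensive hash comparisons only for candidates that pass them. MFA, the last item in the list above, sits in front of this store rather than inside it and is not modelled here.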
Structured Approach to Insider Threat Management
If categorising insider threats based on motivational pathways doesn't provide a practical guideline, another robust approach exists in the form of the NIST Cybersecurity Framework (CSF) [17]. The NIST Cybersecurity Framework is a set of industry standards and best practices designed to help organisations manage and reduce cybersecurity risk. It provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders.
The NIST CSF is a voluntary framework that provides organisations with a structured and comprehensive method for managing cybersecurity risks. It breaks down cybersecurity management into five key functions: Identify, Protect, Detect, Respond, and Recover. Let's explore how these functions apply to insider threat management.
The “Identify” function assists in developing an organisational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The focus is on identifying and prioritising business and mission objectives and goals, as well as the alignment of cybersecurity activities to support them. In the context of insider threat management, this means:
- Maintaining an up-to-date inventory of all assets, including people, processes, information, technology, and facilities that could be affected by insider threats.
- Conducting regular risk assessments to identify potential insider threats and vulnerabilities within the organisation.
- Identifying and managing risks associated with third-party vendors and partners who may have access to the organisation’s systems and data.
The “Protect” function outlines appropriate safeguards to ensure the delivery of critical infrastructure services. The goal is to limit or contain the impact of a potential cybersecurity event, which in the case of insider threats might mean protecting assets using the mitigation techniques laid out above based on their relevance and applicability.
The “Detect” function, on the other hand, defines the appropriate activities to identify the occurrence of a cybersecurity event. The focus is on developing and implementing the appropriate activities to detect cybersecurity incidents. One of the core strategies to implement at this step is to put in place systems and processes for continuous monitoring to detect any anomalies that may indicate insider threats or related behaviours.
The “Respond” function includes appropriate activities to take action regarding a detected cybersecurity incident. The goal is to effectively contain and mitigate the impacts of a potential cybersecurity incident.
At this step, within the context of insider threats but also beyond it, key actions include:
- Developing and maintaining an incident response plan specifically tailored to addressing insider threats.
- Implementing actions to mitigate the effects of insider threats, such as isolating affected systems and revoking compromised credentials.
- Ensuring that clear communication channels and protocols are established for reporting and responding to insider threat incidents.
Last but not least, the “Recover” function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident with the goal of restoring normal operations as quickly as possible and improving recovery plans based on lessons learned. This includes developing and implementing recovery plans that address how the organisation will return to normal operations following an insider threat incident, but also:
- Continuously improving recovery strategies by incorporating lessons learned from past incidents and regularly updating recovery plans.
- Maintaining open lines of communication with stakeholders throughout the recovery process to ensure transparency and trust.
By aligning with the NIST Cybersecurity Framework, organisations can adopt a structured and comprehensive approach to managing insider threats. This alignment not only helps in identifying and mitigating risks but also ensures a robust response and recovery strategy, enhancing the overall security posture of the organisation.
In Conclusion
Insider threat management is not a one-time task but an ongoing process that requires continuous improvement and vigilance. By fostering a security-conscious culture, leveraging advanced technologies, and staying informed about emerging threats, organisations can build resilient defences against insider risks. Remember, the goal is to protect your assets while maintaining a positive and trust-based organisational environment.
In this blog post, we’ve taken a whirlwind tour through the maze of insider threats, emphasising the importance of recognising and addressing these risks through a structured and comprehensive approach. From understanding the psychological motivations behind insider actions to aligning with the NIST Cybersecurity Framework, we’ve covered various strategies to enhance your organisation's security posture.
To recap where you might want to start, first things first: you need to know what you’re dealing with. Establishing an organisational baseline involves identifying all the assets that could be affected by insider threats and conducting regular risk assessments. Determining your organisation's risk appetite is like setting your tolerance level for spicy food—you need to know how much risk you can handle before you start sweating. Allocate resources effectively to address the most critical threats and ensure that your security measures align with your business objectives. From here on, take whatever is applicable from this blog post to your unique context.
As you reflect on the insights shared in this blog post, we encourage you to assess your own organisation's insider threat management practices. Consider implementing the strategies discussed, and get in touch with us if you need additional support with the security hardening of your organisation.
References
- Schoenherr, J. R., Lilja-Lolax, K., & Gioe, D. (2022). Multiple Approach Paths to Insider Threat (MAP-IT): Intentional, Ambivalent and Unintentional Insider Threats. Counter-Insider Threat Research and Practice, 1(1), https://citrap.scholasticahq.com/article/37117
- https://www.npsa.gov.uk/resources/npsa-insider-risk-definition
- https://redefiningcomms.com/the-risk-of-ignoring-the-employee-experience/
- https://www.mishcon.com/news/reputational-resilience-in-2024-are-employees-the-biggest-risk-to-businesses-reputation
- https://redefiningcomms.com/the-risk-of-ignoring-the-employee-experience/
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT02_2023-Insufficient_Threat_Detection
- https://xatchsoft.com/cybersecurity-best-practices.html
- https://imagineiti.com/cyber-security-self-audit/
- https://www.siit.io/blog/what-is-application-access-management
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT04_2023-Insecure_Resource_and_User_Management
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT10_2023-Insufficient_Asset_Management_and_Documentation
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT01_2023-Outdated_Software
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT03_2023-Insecure_Configurations
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT06_2023-Insecure_Network_Access_Management
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT05_2023-Insecure_Use_of_Cryptography
- https://owasp.org/www-project-top-10-insider-threats/docs/2023/INT07_2023-Insecure_Passwords_and_Default_Credentials
- https://www.cisa.gov/sites/default/files/images/IRMPE NIST CSF Crosswalk -v1 10.15.21.pdf