Protecting against insider threats

When discussing insider threats, we refer to the security risks posed by individuals within a business who have access to sensitive data and systems and who, intentionally or unintentionally, misuse that access and compromise security.

These threats can come from employees, third-party contractors, or even disgruntled business partners. Insider threats are particularly challenging to detect and prevent because insiders often have legitimate access to systems and data. Segregating duties within a business is a crucial countermeasure because it forces collusion: fraud is less likely to happen when it requires more than one person.

I considered writing this article while reminiscing over my days at the University of Teesside (now rebranded as Teesside University). In the first semester back in 1993, our class was broken into teams of 4 or 5 and given topics to research and prepare a 30-minute presentation; ours was computer crime.

I recall concluding with the importance of hiring trustworthy staff. I referred to Gus Gorman, played by Richard Pryor in Superman III, who collected all the ½ cents from everyone’s salary after rounding down to the nearest cent. He added them to his salary and bought himself a new car. Background checks are at the top of my list of countermeasures, including verification of the following:

  • Employment History – the investigation into employment history will vary from role to role. At a minimum, it must include verification of the start and end dates of employment, job titles, and responsibilities. Speaking with referees will add additional insights such as:
    • Validation of candidate claims such as achievements and awards
    • Overall attendance records
    • Reason for leaving
    • Job performance
  • Academic qualifications and professional certifications – academic institutions, professional bodies, and product vendors offering degree courses, certificates or certifications allow a third party to verify a candidate’s claims, either online or offline. If the human resources onboarding process includes these checks, someone is unlikely to lie about qualifications and get away with it.
  • Financial checks – it may seem unfair to deny or deprive someone of an opportunity for work because they have poor finances; the job itself would probably make their problems disappear. However, from a risk perspective, hiring someone with significant financial issues could leave them susceptible to accepting bribes or open to blackmail in cases where someone could lose their job if their employer found out about large debts.
  • Disclosure and Barring Service (DBS) – these checks differ depending on the role. Most employment opportunities should only require a basic DBS check, but positions involving children involve a more comprehensive background check. Depending on the type of check, the DBS check returns details of an individual’s criminal record, including spent and unspent convictions, cautions, and any reprimands or final warnings. The DBS certificate can also include soft intelligence held by police that they consider relevant to the role.

Hiring the right people is at the top of my list, but:

  • The wrong people might still slip through the net.
  • The right people can still become disgruntled over time.
  • People do become disillusioned or disenfranchised over time for many reasons.

We must consider a more comprehensive suite of countermeasures to mitigate insider threats. Here is a selection:

  • Training and awareness – implement a security awareness programme that:
    • Includes educating employees about the risks of insider threats
    • Encourages reporting of suspicious activities
  • Access control
    • Implement strong access controls.
    • Use the Principle of Least Privilege (PoLP) to limit access to systems and sensitive data based on job role and need to know/access.
    • Implement Privileged Access Management (PAM) to control and monitor privileged access.
    • Enable Multi-Factor Authentication (MFA) for access to critical systems and data.
    • Immediately revoke access to systems when employees leave the business.
    • Control physical access to sensitive areas within the business.
    • Conduct regular user access audits.
  • User activity monitoring – log and monitor user activities to detect suspicious or unauthorised behaviour. Consider using behavioural analysis tools to identify unusual behaviour patterns.
  • Data Loss Prevention (DLP) – deploy a DLP solution to monitor and restrict the movement of sensitive data.
  • Segregation of Duties – prevent errors and fraud by ensuring that no individual controls all aspects of any critical financial or operational process. As mentioned earlier, segregating duties forces two or more persons to conspire to carry out fraudulent activities, reducing the risk of it happening.
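As an added example (not code from the original article), the user activity monitoring, leaver access revocation and segregation-of-duties controls above applied to a small constructed audit log. The CSV-style log format, the leaver list and the 07:00–19:00 business-hours window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample audit log: timestamp,user,action,record_id
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,create_payment,P-1001
2024-03-04T09:15:00,bob,approve_payment,P-1001
2024-03-04T10:02:00,carol,create_payment,P-1002
2024-03-04T10:03:00,carol,approve_payment,P-1002
2024-03-05T23:40:00,dave,export_customer_data,R-77
2024-03-06T08:00:00,erin,login,-
"""

# Constructed leaver list from HR: user -> last working day
LEAVERS = {"erin": date(2024, 3, 5)}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    record: str


def parse_log(text):
    """Parse the hypothetical CSV audit log into Event objects."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, record = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, action, record))
    return events


def sod_violations(events):
    """Segregation of duties: the same user created and approved a payment."""
    creators = {e.record: e.user for e in events if e.action == "create_payment"}
    return sorted({e.record for e in events
                   if e.action == "approve_payment" and creators.get(e.record) == e.user})


def leaver_activity(events, leavers):
    """Access not revoked: an account is active after the user's last working day."""
    return sorted({e.user for e in events
                   if e.user in leavers and e.ts.date() > leavers[e.user]})


def off_hours_exports(events, start_hour=7, end_hour=19):
    """Behavioural check: sensitive data exports outside the assumed business hours."""
    return [e.record for e in events
            if e.action == "export_customer_data"
            and not start_hour <= e.ts.hour < end_hour]
```

Each function returns the records or accounts that warrant review; in practice the leaver list would come from the HR system and the findings would feed the regular user access audit.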

There is no single countermeasure to provide complete protection against insider threats. An effective strategy involves a combination of:

  • Technical solutions
  • Employee education and reporting suspicious activity
  • Proactive monitoring
  • Auditing control effectiveness and strengthening countermeasures

Psychological support also plays an essential role in preventing insider threats, as any number of personal difficulties could be a trigger that leads to malicious behaviour.