 |
| Who is the insider? |
But what exactly is the insider threat? What, or rather who, is an insider? Security professionals and government agencies all have their own definitions and all of these that I’ve read differ in their own little way, but fundamentally the meaning is the same.
I am not going to quote each and every definition (please use the web links opposite to visit some of the specific sites), but the important thing to remember is that an insider is a person to whom you have given legitimate access to your assets. In my opinion a former employee does not fall into this definition (and so is not an insider) as they no longer have legitimate access. In fact, their activities are likely to constitute a criminal offence in themselves.
In the counter terrorism arena we talk a lot about capability vs motivation. Terrorists have motivation in buckets but most lack the capability - for example they cannot access the materials to build an effective IED. On the flip-side the insider has the motivation but also the capability as they have the in-depth knowledge of your organisation and the way in which you go about your business.
Companies are understandably slow to come forward and admit about their insider incidents as it could demonstrate a weakness in their internal processes or systems. This weakness could lead to uncomfortable questions from shareholders and governing bodies. The majority of insider incidents are reported by co-workers who experience suspicious activity but many still go undetected.
An Insider can be anyone in your organisation, anyone from the part time cleaner right up to a member of senior management. There is no ‘one size fits all’ profile for the insider, but there are a number of warning signs which could identify that you have a problem (we will cover these in future articles). It is important to remember though that current staff can become an insider, so 'Jim' who has been at his middle management role for 6 years and has a clean record may have a sudden change in personal circumstances (he could fall into financial difficulties) and could become a threat!
There is a massive misunderstanding and a lack of experience when it comes to the insider threat and this stems from no one department taking responsibility for it. The HR department generally deals with pre-employment screening (although in our opinion the security team should), IT systems are taken care of by the IT geeks wearing sci-fi t-shirts and musical ties, and any resulting investigation is dealt with by the security team.
There are various different types of insiders and the threat they pose will be different to each of you but in general they are:
Single Action Groups (animal activists or swampy students) – to cause harm, damage or media coverage
Terrorists - to cause large scale harm and to maximise media coverage
The Lone Wolf - because they want to and can! They are not part of any other group
Journalists – to identify an loop hole and to sell more newspapers
Foreign Intelligence Service
Competitors (corporate espionage) - trying to gain trade secrets, insider trading information or just to gain the upper hand over you
Disaffected Staff – revenge for not giving them that promotion/pay rise or someone who thinks they know better then the organisation itself.
3rd Party Facilitation – helping somebody else to gain entry or supplying someone else with the data to commit crime, admin account login/password or giving them your building access card.
Unknown Pawns - exploited via various means but one way could be via social engineering or 'water cooler talk'. Normally these types of insider are unaware of the information they are supplying others with.
Why do these people do what they do?
The effects of an insider can be far reaching but may include:
Financial Loss – Loss of sales or fines imposed by the ICO or regulating authorities (e.g.: Ofcom or the FSA). Physical Damage
Unrest Internally with Staff – potential a lack of trust between staff
Loss of Operational Service
Theft
Fraud
Poor International Relations
I keep coming back to it, but the single most important factor to consider is that these people have legitimate access, but what does it mean?. For me, this means they have already bypassed the majority of your physical and electronic security measures which protect you. Insiders are placed into organisations for the long term to build your trust, to gain a very in-depth understanding of your processes and the assets they are interested in. Even law enforcement are concerned that people with clean records will join in entry level roles and will raise through the ranks in order to supply serious organised criminals with information to assist them in committing crimes.
 |
| There have been numerous incidents of insiders |
There are many tools in organisations to prevent these threats and most fall under the security specialism of Personnel Security, some of these are:
A robust pre-employment screening regime (most potential insiders can be detected at this stage - especially journalists and people that have clearly lied on application forms or CV’s)
Having a staff exit (leavers) procedure
Having a positive security culture – where staff are aware of the security risks that your organisation is susceptible to
Good policies and procedures, which staff are aware of and read
Awareness of the potential warning signs (we will cover some of these in a future articles)
Support from the board and senior management
A robust security audit process including auditing 3rd party providers (make sure all contracts include a 'right to audit 'clause)
Utilising the electronic tools you have in place – system logs, forensic tools etc
Whatever approach you decide for your business, it must be risk-based and targeted. Each organisation’s risk appetite will be different, but one thing for sure is you ‘will’ experience an incident as a direct impact from insider action – it is purely a matter of when, and how significant the impact is.
The insider threat is a very vast subject and something that is impossible to cover in a single blog post. In my future articles I will give you some more details on this risk but until then expect the unexpected, these people are very difficult to detect but are easier to prevent.
The report also found a 63% increase in cases of staff stealing or disclosing personal data in 2010 compared to 2009. While 29% of staff fraudsters were aged under 21, just 3% were aged between 41 and 50, and none were aged over 50. It was mostly more established members of staff committing the fraud – the average duration of employment before fraud was discovered was five and a half years in 2010.
