Just as store employees can steal far more than shoplifters, malicious insiders can often wreak more havoc than cybercriminals.
By Nigel Bowen
Nowadays, most people are aware of the threat posed to businesses by tech-savvy lawbreakers operating from far-flung corners of the world, such as Russia and Nigeria.
Much less attention is being paid to the vast potential damage that can be caused by aggrieved or self-interested employees from only a few feet away.
While you may not have come across the term “malicious insider” before, it is possible that you know of – or maybe even know – one of them.
Malicious insiders, or “turncloaks”, use their legitimate access to a company’s files and security systems for personal or financial gain, or to harm their employer because they feel aggrieved at the way they have been treated.
While there are plenty of anecdotal accounts of small and large businesses falling victim to malicious insider attacks, there is not much solid data available on the scope of the problem.
Nonetheless, most cybersecurity experts argue that business owners and senior managers should be at least as worried about malicious insiders as they are about external malicious threats.
These experts also warn that “inside job” attacks are likely to have increased with the advent of widespread remote working.
“Even before the pandemic, there were reports indicating about a third of all data breaches were the work of insiders,” says Daniel Weis, senior cybersecurity specialist and lead penetration tester at IT services company Nexon.
“Given most organisations have now embraced the cloud and are allowing some or all of their workforce to work from anywhere, at any time and access lots of sensitive data, it would be strange if malicious insider activity hadn’t grown since early 2020.”
When people’s circumstances change, their behaviours often change, too, agrees Charles White, chief technology officer with cybersecurity company Fornetix, who worked for US Army intelligence before going into the private sector. “It’s a lot more tempting to, say, go to a website you shouldn’t when you’re using a laptop in your living room, rather than using a desktop computer in an office,” he says.
“And, if you manage to visit inappropriate websites without suffering any adverse consequences, you may decide to start testing other boundaries.”
The perils of playing detective
As anyone who has employed or managed staff knows, discerning the current mindset and likely future actions of a worker is no simple task. By definition, malicious insiders want to damage or rip off their employers.
However, that does not narrow things down much, given that many employees, at least on their worst days, feel justified in questioning the integrity of their employer.
Academic research suggests that, while any employee has the potential to engage in IT sabotage, it is the underperformers and overperformers who should be watched most closely. That’s because the large majority of malicious insiders appear to be motivated by the prospect of financial gain.
Mediocre performers who are denied pay raises and promotions can easily morph into disgruntled employees. Overachievers may feel undercompensated for their efforts, or harbour ambitions to go out on their own, taking customer data with them.
According to the Australian Cyber Security Centre, “happy, valued and challenged staff members are less likely to act to harm your organisation”. Even so, experts argue that every employee should be seen as a potential malicious insider, and that all businesses should arrange their cybersecurity defences accordingly.
Guarding against the enemy within
Professor Matthew Warren, director of the RMIT Centre of Cyber Security Research and Innovation, points out that most organisations’ cybersecurity is based on perimeter defence.
This is the equivalent of building a high wall around your castle – it is difficult for an enemy army to breach the wall, but it offers no protection from the threats that may already be lurking within.
In the 1980s, when computers were starting to be used widely in workplaces, access control enjoyed a brief period of popularity. However, this approach to security fell out of favour because of the grunt work involved in granting and revoking access to various levels of information for staffers, contractors and consultants.
These days, most cybersecurity experts are proponents of “zero trust” networks, an approach to cybersecurity based on the idea that an organisation should not automatically trust anyone, either inside or outside its perimeter defence.
In practical terms, this means no staff member or contractor gains access to IP addresses, data, devices or networks until they have been authorised to do so, and, once authorised, they always need to prove their credentials before using a work device or logging onto a network.
There are many good reasons to embrace a zero trust model, and preventing staff from misusing company or customer data is one of them.
Zero trust model tools, such as user behaviour analytics and log management, can be used to monitor staff’s online behaviour. Unfortunately, these tools usually require deep pockets and a well-resourced IT department.
Warren suggests that those who own or manage small businesses start with the low-hanging fruit.
“It’s not practical or advisable to micromanage access to the information staff and contractors need to do their job,” he says. “But many organisations have gone to the opposite extreme and now give staff and contractors access to sensitive information that’s in no way relevant to their role.
“I’d suggest anybody worried about malicious insider attacks start by instituting some basic access control.
“It’s also a good idea to disable USB ports on any work computers. Even the most computer illiterate individuals can manage to download company data onto a thumb drive.”
Weis agrees with Warren about access control and disabling USB ports. He also warns against hiring anybody with a “spotty” job history, and suggests putting stringent user termination processes in place.
White points out that there is a growing number of virtual chief information security officers and managed security service providers offering Cybersecurity-as-a-Service at prices even small suburban accountancy practices can afford.
White also urges businesses to encrypt their data wherever possible.
“I’m biased, given my company’s focus on encryption,” he says. “But, as many others have argued, once data is encrypted – whether it remains on the premises or goes into the cloud – it becomes a far less attractive target both for insiders and hackers, who are unable to do anything with it unless they also manage to get hold of the key required to decipher it.”
Managing an insider attack
Part of the reason there is so little historical data on the frequency and costs of malicious insider attacks is that businesses have always been reluctant to admit they have been duped by someone they hired.
However, the Notifiable Data Breaches scheme means that, in many cases, Australian businesses are now obliged to report insider attacks to the Office of the Australian Information Commissioner (OAIC).
Since late 2020, New Zealand businesses have also been obligated to report any privacy breach “likely to cause anyone serious harm” to the Privacy Commissioner.
Warren and Weis both advise erring on the side of reporting malicious insider attacks to the OAIC, even if they do not seem overly serious, followed by a security review.
“Honesty is the best policy,” Weis observes. “Being the victim of a data breach isn’t fatal, but not being upfront with your customers, staff, suppliers and the OAIC could be.
“Obviously, as well as informing everyone who needs to be informed of the breach, the owner or CEO of the business will need to organise a security review to determine what data has been lost or exposed, and prevent the malicious insider doing any further damage.”
“Regrettably, most businesses will only pay penetration testers to conduct internal threat audits after an insider attack has occurred,” says Warren.
“If you’re the victim of an insider attack, you should certainly do this. But I’d advise businesses to invest in regularly conducting both external and internal threat audits if they want to avoid the cost and embarrassment involved in a data breach in the first place.”
The zero trust trade-off
You might be wondering whether employers treating their employees as dangerous threats and watching them like hawks is likely to create happy and productive workplaces.
Warren concedes it is not.
“There are no easy solutions when it comes to getting the balance right between trusting your staff to do their jobs and monitoring their activities to make sure they aren’t up to anything,” he says.
“That’s one of the reasons safeguarding against insider threats is so difficult.”