These are malicious activities carried out by your own people: employees, consultants, suppliers or partners who work for you and have legitimate access to your IT systems and data.
The fact that this important threat is overlooked by the majority of the people may have to do with the belief that most attacks are launched from the internet by criminals who are financially motivated and run their operations like a business.
The reason I started to think about this was a recent experience during a project where several members were of the opinion that security testing was not needed, as the applications were only published on the intranet and not accessible from the internet. Since the internal network infrastructure was already protected, one should not bother about it. This way of thinking completely ignores the risk of the malicious insider.
But the insider threat does exist, and it is difficult to defend against. The network perimeter security which protects your internal network and applications against the outside world does not help if your colleague has the same aspirations as Dr. Evil.
According to IBM, two thirds of the total data records compromised in 2017 were the result of malicious insiders, and insider threats are the cause of 60 per cent of cyber-attacks. Based on the 2018 Cost of Insider Threats report from the Ponemon Institute, the average cost of insider-caused incidents was $8.76 million in 2017, more than twice the $3.86 million global average cost of all breaches during that same year. Your most valuable asset, your people, has become your biggest risk.
In general, three categories of insider threat are recognised, although every malicious individual has their own reasons. I’ve added a fourth one to this list: the ones who introduce risk without knowing it.
1. Theft of data: the most well-known category. This can vary from stealing competitive information (sales plans, customer contacts, trade secrets, designs, CRM exports, etc.) to Personally Identifiable Information (such as credit card data, passport numbers, full names, etc.). This type of information can be very useful to insiders who leave the company to start their own business or move to a competitor. It may also be used to ruin the organisation by leaking the information to the public.
2. Sabotage: this type of threat results in the unavailability of data on IT systems and/or of the equipment itself, and is mostly associated with disgruntled employees who are looking for a way to damage the organisation.
3. Fraud: in general this is the result of insiders who are looking for personal gain, whether a better financial situation or even a better position for themselves. Business processes and controls which are simply not in place, or are easy to bypass, make it easy for malicious insiders to execute their plans.
4. Unintentional threats: those introduced into the organisation without the individuals involved even being aware of it, for example employees using a private mail account for business-related correspondence, using unencrypted USB sticks, or connecting a wireless access point to the corporate network because it is more convenient. This type of insider threat stems from a lack of awareness and seems almost innocent, but it can have very serious consequences.
It’s not just the people and business processes which introduce a threat; it’s also the IT systems themselves, which is why we must test our applications and internal networks even though they may not be internet-facing. Anyone who works with IT systems needs to consider that a weakness caused by ignorance, limited skills or lack of awareness might result in disclosure of data, or in financial or reputational damage. This can happen during the development phase, but also during implementation or lifecycle management.
To understand the risks associated with this type of threat, you need to evaluate the security posture of internal IT systems just as you do for external ones. Some examples of issues we have identified when testing internal-facing applications and their associated network infrastructure were:
Security testing is an ongoing activity which never stops, just as attacks launched by malicious individuals never stop, whether from the outside or the inside. Our team of ethical hackers can identify your weak spots and then work with you to fix them. Find out how secure your organisation is.
We can help you identify your weak spots and also work with you to fix them.