What an insider threat really is
The idea of an “insider threat” sounds like some sort of double agent hiding away in a cubicle—someone hired to steal company secrets and take you down. That sounds pretty exciting, but it’s not very accurate. When we talk about insider threats, in reality, we’re usually talking about people who have made a mistake that led to a breach of company information. But just because their actions caused harm doesn’t mean they’re guilty of malicious intention.
Defining an insider threat
“Insider threat” or “human error” shows up a lot as the major cause of data breaches across all types of reports out there. But often it’s not defined, or it’s not clearly defined, so people conjure up their own definition.
When you hear stories about insider threats, these are the main ones they’re talking about:
A disgruntled employee chooses to leak data and cause the company harm
This is the most direct action a person can take. They are looking to harm you and your company by making you the victim of a data breach.
Unfortunately, this doesn’t just happen after an employee leaves the company. It can happen during employment just as easily as it can happen post-employment.
The best way to combat this is to have clearly defined hiring, onboarding, and offboarding procedures and use a password management system. Employees should not have the ability to access anything using personal emails, and once they’ve left the company you should turn off their access completely. A password management system allows you to remove access simultaneously to several systems upon someone leaving the company: You also know everything they’ve ever had access to so you can do the housekeeping that’s necessary.
The other obvious way to avoid this is to create a good company culture. This might not seem like cybersecurity advice, but when employees are happy they’re less likely to spend time formulating ways to take you down. If you sense an employee isn’t happy, reach out and make sure you talk to them.
An employee cuts a corner
Just look at the news for examples.
Let’s look at KeepNet Labs. Just this year they suffered a massive data breach that left 5 billion records compromised. This happened because a security professional, someone working for a security vendor hired by KeepNet, disabled a firewall for only 10 minutes! They wanted to speed up the transfer of the database with those 5 billion records, and it cost them big.
You could even argue that Bangladesh Central Bank was a victim of cutting corners. Their lack of basic cybersecurity practices allowed hackers to make 35 transfers from the Bangladesh Bank account to the Federal Reserve Bank of New York for a total of $81M lost.
There can be a huge range in the types of ways that companies can “cut corners.” It’s up to you to provide the tools and procedures for securely sharing information or transferring data. And the importance of following procedure needs to be shared with your staff. No one wants to be the person who bypasses a simple procedure to save a few minutes only to cost the company millions of dollars.
Someone makes a poor decision online
We’ve all gotten phishing emails and stumbled onto malicious websites. It’s even possible we’ve experienced those things without even being aware of it. Maybe we were just lucky:
- We opened a phishing email and just didn’t click
- We navigated to a malicious site and didn’t go to the page with the malware
- We were presented with a scam deal and just weren’t interested
- We ended up on a duplicate of our banking site but didn’t have a reason to log in
These are all very real possibilities that easily could have gone the other way for us. When Anthem was hacked in 2015, it was because someone fell for a phishing email. For employees who don’t have the same cybersecurity training as the rest of us, these situations are even scarier. If they’re not careful enough, they could take an action that could result in a personal or professional breach.
Let’s think about a financial employee landing on that fake banking site I mentioned above. What if they entered your company account information? Or that phishing email: What if it was asking to wire money from the company to a customer?
These are situations that have happened to real people. Education around what a scam looks like is a good first step, but putting the right protections in place is just as important. After all, even if you’re the most cybersecurity aware person on the planet, you can still fall for a really good scam.
So what should you do?
Install DNS protection so that every click you and your employees take online is protected. Employees can be blocked from accessing phishing and malware sites. Good DNS protection will give you the ability to deploy either to the network or to individual devices, depending on your company’s needs.
Unclear terms around public and private information
At every company, there are things that are OK to share with the general public and things that aren’t OK. Some of these are obvious like login credentials and API keys. But some things are less obvious, like tools you use or links to certain information repositories.
Let’s say an employee shared a link to something publicly, that was somehow accessible by people outside the company, that should not have been. Maybe someone created a public GitHub repository on their personal account instead of under the company account. Or maybe they shared a link to some reporting that isn’t customer-facing. These types of assets may have information that could lead an external party to find a vulnerability at your company. And it’s all because your employee didn’t know what was and wasn’t OK to share.
The easy fix for this is to have policies around what is and isn’t acceptable to share with external parties. Make sure that employees never use their personal accounts when housing vulnerable company information and that you have dedicated places for them to create new projects or content. Rules need to be in place, and you also need to encourage questions. If they aren’t sure about what the right next move is, they should ask instead of assuming. This can save you from becoming the victim of a data breach.
Interested in learning more about accidental cyberattacks? DNSFilter did a recent webinar with MYKI called “Humans = Weak Link.” Watch it on-demand here.