Detecting Insider Threats to Security

Posted June 8, 2021

Discussions around IT security generally center on software, budgets, virtual infrastructure, firewalls, backups, and user credentials. Often missing from the conversation is the human component and insider threats to security. We all want to believe our employees, vendors, consultants, business partners, and even board members are trustworthy, but the truth is that today’s most damaging security threats don’t originate from outsiders or malware but from trusted insiders. According to a CA Insider Threat Report from 2018, over 50 percent of organizations suffered an insider threat-based attack in the prior 12 months, while a quarter reported suffering attacks more frequently than in the previous year.

Not all insider threats are intended to do harm. Often the vulnerabilities derive from human negligence or simply circumventing security because it makes the job easier. According to research from Cyber Security Insider, 63% of organizations think that privileged IT users pose the biggest insider security risk to organizations.

And 78% of businesses surveyed don’t believe they have very effective management of user privileges. Insider threats present another layer of complexity for IT professionals to manage, requiring careful planning with regards to access controls, user permissions, and monitoring user actions.

In 2020, we witnessed insider threats play out at the likes of Amazon as a former Finance Manager was charged in a $1.4 million insider trading scheme, an insider attack at Stradis Healthcare as a former VP Finance carried out an attack that disrupted the delivery of personal protective equipment, and a data breach at Shopify as two employees stole merchant information.

Recently, Shopify became aware of an incident involving the data of less than 200 merchants. We immediately launched an investigation to identify the issue–and impact–so we could take action and notify the affected merchants.

Our investigation determined that two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants. We immediately terminated these individuals’ access to our Shopify network and referred the incident to law enforcement. We are currently working with the FBI and other international agencies in their investigation of these criminal acts. While we do not have evidence of the data being utilized, we are in the early stages of the investigation and will be updating affected merchants as relevant.

Source: Shopify Blog

The key to preventing insider threats is to identify the warning signs to stop an attack or breach before it happens. A critical component of creating a risk profile identifying potential insider threats is knowing who the likely perpetrators are, what data they may be targeting, and why. This will enable you to put greater restrictions on potential threat actors and more controls on vulnerable data. Some behavioral signs to watch out for include:

Using unauthorized devices
Searching for sensitive data or network crawling
Accessing data not associated with their job function
Data hoarding or copying sensitive files
Emailing sensitive data outside the organization
Any attempt to bypass security
Frequent off-hours office use
Displaying disgruntled behavior
Violations of other corporate policies
Discussions of resigning or other employment opportunities

Identifying these warning signs early can help minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Establishing insider risk policies allow your organization to define the types of risks to identify, and detect in your organization, including acting on cases and escalating cases as appropriate. Established policies may include:

Data theft by departing users
General data leaks
Data leaks by priority users
Data leaks by disgruntled users
General security policy violations
Security policy violations by departing users
Security policy violations by priority users
Security policy violations by disgruntled users

Users in the modern workplace have access to create, manage, and share data across a broad spectrum of platforms and services. In most cases, organizations have limited resources and tools to identify and mitigate organization-wide risks while also meeting user privacy standards. The threat exists in all organizations large and small. This year Tesla CEO Elson Musk said an insider was found making “direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive data to unknown third parties.”

If you are ready to protect your data from insider threats, we can help audit your current environment as well as implement and manage appropriate policies, data loss prevention (DLP), encryption at rest, identity and access management (IAM), behavioral analytics, tailored log and event management, along with other strategies to keep you from being the next victim and maintain compliance with HIPAA or PIC information security requirements.

Scott Anderson

Scott Anderson is Partner / CTO of Verus Corp. He works with mid- and large-sized companies to ensure that all of their managed IT service needs are met to their highest standards. Scott knows that giving customers exactly what they need requires flexibility and patience. He works with each department to carry out documentation and the processes of providing managed IT services. Every position that Scott has held has been largely focused on customer service. This expertise and experience means that you’ll be getting a holistic and customer-centered experience from Verus Corp, from installation to troubleshooting. Scott has provided services that have helped Verus Corp be named a Cisco Select Partner and WatchGuard Partner of the Year. Most recently, Verus Corp was named the second best place to work by the Minneapolis/St. Paul Business Journal. Scott has a Bachelor’s in Speech from St. Cloud State University.