Unfortunately, businesses, organisations, and institutions have often been “betrayed” by individuals of trust, also known as “insiders”.
The harm from such betrayal can be catastrophic. It can jeopardise sensitive data, compromise intellectual property, disrupt operations, and damage reputation. It can result in financial losses, legal ramifications, and loss of trust from customers and stakeholders.
For a long time, the insider threat has largely been ignored in favour of the external hacker.
The external hacker is easier to detect, easier to control, and is much more visible than the “enemy within”.
The reality is that insider threat activities have been occurring for a very long time and are still taking place today.
Since insider threat incidents occur within the organisation, they occur in “private”.
Private attacks by insiders are much easier to hide.
This brings me to the following point…Which poses the biggest threat to your business — cyber threats or insider threats?
In some ways, it is a loaded question.
For many years there has been much debate on who causes more damage — Insiders Vs. Outsiders.
While network intrusions and ransomware attacks can be very costly and damaging, so can the actions of employees sitting behind a firewall or remotely working from home.
Either way, cyber and insider threats pose significant risks to organisations. Still, it is challenging to determine which one is worse as their impact can vary depending on the specific circumstances and context.
Comparing the two threats is complex because they differ in nature and motivations.
While cyber threats can be launched from anywhere in the world, insider threats occur within the organisation’s own environment.
While cyber threats are often driven by financial gain, political motivations, or the desire to cause disruption, insider threats can stem from various factors, including personal grievances, financial pressures, negligence, or unintentional mistakes.
While detecting cyber threats can be challenging due to the external nature of the attacks and the evolving tactics used by cybercriminals. Insider threats can be relatively more difficult to detect as they originate from human behaviour and actions within the organisation’s trusted network.
While both cyber and insider threats can have severe consequences, the impact of a cyber threat can be immediate and widespread, affecting numerous organisations simultaneously. Insider threats, while potentially more localised, can be highly damaging due to their knowledge of internal systems and access to sensitive data.
While cyber threats are a technology challenge, insider threats are a people challenge.
Another problem is that Insider Threats live in the shadows of Cyber Threats and do not get the attention needed to fully comprehend the extent of the Insider Threat problem.
However, the focus of this article is not to determine which scenario is worse. Instead, it aims to show that by taking proactive measures to mitigate insider risk, you thereby strengthen your cybersecurity stance for your organisation.
It’s common to come across news about organisations being compromised or intruded upon, affecting customers, employees, government, and other stakeholders.
These attacks can come from within or outside the organisation and have severe consequences.
Often, external infiltration occurs due to intentional or unintentional vulnerabilities created by the organisation.
We know the cybersecurity landscape constantly evolves, but some things never change.
The current threat landscape bears the typical theme of malicious actors taking advantage of crises with a view to capitalising on them. This was no different during the COVID-19 pandemic and, more recently, with the tensions between Russia and Ukraine that could have cybersecurity implications globally.
As technology continues to evolve and many daily interactions are conducted in virtual space, this evolution continues to place unrelenting threats and challenges. Look no further than the introduction of artificial intelligence tools into our business.
The assets organisations need to protect, ranging from proprietary information and intellectual property to critical processes, research and development, exist largely in virtual space.
As a result, risks to those assets have taken on new meaning. Information has become a high-risk asset that can be readily extracted and exploited.
Furthermore, as business operations have shifted beyond the physical confines, mitigating threats outside their boundaries has added additional complications and vulnerabilities.
“What was in is now out. And what was out in now in.” We are all interconnected.
Although the business medium has changed to more virtual, mitigating cyber and insider threats must still utilise a holistic approach.
Risk landscapes are frequently developed to inform decision-making, shape prioritisation of the assessment, and mitigate risks.
Landscapes should, whenever possible, incorporate aspects of physical, cyber, and human risk elements, as shown by the image below.
In the above diagram, we illustrate how insiders have access to the use of technology, which can exist both internally and externally.
Physical security is very much interconnected with information technology security and cybersecurity.
You cannot look at what an individual does in the virtual world and ignore what goes on in the world of bricks and mortar.
You can’t have cybersecurity without considering your insiders interacting in the day-to-day business operations using technology, applications, and data.
To successfully manage your cyber risk landscape, you need to focus on insiders.
Business is conducted by people. People with beliefs, values, thoughts, aspirations, needs, etc. They behave and act in the manner that best serves them, whether passive, aggressive, ignorant, or even aggrandised.
Example: A Tesla employee thwarts an alleged ransomware plot
In 2020, a Russian agent tried to recruit an unnamed Tesla employee to plant the malware onto the Tesla network for $1 million. The goal was to steal data from the automaker and threaten to release it unless Tesla paid a ransom.
Luckily, the employee in question reportedly told Tesla about the Russian agent and the proposition. Tesla then contacted the FBI, who arrested the agent before returning to Russia.
The above example perfectly shows how cyber perimeter defences can be easily circumvented.
Cybersecurity defence is important, but the human-cyber-physical approach must be applied in tandem to reduce external threats.
Without a doubt, technology has become so integrated into the fabric of society that it can be difficult to see where the technology starts and ends.
In some cases, it makes it difficult to assess the risk of technology, especially if it is not clearly understood in the context of human behaviour.
Example: AT&T employees took bribes to install malware
The bribery scheme lasted from April 2012 until September 2017.
Initially, two Pakistani men bribed AT&T employees to unlock expensive iPhones so they could be used outside AT&T’s network.
They recruited AT&T employees by approaching them privately via telephone or Facebook messages. Employees who agreed received lists of IMEI phone codes which they had to unlock for sums of money.
Employees would then receive bribes in their bank accounts, in shell companies they created, or as cash, from the two Pakistani men.
A year into the malpractice, the Pakistani men had bribed other AT&T employees to install malware on the AT&T network so that it would collect data, employee details/credentials and reveal how their systems worked.
The second malware that they created was designed to use AT&T employee credentials to perform automated actions on AT&T’s internal application to unlock phones at the fraudster’s behest without needing to interact with AT&T employees every time.
By 2014, they bribed AT&T employees to install rogue wireless access devices inside the AT&T call centre. These devices provide remote access to AT&T internal apps and networks and continue the rogue phone unlocking scheme.
In short, the two Pakistani men paid more than $1 million in bribes to AT&T employees and successfully unlocked over two million devices.
One AT&T employee received $428,000 in bribes over a period of five years.
In 2018, the Pakistani men were arrested in Hong Kong and extradited to the US.
AT&T estimated it lost revenue of more than $5 million/year from Fahd’s phone unlocking scheme.
The above example clearly demonstrates the interconnectedness between the physical-cyber-human world. No amount of cybersecurity tools would have stopped this crime from taking place
Protecting the organisation’s assets in the current environment is not an exercise in just mitigating or preventing adverse effects but rather in reducing the impact of what is not understood or cannot be foreseen — uncertainty.
And what we don’t understand nor foresee very well is how human behaviour can potentially impact the organisation’s objectives, outcomes, and security.
People are dynamic.
Human behaviour is the result of “frames” (inner executive) that drive human actions. These frames drive their actions. They govern their state of mind and emotions.
When they go to work, they run their frames, which may at that time be positive or negative.
If your door to your office is broken because it refuses to close, you can always change the lock mechanism or even change the door. However, if the person slams the door, you must handle their behaviour.
Cybersecurity programs will encounter difficulties if they do not understand the interconnection and interrelation between insiders and the physical and logical world.
Mitigating cyber risk will be measured by how much uncertainty you can eliminate and how much uncertainty you can tolerate and still advise on business directions.
It is interesting to note that as human beings, we all need certainty, safety, stability, and predictability in our lives.
We like to feel secure in our jobs, in our homes, and our relationships. We want to avoid pain and assurances that our basic needs are being met.
Some people pursue this need for certainty by striving to control all aspects of their lives, including the projects they run and those who work for them.
Interestingly, when we lack certainty, we tend to panic and get stressed.
During the period when we had COVID-19 lockdowns, we faced new uncertainty. Shoppers began stocking up on basic household items — especially toilet paper. This buying frenzy led to shortages, even though, in most cases, there would have been enough to go around if people only purchased what they needed.
Enterprise risk management should be positioned to address uncertainties by shifting away from attention to avoiding failure, which is inevitable to understand the balance between decreasing levels of uncertainties.
As we noted earlier, robust and resilient cybersecurity programs stem from efforts to understand both internal and external happenings within the organisation. The two aspects go hand in hand.
The reality is that organisations cannot prevent all cyber incidents. The typical approach of spending more money and resources or buying the latest risk management technologies and tools rarely proves effective. One way to establish such capability is by implementing an insider risk management program.
An insider risk management program serves as the organisation’s designated and dedicated resource for mitigating and managing insider threats.
To effectively prevent, detect, deter, and respond to insider threats from insiders, the organisation must take appropriate risk management actions. The best time to develop a process for mitigating insider incidents is before they occur.
They should possess the following characteristics:
While a well-designed and effectively implemented insider risk management program cannot eliminate all internal risks, it can help reduce the likelihood of compromise and mitigate damage from internal incidents and external attacks.
Given today’s elevated-threat environment, protecting all assets at the highest level is impossible. However, by implementing an insider risk management program and integrating it with existing security practices, organisations can more effectively prevent, detect, deter, and rapidly respond to internal risks. This capability is integral to an effective cybersecurity practice and posture.