Employers strive to recruit and hire people with desirable personal characteristics, such as loyalty, trustworthiness, and dedication, for the benefit of any business or organization. Acquisition of potential candidates within government and many corporations normally includes background security screenings for criminal records and financial standing, as well as personal assessment interviews and consideration of designated security clearance levels. Reliability and trust are paramount to business operations, in order to ensure a company’s growth, expansion, and financial success. Employers and employees must collaborate with a mindset of team solidarity so they can attain the highest level of group success and organizational prosperity.
That being said, any employee that has trusted access to infrastructure or information can also be a potential insider threat. Inadvertent threats can include misplacing a mobile device or removable media, granting other unauthorized employees’ access to sensitive information, mishandling sensitive information, or forgetting to apply the appropriate security permissions. Malicious insider threats, however, are deliberate actions by an employee that knowingly uses their position to exploit information with the intent to cause harm or achieve personal gain. An insider threat may be based on any number of possible motives, which may include:
Revenge: Employees that feel unappreciated or mistreated based on a lack of job advancement, or the future potential to be laid off, may commit deliberate damage to their employer as they believe their motivation and dedication has been undervalued or taken for granted.
Extortion: Employees that have committed a harmful ‘one-time’ action with the intent for personal gain, may find themselves subject to blackmail or extortion, to ensure the continual passage of information in favour of the threat actor. If the employee refuses to continually cooperate, the threat actor is in the position to report the employee to local law enforcement.
Personal gain: Employees suffering from personal or financial difficulty (substance addiction, marital and domestic issues, or financial crisis), may have accessibility to highly valued information based on their employment position — information which may be of benefit to an interested third party that is willing to pay for it.
Collaboration: Collaborators are employees that cooperate with a third party, such as a business rival, and use their access to intentionally cause harm from within, such as using their access to steal intellectual property, customer information, or to intentionally disrupt normal business operations.
Lone wolf mentality: Lone wolves are employees which operate in an entirely independent and malicious capacity without external influence or manipulation, based on their personal principles and opinions. They are prepared to commit unsympathetic actions towards their employer or organization. Lone wolves are particularly dangerous when they have elevated levels of privilege, such as a system or database administrator within a highly sensitive operations area; and
Ideology: Personal ideologies may inspire an employee towards radicalization, whether motivated by political or religious beliefs or informed by conspiracy theories. During the COVID-19 pandemic, conspiracy groups such as the QAnon movement, anti-maskers, and anti-vax demonstrators, have increased regional protests while proclaiming their lack of trust towards the Canadian government. Radicalized followers employed in sensitive positions have the capability to release insider information on social media networks and private chat groups. Secondary motives may include malicious intent, egotistical satisfaction amongst peers, or deliberate acts of support in favour of an accepted or embraced socio-political belief.
Detecting an insider threat is extremely difficult, as the insider already has legitimate access to the business or organization’s information and assets. They possess the insider knowledge required to locate their potential target, acquire the means to successfully penetrate organizational safeguards, and successfully accomplish their intended operation. The insider threat may attempt to conceal their actions by altering detection programs or deleting audit records. Employees with unnecessarily high access privileges can present serious threats, therefore businesses and corporations should ensure that employees have access to information that is on a need-to-know basis, which supports their specific employment position and designated functions.
Insider Threats: Common Indicators
Insider threats vary in degree based on subjective behaviour, fundamental beliefs and personal fortitude. To intentionally operate as an insider threat, with full knowledge of the potential consequences if exposed, the insider threat may demonstrate certain behavioural indicators that may be considered potential warning signs:
Digital warning signs:
· The downloading or accessing of substantial amounts of electronic data.
· Accessing sensitive data not associated with the insider’s job function.
· Accessing data that is outside of the insider’s unique behavioral profile.
· Multiple requests for access to resources not associated with the insider’s job function.
· Using unauthorized storage devices (USB drives, floppy disks, compact discs).
· Network crawling and deliberate searches for sensitive data.
· Data hoarding or copying files from sensitive folders.
· Emailing or sharing sensitive data outside the organization.
Behavioural warning signs:
· Deliberate attempts to bypass security protocols (both cyber and physical).
· Frequently in the office during off-hours.
· Display disgruntled behaviour toward co-workers or senior staff.
· Deliberate violation of corporate security policies.
· Unusual social media activity
· Personal discussions of resigning or the potential for new employment opportunities.
· Acting withdrawn or in an unusual manner.
Insider Threats: Prevention
The mitigation of the insider threat necessitates a top-down methodology, in which senior leadership must endeavor to maintain a continuous security-based philosophy woven into the corporate mindset. Employers and employees must take security protocols seriously and work together to ensure their organization is protected from within. Insider threat prevention measures may include (although are not limited to), the following:
Policies and procedures: Organizational policies should be clearly defined in relation to the organization’s security requirements and expected employee behaviour when utilizing internal networks, systems, or information.
Background checks: The screening of employees that will handle sensitive information.
Employee exit plans: Implementing tailored internal moves and departure/retirement plans.
Security training: Provide mandatory training and internal security awareness activities.
Risk awareness: Provide instructional topics such as phishing, malware exposure, and social media risks.
Threat concentrations: Tailored security training specifically designed to address organization-specific threats and security control protocols.
Security enforcement: The preservation of security contracts and arrangements with partners and third parties.
Geopolitical legalities: Ensure organizational data is located within Canada and under the protection of Canada’s legal jurisdiction.
Data tracking: The continual monitoring and tracking in relation to an employee’s electronic data access and log-in actions.
Reliability assessment: Facilitating long-term and trusted relationships with employees, partners and third parties.
Access control: An employee’s access to system networks and data should be restricted through various internal control methods. Access should only be permitted to conduct the employee’s specific position or occupational function.
Access privilege: Enforcing the principles of ‘least privilege’ or ‘need-to-know’, when allocating administrative privileges and information access.
Two-factor authentication: Implementing two-factor or multi-factor authentication methods through password and cryptographic hardware, to authenticate and authorize access.
Rescinding access: Rescind or revoke an employee’s account access and administrative privileges when no longer required, based on transfer, departure, or retirement.
Audits: Audit logs provide information in relation to employees and user’s action when unusual behaviour is detected or suspected. Audit logs provide time/date stamps, administrative account changes, and the capability to track corporate owned mobile devices.
Data loss prevention: Software developed to detect and prevent data from leaving the business or organization’s control, as the software alerts, denies, or encrypts data prior to release.