Skip to main content

Q&A – How can organisations defend against insider threats?

(Image credit: Image Credit: Sergey Nivens / Shutterstock)

How dangerous are malicious insiders? 

Malicious insiders pose just as much of a threat as external attackers – and indeed can inflict even more damage as they are often harder to detect. Unless the company is equipped with the tools to identify their activity, an opportunistic rogue can easily steal thousands of sensitive and critical files to sell to competitors or to criminals. A disgruntled employee with an axe to grind can also cause serious harm by using their access to commit major acts of sabotage, editing, deleting or leaking large amounts of private and essential data, or interfering with critical systems.

Alongside the classic case of an opportunistic or resentful employee acting against the company, the insider threat also encompasses the risk of external attackers exploiting stolen login credentials. Armed with a set of login details acquired from a database leak or phishing attack, an intruder can gain instant access to the network and move about as though they were a genuine employee.

Even a relatively small-scale breach can still have serious legal and regulatory repercussions for the organisation if the privacy of customers or patients was breached. Under the GDPR for example, a company could face heavy fines if it is judged they did not put sufficient measures in place to prevent the breach.

How difficult is it to successfully spot a rogue insider before it’s too late?

Unless you are looking for the tell-tale signs of insider activity, it can be almost impossible to spot a rogue before the damage is done. Unless they happen to be sitting at their desk twirling their moustache and cackling maniacally, there are unlikely to be any obviously external signs. The good news is that even the most cautious malicious users will leave signs in their digital activity that can be used to spot a potential threat and identify the culprit.

Nevertheless, companies that are not equipped to spot these signs can end up completely blind to the presence of a rogue in their midst. There have been many high-profile cases of employees abusing their access to systemically steal confidential data over long periods of time before being caught.

What are the tell-tale signs of a malicious insider?

There are four key signs that can point towards a malicious insider at work:

  • Strange file access. An employee that is searching for, viewing or copying data that is not relevant to their job role should be taken as a strong sign of malicious intent. Whether they are planning a data heist or are simply being nosy, this can lead to serious security or privacy issues, particularly where data such as customer or patient records are concerned.
  • Accessing, saving or printing large amounts of information. The most dangerous insiders are those with privileged access who are acting within their job role. However, they can still give themselves away by attempting to exfiltrate too much data at once. If a large number of files are saved externally or printed, it could be a sign they are planning to take them to another job or sell them to a third party.
  • Unusual activity out of hours. It’s common to find an organisation’s working hours extending well beyond the normal 9-5 these days, with employees often logging in at night or over the weekend. If an individual’s activity shows sudden and drastic changes however, it might be a sign they are trying to cover up illicit activity, or that a criminal is accessing the account with stolen credentials.
  • Network ghosts. Organisations often overlook admin tasks such as deleting the accounts of users who have left the company. These ghost accounts can often be accessed by the former employee using their old credentials and are also vulnerable to discovery and exploitation by criminals.

What can organisations do to mitigate the damage that a rogue employee can inflict?  

Organisations can greatly reduce the potential threat posed by malicious insiders by making sure network access is granted on a least-privilege basis, which means all users only receive access to files and systems relevant for their job roles. It’s common to find that a company will give employees far more access than they need by default. In fact, research from Varonis has found that 41 per cent of companies have at least 1,000 sensitive files open to all employees.  

The problem has been exacerbated by the use of cloud-based applications and network tools. The popular use of hybrid setups that combine onsite networks with cloud-based systems can easily result in a company losing track of where key files are saved and who can access them. Ensuring that all essential data is kept locked down will mitigate the threat from both rogue insiders and external intruders using stolen credentials.

Can machine learning capabilities help organisations detect the insider threat? 

While strong privilege policies will close off the majority of insider threats, it will not help with users who have the privileges needed to access the files and are technically within the boundaries of their job role.

This means that organisations must also be equipped with the ability to monitor how their users are accessing and using files, particularly when it comes to mission critical systems and data. Behavioural analytics powered by machine learning can build a profile of what normal user behaviour looks like, and automatically identify users acting outside this standard who might be acting maliciously.

As employees become more cyber savvy does this pose an increased cyber threat to organisations?

The most difficult rogues to identify and stop are those who have a higher level of knowledge of how the company’s security capabilities. They can take pains not to stray outside of their expected job role, as well as attempting to mask their activity through steps such as only accessing or copying small amounts of data at a time.

Unfortunately, this means that having more cyber savvy employees can actually increase the risk of insider threats, even as it mitigates other threats such as phishing attacks. 

However, even the most canny and careful of rogues will have a difficult time erasing all evidence of their illicit activity and can still be caught out with a sufficient combination of access policies and behavioural analytics. Perceptive employees can also help to reduce the threat by being more adept at spotting unusual activity from colleagues before it’s too late.

Matt Lock, Director of Sales Engineers (UK), Varonis  
Image Credit: Sergey Nivens / Shutterstock

Matt Lock
Matt Lock, Director of Systems Engineering (UK) at Varonis, has 17 years’ security experience, specialising in risk assessment, risk management, policy compliance, security reviews and managing network behaviour anomaly systems.