Insider threats: 4 vulnerabilities you’re missing

By Force 3

The next insider threat won’t be a malicious mastermind; he or she may not even be an employee. Are you prepared?

When we think of insider threats, we inevitably picture the faces of Edward Snowden and Chelsea Manning—employees turning against their employers, leaking confidential information for malicious or ideological reasons. But there are other, more prevalent and harmful types of insider threats at play.

Granted, the more malicious, Snowden-esque threat is the easiest to understand: It has a face and clear motivations. Unfortunately, with our intense focus on malicious threats, we risk missing other potential insider threats—two in particular.

First, there’s the negligent insider threat: an end-user who is either lazy or lacks vigilance. The negligent threat creates an insecure environment without even knowing it, whether by opening malicious links or by being careless with credentials. Then you have the compromised threat (often an evolution of the negligent threat). In this case, an outsider secures internal access by tricking an insider through phishing or other scams.

Either of these threats creates numerous liabilities. Here are four insider threat vulnerabilities that are undervalued and what we can do about them.

1. Leadership

The business side of the C-Suite is tasked with managing development, strategic decision making and, ultimately, organizational success. As such, cybersecurity policies are often seen as a barrier to progress and action. Unfortunately, securing an organization against insider threats requires buy-in from the entire leadership team, not just the CSO. So, what can you do?

CSOs need to work with the rest of the C-Suite to convince them of the business case for tackling negligent and compromised insider threats. Only then will secure decision making filter down through the ranks.

2. Recruitment

Insider threats can be fought on multiple fronts—including early in the recruitment and hiring process. Hiring leaders should look beyond the standard criminal background checks and dig into a prospect’s history to look for anything that might render them susceptible to blackmail or bribery. This means understanding credit history, outstanding debts and anything else that could be used as leverage.

Recruiters also need to ensure that new hires have a competent grasp of your security culture. Human error, after all, accounts for 90% of all cyber attacks. And while you should maintain a rigorous cycle of training modules and consistent IT updates, you can greatly improve the effectiveness of these measures by hiring the right individuals in the first place.

3. Bad (or non-existent) BYOD process

Millennials make up the largest portion of the U.S. workforce today, and Gen Z will be your next generation of employees. These generations are beyond comfortable sharing their personal information. Meanwhile, stopping them from using their personal devices is impossible, and it shouldn’t be necessary.

Personal devices don’t have to be inherently risky, but they do require organizations to have a thoughtful, comprehensive bring your own device (BYOD) policy. This means thinking about how the future of the workplace looks: people working on the go, for example. Help employees avoid the risks of public WiFi with a VPN or hotspot, and lower the risk of lost information by keeping business files in a secure cloud, which makes it unnecessary to store such data on personal devices.

4. A lack of visibility

You’d be surprised how many organizations have little to no visibility when it comes to network activity. But without the ability to monitor user behavior and file movement, you’ll find yourself blindsided when it comes to insider threats. When developing a proactive insider threat plan, CSOs need to be asking, “How much network visibility do we have?”

There is now technology that can establish baseline activity for user behavior, monitor for anomalies, and even automate appropriate actions by, for example, sandboxing the user in question. Take advantage of this ability to know what is on your network, or else risk finding out about an attack after the fact.
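The baseline-and-anomaly idea described above can be sketched in a few lines. This is an added example, not code from the original article or from any product: it builds a per-user baseline of daily file-movement volume (median and median absolute deviation) plus the destinations each user normally writes to, then checks new activity against it. The records, user names, destinations and the threshold of 6 are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (user, day, megabytes_moved, destination)
HISTORY = [
    ("alice", d, mb, "fileserver01")
    for d, mb in enumerate([120, 95, 130, 110, 105, 125, 115], start=1)
] + [
    ("bob", d, mb, "sharepoint")
    for d, mb in enumerate([20, 25, 18, 22, 30, 21, 19], start=1)
]
TODAY = [
    ("alice", 8, 118, "fileserver01"),    # normal volume, known destination
    ("bob", 8, 900, "sharepoint"),        # volume far above bob's baseline
    ("alice", 8, 100, "personal-cloud"),  # destination never seen for alice
]

def build_baseline(history):
    """Per-user median and MAD of daily volume, plus destinations seen."""
    volumes, dests = defaultdict(list), defaultdict(set)
    for user, _day, mb, dest in history:
        volumes[user].append(mb)
        dests[user].add(dest)
    baseline = {}
    for user, vals in volumes.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        baseline[user] = {"median": med, "mad": mad, "dests": dests[user]}
    return baseline

def evaluate(event, baseline, threshold=6.0):
    """Return the reasons an event deviates from the user's baseline."""
    user, _day, mb, dest = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    # Robust z-score; MAD is floored at 1 MB so a flat history cannot divide by zero.
    score = (mb - profile["median"]) / max(profile["mad"], 1.0)
    if score > threshold:
        reasons.append(f"volume {mb} MB is {score:.1f} MADs above median")
    if dest not in profile["dests"]:
        reasons.append(f"new destination {dest}")
    return reasons

if __name__ == "__main__":
    profiles = build_baseline(HISTORY)
    for event in TODAY:
        print(event[0], event[3], evaluate(event, profiles) or "within baseline")
```

Median and MAD are used instead of mean and standard deviation so that one earlier spike in a user's history does not inflate the baseline and hide the next one.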

The insider threat can be slippery. Attacks can originate on numerous fronts, and dealing with them all is daunting. Meeting the challenge requires organizations to cultivate a company culture that values security and to invest in the proper tools to support that culture.


Pete Burke is a senior technical consultant at Force 3. This article was originally published by CSO Online.