Malicious Insiders: The Threat Within

Posted on 25 October 2020

You’ve boarded up the windows to keep the hordes out, but what do you do when the threat is coming from inside the house? Reader beware, malicious insiders could be lurking within your organisation, waiting for the right moment to pounce.

Last Halloween, we put together a spooky selection of cyber-threats to watch out for. This year, we’re zeroing in on a particularly spine-chilling threat that could be haunting your organisation without you even knowing.

Cybersecurity often revolves around protecting against external threats – such as hordes of hackers or phishing scammers galore – and naturally, employees have a huge part to play in fortifying your castle against these threats. But while some well-meaning staff can regrettably fall foul of a scam, there are those employees putting your data at risk on purpose.

What Are Malicious Insiders? 

Malicious insiders (AKA Internal Threats) can be current or former employees, contractors, or any kind of business associates who have legitimate access to your organisation’s systems and data, and who use this power for evil.

While this may sound like the stuff of nightmares, this isn’t Elm Street: malicious insiders tend to blend in and can do a lot of damage without a bladed glove or scary puzzle boxes.

Nefarious parties use the access they’ve been entrusted with to steal, destroy, or sabotage data and systems; what could motivate this appetite for destruction, you ask? The likes of revenge, coercion, ideology, and financial gain.

Regardless of motive, the goal is usually the same: cause serious reputational damage to an employer and make money doing it. Most often, this is via a scam, ransomware attack, or a fraudulent transfer of funds.

What’s worse is that there might even be more than one. Mischievous employees can work as part of a larger group of ghouls, or totally alone. But while individuals can get swept up in the machinations of a group, lone wolves aren’t born, they’re made; this type of malicious insider usually starts off as a disgruntled employee that becomes ever more disillusioned over time, until their lust for revenge takes over.

Alternatively, hackers have been known to approach staff of a target company with a quid pro quo offer, with some employees willingly making a deal with the devil. Cybercriminals slowly tempt employees over to the dark side with the offer of riches; all it will cost them is their employer’s head on a plate. Chilling, no?

Detecting Internal Threats 

While no one wants to believe that a trusted teammate could play both Jekyll and Hyde, protecting your organisation means being suspicious, unmasking villains before they strike.

Although they may think they have you fooled, malicious insiders aren’t invisible men. You can spot their suspicious activity easily if you know where to look. Here are some disturbances in the force to look out for: 

  • Suspicious activity at unusual times (no full moon necessary)
  • Excessive downloading of data 
  • Unusual logins, especially numerous failed admin login attempts 
  • Repeated use/attempted use of unauthorised apps or other resources 
  • Unusual employee behaviour 

Protecting Your Organisation from the Inside 

You don’t need a crystal ball to find out what insidious activity is taking place within your organisation.

First things first, rely on trusted managers and your own keen eye to spot suspicious employee behaviour. Thankfully, though, you won’t have to rely entirely on intuition, as there are some nifty tech solutions that can help – and they’re a bit more reliable than a Ouija board. 

A Security Information and Event Management (SIEM) solution such as Microsoft Azure Sentinel can serve as your eyes and ears. Sentinel uses the data collected by your current cybersecurity measures to spot unusual behaviour, such as sudden user profile changes, invalid login attempts, altered or deleted objects, and other suspicious abnormalities. This empowers your team to assess disturbances and act on them quickly.
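To make the indicators listed above concrete, here is an added example of the kind of rule logic a SIEM applies to your event data. It is not code from the original post and not part of Azure Sentinel; the log format, the thresholds and the approved-app list are all assumptions constructed for the illustration, and a real deployment would tune them against its own baseline of normal behaviour.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs. One event per line: ISO timestamp
# followed by key=value fields.
SAMPLE_EVENTS = """
2020-10-26T09:05:12 user=alice action=login result=success
2020-10-26T09:07:40 user=alice action=download bytes=12000000
2020-10-26T02:14:03 user=bob action=login result=success
2020-10-26T02:15:11 user=bob action=download bytes=900000000
2020-10-26T02:20:45 user=bob action=download bytes=700000000
2020-10-26T11:30:00 user=carol action=admin_login result=failure
2020-10-26T11:30:08 user=carol action=admin_login result=failure
2020-10-26T11:30:15 user=carol action=admin_login result=failure
2020-10-26T11:30:21 user=carol action=admin_login result=failure
2020-10-26T11:30:29 user=carol action=admin_login result=failure
2020-10-26T14:02:10 user=dave action=app_launch app=personal-cloud-sync
2020-10-26T14:05:33 user=dave action=app_launch app=personal-cloud-sync
"""

# Thresholds assumed for this illustration; tune them to your own baseline.
BUSINESS_HOURS = range(8, 18)                 # 08:00-17:59 counts as normal working hours
DOWNLOAD_LIMIT_BYTES = 1_000_000_000          # more than ~1 GB per user in the batch is unusual
FAILED_ADMIN_LOGIN_LIMIT = 3                  # this many failed admin logins or more is suspicious
APPROVED_APPS = {"mail-client", "crm", "erp"}  # anything else is an unauthorised app


def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_insider_indicators(raw_lines):
    """Return sorted (user, indicator) pairs for the warning signs the post lists.

    Each indicator is reported at most once per user, so a burst of the same
    behaviour produces a single finding for an analyst to assess.
    """
    downloads = defaultdict(int)      # user -> total bytes downloaded in this batch
    failed_admin = defaultdict(int)   # user -> failed admin login attempts in this batch
    findings = set()

    for line in raw_lines.strip().splitlines():
        ev = parse_event(line)
        user = ev["user"]
        # Indicator 1: activity at unusual times
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.add((user, "activity_outside_business_hours"))
        # Indicator 2: excessive downloading (summed below)
        if ev["action"] == "download":
            downloads[user] += int(ev["bytes"])
        # Indicator 3: repeated failed admin logins (counted below)
        if ev["action"] == "admin_login" and ev["result"] == "failure":
            failed_admin[user] += 1
        # Indicator 4: use of unauthorised apps
        if ev["action"] == "app_launch" and ev["app"] not in APPROVED_APPS:
            findings.add((user, f"unauthorised_app:{ev['app']}"))

    for user, total in downloads.items():
        if total > DOWNLOAD_LIMIT_BYTES:
            findings.add((user, "excessive_download"))
    for user, count in failed_admin.items():
        if count >= FAILED_ADMIN_LOGIN_LIMIT:
            findings.add((user, "repeated_failed_admin_login"))

    return sorted(findings)


if __name__ == "__main__":
    for user, indicator in detect_insider_indicators(SAMPLE_EVENTS):
        print(f"{user}: {indicator}")
```

Run against the constructed sample, this flags bob for out-of-hours activity and heavy downloading, carol for repeated failed admin logins, and dave for an unapproved app, while alice's ordinary daytime work produces nothing. The findings are leads for a human to assess, not verdicts: the value of a SIEM is that it correlates these signals across sources so the team can act on them quickly, as the paragraph above describes.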

Elsewhere, it’s possible to limit user access via a Privileged Access Management (PAM) solution. By ensuring that users have only the minimum access they need to perform their jobs, access to sensitive corporate information can be restricted. This also helps to narrow down the list of suspects, should the worst occur.

The final piece of the puzzle is, of course, staff satisfaction. Disgruntled employees can become your worst enemy, as they’re likely to seek revenge for any perceived grievances they’ve suffered.

Promote cultural changes within your workplace, educate your employees around security issues, and ensure that HR handles any complaints sensitively. Robust security isn’t just about know-how, but also about attitudes and beliefs; an open and communicative workplace can disarm a disgruntled employee before they even become a threat.

While traditional security measures tend to focus on external threats, malicious insiders are just as risky – if not more so – for your organisation. Insider threat incidents have created real life horror-shows that rocked businesses to their core, but organisations and users can learn from these scary stories to tell in the dark.

Although recovery is possible, like most things, prevention is better than cure – and the formula for success is as simple as a silver bullet: robust security technology, strong identity and access management, and, of course, a great HR policy.

For more information on how we utilise the latest technology to unmask malicious insiders and exorcise any other digital demons that may be haunting you, please contact a member of our dedicated ghost-busting team.
