This brief post is part 2 in the series on insider risk. Here we will cover some of the reasons the ‘insider threat’ / ‘people risk’ can be realised. This is critical not only to understanding how to monitor for and prevent incidents, but also to ensuring the response is appropriate.
The aim of this post is to highlight the numerous different types of ‘insider threat’. This will hopefully not only get you thinking about the ways this could manifest in your environment, but also why in the majority of cases a term other than ‘insider threat’ is likely more appropriate.
What different actions and causes can lead to the risk being realised? To my mind there are several concerns in this space, all of which can lead to data loss, data corruption or system downtime.
Some examples of these are:
- Accident – e.g. emailing the wrong person, incorrect data entry
- Good intention; unaware of the policies and rules – e.g. emailing work to a personal email account in order to complete it on the train
- Good intention; aware of the policies and rules – as above, but with known intent to break the rules. This is still likely someone who does not want to cause harm; they are just prepared to knowingly break the rules in order to get things done
- Compromised individual – e.g. being coerced or blackmailed
- Bad intent – e.g. sending data out to sell, or changing data in favour of a friend’s business. This is the classic malicious insider, and the main example where the term ‘insider threat’ is most accurate
- Compromised account – e.g. social engineering, shared credentials etc. While technically not actions performed by an insider, these will appear to be an insider, as they will be acting on systems in the context of the compromised user account
While the tools / capabilities / processes that mitigate these risks may be similar, understanding the intent and the outcome is critical to knowing how to remediate.
For example, where colleagues are circumventing the rules in order to deliver results, the best course of action would likely be to understand their needs and provide a secure way of meeting them.
The most serious breaches will likely be related to compromised individuals, compromised accounts or malicious individuals. However, by far the most frequent issues will be related to users either making mistakes or trying to be efficient and work in the best way for themselves.
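To make the point concrete, here is an added example (not code from the original post) that triages a constructed set of data-egress events into the categories listed above and pairs each with the kind of response the post argues for. The signals it uses (personal-mail destination, policy acknowledgement, prior warnings, a login anomaly in the same session, a user-stated intended recipient) and the domain names are assumptions chosen for illustration. Note that it cannot distinguish a coerced individual from a malicious one from the event alone; both route to investigation, which is exactly why the response step needs a human.

```python
"""Triage data-egress events into insider-risk categories (illustrative, constructed data)."""
from dataclasses import dataclass
from typing import Optional

# Assumed set of consumer webmail domains; a real deployment would use its own list.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


@dataclass
class EgressEvent:
    user: str
    recipient_domain: str
    data_classification: str            # "public" | "internal" | "confidential"
    policy_acknowledged: bool           # user has completed acceptable-use training
    prior_warnings: int                 # earlier policy notices issued to this user
    login_anomaly: bool                 # e.g. new device + unusual geography in the same session
    intended_recipient_domain: Optional[str] = None  # where the user says they meant to send it


def triage(ev: EgressEvent) -> tuple[str, str]:
    """Return (category, recommended_response) for one event.

    Order matters: an account-compromise signal overrides everything else,
    because the actions were probably not performed by the named user at all.
    """
    if ev.login_anomaly:
        return ("compromised_account",
                "treat as account compromise: reset credentials, revoke sessions, investigate")
    if ev.intended_recipient_domain and ev.intended_recipient_domain != ev.recipient_domain:
        return ("accident",
                "recall where possible, confirm deletion with recipient, no disciplinary action")
    if ev.recipient_domain in PERSONAL_MAIL_DOMAINS:
        if not ev.policy_acknowledged:
            return ("good_intent_unaware",
                    "deliver awareness training and offer a sanctioned remote-working option")
        if ev.prior_warnings == 0:
            return ("good_intent_aware",
                    "understand the need and provide a secure way of meeting it")
        return ("good_intent_aware_repeat",
                "escalate to line management; review why the secure option is not used")
    if ev.data_classification == "confidential":
        # Malicious and coerced insiders look identical at this point; investigation decides.
        return ("malicious_or_coerced",
                "preserve evidence and hand to insider-risk / HR investigation")
    return ("low_risk", "log only")


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    EgressEvent("alice", "partner.example", "confidential", True, 0, True),
    EgressEvent("bob", "gmail.com", "internal", True, 0, False, intended_recipient_domain="corp.example"),
    EgressEvent("carol", "gmail.com", "internal", False, 0, False),
    EgressEvent("dave", "gmail.com", "internal", True, 0, False),
    EgressEvent("erin", "gmail.com", "internal", True, 2, False),
    EgressEvent("frank", "unknown-broker.example", "confidential", True, 0, False),
    EgressEvent("grace", "partner.example", "internal", True, 0, False),
]


def triage_all(events: list[EgressEvent]) -> list[tuple[str, str]]:
    """Return (user, category) for each event, in order."""
    return [(ev.user, triage(ev)[0]) for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        category, response = triage(ev)
        print(f"{ev.user:6} -> {category:26} {response}")
```

The same "data left the organisation" event lands in five different buckets here purely on context; the tooling that raised the alert is identical in every case, which is the post's point about remediation depending on intent.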
The next posts will cover some of the key ways we can mitigate this risk. Despite my keen interest in technology, we’ll find that some of the most important and effective controls are related to people and processes, such as user awareness training, JML (joiners, movers, leavers) processes, 4-eyes processes etc. Strong technical controls around access, DLP and behavioural monitoring are also critical.