In the cybersecurity sector, we’re usually focused on keeping the bad guys out of our networks. But what if there’s a bad guy on the inside? Such insider threats can put companies at an even bigger risk than an external attacker. Depending on the nature of the organisation, the threat can span beyond data breaches or leaking business secrets, to compromising critical infrastructure and even national security. Yet identifying and defending against insider threats is often not given the attention it warrants.
This is something that Israeli cyber espionage firm NSO Group is learning, as an ex-employee is reportedly being indicted for allegedly attempting to sell company secrets and software on the dark web for USD 50M. Although the sale did not go ahead, this was not due to detective work by NSO Group. The company did not detect the incident itself; rather, it was allegedly alerted to the sale by the prospective buyer. Details of the software and data up for sale are being kept under wraps and are protected by a gag order.
NSO Group isn’t the only organisation to have trouble with internal threat actors. This year, Tesla announced that its code had been sabotaged by a disgruntled employee. In February, a California state department revealed that Social Security numbers from thousands of state workers had been breached by an employee.
The US Government had its own issues with insider threats to national security, most notably Edward Snowden, whose whistleblowing took place while he was working as a computer systems administrator, a role he held as a contractor for the National Security Agency (NSA).
The threat is real
A survey by Cybersecurity Insiders revealed that 52% of organisations confirmed insider attacks against their organisation in the previous 12 months. This all serves as a timely reminder that while external threats are certainly a worthy area of focus, organisations should do what they can to identify and prevent those from within the gates.
This can be managed through cyber security solutions and by observing employee behaviour, but effective permission management and network segmentation are often overlooked—particularly in cases where the insider has successfully taken data outside of the organisation.
One strategy that’s worthwhile is to employ a “zero-trust model”. This means that each employee is given only the access needed to do their job, and no more than that (the principle of least privilege). It’s good practice to review permissions regularly to ensure that staff turnover is accounted for—for example, permissions granted for participation in a particular project are no longer needed once the project has come to an end and should be rescinded.
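The permission review described above is easy to state and easy to let slide, so here is an added example (not from the original article, and not a tool of any organisation named in it) of what a periodic review looks like in code. It takes a constructed inventory of access grants, each tagged with the reason it was issued, and flags the ones that no longer have a live justification: the holder has left, the project behind the grant has ended, or the grant has not been exercised in months. All users, projects, resources and dates are hypothetical.

```python
"""Stale-permission review: flag grants that no longer match an active
reason for access. All sample data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Grant:
    user: str                  # account that holds the permission
    resource: str              # what the permission gives access to
    reason: str                # why it was granted: "role:<name>" or "project:<name>"
    last_used: Optional[date]  # last observed use, None if never used


@dataclass(frozen=True)
class Finding:
    grant: Grant
    reason: str                # why the reviewer should consider rescinding it


# Constructed sample inventory (hypothetical users, projects and resources).
EMPLOYEES: Dict[str, str] = {"alice": "active", "bob": "active", "carol": "left"}
# Project end dates; None means the project is still running.
PROJECTS: Dict[str, Optional[date]] = {"falcon": date(2018, 3, 31), "orion": None}
GRANTS: List[Grant] = [
    Grant("alice", "repo:core", "role:engineer", date(2018, 6, 20)),
    Grant("alice", "share:falcon-data", "project:falcon", date(2018, 4, 2)),
    Grant("bob", "share:orion-data", "project:orion", date(2018, 1, 5)),
    Grant("carol", "repo:core", "role:engineer", date(2018, 5, 30)),
    Grant("bob", "db:customers", "role:engineer", None),
]
REVIEW_DATE = date(2018, 7, 1)  # constructed "today" for the sample data


def review_grants(grants: List[Grant], employees: Dict[str, str],
                  projects: Dict[str, Optional[date]], today: date,
                  stale_days: int = 90) -> List[Finding]:
    """Return one Finding per grant that no longer has a live justification.

    Checks, in priority order: the holder is no longer active, the justifying
    project has ended (or is not in the project register), or the grant has not
    been exercised within stale_days. Dormant access is worth removing even when
    the holder is still employed: it is access nobody is watching.
    """
    findings: List[Finding] = []
    for g in grants:
        if employees.get(g.user) != "active":
            findings.append(Finding(g, f"holder {g.user} is not an active employee"))
            continue
        kind, _, name = g.reason.partition(":")
        if kind == "project":
            if name not in projects:
                findings.append(Finding(g, f"project {name} is unknown"))
                continue
            end = projects[name]
            if end is not None and end < today:
                findings.append(Finding(g, f"project {name} ended {end.isoformat()}"))
                continue
        if g.last_used is None:
            findings.append(Finding(g, "never used"))
        elif (today - g.last_used).days > stale_days:
            findings.append(Finding(g, f"unused for {(today - g.last_used).days} days"))
    return findings


def run_review(today: date = REVIEW_DATE) -> List[Finding]:
    """Run the review over the constructed sample inventory."""
    return review_grants(GRANTS, EMPLOYEES, PROJECTS, today)


if __name__ == "__main__":
    for f in run_review():
        print(f"RESCIND? {f.grant.user:6} {f.grant.resource:18} {f.reason}")
```

In a real deployment the three inputs would come from the HR system, the project register and the access logs of the identity provider or file server; the value of tagging every grant with its reason at issue time is that the review becomes a mechanical comparison rather than a guessing game about who still needs what.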
Since it is often disgruntled employees who are at fault, organisations should make every attempt to know their employees, listen to them and have open conversations, as Debi Ashenden, a professor of cybersecurity at the University of Portsmouth, recently told Wired: “The only way to get to the truth is to have open conversations. A security professional once told me that when you have a relationship of trust with staff, they ‘fess up to things they’d never otherwise tell you.”
The key point to remember is that today, threats can come from any direction—both external and internal. Organisations must remain vigilant, protect their networks and educate their employees, or risk placing their most precious assets under threat, from the inside out.