How to Root Out Malicious Employees


Malicious employees and insider threats pose one of the biggest security risks to organizations, because these users already hold more access and permissions than a cyber criminal attacking the organization from outside.

Most organizations appear unaware of the scale of these threats. Employees usually receive training on spotting the signs of external attackers, such as phishing and vishing messages, but few organizations prepare staff or publish guidelines for recognising malicious and negligent colleagues in the same way.

A recent report from DTEX highlighted that IP theft is at an all-time high because insiders are colluding with foreign governments. Uber’s breach just a few years ago, which involved an adversary purchasing access to an internal user account, demonstrates the detrimental impact that can arise from a lack of awareness and policy in place around internal threats.

Understanding the types of threat to look out for and putting the correct frameworks in place will help to reduce the likelihood of insider threats occurring.

The main insider threats to businesses

There are several critical insider threats that organizations need to remain vigilant against. Denial-of-Service (DoS) attacks are a common concern; these are often carried out by malicious employees who possess extensive knowledge of the company’s systems and networks, flooding those systems with illegitimate requests or exploiting vulnerabilities that cause them to crash or become unavailable to their users.

The risks associated with employees leaving the company with sensitive information or access credentials need to be considered as well. A standard protocol should be in place to ensure that former employees’ access is removed on departure, so that they have no remaining means of compromising security.
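One way to turn that protocol into a recurring check, as an added example that is not part of the article or its authors’ work: reconcile the HR leaver list against a directory export and flag leavers whose accounts are still enabled or were used after their termination date. The CSV layouts, field names and sample records are constructed for illustration.

```python
"""Reconcile an HR leaver list against a directory export to find
leaver accounts that were not deprovisioned. Added example; the CSV
layouts, field names and records below are constructed, not real data."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: HR leavers (who left, and when)
HR_LEAVERS_CSV = """username,termination_date
jsmith,2024-03-01
ajones,2024-03-15
kbrown,2024-04-02
"""

# Constructed sample: directory export (account state, last logon, UTC)
DIRECTORY_CSV = """username,enabled,last_logon
jsmith,true,2024-03-20T09:12:00Z
ajones,false,2024-03-14T17:40:00Z
kbrown,true,2024-04-01T08:05:00Z
mwhite,true,2024-04-10T10:00:00Z
"""


def _parse_utc(value, fmt):
    """Parse a timestamp string as a timezone-aware UTC datetime."""
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def find_stale_leaver_accounts(hr_csv, directory_csv):
    """Return {username: [findings]} for leavers whose accounts still exist
    and are either still enabled or show a logon after the leaving date."""
    leavers = {r["username"]: _parse_utc(r["termination_date"], "%Y-%m-%d")
               for r in csv.DictReader(io.StringIO(hr_csv))}
    accounts = {r["username"]: r for r in csv.DictReader(io.StringIO(directory_csv))}
    findings = {}
    for user, left_on in leavers.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # account removed entirely: deprovisioning worked
        issues = []
        if acct["enabled"].strip().lower() == "true":
            issues.append("still enabled")
        # A logon after termination is the strongest sign the access was used
        if _parse_utc(acct["last_logon"], "%Y-%m-%dT%H:%M:%SZ") > left_on:
            issues.append("logon after termination")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in find_stale_leaver_accounts(HR_LEAVERS_CSV, DIRECTORY_CSV).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts that are disabled but not deleted (ajones above) pass the check; a stricter policy would also flag accounts that still exist at all after a grace period.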

Malicious deletion of crucial systems or data by an insider can have a catastrophic immediate impact on a company. A loss of data or period of inactivity can lead to significant complications, including financial losses, damage to reputation, and a loss of trust from clients and partners. Legal recourse may be available to address the employee’s actions but the damage will have already been done.

Negligent employees pose a similar threat

Not all insider attacks are caused by malicious employees; some are the result of negligence instead, yet pose just as much danger. The rise in AI usage and LLM tools has increased the chances of negligent employees leaking information to cyber criminals through accidental disclosure.

Employees may paste data into AI or LLM tools to carry out activities such as data sorting or code checking. That data is likely to be ‘ingested’ by the model for training (often permitted and set out in the T&Cs) and then used to answer other users, leaking the sensitive information. For example, if a user uploads details of a confidential project to an LLM, that data might later be used to answer other individuals who ask questions like “Tell me about Project X.” Companies need to make sure clear policies are in place for the professional use of AI and LLM tools.

Additionally, some LLMs support ‘add-ons’ that can be leveraged to exfiltrate data entered into the tool, leading to similar data leakage. This makes it all the more critical that organizations have systems in place to limit unauthorised exposure of data.

Organisations need to put the right tools in place to prevent insider threats

Despite the rising sophistication of insider threats, many organizations still lack the necessary tools to detect or prevent employees from copying sensitive information to portable devices and leaving the premises. This fundamental vulnerability highlights a critical area where many organizations need to improve their security measures and monitoring capabilities to effectively combat insider threats.

To effectively root out malicious insiders, organizations must invest in comprehensive security tools and practices, such as robust monitoring systems, strict access controls, and regular audits.

Additionally, fostering a culture of security awareness and implementing clear guidelines for reporting suspicious activities are essential steps in mitigating the risk posed by insider threats.

The first step to mitigating insider threat

Implementing ISO 27001 and ISO 42001 into business operations is a good way to begin reducing the risk of insider threats. Both are valuable frameworks that help to establish rigorous procedures and controls.

It’s important to make sure these frameworks aren’t reduced to tick-box exercises and are instead embedded in daily operations.

ISO 27001 focuses on a systematic approach to information security management, emphasizing regular audits, access controls, and comprehensive employee training.

Similarly, ISO 42001 provides a structured approach to occupational health and safety management, which can indirectly support security efforts by promoting a safer work environment.

The challenge is integrating these standards into everyday business practice, and ensuring they are enforced and updated. Organizations need to embed them into their operational practices, taking a proactive stance against insider threats and increasing security awareness among employees.

About the Author

Louis Blackburn is Operations Director at CovertSwarm. As Operations Director, Louis brings robust commercial cybersecurity and red-teaming experience to his role overseeing the company’s day-to-day operations. His focus is on optimizing the functionality of the company’s growing team of ethical hackers, known internally as the Swarm. He is also responsible for identifying evolving attack vectors crucial to advancing CovertSwarm’s groundbreaking Attack Surface Management Platform, the CovertSwarm Portal.

Previously, Louis led the internal Red Team at Lloyds Banking Group and served as a Computer Forensic Analyst at the Eastern Region Special Operations Unit.

Martin Ellis is a Swarm Member at CovertSwarm. Part of the founding team at CovertSwarm, Martin is responsible for helping clients improve their security posture through offensive review of applications, guidance on best practices and training on security principles. Martin has a demonstrated background in the cyber security industry, with a focus on application testing.
