Insights from our insider threat webinar

Feb 29, 2024
Are you prepared for insider threats? Our latest webinar united experts to explore this complex and evolving challenge.

Bypassing external defences, insider threats pose a complex challenge to organisations, and the magnitude of these potential threats is not always front of mind.

These threats range from corruption, infiltration, and organised crime exploiting insiders to access sensitive data, to disgruntled or financially distressed employees engaging in fraud or theft of company resources. Additionally, individuals in positions of trust or authority may abuse their power for predatory behaviours such as sexual harassment, while the heightened threat from hostile state actors makes intellectual property and data vulnerable to exploitation.

While it’s often the case that risks stem from negligence and accidents, not just malicious intent, the impact of insider threats can be devastating.

In our latest webinar Protecting Against Malicious Insiders, we gathered a panel of experts to explore this extensive and profound threat, what’s driving it, and how we can better protect against it.

In the following article, we share key insights from the discussion. You can also rewatch the full webinar below.

Chaired by our Director of Intelligence and Investigations Matt Horne (a former government and policing law enforcement leader), the panel included:

  • Detective Superintendent Tony O’Sullivan, Head of Counter Corruption Command, Department of Professional Standards, Metropolitan Police
  • Tracey Carpenter, Insider Threat Manager, Cifas
  • Dean Haydon QPM, Former Deputy Assistant Commissioner, Former Senior National Coordinator, Counter Terrorism Policing
  • Jayne Cowell, Defence industry security expert

Impact of home working and social media

Insider threats are multifaceted, but they are also fast-evolving. Panellists highlighted the shift toward remote working as creating new vulnerabilities, such as unsecured conversations and lax data security practices.

“I think everyone will agree that we work in a very different space now, and with that come a huge amount of vulnerabilities,” said Jayne, highlighting a case of insider trading, where the husband of a BP employee pleaded guilty to making £1.3 million in illegal profits after overhearing a conversation about an impending deal.

Remote working also presents a potential lack of oversight over anomalous employee behaviour and activities which could reveal signs of disgruntlement preceding an offence. Vulnerabilities to exploitation by malicious actors, such as isolation, mental health issues, and financial pressures, can be missed. “We’re constantly seeing in the news about the increased use of people being vulnerable, and activities such as gambling and that’s creating so many opportunities for individuals to be dishonest,” said Tracey.

Secondly, advancements in technology and the continued prevalence of social media have opened new attack vectors, enabling perpetrators to target and blackmail employees online, thereby amplifying the risks associated with insider threats.

Highlighting an extreme case of how social media can make people vulnerable to exploitation and attacks, Dean referenced the use of social media by ISIS to research and target UK and US individuals in the military, police, and government.

Why vetting cannot be an ‘MOT check’

There was little doubt over the importance of a rigorous vetting process, although its application must be proportionate to specific roles and responsibilities.

“Robust vetting principles are key to a successful management of business risk…” said Tony, adding that various types of checks, including reference, identity, criminal, financial, and social media screenings, offer valuable insights, provided they are conducted within legal and ethical parameters.

Given the global nature of modern workforces, international hires may necessitate vetting procedures that extend beyond domestic records. It’s also important to ensure that vetting standards do not slip within contractor relationships and the broader supply chain.

However, it is essential to acknowledge that vetting alone is insufficient; it must be complemented by ongoing monitoring, thorough investigations, and the cultivation of a security-aware organisational culture. “Vetting cannot be that MOT check that is done and then it is left for four or five years,” said Tony. “It is an ongoing process.”

Dean agreed that, despite counterterrorism professionals being vetted to the highest level, “we have still seen many examples of individuals that have either deliberately tried to leak information to either other states or into the media.”

A finely tuned intelligence capability is essential

The significance of investigations and intelligence in mitigating insider threats cannot be overstated, particularly in today’s complex and interconnected organisational environments. Organisations require “a finely tuned intelligence capability to sift through all the data all the information to identify those threats early on,” said Tony.

This involves monitoring changes in behaviour, access patterns, and connections to external events, enabling proactive responses to emerging risks. Effective intelligence efforts must encompass both internal scrutiny of systems and data and external assessments of broader risks and factors influencing employee behaviour.

In cases of significant concern, deploying more proactive and covert investigative tactics, such as undercover operations, may be necessary to uncover severe insider risks that traditional methods might miss. Dean described using undercover officers to investigate a case of a former Royal Navy submariner trying to leak nuclear secrets, showing how covert investigations can be necessary in serious cases.

Gathering information from diverse sources, including technology monitoring, external partners, and staff reports, is crucial for developing a comprehensive intelligence picture. Additionally, maintaining robust investigation processes coupled with awareness and education initiatives ensures proper incident handling, and contributes to a proactive security posture within the organisation.

Your questions answered

We welcomed questions from our audience; however, we couldn’t answer all of them during the live webinar. Below, Matt Horne has responded to your questions based on his expertise and opinion.

Q: How safe are organisations that rely solely on security clearance without HR involvement in employee relations or hiring processes?

The vetting of employees is important and should be proportionate to the threat and risk profile of an organisation. Higher standards and deeper levels of vetting will be needed when the risk is high, or where the consequences of a security breach are high.

However, while vetting is important it is only a snapshot of the risk posed by that employee in a moment in time. Therefore, vetting should be combined with aftercare, which should in my view take a 360-degree view of the person and include the fusion of all available sources of information and the involvement of all relevant departments including HR, Occupational Health and line management. All can assist with both supporting employees and identifying emerging vulnerabilities or risk factors.

Q: How frequently do IT/cybersecurity staff become malicious insiders?

While I lack specific data on this issue, it’s important to recognise that any employee has the potential to become a malicious insider, although thankfully the vast majority do not.

It is to be expected that where competent threat actors are seeking to access sensitive or proprietary systems and data within a target organisation, they will consider a broad range of options for exploitation, social engineering or coercion. IT or Cyber Security staff, among other personnel, are likely to be a target in these cases.

Q: Is social media considered a viable intelligence source?

In my opinion, insider threat risk management and mitigation should be proportionate to the threat posed and the consequences of malicious activity.

But that can and often will include the use of open-source intelligence (OSINT) capabilities to manage and mitigate such risks. It is equally important that all relevant insider threat data, intelligence and material, including that obtained from social media, is managed, linked and subject to analysis within a suitable core platform to successfully achieve the operational aims, avoiding the risks of intelligence failure when the dots are not joined up.

Q: What are your thoughts on employing a Covert Human Intelligence Source (CHIS) approach within an organisation?

In terms of the use of covert assets such as CHIS, my opinion is this would be dependent on the level of threat, the consequences of a breach and the proportionality of using such methods. When proportionality and legislative framework enable it, CHIS and all the other covert tactics associated with complex intelligence-led operations can be very effective in insider threat operations, alongside the fusion of data and intelligence.

Would you like to learn more about using Clue to detect, investigate and prevent insider threats? Contact Matt Horne, our Director of Intelligence and Investigations, for a conversation via this form
