Intentional vs. malicious insider threats

Notably, not all insider threats are intentional, the majority stem from complacency and carelessness.

Fundamentally, insider threats can lead to substantial risks to our National Security, loss of intellectual property, theft, fraud, and sabotage. An insider attack on a critical infrastructure facility can cost up to $15 million per event; costs may be compounded by the loss of intellectual property and sensitive data to threat actors, combined with hefty legal penalties due to non-compliance with regulations such as GDPR.

While malicious insider threats can stem from disgruntled employees with their agenda, they are often connected to the wider threat ecosystem, which requires comprehensive approaches to mitigation and counteraction.

Organised crime groups and state actors often play a role in insider threats, leveraging insiders to facilitate access or theft within organisations. Similarly, activists, journalists, or competitors may manipulate insiders to advance their agendas, highlighting the diverse motivations behind insider threats.

Global events and evolving tactics can influence the dynamics of insider threats. Geopolitical conflicts can heighten the risks of espionage and sabotage by state actors, while the rise of remote work introduces many
security vulnerabilities.

How insider threats are evolving

The risk posed by insider threats is continually evolving. Remote work and emerging technologies like AI are reshaping the landscape, introducing new vulnerabilities and challenges such as unsecured networks and sophisticated social engineering tactics.

Remote Working

The transition to remote work during the pandemic has significantly amplified insider threat vulnerabilities. As Jayne explains, “When working remotely, there are not the same strict security guidelines as working on-site.” This shift can lead employees to grow complacent in their home environments, potentially trusting family members and continuing work in their presence. “We tend to forget the overseeing and overhearing when at home or in a coffee house,” Jayne adds. The case of Tyler Loudon exemplifies these risks; he exploited the opportunity to eavesdrop on his wife’s remote work conversations, leading to engagement in securities fraud, as she was a BP executive.

Moreover, the proliferation of BYOD (Bring Your Own Device) and the practice of using devices in public spaces exacerbate the risks of data exposure and equipment loss or theft.

Social Media

Social media exacerbates the insider threat landscape by fostering a culture of oversharing personal details and emotions across multiple platforms. The blurred boundaries between personal and professional realms online create openings for inadvertent data leaks, rendering such information invaluable to threat actors targeting specific organisations.

On platforms like LinkedIn, employees may inadvertently disclose sensitive information, including security clearance details. While it’s natural for individuals to take pride in their work and achievements, excessive sharing on LinkedIn can make them prime targets for threat actors.

Furthermore, engagement in “think tanks” and commenting on related discussions can unintentionally lead individuals to disclose more information than is advisable, thereby heightening the risk of exploitation.

AI and Deepfakes

“AI is potentially going to cause additional and complex problems,” warns Jayne.

AI and deepfake technology could pose new challenges for managing insider threats. Malicious insiders can fabricate incriminating evidence or impersonate key personnel convincingly, complicating detection and mitigation efforts. Traditional authentication methods may prove inadequate against AI-generated forgeries, highlighting the need for advanced detection and response strategies.

Insider threat examples

The following real-world examples from high-profile organisations underscore the various ways insider threats can materialise due to both careless and malicious actions, along with the substantial potential financial and reputational repercussions involved.

An employee from a global aerospace company inadvertently emails sensitive data.

An employee inadvertently compromised sensitive data by emailing a spreadsheet containing the personal information of approximately 36,000 coworkers to a non-employee. This breach, intended to resolve formatting issues, circumvented security protocols and exposed employee IDs, birthplaces, and social security numbers. The affected organisation offered affected employees two years of free credit monitoring, incurring an estimated cost of £5 million.

A disgruntled employee from a healthcare manufacturer retaliates.

An employee retaliated after being furloughed during a challenging period. They accessed the company’s systems through a secret account and deleted critical data, adversely impacting operations.

Former electric vehicle company employee steals intellectual property.

A former employee downloaded thousands of files related to the organisation’s program onto their personal device before joining another company. This act of theft could have furnished a competitive advantage to the new employer, potentially resulting in losses for the organisation, which subsequently pursued legal action.

12 steps to develop an insider threat mitigation strategy

While certain industries are more vulnerable, every organisation faces insider threat risks. Despite their potential impact, awareness of these threats remains inadequate.

“I see so many people concentrating on physical and cybersecurity and missing personnel security. You need to cover all these areas as they are interdependent of each other. CEOs and other senior executives need to recognise, understand and own the threat,”  says Jayne. “And it’s not rocket science, it’s just common sense response.”

Social Media

Mitigating insider threats demands a comprehensive approach, emphasising awareness and proactive measures. Organisations should prioritise insider threat awareness training, establish robust security policies, conduct regular risk assessments, and utilise technology solutions for detection and response.

Jayne recommends implementing these mitigation tactics across all organisations.

1. Conduct thorough risk assessments to pinpoint critical assets, areas, and personnel. Foster internal collaboration with key stakeholders such as HR, Legal, HSE, Ethics, Cyber, and IT to identify and monitor risks regularly, employing appropriate mitigation strategies and ensuring ongoing review.

2. Establish a transparent governance framework with clear ownership from senior leadership to effectively manage the risk. Leverage established frameworks such as those provided by the National Protective Security Authority (NPSA) or Industry Personnel Security Assurance (IPSA) to benchmark best practices and enhance security measures.

3. Develop explicit policies for employee vetting, monitoring, and incident response to promote transparency and accountability. Ensure ongoing support and care for existing employees, fostering collaboration with HR, HSE, and Legal departments.

4. Implement a robust pre-employment screening process, supported by trained security and HR/Recruitment staff, to facilitate secure and effective hiring practices.

5. Define clear roles and responsibilities for investigating incidents and disciplinary procedures, ensuring prompt, fair, and thorough resolution. Integrate security into these processes seamlessly.

6. Develop response plans for insider events, conduct regular drills, and ensure all responders receive adequate training.

7. Consider deploying anomaly detection tools on networks to proactively identify abnormal user behaviours and potential data breaches.

8. Implement a third-party reporting system for anonymous incident reporting and maintain comprehensive records of internal and external intelligence, facilitating appropriate briefings and debriefings.

9. Establish a centralised repository for personnel, security, and legal records to streamline information management and access control.

10. Strengthen supply chain security measures to manage third-party risks effectively and enforce adherence to security protocols.

11. Maintain collaborative ties with external groups to stay abreast of emerging risks and tactics, enabling proactive adaptation to evolving threat landscapes. Establish connections with organisations like the NSPA, the National Cyber Security Centre (NCSC) within the UK Government Communications Headquarters (GCHQ), and local law enforcement agencies for valuable insights.

12. Implement a comprehensive ‘Security Culture’ programme, including education and awareness initiatives such as inductions, refresher courses, and specialised seminars. Provide tailored security awareness training to different employee cohorts to recognise and mitigate insider threats effectively. Additionally, train supervisors and managers on their responsibilities regarding insider threats.

Navigating the risk of insider threats

Insider threats will persist, posing even greater challenges for organisations. Remote work arrangements, technological advancements, and geopolitical shifts will shape the future threat landscape. Staying ahead requires organisations to remain vigilant, adapt their security strategies, and foster a culture of security awareness at all levels.

While acquiring buy-in for preventative approaches can be challenging, convincing organisations to invest in insider threat mitigation requires highlighting the real risks and consequences. Presenting statistics, demonstrating the interconnectedness of insider threats with broader security priorities, and leveraging resources from organisations like NPSA & NCSC can help build the investment case. Proposing comprehensive risk assessment and mitigation programs, tailored to the organisation’s needs, can further underscore the importance of proactive measures. “It’s a long-term investment, and you will reap rewards later on,” says Jayne.

However, “you can only really reduce or mitigate an insider threat,” she adds. “Very rarely can you remove a risk completely, especially where people are concerned. People are our greatest assets but can also be our greatest vulnerability”.

“Insider Threat is a pressing risk for organisations large and small, with the sources of risk proliferating and the potential damage to organisations increasing exponentially. Technology, geopolitical fractures, cost of living pressures, as well as trends in organised crime, fraud and espionage all contribute to a complex threat which requires real effort to counter effectively. At Clue we are focused on bringing technology to bear in the important work of mitigating insider threat risk for our customers and our communities. I’d like to thank Jayne for her expert guidance, advice and insights shared in this article.” Matt Horne, Director Intelligence and Investigations, Clue Software

If you’d like to learn how technology can support an effective Insider Threat mitigation strategy, contact our Director of Intelligence and Investigations, Matt Horne, via this form.