Protecting against insider threats

When discussing insider threats, we refer to security risks posed by individuals within businesses who have access to sensitive data and systems and who, intentionally or unintentionally, misuse that access and compromise security.

These threats can come from employees, third-party contractors, or even disgruntled business partners. Insider threats are particularly challenging to detect and prevent because insiders often have legitimate access to systems and data. Segregating duties within businesses is a crucial countermeasure because it forces would-be fraudsters to collude, and fraud is less likely to happen when it requires more than one person.

I considered writing this article while reminiscing over my days at the University of Teesside (now rebranded as Teesside University). In the first semester back in 1993, our class was broken into teams of 4 or 5 and given topics to research and prepare a 30-minute presentation; ours was computer crime.

I recall concluding with the importance of hiring trustworthy staff. I referred to Gus Gorman, played by Richard Pryor in Superman III, who collected all the ½ cents from everyone’s salary after rounding down to the nearest cent. He added them to his salary and bought himself a new car. Background checks are at the top of my list of countermeasures, including verification of the following:

  • Employment History – the investigation into employment history will vary from role to role. At a minimum, it must include verification of the start and end dates of employment, job titles, and responsibilities. Speaking with referees will add additional insights such as:
    • Validation of candidate claims such as achievements and awards
    • Overall attendance records
    • Reason for leaving
    • Job performance
  • Academic qualifications and professional certifications – academic institutions, professional bodies, and product vendors offering degree courses, certificates or certifications allow a third party to verify a candidate’s claim, either online or offline. If the human resources onboarding process involves these checks, someone is unlikely to lie about qualifications and get away with it.
  • Financial checks – it may seem unfair to deny or deprive someone of an opportunity for work because they have poor finances; the job itself would probably make their problems disappear. However, from a risk perspective, hiring someone with significant financial issues could leave them susceptible to accepting bribes or open to blackmail in cases where someone could lose their job if their employer found out about large debts.
  • Disclosure and Barring Service (DBS) – these checks differ depending on the role. Most employment opportunities should only require a basic DBS check, but positions involving children involve a more comprehensive background check. Depending on the type of check, the DBS check returns details of an individual’s criminal record, including spent and unspent convictions, cautions, and any reprimands or final warnings. The DBS certificate can also include soft intelligence held by police that they consider relevant to the role.

Hiring the right people is at the top of my list, but:

  • The wrong people might still slip through the net.
  • The right people can still become disgruntled over time.
  • People do become disillusioned or disenfranchised over time for many reasons.

We must consider a more comprehensive suite of countermeasures to mitigate insider threats. Here is a selection:

  • Training and awareness – implement a security awareness programme that:
    • Includes educating employees about the risks of insider threats
    • Encourages reporting of suspicious activities
  • Access control
    • Implement strong access controls.
    • Use the Principle of Least Privilege (PoLP) to limit access to systems and sensitive data based on job role and need to know/access.
    • Implement Privileged Access Management (PAM) to control and monitor privileged access.
    • Enable Multi-Factor Authentication (MFA) for access to critical systems and data.
    • Immediately revoke access to systems when employees leave the business.
    • Control physical access to sensitive areas within the business.
    • Conduct regular user access audits.
  • User activity monitoring – log and monitor user activities to detect suspicious or unauthorised behaviour. Consider using behavioural analysis tools to identify unusual behaviour patterns.
  • Data Loss Prevention (DLP) – deploy a DLP solution to monitor and restrict the movement of sensitive data.
  • Segregation of Duties – prevent errors and fraud by ensuring that no individual controls all aspects of any critical financial or operational process. As mentioned earlier, segregating duties forces two or more persons to conspire to carry out fraudulent activities, reducing the risk of it happening.
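One way to put the user access audit, leaver revocation and segregation-of-duties points above into practice. This is an added example, not code from the article; the usernames, role names and dates are constructed, and the "toxic combination" pairs are illustrative assumptions about which roles should never sit with one person:

```python
# Added example (not from the original article): a small access-audit check
# over constructed sample data. It flags (1) leavers whose accounts are still
# enabled after their last working day, and (2) active users holding a pair of
# roles that breaks segregation of duties.
from datetime import date

# Constructed sample data; usernames and role names are hypothetical.
HR_LEAVERS = {"bsmith": "2024-03-31"}   # username -> last working day (ISO date)
IAM_USERS = {
    "bsmith": {"enabled": True,  "roles": {"ap_clerk"}},
    "jdoe":   {"enabled": True,  "roles": {"vendor_admin", "payment_approver"}},
    "agreen": {"enabled": True,  "roles": {"vendor_admin"}},
    "mlee":   {"enabled": False, "roles": {"payment_approver"}},
}
# Role pairs that no single person should hold at the same time (assumed policy).
TOXIC_COMBINATIONS = [
    frozenset({"vendor_admin", "payment_approver"}),  # create a vendor and pay it
    frozenset({"ap_clerk", "payment_approver"}),      # raise an invoice and approve it
]

def stale_leaver_accounts(users, leavers, today_iso):
    """Usernames of leavers whose account is still enabled after their last day."""
    today = date.fromisoformat(today_iso)
    return sorted(u for u, last_day in leavers.items()
                  if u in users and users[u]["enabled"]
                  and today > date.fromisoformat(last_day))

def sod_violations(users, toxic):
    """(username, conflicting roles) for every enabled user holding a toxic pair."""
    hits = []
    for name, info in users.items():
        if not info["enabled"]:          # disabled accounts cannot act, so skip them
            continue
        for combo in toxic:
            if combo <= info["roles"]:   # user holds every role in the pair
                hits.append((name, tuple(sorted(combo))))
    return sorted(hits)

def audit_report(users, leavers, toxic, today_iso):
    """Combine both checks into one report for the access audit."""
    return {"stale_leavers": stale_leaver_accounts(users, leavers, today_iso),
            "sod_violations": sod_violations(users, toxic)}

if __name__ == "__main__":
    report = audit_report(IAM_USERS, HR_LEAVERS, TOXIC_COMBINATIONS, "2024-04-15")
    for check, findings in report.items():
        print(f"{check}: {findings or 'none'}")
```

In a real audit the two dictionaries would be fed from the HR leaver list and an export from the identity provider, and every finding should result in an access revocation or a documented exception.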

There is no single countermeasure to provide complete protection against insider threats. An effective strategy involves a combination of:

  • Technical solutions
  • Employee education and reporting suspicious activity
  • Proactive monitoring
  • Auditing control effectiveness and strengthening countermeasures

Psychological support also plays an essential role in preventing insider threats, since any number of personal difficulties could be the trigger that leads to malicious behaviour.

Proliferation and mitigation of Shadow IT

Shadow IT is the use of unsanctioned systems and technology:

  • Individual employees or departments typically adopt it to meet a specific need.
  • It is introduced to enhance productivity or to resolve immediate problems and challenges but gradually becomes embedded into the business.
  • The deployment bypasses a formal IT procurement and approval process.
  • Often, it becomes part of a business-critical process without awareness within the IT or Information Security departments.
  • Documentation is not always readily available, if it exists at all.

The proliferation of Shadow IT introduces many risks:

  • Information security is a significant concern with Shadow IT as unapproved software and services may not adhere to the implemented security standards and leave data vulnerable to cyber-attacks.
  • Shadow IT can result in non-compliance with industry regulations and legal requirements, leading to fines and reputational damage. Uncontrolled IT systems could, for example, bypass data retention policies.
  • The IT and Information Security departments lose visibility and control over technology, and that can disrupt troubleshooting, security monitoring, and ongoing maintenance.
  • Unsanctioned IT solutions can lead to unexpected expenses such as:
    • Needing to find specialised skills because of staff turnover
    • Replacing the system with an approved alternative
    • Integrating processes into existing solutions
  • When employees use unapproved software tools, it can lead to:
    • Information stored in multiple locations without managed data backups
    • Data fragmentation or data loss, and consequently, the use of incorrect versions of data or incomplete data sets to make decisions.

Countermeasures for addressing Shadow IT include:

  • Raise awareness throughout the business about the risks to ensure employees understand the importance of IT policies and procedures.
  • Develop and communicate clear IT policies and guidelines for requesting new software solutions.
  • Implement IT governance that involves key stakeholders in the decision-making process for IT purchases.
  • Maintain an inventory and assess the IT environment to identify unauthorised software or services.
  • Work closely with business units to understand their needs and make it easier for employees to use approved alternatives that fulfil their requirements.
  • Encourage open communication between IT and other departments to understand their needs and challenges.
  • Implement robust security measures to mitigate Shadow IT risks.
  • Provide training and support for employees in using approved IT solutions to reduce the motivation to seek or develop unauthorised alternatives.