How to recognize and counteract an insider threat?
13.12.2019
The law, of course, protects your business from theft of trade secrets, but it does so only after the fact, when the money is already lost and the reputation can no longer be saved. Experts at the University of New Mexico's cybersecurity laboratory divide insider attacks into two types: situational, that is, one-off information leaks that occurred through negligence or a system failure, and planned, that is, carried out with malicious intent in one way or another. Anyone can be a “mole”: your “right hand” or some economist whose name you don't even remember.
According to the December report of Secure Automatic Technologies, 99% of European organizations have suffered financial losses from insider activity at least three times in their history, and 53% of the companies surveyed have experienced at least one insider attack in the past 12 months. The American Association's Insider Threat 2019 report says that today 61% of bankruptcies in the United States are caused by insiders, and that the threat becomes especially acute while large contracts are being concluded.
In November, experts of the Russian audit and consulting agency EY said in an interview with the newspaper “Kommersant” that “almost every fourth Russian employee steals data one way or another”, and journalists found the real names of the famous “Salisbury tourists” Petrov and Boshirov, leaked by their colleagues from the GDS (General Directorate of the General Staff), quote: “not from a good life”.
An “insider” is an employee of the organization who has access to information that is closed to the general public. He can use that information both to the detriment of the business and for his own enrichment.
“Fantastic Beasts and Where to Find Them”
Anyone can become an insider (literally anyone), but behavioral psychology and personnel profiling can spot the mole at the interview stage or prevent data theft in an already existing team. Personnel psychologists distinguish six types of insiders: negligent, manipulated, offended, disloyal, “moonlighting” and introduced employees. Which of them is the least dangerous link depends very much on the situation. “Negligent” employees may allow a leak through carelessness (and it may turn out to be irreparable), while the activities of the “introduced” gentlemen are aimed directly at undermining your business.
- The “negligent” insider is the most common type of business pest, also called “careless”. As a rule, this is an ordinary employee doing routine mechanical work. Violations of the security policy are unmotivated: mainly the unintentional removal of information from the organization's digital perimeter and its transfer to an unprotected USB drive. The incident itself is not terrible, but the threat grows if sensitive data falls into the wrong hands. Another issue is careless handling of e-mail, or a sticky note with the credentials for the corporate network account carefully stuck to the monitor of a work computer.
- The “manipulated” insider, or “Pinocchio”. The main problem of this type of worker is naivety and excessive credulity. Everything works against the manipulated worker, from colleagues to what is now called “social engineering” (which is, in fact, a banal scam). Imagine: the phone rings, the voice on the other end introduces itself as the director of a real branch of the company, describes a problem in detail and asks him to send critically important documents by e-mail, bypassing the existing commercial security policy. Without even thinking about a possible threat, our “Pinocchio”, rubbing his hands in anticipation of a solid bonus, sends a file with “gold coins” straight to a competitor's e-mail. Done: the leak has happened.
- The “offended” insider (“saboteur”). This type of employee does not seek to steal information about your company; he does not care about the value of intellectual property or the practical benefit of unauthorized use of databases. He seeks to do as much harm as he can. The resentment driving such an employee can be anything: insufficient salary, lack of appreciation in the team, an inappropriate place in the office hierarchy. The employee does not intend to leave the company; he will remain in the shadows until the last moment and cause maximum damage. For example, he can falsify or destroy important documents, steal office supplies, and idle at the workplace. Based on his own ideas about the value of information, this employee decides what data makes sense to steal and to whom to pass it. Often, this is the press or shadow structures.
- “Disloyal” insiders. Most often they coincide with the “offended” type, but they are determined to change jobs or open their own business and become a competitor. For some reason it has become customary that an employee leaving the commercial department takes a copy of the client base with him, and one leaving the economics department takes the financial data. This is the Soviet habit of “taking souvenirs from the desk”, and you need to get rid of it. The most common method of theft is “production necessity”. Disloyal employees differ from “offended” insiders in that, having stolen the information, they do not hide the fact of theft, and sometimes use it as a guarantee of a comfortable dismissal with compensation and positive references.
- The “moonlighting” insiders, the type the EY experts spoke about, are employees who may not be bad people but are in dire need of money. In fact, this is the broadest type of insider. It includes people who have decided to earn a couple of thousand, as well as those who were unwittingly drawn into insider activity through blackmail, extortion or the influence of third parties. Depending on the conditions, they can imitate a “production necessity”, and in the most difficult cases resort to hacking or bribing other employees.
- “Introduced” insiders, or spies from the Hollywood thrillers of the Cold War. As an example, one of the latest Falcongaze cases: the company was engaged in the production of custom goods using NC (numerically controlled) machines. The customer suspected the development department of “leaking” technical documentation, namely the drawings, to competitors. The difficulty was that these were not just drawings but programs, according to whose algorithms the machines worked. The software was loaded into the equipment over the local network directly from the company's office. On the machine itself it was sorted into folders, from which the operators took it and loaded it into the processing software. The nuance was that the machine racks were tightly closed and sealed; only the monitor, mouse and keyboard came out. It was physically impossible to connect a reading device directly to the computer. It turned out that the mouse was connected to the machine via USB. An employee found a similar device and mounted a trimmed-down USB hub inside the mouse, into which a spy flash drive was plugged. For a month the spy device stole information, and after that it went to a competitor. SecureTower discovered the cause of the leak at the trial-use stage.
“Never happened before, and here it is again” - how to counter the insider threat
If you divide employees into those who are already a lost cause and those who can still be saved, the Falcongaze HR group recommends that your HR department pay close attention to “negligent” and “manipulated” employees. Perhaps they simply lack information security skills and do not realize the harm a thoughtless gesture can do to your business. The “offended”, “disloyal” and “introduced” you should get rid of as soon as possible, the “offended” most of all: you will never get any benefit from them.
Install a DLP system. The software will create a powerful secure digital perimeter around your organization's internal network and will flag all attempts to transfer sensitive information outside the enterprise. The system filters and analyzes traffic by statistical and semantic content, which automates the search for disloyal employees, for insiders who were in fact manipulated, and for employees undermining the economic security of your business. Acting within the configured security policy, DLP will notify authorized personnel of violations of the established rules, whether it is an e-mail of dubious content or confidential documents sent to print.
Keep an eye on stale accounts. Often the cause of a leak is departing employees whose credentials for the corporate network are still valid. Sometimes, however, they are far from committing any violation: their logins and passwords fall into the hands of current employees, who commit illegal actions from inside the organization and divert suspicion from themselves. To identify such persons, use bait and pay attention to the “traces” of their work. Deliberate insiders tend to delete large volumes of files in an attempt to disguise their activity.
A common method for identifying insiders is fishing with live bait. An attacker constantly “scours” the corporate network for critical information. You can “leave” an array of extremely valuable-looking files in a shared location and watch who sends the archive to USB, to the cloud or to print.
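The two checks above (stale credentials of departed employees still being used, and a bait file being read and then moved to USB, cloud or printer) as an added example in Python; this is not Falcongaze or SecureTower code, and the audit events, user names, paths and the 24-hour correlation window are all constructed assumptions:

```python
"""Added example (not from the original article): two insider-threat checks run over
constructed audit events: (1) logins with accounts of employees who have already left,
(2) a decoy ("bait") file read and then copied to USB, uploaded to the cloud or printed."""
from datetime import datetime, timedelta

# Constructed sample audit log: (timestamp, user, action, target). Not real data.
EVENTS = [
    ("2019-12-02 09:01:10", "ivanov", "login", "vpn"),
    ("2019-12-02 09:05:44", "ivanov", "file_read", r"\\fs01\finance\bait\contracts_2020.xlsx"),
    ("2019-12-02 09:07:02", "ivanov", "usb_copy", r"E:\contracts_2020.xlsx"),
    ("2019-12-02 10:15:00", "petrova", "file_read", r"\\fs01\finance\bait\contracts_2020.xlsx"),
    ("2019-12-02 18:40:13", "sidorov", "login", "vpn"),  # sidorov left the company in November
    ("2019-12-03 11:00:00", "petrova", "print", r"\\fs01\finance\budget.docx"),
]
TERMINATED = {"sidorov": "2019-11-15"}  # constructed HR list: user -> last working day
DECOY_PATHS = {r"\\fs01\finance\bait\contracts_2020.xlsx"}  # the planted "bait" files
EXFIL_ACTIONS = {"usb_copy", "cloud_upload", "print"}  # channels the article names


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def terminated_account_logins(events, terminated):
    """Logins by accounts whose owner has already left: stale credentials in use."""
    hits = []
    for ts, user, action, target in events:
        if action != "login" or user not in terminated:
            continue
        last_day = datetime.strptime(terminated[user], "%Y-%m-%d").date()
        if _ts(ts).date() > last_day:
            hits.append((user, ts))
    return hits


def decoy_exfil(events, decoy_paths, window=timedelta(hours=24)):
    """Users who read a decoy file and within `window` moved a file of the same name
    to USB, cloud or printer. Matching is by file name, since the destination path
    (e.g. a USB drive letter) differs from the share the decoy was read from."""
    last_read = {}  # (user, file name) -> time of the most recent decoy read
    hits = []
    for ts, user, action, target in sorted(events, key=lambda e: _ts(e[0])):
        name = target.replace("\\", "/").rsplit("/", 1)[-1]
        if action == "file_read" and target in decoy_paths:
            last_read[(user, name)] = _ts(ts)
        elif action in EXFIL_ACTIONS and (user, name) in last_read:
            if _ts(ts) - last_read[(user, name)] <= window:
                hits.append((user, action, ts))
    return hits
```

Reading the decoy alone is not flagged (petrova appears in no result): what matters is the read followed by a transfer through one of the named channels.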
How to recognize an insider
Beyond the functionality of DLP systems, an insider can be recognized even at the interview stage; for this, two universal tools apply: the interview and the experiment. An interview means a survey processed using the method of sociometry. The same method can be applied to an already existing team. Samsung HR Service analyzes corporate personnel for risks using a simple oral questionnaire: “Which of your colleagues would you not take on a business trip?” or “Whom would you share a new creative idea with?”. To check the reliability of the answers, you can conduct repeated polls with different questions. By observing an individual's choices, one can study his type of social behavior in the group. Carrying out a sociometric survey takes no more than 15 minutes.
The experiment consists in deliberately creating special conditions for the person observed, in order to determine from his actions in certain situations how self-centered he is and whether he can empathize with other people. Having hired a person for a probationary period, you can arrange in advance with a long-standing, trusted employee to provoke the newcomer by offering him additional income in an unfair and unlawful way.
In conclusion: understand that insider activity poses no threat to your business only if you are a sole proprietor. Remember that confidential information under conditions of wide access is like an ice cube: at every stage there is less ice, and your hands are in the water. Install a DLP system, invest in security services and HR, regularly hold trainings and seminars on information security, and do not worry that “moles” have been digging through your business garden.