What is an insider threat?
People are an organisation’s biggest asset, but they also pose the greatest risk. An insider threat is one that arises out of either a mistake or a malicious intention by someone who works within the company. This person could be a full-time or part-time employee, a contractor, a volunteer or someone in the supply chain. An insider threat might also deliberately seek to join an organisation to exploit access.
The most common insider threat happens in error
According to the Centre for the Protection of National Infrastructure (CPNI), an insider threat includes a member of staff who unwittingly causes a breach of security, data or infrastructure – physical or digital – without meaning to do so. News headlines frequently focus on external attacks, but mistakes and negligent actions made by unaware or untrained staff can be a far greater threat.
Most commonly, a threat is created by the simple action of clicking on a link in a phishing email. The Cyber Security Breaches Survey 2020 reported that the most common cyber security threat was fraudulent emails. Of the 86% of businesses that reported phishing emails, 67% highlighted the risk further by reporting that these attacks were the most disruptive breach they had responded to.
Phishing emails attempt to convince the recipient to click on dangerous links and attachments. Without the necessary security controls in place, clicking on these links may result in the download of malware, or theft of sensitive information. At an organisational level, you might get caught up in a mass campaign, or it could be a targeted attack against your company. Often called spearphishing due to the targeted nature, an attacker will use information about employees and senior staff so that the email looks more credible. Tactics may be deliberately deployed to put members of staff in an uncomfortable position, such as the threat of losing their job or letting the company down.
The CPNI urges organisations to create a company culture that supports the workforce to make good choices. An information security management system (ISMS) such as the IASME Governance standard is a documented, systematic approach that addresses people, processes and technology. SMEs in particular will find the IASME Governance certification accessible and affordable. Implementing such a comprehensive security standard helps embed good security awareness, knowledge and behaviour within an organisation as business as usual.
The malicious insider threat is still a risk
Supporting and training staff will certainly reduce mistakes; however, the intentional insider threat is still a very real prospect. According to the Cyber Security Breaches Survey 2019, 75% of businesses and 76% of charities that identified breaches stated that their most disruptive threat was intentional.
Malicious insider threats could be from an existing member of the workforce acting for their own benefit, or an ex-member of the workforce abusing their former access. It could even be caused by an existing member of your workforce being coerced or recruited by a third party into conducting an insider act.
Research conducted by the CPNI has shown that the reasons a staff member would attempt to intentionally threaten a company are complex. A disgruntled employee might find that they can exploit their access to systems, deliberately abuse their position, or form a desire to get revenge for mistreatment or on behalf of an ideological cause.
The single largest factor that determines whether a member of staff is compelled to become a threat is company culture. Employee dissatisfaction with the organisation may have intensified during the pandemic, due to increased strain on everyday life, furlough policies and new ways of remote working.
There is a clear link between malicious insider threat and weaknesses in an organisation’s security and management processes. According to CPNI, positive and visible board-level support for protective security is vital to the value placed on people, security policies and procedures. A low level of line-management oversight, for example, can leave early warning signs undetected, allowing opportunistic feelings to intensify.
Create more personnel measures to mitigate against insider threat
One way to create a framework that mitigates against an insider threat is to minimise the risk of recruiting staff who are likely to present a security concern. The other way is to minimise the likelihood of existing employees becoming a security concern.
With 28% of incidents taking place out of working hours, and with 28% of incidents happening from a remote location, tackling the insider threat can also be a case of actively creating the working conditions that help to stop it. This could mean setting up face-to-face or screen-to-screen reviews, as well as ensuring robust line-management to create effective reporting mechanisms. This goes together with assessing the work-life balance of staff at an organisation, a particular concern during the COVID-19 pandemic.
A strong security culture provides a deterrent to harmful insider activity. When a workforce has a good level of security awareness, they are less likely to become unwitting insiders and more likely to report concerning behaviour when they recognise it. In addition to technical controls, an open and transparent company culture where security is actively promoted as the responsibility of all staff is a key part of security.
A lack of oversight contributes significantly to insider threat
While there is a link between poor company culture and an intentional insider threat, research by CPNI also shows that a clear motivation is financial gain. The rise in awareness of fraud in the charity sector since the 2018 alert from the National Fraud Intelligence Bureau (NFIB) is a clear sign that financial motivation is being overlooked where controls, oversight and procedures are lacking.
The Charity Commission Annual Report highlights the way charities do not always know how vulnerable they are. The Report shows that the gap between awareness and practical action is a threat to valuable funds, as well as public trust, and charities still need to put basic checks and balances in place to protect themselves. Most charities (85%) thought they were doing everything they could to prevent fraud, but almost half didn’t have good-practice protections in place. Many incidents go undetected due to lack of proper data control measures.
According to the Charity Commission Annual Report, 53% of charities affected by fraud knew the perpetrator. The report found these threats were enabled by a combination of poor oversight, no internal controls, and too much responsibility placed in one person.
Poor oversight in particular is a large factor in enabling insider threat. Certainly in the charity sector, insider fraud can pose a greater threat than external fraud because of differing access levels to proprietary personal data and knowledge of the small organisation’s inner workings. In a sector that relies on trust and goodwill, this can be easily exploited by fraudsters. A strong counter-fraud culture can be developed to encourage a willingness to challenge behaviour and to use prevention controls. The insider risk that exists in charities shows the importance of putting clear policies and procedures in place alongside robust financial controls.
Counter Fraud Fundamentals (CFF) is a scheme that was developed by a team of counter fraud experts in partnership between IASME and Open Banking Implementation Entity. The scheme helps any organisation that deals with financial transactions to demonstrate that they have put the fundamentals in place regarding fraud detection, prevention and investigation.
Charities can certify to Cyber Essentials to reassure their donors that they have the basic cyber security controls in place. Check out the Cyber Essentials Readiness Tool to see if you are ready to certify.
During the week 8 – 12 November, IASME is offering a discount to charities applying for the Cyber Essentials certification. As part of our Charity Cyber Security Awareness week, we have developed specific guidance for charities to help you complete the Readiness Tool.
Please note, this blog may contain guidance and information that is outdated.
On 24th January 2022, the Cyber Essentials technical requirements were updated in line with current cyber security threats. The self-assessment question set changed from version ‘Beacon’ to version ‘Evendine’. Blogs and articles published before that date may no longer accurately reflect the Cyber Essentials requirements.