The Threat Within

We previously posted this article a while ago but it’s still just as relevant today…..

But what exactly is the insider threat? What, or rather who, is an insider? Security professionals and government agencies all have their own definitions and all of these that I’ve read differ in their own little way, but fundamentally the meaning is the same.

I am not going to quote each and every definition but the important thing to remember is that an insider is a person to whom you have given legitimate access to your assets. In my opinion a former employee does not fall into this definition (and so is not an insider) as they no longer have legitimate access. In fact, their activities are likely to constitute a criminal offence in themselves.

In the counter terrorism arena we talk a lot about capability vs motivation. Terrorists have motivation in buckets but most lack the capability – for example they cannot access the materials to build an effective IED. On the flip-side the insider has the motivation but also the capability as they have the in-depth knowledge of your organisation and the way in which you go about your business.

Companies are understandably slow to come forward and admit about their insider incidents as it could demonstrate a weakness in their internal processes or systems. This weakness could lead to uncomfortable questions from shareholders and governing bodies. The majority of insider incidents are reported by co-workers who experience suspicious activity but many still go undetected.

An Insider can be anyone in your organisation, anyone from the part time cleaner right up to a member of senior management. There is no ‘one size fits all’ profile for the insider, but there are a number of warning signs which could identify that you have a problem. It is important to remember though that current staff can become an insider, so ‘Jim’ who has been at his middle management role for 6 years and has a clean record may have a sudden change in personal circumstances (he could fall into financial difficulties) and could become a threat!

There is a massive misunderstanding and a lack of experience when it comes to the insider threat and this stems from no one department taking responsibility for it. The HR department generally deals with pre-employment screening (although in our opinion the security team should), IT systems are taken care of by the IT geeks wearing sci-fi t-shirts and musical ties, and any resulting investigation is dealt with by the security team.

There are various different types of insiders and the threat they pose will be different to each of you but in general they are:
  • Single Action Groups (animal activists or swampy students) – to cause harm, damage or media coverage
  • Terrorists – to cause large scale harm and to maximise media coverage
  • The Lone Wolf – because they want to and can! They are not part of any other group
  • Journalists – to identify an loop hole and to sell more newspapers
  • Domestic or Foreign Intelligence Service
  • Competitors (corporate espionage) – trying to gain trade secrets, insider trading information or just to gain the upper hand over you
  • Disaffected Staff – revenge for not giving them that promotion/pay rise or someone who thinks they know better then the organisation itself.
  • 3rd Party Facilitation – helping somebody else to gain entry or supplying someone else with the data to commit crime, admin account login/password or giving them your building access card.
  • Unknown Pawns – exploited via various means but one way could be via social engineering or ‘water cooler talk’. Normally these types of insider are unaware of the information they are supplying others with.

Why do these people do what they do?

  • Kudos
  • Reward
  • Personal Mission
  • In the name of Public Interest
  • Identify an issue or wrong doing
  • Revenge
  • Intelligence
  • Facilitation of Crime
The effects of an insider can be far reaching but may include:
  • Reputational Damage – poor media coverage, loss of investment opportunities
  • Financial Loss – Loss of sales or fines imposed by the ICOor regulating authorities (e.g.: Ofcom or the FSA).
  • Physical Damage
  • Unrest Internally with Staff – potential a lack of trust between staff
  • Loss of Operational Service
  • Loss of IT Service (normally via denial of service attacks)
  • Theft
  • Fraud
  • Poor International Relations
I keep coming back to it, but the single most important factor to consider is that these people have legitimate access, but what does it mean?. For me, this means they have already bypassed the majority of your physical and electronic security measures which protect you. Insiders are placed into organisations for the long term to build your trust, to gain a very in-depth understanding of your processes and the assets they are interested in. Even law enforcement are concerned that people with clean records will join in entry level roles and will raise through the ranks in order to supply serious organised criminals with information to assist them in committing crimes.
There have been numerous incidents of insiders
There are many tools in organisations to prevent these threats and most fall under the security specialism of Personnel Security, some of these are:
  • A robust pre-employment screening regime (most potential insiders can be detected at this stage – especially journalists and people that have clearly lied on application forms or CV’s)
  • Having a staff exit (leavers) procedure
  • Having a positive security culture – where staff are aware of the security risks that your organisation is susceptible to
  • Good policies and procedures, which staff are aware of and read
  • Awareness of the potential warning signs
  • Support from the board and senior management
  • A robust security audit process including auditing 3rd party providers (make sure all contracts include a ‘right to audit ‘clause)
  • Utilising the electronic tools you have in place – system logs, forensic tools etc
Whatever approach you decide for your business, it must be risk-based and targeted. Each organisation’s risk appetite will be different, but one thing for sure is you ‘will’ experience an incident as a direct impact from insider action – it is purely a matter of when, and how significant the impact is.
The insider threat is a vast subject and something that is impossible to cover in a single blog post. Expect the unexpected, these people are very difficult to detect but are easier to prevent.

For more information about me please checkout my Linkedin profile at

Tagged with: , , , , ,

This site uses Akismet to reduce spam. Learn how your comment data is processed.