17 Sep 2024
Managing insider threats in cyber security

  • Insider threats arise when individuals within a company, such as staff or contractors, compromise security, either intentionally or accidentally.
  • Recent data reveals that approximately 1 in 10 reported cyber incidents in Australia were caused by insider threats.
  • Businesses can manage the risk of cyber and data-related incidents from insider threats before they occur by prioritising workplace culture and ongoing training, and by implementing strong data privilege and monitoring controls.

When we think of cyber security threats, we often imagine distant hackers breaching our systems. However, a significant risk lies closer to home.

Individuals with privileged access to an organisation’s sensitive data or critical systems can misuse their access, creating what's known as ‘insider threats’.

Insider threats are a growing concern in cyber security, stemming both from unintentional actions, like falling for phishing scams, and from actions with deliberate malicious intent, including data and IP theft, or sabotage.

In the second half of 2023, 11% of reported cyber incidents in Australia were caused by a rogue employee or insider threat,[1] highlighting the need for robust systems and procedures to address these risks.

While many security measures focus on technical defences, the human factor remains a significant vulnerability. Insider threats can come from any level within an organisation, making effective privilege delegation, monitoring and incident response planning essential.

Who are ‘insiders’ to an organisation?

The term ‘insiders’ refers to more than just employees – it’s anyone with access to an organisation’s sensitive data, platforms or network, such as:

  • Current employees
  • Contractors, developers, freelancers, volunteers, vendors or partners
  • Ex-employees who may have resigned, retired or been dismissed

What can cause an unintentional insider cyber breach?

Unintentional insider threats commonly arise from human error or poor security practices. Some examples include:

  • Accidentally clicking on a suspicious link
  • Sending sensitive information to an incorrect email address
  • Leaving a computer unlocked and unattended
  • Letting family or friends use work devices
  • Setting weak passwords and/or not updating or changing passwords
  • Not updating software
  • Using public WiFi without a company-approved VPN (virtual private network)
  • Bringing your own device (BYOD) into the corporate network, which may be unsecured
  • Losing or misplacing a device

What can cause an intentional (malicious) insider cyber breach?

An intentional or malicious insider threat is often caused by someone deliberately stealing data from an employer or providing cybercriminals with unauthorised access to a company’s network.

Ben Richardson, Cyber Product Lead for QBE Australia Pacific, reveals that this behaviour is often motivated by a personal grievance or a perceived personal benefit.

“An example of a malicious insider threat could be an employee who’s been overlooked for promotion and is looking for new employment opportunities or is leaving the company on an involuntary basis having been let go,” said Richardson.

“They may be motivated to ‘get even’ or start at their next employer with momentum, by stealing confidential client information or intellectual property.”

Another motivator is often financial stress, which can leave people more susceptible to accepting bribes, being coerced by cybercriminals to share sensitive data, or making use of their privileged position within the company to achieve financial gain.

What are the warning signs of potential malicious insider threats?

Insider threats can be difficult to spot, but there are often warning signs. It’s important for businesses to monitor and report on:

  • Employees accessing systems and networks from unfamiliar locations, outside of office hours, or at unusual times
  • Accessing sensitive information or data that is not required for their role
  • Performing large downloads or data transfers that are unusual and not aligned with their role
  • Exhibiting signs of being upset about not being promoted or given a pay rise or showing signs of unusual stress
  • Showing a reluctance to take time off or be away from their workstation for extended periods, which may indicate they don’t want something to be discovered
  • Installing and using unauthorised software and hardware
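
The technical warning signs in the list above (access at unusual times or from unfamiliar locations, data outside the person's role, unusually large transfers) can be checked against access logs. The Python below is an added example, not QBE's tooling or part of the original article; the event fields, per-user baselines, role map and thresholds are all constructed assumptions.

```python
from datetime import datetime

# Assumed policy values (hypothetical; tune per organisation).
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 local time, Mon-Fri
TRANSFER_FACTOR = 10                     # multiple of the user's median bytes per event
ROLE_RESOURCES = {                       # resources each role needs for its work
    "finance": {"ledger", "payroll"},
    "engineer": {"source-repo", "build"},
}
# Constructed per-user baseline: role, usual countries, median bytes per event.
BASELINE = {
    "asmith": {"role": "finance", "countries": {"AU"}, "median_bytes": 5_000_000},
    "bjones": {"role": "engineer", "countries": {"AU", "NZ"}, "median_bytes": 20_000_000},
}
# Constructed sample events: (ISO timestamp, user, country, resource, bytes sent out).
EVENTS = [
    ("2024-09-02T10:15:00", "asmith", "AU", "ledger", 4_000_000),
    ("2024-09-03T02:40:00", "asmith", "AU", "source-repo", 750_000_000),
    ("2024-09-03T11:05:00", "bjones", "SG", "build", 18_000_000),
    ("2024-09-07T14:00:00", "bjones", "AU", "source-repo", 15_000_000),
]

def flags_for(event):
    """Return the list of warning signs that one access event matches."""
    ts, user, country, resource, sent = event
    base = BASELINE.get(user)
    if base is None:                     # account with no HR/identity record
        return ["unknown-account"]
    when = datetime.fromisoformat(ts)
    flags = []
    if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
        flags.append("off-hours")
    if country not in base["countries"]:
        flags.append("unfamiliar-location")
    if resource not in ROLE_RESOURCES[base["role"]]:
        flags.append("outside-role")
    if sent > TRANSFER_FACTOR * base["median_bytes"]:
        flags.append("large-transfer")
    return flags

def review_queue(events):
    """Return (user, timestamp, flags) for flagged events, most flags first."""
    hits = [(e[1], e[0], flags_for(e)) for e in events]
    return sorted((h for h in hits if h[2]), key=lambda h: -len(h[2]))

if __name__ == "__main__":
    for user, ts, flags in review_queue(EVENTS):
        print(user, ts, ", ".join(flags))
```

A single flag is weak evidence on its own; ordering by the number of co-occurring flags puts events such as an off-hours, out-of-role bulk transfer at the top of the analyst's queue.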

How businesses can protect themselves against insider threats

Insider threats can be challenging to identify and manage. As a starting point, businesses should focus on fostering an organisation-wide culture of cyber risk awareness and safety.

Businesses looking to reduce their risk of insider threats should focus on the following areas:


Access control and data protection

  • Strong access controls: Limit access to sensitive data and systems to only those who need it for their roles. Regularly review and adjust access permissions and privileged administrator account delegations as roles and responsibilities change.
  • Encrypt sensitive data and/or portable devices: In the event that a piece of hardware, such as a laptop, is misplaced or stolen, additional layers of protection in the form of encryption can prevent subsequent access to the company network and further data loss.
  • Disable portable storage devices: Unsecured portable storage devices pose risks for virus deployment, as well as a vulnerable path of data exfiltration outside of the network. Disabling devices and requiring dual sign-off for any necessary business use creates additional barriers for unauthorised data transfer.

Policies and procedures

  • Establish clear policies and procedures: Develop and enforce clear guidelines on the acceptable use of resources, data handling, and reporting suspicious activities. Ensure employees understand the consequences of violating these policies.

Employee education and culture

  • Employee training and awareness: Conduct regular training for employees on the risks and signs of insider threats, as well as the importance of reporting suspicious behaviour. Foster a culture where cybersecurity is everyone’s responsibility.
  • Simulated phishing exercises for staff: In addition to training, simulated phishing exercises are another great way to create a strong culture of awareness and further supplement existing training materials.
  • Encourage a positive work environment: Address employee grievances and ensure a fair and supportive workplace. Disgruntled employees are more likely to become insider threats, so maintaining a positive work environment can mitigate this risk.

Monitoring and incident response

  • Continuous monitoring and auditing: Use advanced logging and monitoring tools to track user activities, especially those involving sensitive data or systems. Conduct regular audits to identify and address any unusual or unauthorised activities.
  • Develop incident response plans: In the event of an insider-related cyber incident, having Incident Response Plans (IRP) and Business Continuity Plans (BCP) tailored to address these risks can make the difference between a minor disruption and a major event with significant financial and reputational consequences.
  • Terminate credentials for exiting employees: When an employee leaves the business, ensure their remote access is revoked as soon as possible to prevent any subsequent unauthorised access.

Make cyber protection a priority for your business

Human error and behaviour are two of the most often overlooked cyber security risk factors businesses face, and for companies with hundreds or thousands of employees, that risk is significant.

“It can be disheartening investing in extensive IT-focused network security and risk management controls, only to be undone by a malicious insider threat or staff error. This is why a strong security-minded culture, close consideration to privileged access, and ongoing education are paramount to mitigating this risk for all industry segments,” said Richardson.

“A robust cyber insurance policy can further help protect your business against the ever-present risks posed by human error and behaviour, by providing the business with support and coverage once a cyber incident does arise to mitigate the lasting impact,” said Richardson.

QBE’s cyber insurance policy QCyberProtect can help protect against a range of risks associated with digital technology and can assist in providing 24/7 IT forensic and legal support in the event of a cyber event. Talk to your broker today for more information about our offering.


[1] Australian Government OAIC, Notifiable data breaches report: July to December 2023

This content is brought to you by QBE Insurance (Australia) Limited (ABN 78 003 191 035, AFSL 239545) (QBE) as a convenience to readers and is not intended to constitute advice (professional or otherwise) or recommendations upon which a reader may rely. QBE makes no warranty or guarantee about the accuracy, completeness, or adequacy of the content. Readers relying on any content do so at their own risk. It is the responsibility of the reader to evaluate the quality and accuracy of the content. Reference in this content (if any) to any specific product, process, or service, and links from this content to third party websites, do not constitute or imply an endorsement or recommendation by QBE and shall not be used for advertising or service/product endorsement purposes.