The cyber-threat you hired
By Kenrick Bagnall
There is a popular idiom that says, “better the devil you know than the devil you don’t.”
By Kenrick Bagnall
The problem with this, when it comes to insider threats, is that the devil you know also knows you. Sun Tzu, in the Art of War, said, “Begin by seizing something which your opponent holds dear; then he will be amenable to your will.” This is precisely what the insider attacker tries to do.
This individual who becomes a threat to your organization has two major advantages over a potential external adversary: they have access, both physical and logical. They can get into your brick and mortar facilities and login with approved credentials.
Insider threats are not born, they are made. In the vast majority of cases, people are interviewed and hired into companies where they have every intention of working hard and doing a good job. So what goes wrong?
An employee may develop disgruntled feelings if they are passed over for promotion, if they did not receive the credit that perhaps they feel they deserve for some work they did. Also, an employee may feel that they are the victim of office politics or even workplace harassment or bullying.
When any of these and/or a number of other factors are taken in isolation, it may not become an issue. However, when several of these issues combine and we also factor in human vulnerabilities and our susceptibility to social engineering, you have all the hallmarks of possible insider threat to your organization. Early detection of changes in behaviours could indicate that a staff member may be responding to external stressors, and may have been negatively influenced by a social engineer trying to take advantage of them.
Detection is often the first step towards prevention, so what can organizations do? There are mainstream technologies that can monitor user activity when it comes to account logins and resource access.
For example, a 9 to 5 employee working in manufacturing would be flagged if they tried logging on at 3 a.m. and attempting to access resources belonging to R&D.
From a human resources perspective, red flags should be raised when an employee exhibits emotional or aggressive behaviour that is out of the norm during the course of an interview, performance appraisal or their day-to-day job function.
Ideally, when HR personnel work collaboratively with IT security with a view to share anomalous information about concerning individuals, this can produce the best results and potentially stop an insider threat in its tracks. Using software tools and having well trained HR personnel is a great start. From an information security perspective, what makes this work is good governance and strict adherence to established best practices. To that end, well established onboarding policies and procedures for new staff can go a long way in protecting your organization. Written and signed policies for the expected use and ownership of systems, data and work product is essential. The International Standards Organization (ISO) 27001 guidelines include recommendations for Privileged Access Management. This framework includes controls to help your organization better manage privileged access to the crown jewel digital assets of your organization.
As always, your strategic partner when it comes to dealing with criminal offences that result from insider threats is your local law enforcement agency. If there are immediate life safety issues do not hesitate and call 911 to engage all emergency services. In a non-emergency and controlled situations, call the non-emergency number for your local agency. For the Toronto Police Service, the number is 416-808-2222.
For organizations large and small in public, private and non-profit sectors, the most valuable assets are their people. Finding better ways to manage human resources and efficiently use technology can go a long way toward developing efficient teams and reducing the risk of possible insider threats. Be safe, everyone.
Kenrick Bagnall is a Detective Constable with the Toronto Police Service Computer Cybercrime Unit (C3) @KenrickBagnall.
This story was featured in the Winter 2019 edition of Canadian Security.