You Can’t Eliminate the Insider Threat, But You Can Prevent the Damage

The standard representation of a cybercriminal in Hollywood is an elusive, highly skilled individual who compromises and takes control of an organization’s network remotely, writes Scott Leach of Varonis.

However, many chief information security officers (CISOs) are also concerned about the malicious actors closer to home: their own employees, who don’t necessarily need advanced security skills to cause damage.

Although insider threats are not new, several recent developments have made them more problematic. On the one hand, the pandemic-induced surge in remote working and the trend of increased employee turnover have made it more difficult to identify and mitigate insider threats. Growing geopolitical instability can add fuel to the fire. To make matters worse, ransomware gangs have allegedly offered large bribes to prominent employees within target organizations to gain access to corporate networks.

The threat has become so significant that the Australian Security Intelligence Organization (ASIO) predicts that espionage will supplant terrorism as Australia’s main security threat over the next five years.

In 2019, a leading Australian biotech company lost thousands of documents containing highly sensitive intellectual property after an employee exfiltrated the information to secure a senior position with a key competitor.

The victim alleged that in the months leading up to his resignation, the employee repeatedly spoke to senior executives at the competing organization about taking sensitive information. The employee subsequently obtained a management position with the competitor and was accused of seizing trade secrets related to various products. More importantly, he was accused of sharing details of a top-secret treatment for common blood disorders, which is the lifeblood of the victim’s business.

The Critical Challenges of Insider Threat Detection

Detecting insider threats is not a simple task. First, insiders already have privileged access to the corporate network without needing to break in. They also inherently know what information is valuable and where to find it. Insiders can be employees, contractors, vendors, interns, or board members: anyone with higher-level access than the public.

Second, insider attacks are difficult to prevent with many commonly used security tools on the market, which are designed to protect against external threats. For example, corporate firewalls cannot prevent insiders from accessing sensitive files because they already have legitimate access.

Third, determining what is and what is not suspicious activity is also extremely difficult. Insiders need some degree of privileged access to do their job effectively, so it can be difficult to determine whether an attempt to access a sensitive file is legitimate or nefarious. Most security tools can’t tell the difference between someone downloading a confidential document to work on and someone sharing it with a competitor.

Finally, insiders can have powerful motivations depending on their situation. They may feel they were wrongfully fired. They may have ideologies opposed to what their organization does, or they may have joined an organization with the intention of causing harm. Attackers are increasingly bypassing proven methods like phishing emails, opting to pay disgruntled insiders for credentials that will gain access to the network, as seen in the LockBit 2.0 ransomware attacks.

Whatever the source of an insider threat, the impacts can be enormous. According to the Ponemon Institute Cost of Insider Threats 2020 study, the global average annual cost of an internal data breach to an organization was US$11.45 million.

A three-step approach to blocking insider threats

Step 1 – Detect

What cannot be seen cannot be protected. Every organization must first understand where its sensitive data resides. Most organizations can’t confidently identify where all of their data resides, whether it’s on-premises, in the cloud, or scattered across both. Once the location of all data has been identified, the sensitivity level must be determined and assigned to each file. Next, organizations need to identify who has access to these files.

After completing these steps, organizations can track who regularly accesses the data and create a baseline model of each account holder’s typical activity, using specialized security software.

Step 2 – Prevent

The prevention step involves blocking malicious insider activities before they happen. The most critical action an organization should take at this point is to apply the “least privilege” model. Least privilege gives each account holder access to the data they specifically need for their role, regardless of that individual’s hierarchical level in an organization.

Additional recommended safeguards include deactivating an employee’s account upon termination of employment and implementing digital rights management, in which a set of policies is applied to each document specifying whether it can be printed, modified, emailed or copied.

Step 3 – Maintain

Steps one and two should not be one-time exercises. These policies and practices must be enforced at all times for effective security. Insider threat defense is an ongoing process that requires continuous monitoring of normal behavior patterns to detect anomalies.

Data that has not been accessed after a predetermined time should be automatically archived so that it is no longer accessible to insiders with malicious intent. Additionally, there must be systems in place that change an employee’s access rights when they change roles and remove all access rights when they leave the organization. These processes can be difficult and even impossible to maintain manually in a large organization, but security software can easily automate these tasks.
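The three steps above describe one continuous process: inventory and classify the data, map who is entitled to it, baseline each account’s normal activity, alert on departures from that baseline, and keep entitlements and archives current as people move or leave. The following script is an added illustration of that whole loop over a constructed access log; it is not Varonis code or anything from the original article. Every path, user, role and timestamp in it is made up, and the detection rules (an access outside the account’s role folders, a folder the account never used during the baseline period, or a daily volume more than three times the account’s previous peak) are example thresholds, not a vendor’s algorithm.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1 (detect): inventory of where data lives and how sensitive it is.
# Every path, user and role in this example is constructed, not real.
INVENTORY = {
    "/share/hr/payroll.xlsx": ("on-prem", "confidential"),
    "/share/rnd/formulation.docx": ("cloud", "restricted"),
    "/share/rnd/trial-results.pdf": ("cloud", "restricted"),
    "/share/rnd/lab-notes.docx": ("cloud", "restricted"),
    "/share/public/holidays.pdf": ("cloud", "public"),
    "/share/archive/2015-plan.docx": ("on-prem", "internal"),
}

# Step 2 (prevent): least privilege, a role sees only the folders its job needs.
ROLE_FOLDERS = {
    "hr_analyst": {"/share/hr", "/share/public"},
    "scientist": {"/share/rnd", "/share/public"},
    "contractor": {"/share/public"},
}

# Account directory: role plus status; a terminated account keeps no rights.
DIRECTORY = {
    "alice": {"role": "scientist", "status": "active"},
    "bob": {"role": "hr_analyst", "status": "active"},
    "carol": {"role": "contractor", "status": "terminated"},
}


def folder_of(path):
    return path.rsplit("/", 1)[0]


def entitled(user, path, directory=DIRECTORY):
    """Least-privilege check: active account and path inside one of its role's folders."""
    acct = directory.get(user)
    if acct is None or acct["status"] != "active":
        return False
    return folder_of(path) in ROLE_FOLDERS.get(acct["role"], set())


def build_baseline(events):
    """Model of each account's typical activity: folders used and peak files per day."""
    per_day = defaultdict(lambda: defaultdict(int))
    folders = defaultdict(set)
    for ts, user, path in events:
        per_day[user][ts.date()] += 1
        folders[user].add(folder_of(path))
    return {u: {"folders": folders[u], "daily_peak": max(per_day[u].values())} for u in per_day}


def detect(events, baseline, directory=DIRECTORY, volume_factor=3):
    """Flag access outside entitlements, into folders never used before, or volume spikes."""
    alerts, per_day = [], defaultdict(lambda: defaultdict(int))
    for ts, user, path in events:
        per_day[user][ts.date()] += 1
        known_folders = baseline.get(user, {}).get("folders", set())
        if not entitled(user, path, directory):
            alerts.append((user, path, "outside-entitlement"))
        elif folder_of(path) not in known_folders:
            alerts.append((user, path, "new-folder"))
    for user, days in per_day.items():
        peak = baseline.get(user, {}).get("daily_peak", 0)
        for day, n in days.items():
            if peak and n > peak * volume_factor:
                alerts.append((user, day.isoformat(), "volume-spike"))
    return alerts


# Step 3 (maintain): archive stale data, rebuild rights on role change or exit.
def stale_files(events, now, max_age_days=365):
    """Inventory entries nobody has touched within max_age_days: archive candidates."""
    last_seen = {}
    for ts, _, path in events:
        last_seen[path] = max(ts, last_seen.get(path, ts))
    cutoff = now - timedelta(days=max_age_days)
    return sorted(p for p in INVENTORY if last_seen.get(p, datetime.min) < cutoff)


def change_role(directory, user, new_role):
    """Replace the old role outright so rights never accumulate across moves."""
    updated = {u: dict(a) for u, a in directory.items()}
    updated[user]["role"] = new_role
    return updated


def offboard(directory, user):
    """Termination removes every right at once by flipping the account status."""
    updated = {u: dict(a) for u, a in directory.items()}
    updated[user]["status"] = "terminated"
    return updated


# Constructed access log, (timestamp, user, path): three quiet days...
D = datetime(2022, 10, 10)
BASELINE_EVENTS = [(D + timedelta(days=d, hours=h), "alice", p) for d in range(3)
                   for h, p in enumerate(["/share/rnd/formulation.docx", "/share/rnd/lab-notes.docx"])]
BASELINE_EVENTS += [(D + timedelta(days=d), "bob", "/share/hr/payroll.xlsx") for d in range(3)]
# ...then one morning with three different kinds of anomaly.
T = datetime(2022, 10, 17, 9)
OBSERVED = [(T + timedelta(minutes=i), "alice", p) for i, p in enumerate(
    ["/share/rnd/formulation.docx", "/share/rnd/trial-results.pdf", "/share/rnd/lab-notes.docx"] * 3)]
OBSERVED += [
    (T, "bob", "/share/rnd/formulation.docx"),   # HR analyst opening R&D data
    (T, "bob", "/share/public/holidays.pdf"),    # entitled, but a folder bob never used
    (T, "carol", "/share/public/holidays.pdf"),  # terminated contractor account still in use
]
NOW = datetime(2022, 10, 20)

if __name__ == "__main__":
    for alert in detect(OBSERVED, build_baseline(BASELINE_EVENTS)):
        print(alert)
    print("archive:", stale_files(BASELINE_EVENTS + OBSERVED, NOW))
```

Run as-is it reports bob’s out-of-role read of the R&D file, bob’s first-ever visit to the public folder, the use of carol’s terminated account, and alice’s nine restricted files in one morning against a previous peak of two, then lists the 2015 plan nobody has opened as an archive candidate. The role-change and offboarding helpers return a fresh directory rather than editing in place, which is the property the article asks for: moving bob to the scientist role drops his payroll access instead of adding R&D access on top of it.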

Conclusion and takeaways

COVID-19 has exacerbated the risks associated with insider attacks. With large organizations creating millions of new files every year, the only way to effectively protect them from malicious insiders is to use security software, which can analyze network activity at rates impossible for a human to match.

Scott Leach is the APJ Vice President of cybersecurity firm Varonis.


Last update: October 20, 2022

Posted: October 20, 2022
