Getting your house in order: minimising the insider threat

By Dominic Trott, UK product manager, Orange Cyberdefense

The dangers posed by external threat actors have become increasingly evident in recent years. Surging ransomware incidents have helped make cybersecurity a household topic. However, while it is vital for businesses to protect their valuable assets from malevolent third parties, mitigating the risk posed by company insiders can take a back seat as a result. Employees can make or break a business’ security posture: no matter which or how many defences are put in place, they can often be subverted by a malicious link being opened or an insecure device being connected to the corporate network.

It’s important to note that there are two different classes of insider risk. First, there are malicious insiders, employees who intend to inflict damage on their company from within for vindictive or exploitative reasons. However, there are also unwitting insiders, employees who may not know what good security behaviour looks like. These unwitting insiders undermine security controls unintentionally, but the end result can be equally damaging.

Businesses must take steps to defend against both malicious and unwitting insider threats. If adequate action is not taken to reduce the risk posed by insiders, they can be exploited by cybercriminals as they present a weak point in a business’ defences, or can cause damage of their own making. Unfortunately, the issue is enormously challenging. As genuine users, insiders possess genuine credentials for accessing often private or sensitive information. There is also the challenge of protecting against any threat staff may pose without hindering their work by removing access or erecting additional digital barriers.

However, there are some key steps that can be taken to combat insider threats.

Prevent and protect

It is vital that security teams invest in getting the basics right first, which includes being able to protect against security breaches, or even to prevent them from happening at all. Perimeter controls such as endpoint protection, network firewalls, web content filtering and email gateways represent a first layer of defence.

These tools work by, for example, applying security policies to prevent insecure behaviour and/or by blocking ‘known threats’ for which security companies have already developed signatures. In this way, large amounts of security good practice can be automated, reducing the burden of expectation on genuine users – who generally are not security specialists – to understand and consciously exhibit good security hygiene behaviour.

Detect and respond

As a next step, organisations should adopt security approaches that detect unusual, unwanted, and outright malicious activity. Detection-based solutions often rely upon machine learning (ML) and artificial intelligence (AI) to analyse large data sets of security logs and feeds to detect activity classified as outside the baseline of ‘normal’ activity.

A key theme for detection and response solutions is automating resource-intensive elements of the workflow, giving skilled security analysts additional time to conduct investigations or to analyse how and why attacks are occurring so they can be prevented in future. However, the response side of the equation matters as much as the detection part, so it is important that detection feeds into response in a timely manner.

Detection is only step one. If malicious activity is discovered, security teams must have robust incident response processes in place to address any breaches or attacks that do occur. Rapid response is crucial to minimise any potential reputational, financial and legal damage that might otherwise be incurred.
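As an added illustration of the baseline-driven detection described above (example code written for this page, not from the author or Orange Cyberdefense), the snippet below learns each user's normal hours, resources and transfer sizes from a constructed access log and flags new events that fall outside that baseline; the user names, log format and records are all invented, and the volume threshold is an assumed parameter.

```python
# Added example, not from the article: a minimal per-user behavioural baseline
# detector of the kind the "detect" step describes. Users, log format and every
# record below are constructed for illustration.
from datetime import datetime

# Constructed history used to learn normal behaviour: "timestamp user resource bytes"
BASELINE_LOG = """\
2024-03-04T09:12:00 alice hr-share 120
2024-03-05T11:05:00 alice payroll-db 200
2024-03-05T14:30:00 bob eng-repo 4000
2024-03-06T09:50:00 bob build-server 900
"""
# Constructed new events to score against that baseline
NEW_EVENTS = """\
2024-03-07T10:00:00 alice hr-share 100
2024-03-07T02:15:00 alice payroll-db 250
2024-03-07T11:30:00 bob hr-share 150
2024-03-07T13:00:00 bob eng-repo 90000
"""

def parse(log):
    rows = (line.split() for line in log.splitlines() if line.strip())
    return [(datetime.fromisoformat(t), u, r, int(n)) for t, u, r, n in rows]

def build_baseline(events):
    """Per user: hour range seen, resources touched, largest single transfer."""
    base = {}
    for ts, user, resource, nbytes in events:
        b = base.setdefault(user, {"first": 23, "last": 0, "resources": set(), "max_bytes": 0})
        b["first"], b["last"] = min(b["first"], ts.hour), max(b["last"], ts.hour)
        b["resources"].add(resource)
        b["max_bytes"] = max(b["max_bytes"], nbytes)
    return base

def detect(baseline, events, volume_factor=10):
    """Return (user, reason) findings for events outside that user's baseline."""
    findings = []
    for ts, user, resource, nbytes in events:
        b = baseline.get(user)
        if b is None:  # a valid credential with no history is itself worth a look
            findings.append((user, "no baseline for user"))
            continue
        if not b["first"] <= ts.hour <= b["last"]:
            findings.append((user, f"access at {ts.hour:02d}h outside usual {b['first']:02d}-{b['last']:02d}h"))
        if resource not in b["resources"]:
            findings.append((user, f"first access to {resource}"))
        if nbytes > volume_factor * b["max_bytes"]:
            findings.append((user, f"{nbytes} bytes exceeds {volume_factor}x baseline max {b['max_bytes']}"))
    return findings

def run():  # learn from history, then score new events; findings feed the response step
    return detect(build_baseline(parse(BASELINE_LOG)), parse(NEW_EVENTS))
```

The findings are the hand-off point to the response process: each one names the genuine user and the specific deviation, which is what an analyst needs to decide quickly whether it is an unwitting mistake or a malicious insider.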

Identity: security’s post-perimeter front-line

While it’s vital that security teams are prepared to react to malicious activity, the priority should be preventing it from occurring at all. Classic perimeter controls are geared towards this, but rising digital transformation means the concept of a corporate perimeter is increasingly porous. Attack surfaces are growing and diversifying thanks to, for example, the rollout of IoT devices and the convergence of IT and OT environments. Meanwhile, cloud migration and remote access mean that ever more applications and data are hosted within (and accessed across) cloud infrastructure.

Therefore, digital identity increasingly represents the first line of defence for the enterprise. Ensuring that only authorised users can access the network and the sensitive information it holds is key to stopping insider threats. Solutions such as Privileged Access Management (PAM) and Multi-Factor Authentication (MFA) are important tools for achieving these goals.

However, some of these approaches can cause friction for users, so solutions such as Single Sign-On (SSO) and Customer Identity and Access Management (CIAM) need to be incorporated to reduce friction where possible. This is especially pertinent when adopting a Zero Trust approach.

A Zero Trust architecture uses “never trust, always verify” as its guiding principle, requiring users to verify their credentials to access the corporate network, every time. While Zero Trust excels at blocking malicious activity at the endpoint and network levels – which is vital as staff continue to work remotely – it requires users to re-authenticate whenever they connect to corporate assets.

Adapting to hybrid work

Two years into the pandemic, organisations across the globe have successfully adapted to hybrid working patterns. However, there is no avoiding the fact that hybrid work opens the door to malicious activity, with cybercriminals eyeing unpatched endpoints and staff letting their guard down in their home environments. Acknowledging that hybrid working increases exposure to risk, and responding accordingly, is crucial for business continuity and security.

Much has been made of the use of VPNs to support remote working, but this is a basic technological response to what has become a permanent shift in working behaviour. Organisations need to move towards more transformational solutions, including Zero Trust and Secure Access Service Edge (SASE) approaches to secure access.

Training and awareness

While security teams may implement all the recommended tools, it only takes one insider to cause a breach. To minimise the threat and prevent an unwitting employee from causing damage, organisations must equip staff with the knowledge required to make the correct security decisions. By offering ongoing training and awareness building, security staff can empower employees to be an extension of their team, identifying and reporting threats such as phishing and minimising the risk of human error.

Third-party data

Finally, it is not just employees that have the power to bring down a business from the inside. Third-party partners and other organisations that are privy to a business’ valuable assets need to be taken into account. To do this, businesses need to prioritise data visibility across their entire partner ecosystem and manage the data lifecycle accordingly. Only by maintaining visibility of data throughout their organisation’s entire ecosystem can security teams and the tools they’ve invested in block and detect malicious activity within even unstructured data.

While attention must be paid to mitigating the threat of malicious external actors, security teams can’t afford to underestimate the human element of cybersecurity. The insider threat can be hugely damaging to a business, so it must also be a priority for security teams. Whether that is through additional training or prioritising secure network access with approaches such as Zero Trust, it is possible to reduce the vulnerabilities posed by employees, both malicious and unwitting, with the right actions.
