“If you don’t feel ordained by the Universe to do this job, do something else. The intelligence community has to shut down the gaping wound that is the insider threat epidemic we are experiencing right now.”
― James Scott

Insider Threat

‘Insider threat’ is the term used to describe a malicious threat to a business or organisation from someone who has inside knowledge. It’s one of the biggest cyber security threats that businesses face.

An insider threat most often comes from either a current or an ex-employee of your business.

The physical access your employees have — or had — to your systems and information can expose your business to a significant risk.

An insider threat can be someone who:

  • knows how your business infrastructure works. For example, they may know how your networks are set up, and how to access your computer system
  • understands the strengths and weaknesses of your infrastructure
  • has physical access to things like your servers
  • knows which of your employees have access to the kind of information they want
  • knows which employees are an easy target — in other words, they know which employees will give them any information they ask for without question.

It’s important to educate your staff on the risk of insider threat. Attackers will often use your employees to gain information and get access to your business. Your employees may not think anything of an attacker’s requests. They may provide information to an attacker thinking that it’s the right thing to do, or mention sensitive details in passing that could be overheard outside the office, for example in a cafe or bar. This is known as unwitting disclosure.

Current employees who pose a threat can also gather information through overheard conversations, or by shoulder surfing — watching over another employee’s shoulder to see login details or passwords, for example. They can use ex-employees’ details to access things that they shouldn’t, like the HR or payment system.

Some of the reasons behind an insider threat attack are:

  • to commit fraud
  • to sabotage or cause harm to a business, and
  • revenge.

The risks for a business include:

  • a decrease in service availability, for example your website might go down
  • losing your trade secrets or intellectual property (IP)
  • a decrease in effectiveness
  • a decrease in your share price
  • public damage to your brand.

Preventing insider threat

Here’s how to manage the risk of insider threat to your business.

  • Have processes in place to ensure that when an employee leaves, their system logins and passwords are removed. If they have access to their emails from home, make sure that access is removed too.
  • Limit your employees’ access to the systems and processes they need to do their job and no more. This is known as the principle of least privilege.
  • Avoid access creep — as people move into different roles within your business, make sure that their access changes to match what they need in their new role. Remove access to anything they no longer need.
  • Where possible, split tasks between roles so that responsibility is shared by more than one person. For example, if it takes two people to approve an invoice (one to process the payment and another to authorise it) it’s less likely that anyone will be able to take advantage of the payment system.
  • Ensure that employees hand any devices, like iPads and phones, back when they leave, as well as any building passes they might have.
  • Don’t use generic passwords and logins — have a unique login for every user.
  • Make sure you back up your files regularly. This includes the files on your computers, phones and any other devices you have. You can:
    • do an ‘offline’ or ‘cold’ backup. Back up the data to an external hard drive and then remove the hard drive from your device
    • do a cloud backup to Dropbox or a similar online hosting service.

If you’re affected by insider threat

There are a number of things you can do if you’re affected by insider threat.

  • Review the access controls for your business or organisation. This means making sure that:
    • everyone you employ has access only to what they need
    • anyone who no longer works for you has their access to your network and systems removed.
  • Educate your staff about insider threat so that they understand the risk it poses to your business.
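
The access review above, and the leaver, access creep, split-task and unique-login points in the prevention list, can be checked regularly against an export of staff records and system accounts. The following is an added example, not part of the original guidance; the data, field names, roles and entitlement names are constructed assumptions.

```python
# Constructed sample data; field names, roles and entitlements are assumptions.
ROLE_BASELINE = {
    "accounts": {"email", "invoice.process"},
    "finance_manager": {"email", "invoice.authorise"},
    "sales": {"email", "crm"},
}
# Entitlement pairs that one person should never hold together (split tasks).
CONFLICTING = [("invoice.process", "invoice.authorise")]
HR_ROSTER = {
    "alice": {"status": "active", "role": "accounts"},
    "bob": {"status": "left", "role": "sales"},
    "carol": {"status": "active", "role": "sales"},  # moved over from accounts
    "dave": {"status": "active", "role": "finance_manager"},
}
ACCOUNTS = [
    {"login": "alice", "owner": "alice", "enabled": True, "access": {"email", "invoice.process"}},
    {"login": "bob", "owner": "bob", "enabled": True, "access": {"email", "crm"}},
    {"login": "carol", "owner": "carol", "enabled": True, "access": {"email", "crm", "invoice.process"}},
    {"login": "dave", "owner": "dave", "enabled": True, "access": {"email", "invoice.authorise", "invoice.process"}},
    {"login": "frontdesk", "owner": None, "enabled": True, "access": {"email"}},
]

def review_access(roster, accounts, baseline, conflicting):
    """Return sorted (login, finding) pairs for every enabled account."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to log in
        person = roster.get(acct["owner"])
        if person is None:
            findings.append((acct["login"], "generic login: no named owner"))
            continue
        if person["status"] != "active":
            findings.append((acct["login"], "leaver still has an enabled account"))
            continue
        # Least privilege / access creep: anything beyond the current role's needs.
        extra = acct["access"] - baseline.get(person["role"], set())
        for item in sorted(extra):
            findings.append((acct["login"], f"not needed for role {person['role']}: {item}"))
        for a, b in conflicting:
            if a in acct["access"] and b in acct["access"]:
                findings.append((acct["login"], f"holds both {a} and {b}"))
    return sorted(findings)

if __name__ == "__main__":
    for login, finding in review_access(HR_ROSTER, ACCOUNTS, ROLE_BASELINE, CONFLICTING):
        print(f"{login}: {finding}")
```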

Visit CERT NZ for more information.
Visit ACSC for more information.