Home Digitaledge In Focus

Keys to thwarting insider threats

Nurdianah Md Nur
Nurdianah Md Nur9/28/2022 11:30 AM GMT+08  • 6 min read
Keys to thwarting insider threats
Insider threats, malicious or unintentional, are on the rise. How can APAC organisations deal with them effectively? Photo: Unsplash
Font Resizer
Share to WhatsappShare to FacebookShare to LinkedInMore Share
Scroll to top
Follow us on Facebook and join our Telegram channel for the latest updates.

Asia Pacific (APAC) countries spent an average of US$11.9 million ($17 million) to deal with an insider threat incident this year, according to the 2022 Ponemon Cost of Insider Threats report. Common insider threats include employee or contractor negligence, malicious insiders and credential theft.

Shawn Thompson, senior manager for global insider risk services at the cybersecurity firm Mandiant, tells DigitalEdge more about insider threats and how APAC organisations can deal with them effectively.

What are the common types of insider threats today?

At Mandiant, we dissect insider threats by types, motivations and attack tactics.

Motivation is hard to assess and often not established until later in an investigation. Motivation may include ego, revenge, financial gain, intelligence gathering, praise, or to gain favour.

Finally, we see these broad classification types of attack tactics: Intellectual property theft, espionage, fraud and workplace violence.

See also: 2023 observability trends and predictions

Here are some insider threat personas that businesses should take note of:

  • Leakers who take actions that harm the business are protesting the organisation itself, a specific action, or obtaining personal notoriety at the organisation’s expense.

  • Disgruntled individuals who have experienced certain adverse events that impacted their current view of the organisation or their particular role in the company. They allow those events to manifest hostility towards the organisation by serving as triggers for harmful actions. These individuals may be the most difficult to identify based on the ubiquitous nature of the underlying causes themselves.
  • See also: Reflecting on digital transformation in 2022

  • Thieves are motivated by profit. In addition to information theft, they will also steal tangible corporate property — such as comput￾ers, supplies, electronic devices, or other corporate-owned assets — for their gain.
  • Why are APAC organisations struggling with insider threats?

    Organisations are more reactive to insider attacks than proactive because they have no guidelines to manage insider threats. This lack of guidelines is exacerbated by the lack of insider threat definitions and proper governance framework. Privacy, legal and cultural factors also contribute to the difficulty of addressing the insider threat problem.

    Most organisations might be familiar with the traditional outcomes of falling prey to an insider threat — such as loss of intellectual property or client data — but other risks are also present. These additional risks are not always obvious and might come in avenues the organisation did not anticipate.

    For example, the US State Department issued an advisory in May on attempts by remote North Korean IT workers to obtain employment while posing as non-DPRK (Democratic People’s Republic of Korea) nationals.

    The advisory warns that “hiring DPRK IT workers poses many risks, ranging from theft of intellectual property, data and funds to reputational harm and legal consequences, including sanctions under both US and United Nations authorities.”

    Additionally, Mandiant has observed insiders posing as external attackers and attempting to extort their employers by claiming to have access to sensitive digital information.

    To stay ahead of the latest tech trends, click here for DigitalEdge Section

    Can you share some best practices to mitigate insider threats?

    The first step is to conduct a full insider threat capability assessment, which will identify existing gaps and areas of improvement that can support the development of a resilient and mature insider threat programme (ITP).

    Next, they should define the scope of their insider risk management efforts. They should apply an accurate risk model — assessing asset impacts, threats, and vulnerabilities — that will promote a tailored and proactive application of resources on areas of most significant impact, intentional or unintentional.

    Resources are needed to build an effective ITP to improve their overall security posture. However, most of those capabilities are entirely reactive and largely ad hoc. The existing functional components operate independently with minimal formal collaboration. The goal is to leverage those resources in a cross-functional manner to optimise value.

    It is also essential to ensure that their ITP balances privacy with security. The former includes ensuring that employees are not subjected to invasive intrusions that breach their reasonable expectations of privacy. The latter involves protecting the organisation’s assets — including people, information, facilities, intellectual property and brand reputation.

    Companies must view each step symbiotically as both are essential components of an effective ITP. Privacy policies must not be overly restrictive but must strike the proper balance between protecting employees without unnecessarily restricting legitimate and tailored security efforts.

    Similarly, security must be tailored and pursue the least restrictive means methodology to strike the proper balance between protecting an organisation’s assets without unnecessarily impacting the legitimate privacy interests of employees.

    Organisations should also apply role-based access control policies. Employees having more access to information than they need to do their job increases the risk of compromise.

    Role-based or rule-based access policies allow companies to enforce the need-to-know policy across the organisation. Pre-defined access grants for each organisational unit can be applied and enforced through a robust role-based access control solution or similar access control paradigm.

    To supplement that, organisations can segment networks and observe principles of least privilege. That way, a malicious insider who might be an administrator will not have free reign over the entire infrastructure but relatively privileged access over only the portions of the infrastructure they are responsible for maintaining.

    Failing to monitor insider behaviours properly and limit data interactions significantly increases the organisation’s risk of compromise. As such, organisations should have visibility into how insiders interact with data to help with data loss prevention, and the level of network activity to monitor for behaviours indicative of insider threats.

    Besides the IT and cybersecurity team, what else can the rest of the organisation do?

    Corporate investigations and HR play a large part in reducing insider risk and handling incidents, along with the cyber operations teams.

    For instance, the HR team must ensure that a thorough background check is part of the hiring process. Organisations can also monitor the dark web for threat actors selling access to their information or networks using tools such as Mandiant’s Digital Threat Monitoring.

    Since education and training are essential yet often overlooked components, organisations should also play out insider threat scenarios with tabletop exercises that can help evaluate a company’s cyber crisis processes, tools and proficiency when responding to cyberattacks.

    This article has been edited for clarity and length

    Loading next article...
    The Edge Singapore
    Download The Edge Singapore App
    Google playApple store play
    Keep updated
    Follow our social media
    Subscribe to The Edge Singapore
    Get credible investing ideas from our in-depth stock analysis, interviews with key executives, corporate movements coverage and their impact on the market.
    © 2022 The Edge Publishing Pte Ltd. All rights reserved.