Insider Threat

The insider threat of crime to organisations is always present and can manifest itself in many ways. This has become more apparent because of the recent social-economic climate change within the UK.

Experience has shown over the years that an over-reliance on technology without consideration of other factors can have disastrous results for managing the insider threats. One of the main concerns in relation to this area is that of an individual or individuals that would be aligned to cause illegal activities within the organisation. This has resulted in a large emphasis being placed on the identification of any potential harmful individuals.

Cappelli et al 2006 identifies insider threats as “current or former employees or contractors who targeted a specific individual or affected the security of the organisation’s data, systems and/or daily business operation”. There is an emerging risk presented by insiders within organisations.

Insider threats exist for all organisations, essentially, this threat lies in the potential that a trusted employee may betray their obligations and allegiance. It is thought that the threat posed by insiders is one most organisations neither understand nor appreciate. During 2008, The National Infrastructure Advisory Council (NIAC) which provides the United States of America’s President with advice on the security of the critical infrastructure sectors and their information systems produced a primary goal of to address the assigned tasks to develop policy recommendations to improve their security posture of the Nation’s critical infrastructure. NIAC produced a report during which they stated;

‘The insider threat….. is one or more individuals with the access and/or inside knowledge of a company, organization or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products or facilities with the intent to cause harm’ (NIAC, 2008, p. 12).

From research that was conducted during 2010 within the United States of America, Catranzos stated “All a hostile insider needs to carry out an attack are access to a worthy target, an open door, and a dark corner from which to study and strike”.

Insiders are not just employees; they can include contractors, business partners, auditors or individuals that work within the same locations (these present what can be called third party risks).

Employees, contractors and even temporary staff are usually provided with the same if not similar access within organisations (NIAC, 2008, p. 12). This access is usually legitimately required to conduct their work that they are being employed to do, but can be taken advantage of to commit ‘insider’ attacks. There are also individuals whose ambitions are to be employed within an organisation and have the sole purpose of conducting industrial espionage.

Insider threats cannot only destroy the infrastructure of an organisation but can also instil a sense of trepidation. It is an adversary that can provide assurance to the nearest competitor or ally, not only showing any flaws but more importantly highlighting their vulnerabilities.

Catranzos deemed it more important since the tragic events of 9/11 and the continuing aftermath during which it has been identified that risk and vulnerability assessments have propelled, with the federal subsidies promoting them, the security focus centred largely on the vulnerability of large populations to attack. Adversaries’ have typically been characterised as traditional attackers working as outsiders who generally approach their targets with the determination of succeeding in their objectives.

Such high profile insider acts as those at Barings, World-Com and Enron provide examples of what damage can be done. During 2006 an employee of Securitas the security company conducted surveillance whilst carrying out his legitimate role within the depot to facilitate a large scale robbery and kidnap utilising his ‘insider knowledge’ (BBC News Online, 21st February 2006 Securitas robbery). Also it was reported that an employee of the Northern Bank based in Belfast, Northern Ireland helped to plan the largest bank robbery within the UK of £26.5 million which was carried out on 20th December 2004. The alleged individual changed the staff duty rota to allow him to be on duty and have access to the vault key. It was stated that during the case the facts could be established to properly infer the robbers had “a high degree of inside knowledge,” and that it could only have come from a member of staff (Northern Bank robbery, 20th December 2004).

In a report titled ‘Human factors in information security; The insider threat – Who can you trust these days?’ written by Carl Colwill, (2010) identifies that organisations may not have the effective risk management regimes to deal with the speed and scale of change. Also he states that the lethal consequences of armed insiders turning against their colleagues was demonstrated in November 2009 to UK forces in Afghanistan and US forces at Fort Hood USA, both of these were reported upon by the BBC News in 2009.

Defining the insider threat

It can be argued that the lack of a consistent definition of an insider hinders research in the detection of threats from insiders. Many researchers have investigated the area surrounding the problem of insider threat, however most research conducted had failed to precisely define what is an insider threat- instead, it has been assumed that the end user inherently understand their own version of a definition.

In 2005, whilst Bishop was employed by British Telecom (BT) to enhance their security package he defined insider threat as “a trusted entity that is given the power to violate one or more rules in a given security policy… the insider threat occurs when a trusted entity abuses that power.” (Bishop, 2005). This definition identifies that there is a specific need to recognise that an insider must be determined with reference to some set of rules that are part of a security policy.

Hanley et al (2011, p. 1) stated that it is hard to give a definition of the insider threat, and that there is debate around whether contractors should be included into the definition as possible insider. Cappelli et al (2006) identifies insider threats as “current or former employees or contractors who targeted a specific individual or affected the security of the organisation’s data, systems and/or daily business operation”. Hanley et al also include debate around someone who may start as an ‘outsider’ but through gaining access by unauthorised means would then be deemed an ‘insider’, for example through hacking into a company network (2011, p. 1).

There have been numerous attempts to offer a definition of the term ‘insider’, with the majority providing various similarities with re-occurring themes.

Whilst conducting the review for established definitions the author identified his own version of an insider threat:

“as anything that is done to jeopardise the proper functioning of an organisation’s business whether deliberate or accidental by employees”.

For a generalised term, Shaw, Fischer & Rose (2009, p.1) stated ‘the risk that a trusted or authorized person will participate in a behaviour that causes damage to his or her employee’, this can be included and found within acts of fraud, terrorism, sabotage, theft, cyber-crime and espionage and also more importantly whether or not the acts where deliberate or accidental.

Understanding the nature of the insider threat

Hanley et all further noted that ‘insider cases are underreported’ (2011, p. 4) and cited the Cybersecurity Watch Survey (by Deloitte, the US SS, CSO Magazine and CERT) which stated that during their research 72 per cent of reported events were investigated internally without any legal or law enforcement involvement, (CSO 2010 cited in Hanley et al, 2011 p. 4). Cappelli et al (1991) stated within the insider IT misuse their needs to be clarification that separates an IT misuser from a person that uses the available resources in an acceptable way and for an approved purpose. Insider threat mitigation begins with a complete understanding of potential insider threats.

A 2003 survey by the FBI’s Computer Security Institute and Ernst and Young showed that nearly 60% of all security threats come from internal sources (Gupta, 2003). Cappelli et al (2006) identifies insider threats as “current or former employees or contractors who targeted a specific individual or affected the security of the organisation’s data, systems and/or daily business operation”. Hanley et al also include debate around someone who may start as an ‘outsider’ but through gaining access by unauthorised means would then be deemed an ‘insider’, for example through hacking into a company network (2011, p. 1). As identified earlier by Bishop (2005), an insider must be determined with reference to some set of rules that is part of a security policy and this is primarily represented by the access control rules employed by an organisation. An insider can therefore be defined with regard to two primitive actions:

• Violation of a security policy using legitimate access
• Violation of an access control policy by obtaining unauthorised access.

In Queensland in 2000, a wireless laptop was used to release untreated sewage by a previous employee who ‘was apparently taking revenge against former employer’s’ (Evans, 2005, p.76). It has been reported (Raywood, 2008) that the placing of moles by criminal gangs, especially in financial institutions is becoming more common. The Department for Business Enterprise and Regulatory Reform (BERR, 2008) concluded that after researching in the UK many organisations are still inapt at protecting themselves and their customers’ information: 52% do not carry out any formal security risk assessment; 67% do nothing to prevent confidential data leaving on USB sticks, etc; 78% of companies had computers with unencrypted hard discs stolen.

Why and how the threat is perceived

The National Infrastructure Advisory Council (NIAC) stated ‘preventing all insider threat is neither possible nor economically feasible’ (NIAC, 2008, p.13).

Companies or organisations that are at the receiving ends on such insider attacks are rarely confident in discussing the attacks because these acts can weaken or destroy public trust, share price value, and financial solvency, all of which are necessary for a company to operate (NIAC, 2008, p.14). In 2008, Cole stated “The insider threat is like a tumor. If you realise there is a problem and address it, you will have short-term suffering but a good chance of recovery. If you ignore it, it will keep getting worse and while you might have short-term enjoyment, it will most likely kill you”.

NIAC also stated: ‘awareness of the insider threat varies greatly among the critical infrastructure sectors. Strong examples include the Banking and Finance as well as Nuclear sectors, which have an excellent awareness of the threat and have a robust risk mitigation approaches to insider sabotage insider fraud. Other sectors have varying levels of awareness and risk mitigation programs’. (NIAC, 2008, p.18).

In 2007, the Computer Security Institute conducted a Computer Crime and Security Survey which recorded that corporate leadership understands that insider incidents occur, but it appears corporate leadership neither completely appreciates the risk nor realises the potential consequences. As a result, most companies do not actively manage their insider risks. (NIAC, 2008, p.18). Currently companies that have experienced insider incidents are reluctant to share this information because of the costs involved; insider incidents can cause lost credibility with shareholders, employees and customers, and negatively effect to shareholder values.

The 2007 E-Crime Watch Survey found that in cases where respondents could identify the perpetrator of an electronic crime, 31% were committed by insiders. These impacts can be devastating to the point where one employee working for a manufacturer stole blueprints containing trade secrets worth $100 million, and sold them to a Taiwanese competitor.

‘Human factors in information security; The insider threat – Who can you trust these days?’ written by Carl Colwill, (2010). Colwill further stated that security policies, controls, guidelines and training are lagging behind changes. Also he states that the lethal consequences of armed insiders turning against their colleagues was demonstrated in November 2009 to UK forces in Afghanistan and US forces at Fort Hood USA, both of these were reported upon by the BBC News in 2009.

What control measures are available to prevent this?

Why is it so hard to intervene and prevent an insider attack? There are several reasons why this can appear to be difficult. There are various whys development and deployment of approaches to addressing insider threats, particularly proactive approaches, are so challenging:

The lack of sufficient real- world data that has some real truth enabling subsequent verification and validation of proposed solutions;

The difficulty in distinguishing between malicious insider behaviour and what can be described as normal or legitimate behaviour;

The potential quantity of data, and the resultant number of ‘associations’ or relationships that may emerge produce enormous scalability challenges;

Despite ample evidence suggesting that in a preponderance of cases, the perpetrator exhibited observable ‘concerning behaviours’ in advance of the exploit.

(Greitzer and Hohimer, p.27)

Within Colwill’s report he stated that in his experience the best course of action is to develop information sharing relations via a trusted ‘broker’, this has many beneficial results to create new security standards and raise overall levels of protection. Also it is highlighted by Colwill that insider risks need to be moved up in importance and discussed in boardrooms prior to attacks, not just after the compromise.

Many forms of technology are available to protect information but this is generally applied to identify and restrict outsider access with ‘off-the-shelf’ products such as firewalls and intrusion detection systems. Outside threat attacks can be easier to detect and defend against, but the tools utilised to protect this are seldom scalable or cost-effective to apply to every employee who require access to the information or assets.

Education and awareness is needed to, not only generate necessary security investment by all parties but it is also important to create awareness and vigilance among the workforce. Education and awareness programs are a key component that can be utilised to generate an organisational shift needed to change the cultural obstacles that exist to insider threat mitigation. Awareness amongst all senior management of their employees is also beneficial to allow them to understand institutional forces, NIAC recommend that organisations should consider the following preconceptions:

Unquestioned and unverified trust of employees, after granting employment, especially for long-time employees;

Poor operator-workforce union relationships;

Employee expectations of rights and privileges versus obligations;

Inadequate computer and network ethics education and training;

Prevailing attitudes about management involvement in workers’ personal lives;

Suspicion for anything that looks like ‘big brother is watching’ –type monitoring programs;

Attitudes about corporate sensitivity information. (NIAC, 2008, p.22).

Due to the emergence of newer technology on such a large scale the threat of ‘Cyber Threat: State, Radical, Local, Mad Sad’, increases in the use of ‘smart-phones’ mobile telephones with the email capability to the issuing of personal laptops. This is a key area to be considered with the growing number of individuals that could potentially lose unsecured laptops or more importantly by losing memory sticks/storage devices whether encrypted or not. If this did happen, it could lead to negative media attention.

So therefore, when considering the best course of action in dealing with insider threat concerns and/or actions to assist organisations the best non-technical measures to aid in a preventative action various departments will need to establish and implement a comprehensive set of non-technical measures to combat insider threat including: policies, awareness, legal, HR and whistleblowing. (NIAC, 2008, p.6).

Insider Threat
By: Stephen Langley

Share63

63 Shares

Leave a Reply Cancel reply

Zelenskiy Denies Ukraine’s Involvement in Alleged Kremlin Drone Attack

Ukrainian President Volodymyr Zelenskiy has refuted Russia’s claims that Ukraine was involved in a drone attack on the Kremlin, which was allegedly aimed at killing Russian President Vladimir Putin. Zelenskiy stated that Ukraine fights and defends its territory, not attacking Putin or Moscow. The Kremlin reported that two drones were used in the attack but were disabled by Russian defenses.

Bodyguard Saves Japanese PM from Pipe Bomb Attack

A bodyguard has been hailed as a hero for his quick-thinking actions during a suspected pipe-bomb attack on Japanese Prime Minister Fumio Kishida. Video footage captured the bodyguard kicking away a metal object as it landed near Kishida
before positioning himself between the Prime Minister and the device, shielding him with a collapsible, handheld ballistics shield.

AlertEnterprise Reveals First-Ever Guardian AI Chatbot Powered by OpenAI ChatGPT

AlertEnterprise has unveiled its first-ever Guardian AI Chatbot powered by OpenAI ChatGPT. The chatbot will make its global debut at the ASIS Europe and ISC West trade events. Built on OpenAI’s GPT-3 platform, the Guardian AI Chatbot aims to provide security operators with instant access to critical physical access and security insights through quick questions and prompts.

Navigating the Complexities of Wi-Fi Installations

Wireless installations are often seen as an easy replacement for cables, particularly in situations where running wires or fiber optics is impractical or too costly. While wireless solutions can be convenient, even the simplest application of a wireless networking standard can come with challenges that need careful planning and troubleshooting. This article provides insight into the planning and deployment of a successful wireless installation.

Operating as a Commercial Sniper The Myths and Facts

To start with, let’s kill a central myth right off the bat. And that myth is that jobs for commercially employed snipers are widely available and accessible. That is not true. You will not do a sniper course and then be hired as a sniper in a war zone. You will not find any companies that are advertising such jobs. If they are, then I’d be dubious.

LIFE & WORK SKILLS: CONFLICT MANAGEMENT FOR PROTECTORS

Pop quiz: What do you think is greater, the number of executive protection agents who have been fired because their client got killed? Or the number that got fired because a client’s wife/manager/trusted advisor straight-up didn’t like them? I think anyone who has been around the industry longer than five minutes probably knows the answer to that question.

Size vs.Skills-a.k.a: The Unfair Advantage

However, this lesson sticks out because I still think about it and even use it to this day. My dad told me that every person on this planet has an ‘Unfair Advantage.’ Something God-given that a person does exceptionally well or better than anyone else. He told me that some people could naturally run fast or dunk a basketball without even really trying. Some can figure out complex equations in their heads like Einstein or even maintain a full head of hair well into their old age. Whatever gift you possessed that you did better than anyone else was your unfair advantage.

Church Security – The Five R’s of Venue Protection

People go to church for all kinds of reasons but almost no one goes to find trouble. The ones that do go for that purpose are the reason your church has a security team or ministry. Unfortunately, over the last twenty years “Trouble” has been finding its way into church for the simple reason that for the most part, we welcome it. Church is still the place that welcomes anyone in any condition to come to find help.

K9 in Private Protective Services

Since I am often employed as the agent in charge (AIC), you generally are assigned to the principal and the duties don’t lend themselves to be the K9 handler. You have a choice, either work the principal of work the K9, but rarely can you do both. However, that doesn’t mean there is not considerable opportunities for K9s and handlers in protective services.

Typically, these dogs fall into one or two categories. There are dogs that are single-purpose dogs, meaning they have one task they perform. While others are dual-purpose, meaning they are trained to perform a variety of tasks. The three biggest categories that they fall into are Apprehension, Detection and Search & Rescue.

Fit for Purpose – Motivation and Mindset

Struggle will be experienced by every single one of us, at differing intensities, durations, and …

Continue Reading about Fit for Purpose – Motivation and Mindset

Fire Safety in Executive Protection

Are you neglecting the planning for a serious threat? As I was pondering what would be the subject …

Continue Reading about Fire Safety in Executive Protection

Online Health Check for Protectors

Whether it is us or our clients, securing our online footprint is becoming increasingly important …

Continue Reading about Online Health Check for Protectors

How To: Secure Calls and SMS with Signal

There are various options out there for secure messaging and phone calls, ranging from expensive …

Continue Reading about How To: Secure Calls and SMS with Signal

The Relationship Between Protector and Venue Security

You notice him as he walks into the venue on autopilot. One of the security personnel walking, in a nonchalant manner, directly to his post. He looks down on the floor as if to locate his mark, the spot he is comfortable with, the spot that has been worn out …

Continue Reading about The Relationship Between Protector and Venue Security

FIVE THINGS YOU CAN DO TO MAKE YOUR HOUSE OF WORSHIP A SAFER PLACE

Never in the History of our country has it been more important to be aware of safety and security in a House of Worship. With our safe places under attack, and churches, temples and Mosques under attack, it is time for men and women to step up and do what is …

Continue Reading about FIVE THINGS YOU CAN DO TO MAKE YOUR HOUSE OF WORSHIP A SAFER PLACE

New Horizons

The truth is, the simulated communications you just read were not with a helicopter, but instead were between an Executive Protection team, and it’s FAA (Federal Aviation Administration) Licensed and experienced UAV (Unmanned Aerial Vehicle) Pilot. Executive Protection is evolving every day, and one of the areas out front is technology. Developing are new forms of detection, tactical hearing and visual aids, vehicle security and transport, radio systems, and now UAV’S.

Surveillance Detection

Surveillance Detection A key skill for security and counter-terrorism professionals History has taught us that certain kinds of activities can indicate terrorist plans are in the works, especially when they occur at or near high profile or sensitive sites, places where high profile individuals reside or work, or where large numbers of people gather like […]

Bodyguards at Iraq embassy told ‘not to speculate’ on death

Bodyguards at Australia’s embassy in Baghdad were told not to speculate about what occurred in a room where their colleague Chris Betts was fatally shot in 2016. The warning came after a shocked colleague, Patrick O’Keefe, described the wounds he …

Continue Reading about Bodyguards at Iraq embassy told ‘not to speculate’ on death

Why A Political Soloution With The Afghan Taliban Is So Important

We've all seen over the last few years just how quickly ISIL established themselves in a fractured Iraq and Syria. At this stage it really doesn't matter who or what caused the fracturing...but the lack of Government cohesion alone allowed the fight for a …

Continue Reading about Why A Political Soloution With The Afghan Taliban Is So Important

Pre-deployment Hostile Environment Training

The importance of conducting ‘quality’ pre-deployment hostile environment CP training The nature of the typical security contracts now being awarded to the many Private Security Companies (PSC’s) on the hostile environment circuit today, has seen a dramatic …

Continue Reading about Pre-deployment Hostile Environment Training

Tactical Vs Tacticool

The ‘tactical culture’ had flourished over the last few years, mainly due to the proliferation of video cameras and increasing engagement with social media platforms, which I believe is causing the lines between reality and the 'tacticool' entertainment world …

Continue Reading about Tactical Vs Tacticool

Working in the Maritime Security Industry

Working in the Maritime Security (MARSEC) Industry By Kevin ‘Knocker’ Whyte Maritime Security has become the new ‘Must Enter’ sector of the security industry, with long established MARSEC companies and new start-ups alike, picking up manpower intensive …

Continue Reading about Working in the Maritime Security Industry

Women in Maritime Security – An exclusive interview with Ruth Tiik

A female’s perspective of being a Maritime Security Operative in the HRA. I first met Ruth Tiik floating on a platform in the Red Sea where we and many others were stuck for several days waiting for our next task. I was then fortunate enough to sail with …

Continue Reading about Women in Maritime Security – An exclusive interview with Ruth Tiik

Are you a cut above your competition?

What would you do if your team was looking after a client or were working in a remote location and there was a serious road accident? Would you be able to get them out if they were physically trapped? Would you be able to rescue your clients or your team …

Continue Reading about Are you a cut above your competition?

How to Become More Employable

How to become more employable by specialising in pre hospital care Many close protection operators (CPO’s) are now identifying the value of becoming specialised in other aspects that surround the role. One of these specialist areas is Pre Hospital Care …

Continue Reading about How to Become More Employable

Buy The Latest Issue

Subscribe to the Newsletter

Latest Podcast Episode

Latest Issue

Issue 68