
Circuit Magazine

For Security & Protection Specialists

The insider threat of crime to organisations is always present and can manifest itself in many ways. This has become more apparent because of the recent change in the socio-economic climate within the UK.

Experience has shown over the years that an over-reliance on technology without consideration of other factors can have disastrous results for managing insider threats. One of the main concerns in this area is the individual or individuals who would be inclined to carry out illegal activities within the organisation. This has resulted in a large emphasis being placed on the identification of any potentially harmful individuals.

Cappelli et al (2006) identify insider threats as “current or former employees or contractors who targeted a specific individual or affected the security of the organisation’s data, systems and/or daily business operation”. There is an emerging risk presented by insiders within organisations.

Insider threats exist for all organisations; essentially, this threat lies in the potential that a trusted employee may betray their obligations and allegiance. It is thought that the threat posed by insiders is one most organisations neither understand nor appreciate. During 2008, the National Infrastructure Advisory Council (NIAC), which provides the President of the United States of America with advice on the security of the critical infrastructure sectors and their information systems, set itself the primary goal of addressing its assigned tasks by developing policy recommendations to improve the security posture of the Nation’s critical infrastructure. NIAC produced a report in which they stated:

‘The insider threat… is one or more individuals with the access and/or inside knowledge of a company, organization or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products or facilities with the intent to cause harm’ (NIAC, 2008, p. 12).

From research that was conducted during 2010 within the United States of America, Catranzos stated “All a hostile insider needs to carry out an attack are access to a worthy target, an open door, and a dark corner from which to study and strike”.

Insiders are not just employees; they can include contractors, business partners, auditors or individuals that work within the same locations (these present what can be called third party risks).

Employees, contractors and even temporary staff are usually provided with the same, if not similar, access within organisations (NIAC, 2008, p. 12). This access is usually legitimately required to carry out the work they are employed to do, but it can be taken advantage of to commit ‘insider’ attacks. There are also individuals whose ambition is to be employed within an organisation for the sole purpose of conducting industrial espionage.

Insider threats can not only destroy the infrastructure of an organisation but can also instil a sense of trepidation. It is an adversary that can provide assurance to the nearest competitor or ally, not only showing any flaws but more importantly highlighting their vulnerabilities.

Catranzos deemed it more important since the tragic events of 9/11 and their continuing aftermath, during which risk and vulnerability assessments have been propelled, with federal subsidies promoting them, and the security focus has centred largely on the vulnerability of large populations to attack. Adversaries have typically been characterised as traditional attackers working as outsiders who generally approach their targets with the determination of succeeding in their objectives.

High-profile insider acts such as those at Barings, WorldCom and Enron provide examples of the damage that can be done. During 2006 an employee of Securitas, the security company, conducted surveillance whilst carrying out his legitimate role within the depot to facilitate a large-scale robbery and kidnap utilising his ‘insider knowledge’ (BBC News Online, 21st February 2006 Securitas robbery). It was also reported that an employee of the Northern Bank based in Belfast, Northern Ireland, helped to plan the largest bank robbery within the UK, of £26.5 million, which was carried out on 20th December 2004. The alleged individual changed the staff duty rota to allow him to be on duty and have access to the vault key. It was stated during the case that the facts could be established to properly infer the robbers had “a high degree of inside knowledge,” and that it could only have come from a member of staff (Northern Bank robbery, 20th December 2004).

In a report titled ‘Human factors in information security; The insider threat – Who can you trust these days?’, Carl Colwill (2010) identifies that organisations may not have effective risk management regimes to deal with the speed and scale of change. He also states that the lethal consequences of armed insiders turning against their colleagues were demonstrated in November 2009 to UK forces in Afghanistan and US forces at Fort Hood, USA; both of these were reported upon by BBC News in 2009.

 

Defining the insider threat

It can be argued that the lack of a consistent definition of an insider hinders research into the detection of threats from insiders. Many researchers have investigated the problem of insider threat; however, most of the research conducted has failed to define precisely what an insider threat is. Instead, it has been assumed that end users inherently understand their own version of a definition.

In 2005, whilst Bishop was employed by British Telecom (BT) to enhance their security package, he defined insider threat as “a trusted entity that is given the power to violate one or more rules in a given security policy… the insider threat occurs when a trusted entity abuses that power.” (Bishop, 2005). This definition identifies a specific need to recognise that an insider must be determined with reference to some set of rules that are part of a security policy.

Hanley et al (2011, p. 1) stated that it is hard to give a definition of the insider threat, and that there is debate around whether contractors should be included in the definition as possible insiders. Cappelli et al (2006) identify insider threats as “current or former employees or contractors who targeted a specific individual or affected the security of the organisation’s data, systems and/or daily business operation”. Hanley et al also include debate around someone who may start as an ‘outsider’ but who, by gaining access through unauthorised means, would then be deemed an ‘insider’, for example through hacking into a company network (2011, p. 1).

There have been numerous attempts to offer a definition of the term ‘insider’, with the majority providing various similarities with re-occurring themes.

Whilst conducting the review for established definitions the author identified his own version of an insider threat:

“as anything that is done to jeopardise the proper functioning of an organisation’s business whether deliberate or accidental by employees”.

For a generalised term, Shaw, Fischer & Rose (2009, p.1) stated ‘the risk that a trusted or authorized person will participate in a behaviour that causes damage to his or her employee’. This can be found within acts of fraud, terrorism, sabotage, theft, cyber-crime and espionage and also, more importantly, whether or not the acts were deliberate or accidental.

Understanding the nature of the insider threat

Hanley et al further noted that ‘insider cases are underreported’ (2011, p. 4) and cited the Cybersecurity Watch Survey (by Deloitte, the US SS, CSO Magazine and CERT), which stated that 72 per cent of reported events were investigated internally without any legal or law enforcement involvement (CSO 2010 cited in Hanley et al, 2011 p. 4). Cappelli et al (1991) stated that, within insider IT misuse, there needs to be clarification that separates an IT misuser from a person who uses the available resources in an acceptable way and for an approved purpose. Insider threat mitigation begins with a complete understanding of potential insider threats.

A 2003 survey by the FBI’s Computer Security Institute and Ernst and Young showed that nearly 60% of all security threats come from internal sources (Gupta, 2003). Cappelli et al (2006) identify insider threats as “current or former employees or contractors who targeted a specific individual or affected the security of the organisation’s data, systems and/or daily business operation”. Hanley et al also include debate around someone who may start as an ‘outsider’ but who, by gaining access through unauthorised means, would then be deemed an ‘insider’, for example through hacking into a company network (2011, p. 1). As identified earlier by Bishop (2005), an insider must be determined with reference to some set of rules that is part of a security policy, and this is primarily represented by the access control rules employed by an organisation. An insider can therefore be defined with regard to two primitive actions:

• Violation of a security policy using legitimate access
• Violation of an access control policy by obtaining unauthorised access.

In Queensland in 2000, a wireless laptop was used to release untreated sewage by a previous employee who ‘was apparently taking revenge against former employer’s’ (Evans, 2005, p.76). It has been reported (Raywood, 2008) that the placing of moles by criminal gangs, especially in financial institutions, is becoming more common. The Department for Business Enterprise and Regulatory Reform (BERR, 2008) concluded, after research in the UK, that many organisations are still inept at protecting themselves and their customers’ information: 52% do not carry out any formal security risk assessment; 67% do nothing to prevent confidential data leaving on USB sticks, etc; 78% of companies had computers with unencrypted hard discs stolen.

 

Why and how the threat is perceived

The National Infrastructure Advisory Council (NIAC) stated ‘preventing all insider threat is neither possible nor economically feasible’ (NIAC, 2008, p.13).

Companies or organisations that are on the receiving end of such insider attacks are rarely confident in discussing the attacks because these acts can weaken or destroy public trust, share price value, and financial solvency, all of which are necessary for a company to operate (NIAC, 2008, p.14). In 2008, Cole stated “The insider threat is like a tumor. If you realise there is a problem and address it, you will have short-term suffering but a good chance of recovery. If you ignore it, it will keep getting worse and while you might have short-term enjoyment, it will most likely kill you”.

NIAC also stated: ‘awareness of the insider threat varies greatly among the critical infrastructure sectors. Strong examples include the Banking and Finance as well as Nuclear sectors, which have an excellent awareness of the threat and have robust risk mitigation approaches to insider sabotage and insider fraud. Other sectors have varying levels of awareness and risk mitigation programs’ (NIAC, 2008, p.18).

In 2007, the Computer Security Institute conducted a Computer Crime and Security Survey which recorded that corporate leadership understands that insider incidents occur, but it appears corporate leadership neither completely appreciates the risk nor realises the potential consequences. As a result, most companies do not actively manage their insider risks (NIAC, 2008, p.18). Currently, companies that have experienced insider incidents are reluctant to share this information because of the costs involved; insider incidents can cause lost credibility with shareholders, employees and customers, and negatively affect shareholder values.

The 2007 E-Crime Watch Survey found that in cases where respondents could identify the perpetrator of an electronic crime, 31% were committed by insiders. These impacts can be devastating to the point where one employee working for a manufacturer stole blueprints containing trade secrets worth $100 million, and sold them to a Taiwanese competitor.

In ‘Human factors in information security; The insider threat – Who can you trust these days?’, Carl Colwill (2010) further stated that security policies, controls, guidelines and training are lagging behind changes. He also states that the lethal consequences of armed insiders turning against their colleagues were demonstrated in November 2009 to UK forces in Afghanistan and US forces at Fort Hood, USA; both of these were reported upon by BBC News in 2009.

 

What control measures are available to prevent this?

Why is it so hard to intervene and prevent an insider attack? There are several reasons why this can appear to be difficult. There are various reasons why the development and deployment of approaches to addressing insider threats, particularly proactive approaches, are so challenging:

• The lack of sufficient real-world data that has some real truth enabling subsequent verification and validation of proposed solutions;
• The difficulty in distinguishing between malicious insider behaviour and what can be described as normal or legitimate behaviour;
• The potential quantity of data, and the resultant number of ‘associations’ or relationships that may emerge produce enormous scalability challenges;
• Despite ample evidence suggesting that in a preponderance of cases, the perpetrator exhibited observable ‘concerning behaviours’ in advance of the exploit.

(Greitzer and Hohimer, p.27)

Within his report, Colwill stated that in his experience the best course of action is to develop information sharing relations via a trusted ‘broker’; this has many beneficial results, creating new security standards and raising overall levels of protection. Colwill also highlights that insider risks need to be moved up in importance and discussed in boardrooms prior to attacks, not just after the compromise.

Many forms of technology are available to protect information, but this is generally applied to identify and restrict outsider access with ‘off-the-shelf’ products such as firewalls and intrusion detection systems. Outside threat attacks can be easier to detect and defend against, but the tools utilised to protect against them are seldom scalable or cost-effective to apply to every employee who requires access to the information or assets.

Education and awareness are needed not only to generate the necessary security investment by all parties but also to create awareness and vigilance among the workforce. Education and awareness programs are a key component that can be utilised to generate the organisational shift needed to change the cultural obstacles that exist to insider threat mitigation. Awareness amongst all senior management of their employees is also beneficial to allow them to understand institutional forces. NIAC recommend that organisations should consider the following preconceptions:

• Unquestioned and unverified trust of employees, after granting employment, especially for long-time employees;
• Poor operator-workforce union relationships;
• Employee expectations of rights and privileges versus obligations;
• Inadequate computer and network ethics education and training;
• Prevailing attitudes about management involvement in workers’ personal lives;
• Suspicion for anything that looks like ‘big brother is watching’-type monitoring programs;
• Attitudes about corporate sensitivity information. (NIAC, 2008, p.22).

Due to the emergence of newer technology on such a large scale, the threat of ‘Cyber Threat: State, Radical, Local, Mad Sad’ increases, from the use of ‘smart-phones’ (mobile telephones with email capability) to the issuing of personal laptops. This is a key area to be considered, given the growing number of individuals who could potentially lose unsecured laptops or, more importantly, memory sticks/storage devices, whether encrypted or not. If this did happen, it could lead to negative media attention.

Therefore, when considering the best course of action in dealing with insider threat concerns, various departments will need to establish and implement a comprehensive set of non-technical measures to combat the insider threat, including policies, awareness, legal, HR and whistleblowing (NIAC, 2008, p.6).

 


Insider Threat
By: Stephen Langley

 


© 2023 Circuit Magazine · Rainmaker Platform
