The insider threat to organisations is always present and can manifest itself in many ways. This has become more apparent because of the recent socio-economic changes within the UK.
Experience has shown over the years that an over-reliance on technology, without consideration of other factors, can have disastrous results for managing insider threats. One of the main concerns in this area is that of an individual, or group of individuals, inclined to carry out illegal activity within the organisation. This has resulted in a large emphasis being placed on the identification of any potentially harmful individuals.
Cappelli et al. (2006) identify insider threats as “current or former employees or contractors who targeted a specific individual or affected the security of the organisation’s data, systems and/or daily business operation”. There is an emerging risk presented by insiders within organisations.
Insider threats exist for all organisations; essentially, this threat lies in the potential that a trusted employee may betray their obligations and allegiance. It is thought that the threat posed by insiders is one most organisations neither understand nor appreciate. In 2008 the National Infrastructure Advisory Council (NIAC), which advises the President of the United States on the security of the critical infrastructure sectors and their information systems, was tasked with developing policy recommendations to improve the security posture of the nation’s critical infrastructure. In its report NIAC stated:
‘The insider threat… is one or more individuals with the access and/or inside knowledge of a company, organization or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products or facilities with the intent to cause harm’ (NIAC, 2008, p. 12).
In research conducted in the United States during 2010, Catrantzos stated “All a hostile insider needs to carry out an attack are access to a worthy target, an open door, and a dark corner from which to study and strike”.
Insiders are not just employees; they can include contractors, business partners, auditors or individuals who work within the same locations (these present what can be called third-party risks).
Employees, contractors and even temporary staff are usually provided with the same, or similar, access within organisations (NIAC, 2008, p. 12). This access is usually legitimately required for the work they are employed to do, but it can be abused to commit ‘insider’ attacks. There are also individuals who seek employment within an organisation with the sole purpose of conducting industrial espionage.
Insider threats can not only destroy the infrastructure of an organisation but can also instil a sense of trepidation. The insider is an adversary who can provide assurance to the nearest competitor or ally, not only exposing flaws but, more importantly, highlighting vulnerabilities.
Catrantzos deemed the insider threat more important since the tragic events of 9/11 and their continuing aftermath, during which risk and vulnerability assessments, promoted by federal subsidies, have centred the security focus largely on the vulnerability of large populations to attack. Adversaries have typically been characterised as traditional attackers working as outsiders who approach their targets determined to succeed in their objectives.
High-profile insider acts such as those at Barings, WorldCom and Enron provide examples of the damage that can be done. During 2006 an employee of the security company Securitas conducted surveillance whilst carrying out his legitimate role within the depot, using his ‘insider knowledge’ to facilitate a large-scale robbery and kidnap (BBC News Online, 21st February 2006, Securitas robbery). It was also reported that an employee of the Northern Bank in Belfast, Northern Ireland helped to plan the largest bank robbery in the UK, of £26.5 million, which was carried out on 20th December 2004. The alleged individual changed the staff duty rota so that he would be on duty with access to the vault key. It was stated during the case that the facts allowed it to be properly inferred that the robbers had “a high degree of inside knowledge,” and that it could only have come from a member of staff (Northern Bank robbery, 20th December 2004).
In a report titled ‘Human factors in information security: The insider threat – Who can you trust these days?’, Carl Colwill (2010) identifies that organisations may not have effective risk management regimes to deal with the speed and scale of change. He also states that the lethal consequences of armed insiders turning against their colleagues were demonstrated in November 2009 to UK forces in Afghanistan and to US forces at Fort Hood, USA, both of which were reported by BBC News in 2009.
Defining the insider threat
It can be argued that the lack of a consistent definition of an insider hinders research into the detection of threats from insiders. Many researchers have investigated the problem of insider threat; however, most research conducted has failed to define precisely what an insider threat is. Instead, it has been assumed that the end user inherently understands their own version of a definition.
In 2005, whilst Bishop was employed by British Telecom (BT) to enhance their security package, he defined the insider threat as “a trusted entity that is given the power to violate one or more rules in a given security policy… the insider threat occurs when a trusted entity abuses that power.” (Bishop, 2005). This definition identifies the specific need to recognise that an insider must be determined with reference to some set of rules that are part of a security policy.
Hanley et al. (2011, p. 1) state that it is hard to give a definition of the insider threat, and that there is debate about whether contractors should be included in the definition as possible insiders. Cappelli et al. (2006) identify insider threats as “current or former employees or contractors who targeted a specific individual or affected the security of the organisation’s data, systems and/or daily business operation”. Hanley et al. also note the debate about whether someone who starts as an ‘outsider’ but gains access by unauthorised means, for example by hacking into a company network, should then be deemed an ‘insider’ (2011, p. 1).
There have been numerous attempts to offer a definition of the term ‘insider’, with the majority sharing similarities and recurring themes.
Whilst reviewing established definitions, the author formed his own definition of an insider threat:
“anything that is done to jeopardise the proper functioning of an organisation’s business, whether deliberate or accidental, by employees”.
As a more general definition, Shaw, Fischer & Rose (2009, p. 1) stated ‘the risk that a trusted or authorized person will participate in a behaviour that causes damage to his or her employer’; this covers acts of fraud, terrorism, sabotage, theft, cyber-crime and espionage and, more importantly, applies whether or not the acts were deliberate or accidental.
Understanding the nature of the insider threat
Hanley et al. further noted that ‘insider cases are underreported’ (2011, p. 4) and cited the Cybersecurity Watch Survey (by Deloitte, the US Secret Service, CSO Magazine and CERT), which found that 72 per cent of reported events were investigated internally without any legal or law enforcement involvement (CSO 2010, cited in Hanley et al., 2011, p. 4). Cappelli et al. (1991) stated that within insider IT misuse there needs to be clarification separating an IT misuser from a person who uses the available resources in an acceptable way and for an approved purpose. Insider threat mitigation begins with a complete understanding of potential insider threats.
A 2003 survey by the FBI’s Computer Security Institute and Ernst and Young showed that nearly 60% of all security threats come from internal sources (Gupta, 2003). As identified earlier by Bishop (2005), an insider must be determined with reference to some set of rules that are part of a security policy, and this is primarily represented by the access control rules employed by an organisation. An insider can therefore be defined with regard to two primitive actions:
• Violation of a security policy using legitimate access
• Violation of an access control policy by obtaining unauthorised access.
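As an added illustration, not part of the original essay, the following Python classifies constructed audit-log events by Bishop's two primitive actions: an access that the access-control policy never permitted, versus an access that was permitted but breached a security-policy rule. The ACL, the out-of-hours and bulk-read rules, the role names and the sample events are all hypothetical and constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical access-control policy (constructed): roles permitted to read each resource.
ACL = {"customer_db": {"account_manager", "dba"}, "vault_rota": {"branch_manager"}}
# Hypothetical security-policy rules (constructed) that bind even authorised users.
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59
MAX_ROWS_PER_HOUR = 500
# Higher value = more serious; used to keep a single label per user.
SEVERITY = {"normal": 0, "legitimate_access_abused": 1, "unauthorised_access": 2}

@dataclass(frozen=True)
class Event:
    user: str
    role: str
    resource: str
    rows: int       # records returned by the query
    ts: datetime

def hour_key(e):
    return (e.user, e.ts.replace(minute=0, second=0))

def classify(events):
    """Map each user to the most serious of Bishop's two primitive actions seen, or 'normal'."""
    hourly_rows = defaultdict(int)
    for e in events:
        hourly_rows[hour_key(e)] += e.rows
    labels = {}
    for e in events:
        if e.role not in ACL.get(e.resource, set()):
            # The access-control policy denies this role, yet the access happened.
            label = "unauthorised_access"
        elif e.ts.hour not in BUSINESS_HOURS or hourly_rows[hour_key(e)] > MAX_ROWS_PER_HOUR:
            # Access was legitimately granted, but the security policy was violated.
            label = "legitimate_access_abused"
        else:
            label = "normal"
        labels[e.user] = max(labels.get(e.user, "normal"), label, key=SEVERITY.__getitem__)
    return labels

# Constructed sample audit events, not real data.
EVENTS = [
    Event("alice", "account_manager", "customer_db", 120, datetime(2024, 3, 4, 10, 15)),
    Event("bob", "account_manager", "customer_db", 300, datetime(2024, 3, 4, 14, 5)),
    Event("bob", "account_manager", "customer_db", 300, datetime(2024, 3, 4, 14, 50)),
    Event("carol", "hr_clerk", "vault_rota", 1, datetime(2024, 3, 4, 9, 0)),
    Event("dave", "dba", "customer_db", 10, datetime(2024, 3, 4, 2, 30)),
]
```

Bob's two reads are each within limits but together exceed the hourly cap, which is why the rule is evaluated over the aggregated hour rather than per event.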
In Queensland in 2000, a former employee used a wireless laptop to release untreated sewage; he ‘was apparently taking revenge against former employers’ (Evans, 2005, p.76). It has been reported (Raywood, 2008) that the placing of moles by criminal gangs, especially in financial institutions, is becoming more common. After researching UK organisations, the Department for Business Enterprise and Regulatory Reform (BERR, 2008) concluded that many are still inept at protecting themselves and their customers’ information: 52% do not carry out any formal security risk assessment; 67% do nothing to prevent confidential data leaving on USB sticks and similar devices; and 78% of companies had computers with unencrypted hard discs stolen.
Why and how the threat is perceived
The National Infrastructure Advisory Council (NIAC) stated ‘preventing all insider threat is neither possible nor economically feasible’ (NIAC, 2008, p.13).
Companies or organisations on the receiving end of such insider attacks are rarely comfortable discussing them, because these acts can weaken or destroy public trust, share price and financial solvency, all of which are necessary for a company to operate (NIAC, 2008, p.14). In 2008, Cole stated “The insider threat is like a tumor. If you realise there is a problem and address it, you will have short-term suffering but a good chance of recovery. If you ignore it, it will keep getting worse and while you might have short-term enjoyment, it will most likely kill you”.
NIAC also stated: ‘awareness of the insider threat varies greatly among the critical infrastructure sectors. Strong examples include the Banking and Finance as well as Nuclear sectors, which have an excellent awareness of the threat and have robust risk mitigation approaches to insider sabotage and insider fraud. Other sectors have varying levels of awareness and risk mitigation programs’. (NIAC, 2008, p.18).
In 2007, the Computer Security Institute conducted a Computer Crime and Security Survey which recorded that corporate leadership understands that insider incidents occur, but it appears corporate leadership neither completely appreciates the risk nor realises the potential consequences. As a result, most companies do not actively manage their insider risks (NIAC, 2008, p.18). Currently, companies that have experienced insider incidents are reluctant to share this information because of the costs involved; insider incidents can cause lost credibility with shareholders, employees and customers, and negatively affect shareholder value.
The 2007 E-Crime Watch Survey found that in cases where respondents could identify the perpetrator of an electronic crime, 31% were committed by insiders. These impacts can be devastating: in one case an employee working for a manufacturer stole blueprints containing trade secrets worth $100 million and sold them to a Taiwanese competitor.
In ‘Human factors in information security: The insider threat – Who can you trust these days?’, Colwill (2010) further states that security policies, controls, guidelines and training are lagging behind changes.
What control measures are available to prevent this?
Why is it so hard to intervene and prevent an insider attack? There are several reasons why the development and deployment of approaches to addressing insider threats, particularly proactive approaches, are so challenging:
• The lack of sufficient real-world data that has some real truth enabling subsequent verification and validation of proposed solutions;
• The difficulty in distinguishing between malicious insider behaviour and what can be described as normal or legitimate behaviour;
• The potential quantity of data, and the resultant number of ‘associations’ or relationships that may emerge, produce enormous scalability challenges;
• Despite ample evidence suggesting that in a preponderance of cases the perpetrator exhibited observable ‘concerning behaviours’ in advance of the exploit.
(Greitzer and Hohimer, p.27)
In his report Colwill states that, in his experience, the best course of action is to develop information-sharing relationships via a trusted ‘broker’; this has many benefits, helping to create new security standards and raise overall levels of protection. Colwill also highlights that insider risks need to be moved up in importance and discussed in boardrooms before attacks, not just after a compromise.
Many forms of technology are available to protect information, but they are generally applied to identify and restrict outsider access, using ‘off-the-shelf’ products such as firewalls and intrusion detection systems. Attacks from outside can be easier to detect and defend against, but the tools used for this are seldom scalable or cost-effective when applied to every employee who requires access to the information or assets.
Education and awareness are needed not only to generate the necessary security investment by all parties but also to create awareness and vigilance among the workforce. Education and awareness programmes are a key component in generating the organisational shift needed to overcome the cultural obstacles to insider threat mitigation. Awareness among senior management of their employees is also beneficial, allowing them to understand institutional forces; NIAC recommends that organisations consider the following preconceptions:
• Unquestioned and unverified trust of employees after granting employment, especially for long-time employees;
• Poor operator-workforce union relationships;
• Employee expectations of rights and privileges versus obligations;
• Inadequate computer and network ethics education and training;
• Prevailing attitudes about management involvement in workers’ personal lives;
• Suspicion of anything that looks like ‘big brother is watching’-type monitoring programs;
• Attitudes about corporate sensitive information. (NIAC, 2008, p.22).
Due to the large-scale emergence of newer technology, the ‘Cyber Threat: State, Radical, Local, Mad Sad’ grows with increases in the use of ‘smart-phone’ mobile telephones with email capability and the issuing of personal laptops. This is a key area to consider given the growing number of individuals who could lose unsecured laptops or, more importantly, memory sticks and other storage devices, whether encrypted or not. If this happened, it could lead to negative media attention.
Therefore, when considering the best course of action for dealing with insider threat concerns, the various departments of an organisation will need to establish and implement a comprehensive set of non-technical preventative measures to combat the insider threat, including policies, awareness, legal, HR and whistleblowing (NIAC, 2008, p.6).
By: Stephen Langley