The Good, the Bad, and the Ugly Insider Threats

Sensitive information is most at risk when it leaves the enterprise perimeter, and is typically subject to far less stringent controls

Organizations must balance the need to access information for conducting business with protecting this information from unauthorized misuse by trusted personnel. Unauthorized access to sensitive information is routinely considered an external threat, yet surveys such as the one conducted by Symantec in late 2010 have found that the most serious security breaches are caused by trusted employees (insiders) with authorized system access.

There is no simple checklist for identifying a potential insider threat, but there are some definite signs to look for, including the open threat from disgruntled employees, indicators in background checks, and an employee’s ideology. This article will address how new privacy laws are impacting the realm of insider threats, how these threats are affecting organizations in today’s rapidly changing landscape, and ways that an enterprise organization can effectively address the growing insider threat challenge.

In order to conduct business effectively, it is essential that employees with various responsibilities in an organization be given access to the information and technical resources necessary to carry out their assigned functions. These employees will normally have access to both corporate information and the information systems and procedures employed to monitor them. This arms an insider with sufficient authority and knowledge to potentially become a formidable threat in terms of compromising the information and systems that they have access to on a regular basis. The insider threat takes two forms: accidental and malicious. Both can compromise corporate assets, including its information.

Oh, My Bad…

Risky practices – such as walking away from a workstation without locking a session, not securing passwords, or misuse of system procedures due to improper training – are examples of unintentional threats that can lead to more serious compromises. Stolen or misplaced laptops and mobile devices can also be added to this list, as was the case with the US Department of Veterans Affairs, which paid $20 million to settle a class action lawsuit that resulted from an employee’s laptop being stolen.


Securing mobile devices – and their interaction with enterprise networks – presents an additional challenge to information security executives. “Increasingly, personal mobile devices like tablets and smartphones are being brought into corporate infrastructures at a rate that is outpacing many organizations’ ability to secure and manage these devices and protect the information they access”, says Robert Hamilton, senior manager of product marketing at Symantec. “Enterprises need to balance internal demand for mobile devices with concerns about protecting valuable intellectual property. To do so, these devices need to be well-managed, and enterprises need to know what confidential data is being used on and transmitted to and from them.”

The ‘good’ aspect of this subject is that most enterprises have recognized the threat and are investing more in the area of security. Also reassuring is the fact that the general public is much more security-savvy than in the past, thanks to ubiquitous use of such things as online banking, e-commerce, and social networking.

With Malice toward Some

Disgruntled employees can often compromise information in ways that do not require much technical sophistication. These methods run the gamut: unauthorized release of company information; compromising access codes; introducing viruses, worms or trojans into company networks; and disabling workstations and associated networks. This is why identity and access management controls, in addition to audit and accountability, are essential components in any organization’s security strategy.

Sensitive information is most at risk when it is transferred outside of the corporate network, where internal controls and procedures may not exist or be enforced. This requires organizations to work with external business and information sharing partners to ensure that intended controls remain in effect as the information is shared. Sensitive information stored in a protected file can be compromised by insiders through email, instant messaging, or other internet transmissions. Sensitive information is also put at risk if it can be easily transferred outside of an organization’s network to portable devices, compact disks, or any manner of storage device.
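The paragraph above describes the channels an insider can use to move a protected file off the corporate network (email, instant messaging, removable media). The following is an added example, not code from the article or from any product it mentions, of the kind of outbound inspection a data-loss-prevention control performs: each transfer is checked for classification markers and identifier-like patterns, and a transfer that leaves the perimeter is blocked while an internal one is only recorded for review. The domains, markers, identifier pattern and sample transfers are constructed for the illustration.

```python
"""Outbound transfer inspection (added example, not from the article).

Constructed illustration of a data-loss-prevention style check: each
outbound transfer (email, instant message, removable media) is inspected
for classification markers and identifier-like values before it leaves
the corporate network. All domains, markers and messages are made up.
"""
import re
from dataclasses import dataclass
from typing import List

INTERNAL_DOMAINS = {"corp.example"}                          # hypothetical
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")  # hypothetical
# Nine-digit identifier written as 123-45-6789 (constructed sample pattern).
ID_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Transfer:
    channel: str        # "email", "im" or "usb"
    sender: str
    destination: str    # recipient address, IM handle, or device id
    body: str


@dataclass
class Verdict:
    action: str         # "allow", "block" or "alert"
    reasons: List[str]


def leaves_perimeter(t: Transfer) -> bool:
    """Removable media always leaves; addresses are judged by domain."""
    if t.channel == "usb":
        return True
    domain = t.destination.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def inspect(t: Transfer) -> Verdict:
    """Classify one transfer. Sensitive content going outside is blocked;
    sensitive content staying inside is allowed but raises an alert so
    the audit function can review it."""
    reasons = []
    upper = t.body.upper()
    for marker in CLASSIFICATION_MARKERS:
        if marker in upper:
            reasons.append(f"classification marker '{marker}'")
    n_ids = len(ID_PATTERN.findall(t.body))
    if n_ids:
        reasons.append(f"{n_ids} identifier-like value(s)")
    if not reasons:
        return Verdict("allow", [])
    if leaves_perimeter(t):
        return Verdict("block", reasons)
    return Verdict("alert", reasons)


# Constructed sample transfers.
SAMPLE_TRANSFERS = [
    Transfer("email", "alice@corp.example", "bob@corp.example",
             "Lunch at noon?"),
    Transfer("email", "alice@corp.example", "partner@othercorp.example",
             "CONFIDENTIAL: Q3 roadmap attached"),
    Transfer("im", "alice@corp.example", "bob@corp.example",
             "Customer record 123-45-6789 needs a review"),
    Transfer("usb", "alice@corp.example", "device-0042",
             "INTERNAL ONLY pricing export, rows: 123-45-6789, 987-65-4321"),
]


def run_demo():
    """Return (channel, action) for each sample transfer."""
    return [(t.channel, inspect(t).action) for t in SAMPLE_TRANSFERS]


if __name__ == "__main__":
    for channel, action in run_demo():
        print(f"{channel:5s} -> {action}")
```

The design point is the split between "block" and "alert": the same content that is stopped at the perimeter is still worth logging when it moves internally, because the audit trail is what lets an oversight function see a pattern of handling before any single transfer crosses the boundary.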


A threat may also occur when an outside entity approaches an insider with a bribe in order to gain access to information they are not entitled to have. Instances of this kind of breach have been well documented over the years, and the threat is still real today. Organizations must continue to pay attention to this very problematic area by constantly reassessing procedures in the areas of employee awareness and training, access control, and audit and accountability.

Access policies must be specific enough to ensure that users have access to only that information necessary to perform authorized functions. Once this has been defined and enforced, an oversight function and supporting procedures must be in place to ensure that trusted employees adhere to the security policy.

A Private Matter

Related to the problem of the insider threat is the emphasis being put on privacy laws that require notification and disclosure to individuals whose information has been compromised. Two key concepts of privacy are: (1) The right of a person acting on his/her own behalf to determine the degree to which he/she will interact with their environment, including the degree to which he/she will share information about themselves with others, and (2) the right of individuals to control or influence what information related to them may be collected and stored, and by whom, and with whom that information can be shared.

Under common law in the US, invasion of privacy is a tort for which the wronged party may seek compensation. A key area of privacy in the US is personally identifiable information (PII) included in health records and transactions. As a result, the Health Insurance Portability and Accountability Act (HIPAA) includes substantial provisions for the privacy of PII (Privacy Rule).

Also in the US, California was the first state to require that companies notify customers living in California of computer security breaches that might have resulted in a customer’s personal data being acquired by an unauthorized person. Over the last few years, disclosure has become common practice by financial institutions and retailers that have had customer credit card information compromised or potentially compromised.

In the US, there have historically been fewer privacy restrictions on private entities than on government institutions. However, the European Union has imposed much more stringent regulations – via the Data Protection Directive – on the sharing of private information. Since we are in a global economy, this caused some friction between the US and its European business partners, hence the ‘Safe Harbour’ agreement, which provided a framework for harmonizing US privacy practices with those of its European partners.


Canada has two overall privacy laws in place: (1) The Canada Personal Information Privacy and Electronic Documents Act and (2) The Privacy Act. In terms of enforcement, both Canadian laws are broader than their US counterparts. All of this means that as the global economy moves forward, enterprises combating the insider threat must be careful to address the privacy rights of employees and other partners with respect to privacy legislation. Security policy and procedures need to be developed with privacy rules in mind.

To help avoid privacy violations and the associated penalties (notification and possible monetary compensation or litigation), organizations should have a comprehensive information security program in place, including the following:

  • Access Control: Provide access control authority based on a business ‘need-to-know’ for information and information systems, thereby eliminating excessive and unnecessary privilege assignment.
  • Audit: Invest in effective software and/or development of auditing tools with effective monitoring and analysis capability.
  • Background Checks: Conduct pre-employment background checks on potential hires with recurring checks at predefined intervals. Work with human resource departments to identify and address disgruntled employees.
  • Physical Access: Control physical access to corporate assets (facilities and buildings).
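The Access Control and Audit items above, together with the earlier point that access policies must be specific enough to grant only what a function needs and that an oversight function must then check adherence, are illustrated by the following added example. It is not code from the article: it is a constructed need-to-know access check that defaults to deny, records every decision, and a review routine that reads the resulting audit trail the way an oversight team would, flagging users who are repeatedly refused and users whose successful accesses span an unusual number of data sets. The roles, data sets, users and thresholds are all hypothetical.

```python
"""Need-to-know access control with an audit trail (added example).

Constructed illustration: roles map to the data sets a job function
needs; every decision is recorded; a review function scans the audit
trail for the patterns an oversight function wants to see (repeated
denials, a user touching an unusual number of data sets).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Hypothetical role -> permitted data sets (constructed sample policy).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll", "employee_directory"},
    "sales_rep": {"crm", "price_list"},
    "engineer": {"source_code", "build_logs"},
}


@dataclass
class AuditEvent:
    user: str
    role: str
    resource: str
    allowed: bool


@dataclass
class AccessController:
    roles: Dict[str, Set[str]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def check(self, user: str, role: str, resource: str) -> bool:
        """Default-deny: unknown roles and resources outside the role's
        need-to-know set are refused. Every decision is logged, allowed
        or not, so the trail supports accountability as well as review."""
        allowed = resource in self.roles.get(role, set())
        self.audit_log.append(AuditEvent(user, role, resource, allowed))
        return allowed


def review_audit_log(events: List[AuditEvent],
                     denial_threshold: int = 3,
                     breadth_threshold: int = 3) -> List[str]:
    """Return review findings as human-readable strings.

    Two simple indicators (hypothetical thresholds): a user refused at
    least `denial_threshold` times, and a user whose successful accesses
    cover at least `breadth_threshold` distinct data sets."""
    denials: Dict[str, int] = defaultdict(int)
    touched: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.allowed:
            touched[ev.user].add(ev.resource)
        else:
            denials[ev.user] += 1
    findings = []
    for user, n in sorted(denials.items()):
        if n >= denial_threshold:
            findings.append(f"{user}: {n} denied requests outside assigned role")
    for user, res in sorted(touched.items()):
        if len(res) >= breadth_threshold:
            findings.append(f"{user}: accessed {len(res)} data sets: {sorted(res)}")
    return findings


def run_demo():
    """Run a constructed request sequence; return (decisions, findings)."""
    ac = AccessController(ROLE_PERMISSIONS)
    requests = [                                   # constructed sample
        ("alice", "payroll_clerk", "payroll"),
        ("alice", "payroll_clerk", "employee_directory"),
        ("bob", "sales_rep", "crm"),
        ("bob", "sales_rep", "payroll"),            # outside role
        ("bob", "sales_rep", "source_code"),        # outside role
        ("bob", "sales_rep", "employee_directory"), # outside role
        ("carol", "contractor", "build_logs"),      # unknown role
    ]
    decisions = [ac.check(*r) for r in requests]
    return decisions, review_audit_log(ac.audit_log)


if __name__ == "__main__":
    decisions, findings = run_demo()
    print("decisions:", decisions)
    for line in findings:
        print("finding:", line)
```

Two choices matter here. The controller logs refusals as well as grants, because a run of denials is the signal the article's "open threat" indicator turns into something an audit tool can see. And the unknown role is refused rather than given some default set, which is what "eliminating excessive and unnecessary privilege assignment" means in code.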

Emerging Tools

An emerging concern regarding privacy is the area of social networking. There is some evidence that social networks and the supporting tools tend to place more emphasis on security than privacy, although both are important. This emphasis on security over privacy is directly related to a real threat to the existence and growth of social networking. The security measures include those addressing application layer attacks, denial of service attacks, authentication and account control management, and better malware detection mechanisms.

The proliferation of sophisticated mobile devices is also having a substantial effect on information security within organizations, especially in the area of budget prioritization and allocation. Information security professionals are struggling to accommodate the increased number and type of mobile devices being used in the enterprise, most of which have internet capabilities and gateways to enterprise systems. In such an environment, use of passwords and encryption can be employed to help mitigate some of the risk.

Follow the Signs

There is no single indicator that can be used to identify an insider who is a potential threat, but some indicators that should be considered include:

  • The Open Threat: Employees who are disgruntled are usually very vocal in expressing their discontent, often in search of a compassionate ear. Employees at all levels should be trained to take such talk seriously. An open-door policy on the part of company executives and line management is a good way to foster an environment where employees feel free to anonymously report questionable behavior without fear of exposure and/or retribution.
  • Background Checks/History: Background checks and review of employee/potential employee history may reveal important information regarding the person’s character. The old adage ‘history repeats itself’ is more than apropos when looking at behavior. Organizations need to have a proactive strategy – and the appropriate technology – in place to support prevention or early detection of inappropriate insider activity. It should be noted that a clean background check is no guarantee against future malicious behavior.
  • Ideology: Employees with very strong personal values that may be in conflict with an organization’s culture, mission and policies may find it difficult to reconcile their ideology with the goals of the organization. The way in which they choose to address these differences may pose an insider threat if access to corporate information and systems becomes part of their strategy to express this dissatisfaction in a way that is destructive to the organization. Some employees have been known to exploit company trade secret information for their own financial gain. Employee training on ethics, interpersonal communication and effective conflict resolution can be useful in avoiding such behavior.

The insider threat has been – and continues to be – very real. Although organizations recognize the problem, budgets reflect that insufficient attention is being given to making sure that effective controls are being implemented to prevent, detect and mitigate insider threats.

These types of threats need to be treated as both real and sustained, equal to that of external threats such as hackers. This is true especially in the current environment of exponentially expanding use of mobile devices, social networking and rapidly advancing technology.


Members of the Bureau include federal IT security experts from government and industry. John R. Rossi, CISSP-ISSEP, was the lead author of this peer-reviewed article.

