Malicious employees and insider threats pose one of the biggest security risks to organizations, because these users already hold legitimate access and permissions that an external attacker would first have to obtain.
Most organizations seem unaware of the scale of the insider problem. Employees are routinely trained to spot external attackers through phishing and vishing messages, but few organizations prepare staff or publish guidelines for recognizing malicious and negligent colleagues.
A recent report from DTEX highlighted that IP theft is at an all-time high because insiders are colluding with foreign governments. Uber’s 2022 breach, in which an attacker bought a contractor’s stolen credentials and used them to reach internal systems, shows the damage that can follow when awareness and policy around internal access are lacking.
Understanding the type of threats to look out for and putting the correct frameworks in place will help mitigate the likelihood of insider threats taking place.
There are several insider threats that organizations need to remain vigilant against. Denial-of-service (DoS) is one: a malicious employee with detailed knowledge of the company’s systems and networks can flood a service with illegitimate requests, or exploit a known weakness, to crash it or make it unavailable to its users.
The risk of employees leaving the company with sensitive information or still-valid access credentials must also be considered. A standard offboarding procedure should ensure that a former employee’s accounts, keys and physical access are revoked at departure, removing their ability to compromise security afterwards.
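One concrete way to verify that offboarding actually happened is to reconcile the HR leaver list against the identity provider, since disabling a login often leaves API keys and tokens alive. The following is an added example, not code from the original article or from CovertSwarm; the HR export, the account export, the field names and the one-day grace period are all assumptions, with the sample records constructed inline.

```python
"""Reconcile an HR leaver list against identity-provider accounts.

Added example (not from the original article). Flags accounts and
long-lived credentials that should have been revoked at offboarding.
Records are constructed inline; field names are assumptions.
"""
from datetime import date, timedelta

# Constructed HR export: employee id -> (status, termination date or None)
HR_ROSTER = {
    "e1001": ("active", None),
    "e1002": ("terminated", date(2024, 3, 29)),
    "e1003": ("terminated", date(2024, 4, 12)),
    "e1004": ("active", None),
    "e1005": ("terminated", date(2024, 4, 14)),
}

# Constructed identity-provider export: one entry per account.
IDP_ACCOUNTS = [
    {"user": "alice", "employee_id": "e1001", "enabled": True, "api_keys": ["k-11"]},
    {"user": "bob", "employee_id": "e1002", "enabled": True, "api_keys": ["k-22", "k-23"]},
    {"user": "carol", "employee_id": "e1003", "enabled": False, "api_keys": ["k-33"]},
    {"user": "svc-build", "employee_id": None, "enabled": True, "api_keys": ["k-44"]},
    {"user": "dave", "employee_id": "e1005", "enabled": True, "api_keys": []},
]

GRACE = timedelta(days=1)  # assumed policy: access must be gone within a day of leaving


def offboarding_findings(roster, accounts, today):
    """Return (user, issue) pairs for accounts that contradict the HR roster."""
    findings = []
    for acct in accounts:
        emp = acct["employee_id"]
        if emp is None:
            # Service accounts have no HR record; they need a named owner instead.
            findings.append((acct["user"], "no_owner"))
            continue
        if emp not in roster:
            # An account with an employee id HR has never heard of is suspicious.
            findings.append((acct["user"], "unknown_employee"))
            continue
        status, left_on = roster[emp]
        if status != "terminated":
            continue
        if left_on + GRACE >= today:
            continue  # still inside the offboarding grace window
        if acct["enabled"]:
            findings.append((acct["user"], "account_still_enabled"))
        if acct["api_keys"]:
            # Disabling the login does not revoke keys; they must be checked separately.
            findings.append((acct["user"], "api_keys_not_revoked"))
    return findings


if __name__ == "__main__":
    for user, issue in offboarding_findings(HR_ROSTER, IDP_ACCOUNTS, date(2024, 4, 15)):
        print(f"{user}: {issue}")
```

Run against the constructed data, it reports bob (login and keys still live two weeks after leaving), carol (login disabled but a key survives) and the ownerless service account, while dave is inside the grace window and alice is active. Running this daily, with the HR system as the source of truth, is the check that turns an offboarding policy into something enforced.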
Malicious deletion of crucial systems or data by an insider can have a catastrophic immediate impact on a company. Data loss or a period of downtime can lead to significant complications, including financial losses, damage to reputation and a loss of trust from clients and partners. Legal recourse may be available to address the employee’s actions, but the damage will already have been done.
Not all insider incidents are caused by malicious employees; some stem from negligence, but the danger is just as real. The rise of AI and LLM tools has increased the chances of negligent employees leaking information to cybercriminals through accidental disclosure.
Employees may paste data into AI or LLM tools for tasks such as data sorting or code checking. Depending on the provider’s terms (which often permit it), that input may be retained and used to train the model, and can then surface in answers given to other users, leaking the sensitive information. For example, if a user uploads details of a confidential project to an LLM, the data might later be used to answer another individual who asks “Tell me about Project X.” Companies need clear policies on the use of AI and LLM tools for professional work.
Additionally, some LLMs support ‘add-ons’ (plugins) that can be abused to exfiltrate data entered into the tool, leading to similar leakage, which makes it all the more critical that organizations have controls in place to limit unauthorized exposure of data.
Despite the rising sophistication of insider threats, many organizations still lack the tools to detect or prevent employees from copying sensitive information to portable devices and walking out with it. This basic gap is a critical area where monitoring and security measures need to improve if insider threats are to be addressed effectively.
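A policy on LLM use only holds if something enforces it at the point where text leaves the organization. The following is an added example, not code from the original article or from CovertSwarm: a pre-submission screen that redacts credentials, personal data and registered project codenames from a prompt and blocks the request outright when a credential was present. The regular expressions, the codename list and the allow/block rule are assumptions an organization would tune to its own estate; the sample prompt is constructed.

```python
"""Screen text before it is sent to an external LLM tool.

Added example, not from the original article. Patterns, the
confidential-term list and the block rule are assumptions to tune.
"""
import re

# Credentials and personal data that must not leave (patterns are assumptions).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Constructed classification register: codenames of confidential projects.
CONFIDENTIAL_TERMS = ["Project Nimbus", "Orion"]

# Finding types that block the whole request rather than just being redacted.
BLOCKING = {"aws_access_key", "private_key"}


def screen_prompt(text, terms=CONFIDENTIAL_TERMS):
    """Return a decision dict: allow flag, findings, and the redacted text."""
    findings = []
    redacted = text
    for name, pat in SECRET_PATTERNS.items():
        hits = pat.findall(redacted)
        if hits:
            findings.append((name, len(hits)))
            redacted = pat.sub(f"[REDACTED:{name}]", redacted)
    for term in terms:
        # Codenames are matched case-insensitively so "project nimbus" is caught too.
        pat = re.compile(re.escape(term), re.IGNORECASE)
        hits = pat.findall(redacted)
        if hits:
            findings.append(("confidential_term", len(hits)))
            redacted = pat.sub("[REDACTED:project]", redacted)
    block = any(name in BLOCKING for name, _ in findings)
    return {"allow": not block, "findings": findings, "text": redacted}


# Constructed sample prompt containing a codename, an e-mail address and a key.
SAMPLE_PROMPT = (
    "Summarise the Project Nimbus budget and email alice@example.com; "
    "deploy key is AKIAABCDEFGHIJKLMNOP"
)

if __name__ == "__main__":
    decision = screen_prompt(SAMPLE_PROMPT)
    print("allow:", decision["allow"])
    print("findings:", decision["findings"])
    print(decision["text"])
```

The design choice worth noting is the split between redact and block: a codename or address can be stripped and the rest of the prompt still sent, but a prompt that contained a credential is evidence of a key already sitting in someone’s clipboard, so it should be blocked and the key rotated rather than quietly cleaned up.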
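Detecting copies to portable media does not need exotic tooling; endpoint file-activity logs already carry the events, and the gap is usually that nobody evaluates them. The following is an added example, not code from the original article or from CovertSwarm, that runs two simple detections over constructed endpoint log lines: any copy from a registered sensitive share to removable media, and more than a set volume to removable media within an hour. The log format, the sensitive path prefixes, the window and the threshold are all assumptions.

```python
"""Flag suspicious copies to removable media in endpoint file-activity logs.

Added example, not from the original article. The key=value log format,
the sensitive prefixes, the window and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (format is an assumption): timestamp then key=value fields.
LOG_LINES = """\
2024-05-01T09:02:11Z user=alice action=file_copy dest=removable:E: bytes=120000 path=/docs/agenda.docx
2024-05-01T09:05:40Z user=bob action=file_copy dest=removable:F: bytes=450000000 path=/finance/ledger.xlsx
2024-05-01T09:06:02Z user=bob action=file_copy dest=removable:F: bytes=300000000 path=/finance/forecast.xlsx
2024-05-01T09:07:15Z user=bob action=file_copy dest=removable:F: bytes=200000000 path=/hr/salaries.csv
2024-05-01T09:40:00Z user=carol action=file_copy dest=network:/share/public bytes=900000000 path=/eng/build.zip
2024-05-01T11:30:00Z user=alice action=file_copy dest=removable:E: bytes=600000000 path=/eng/src.tar
"""

WINDOW = timedelta(minutes=60)
VOLUME_THRESHOLD = 500 * 1024 * 1024          # assumed: 500 MiB per user per hour
SENSITIVE_PREFIXES = ("/finance/", "/hr/")    # assumed: shares registered as sensitive


def parse(line):
    """Parse one log line into a dict with typed timestamp and byte count."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["bytes"] = int(ev["bytes"])
    return ev


def detect(lines):
    """Return (user, rule, detail) alerts for copies to removable media."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, bytes)] of recent removable-media copies
    for line in lines.strip().splitlines():
        ev = parse(line)
        # Only copies whose destination is removable media are in scope here.
        if ev["action"] != "file_copy" or not ev["dest"].startswith("removable:"):
            continue
        user = ev["user"]
        if ev["path"].startswith(SENSITIVE_PREFIXES):
            alerts.append((user, "sensitive_path_to_removable", ev["path"]))
        hist = recent[user]
        hist.append((ev["ts"], ev["bytes"]))
        # Keep only events inside the sliding window ending at this event.
        hist[:] = [(t, b) for t, b in hist if ev["ts"] - t <= WINDOW]
        total = sum(b for _, b in hist)
        if total > VOLUME_THRESHOLD:
            alerts.append((user, "bulk_copy_to_removable", total))
            hist.clear()  # one burst produces one alert, not one per file
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(LOG_LINES):
        print(f"{user}: {rule} ({detail})")
```

On the constructed log, bob trips both rules (three finance and HR files, 950 MB in two minutes), alice trips the volume rule on a single 600 MB archive two hours after a harmless small copy, and carol’s large copy to a network share is ignored because the destination is not removable media. Real deployments would feed this from the endpoint agent’s event stream and route alerts to the SOC, but the logic is this small.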
To effectively root out malicious insiders, organizations must invest in comprehensive security tools and practices, such as robust monitoring systems, strict access controls and regular audits.
Additionally, fostering a culture of security awareness and implementing clear guidelines for reporting suspicious activities are essential steps in mitigating the risk posed by insider threats.
Implementing ISO 27001 and ISO/IEC 42001 in business operations is a good way to begin reducing the risk of insider threats. Both are valuable frameworks that help establish rigorous procedures and controls.
It is important to ensure these frameworks are not reduced to tick-box exercises and are instead embedded in daily operations.
ISO 27001 specifies an information security management system (ISMS): a systematic approach to managing information security risk, with regular audits, access controls and comprehensive employee training.
ISO/IEC 42001 specifies an AI management system: a structured approach to governing how an organization develops and uses AI, which directly supports the controls on employee use of AI and LLM tools described above.
The challenge is integrating these standards into everyday business practice, and ensuring they are enforced and updated. Organizations need to embed them into their operational practices, taking a proactive stance against insider threats and increasing security awareness among employees.
Martin Ellis, part of the founding team at CovertSwarm, also contributed to this article.