Torsion Information Security Blog

Exploring the business and technical implications of information security.

Being aware of the ‘insider’ threat to cybersecurity

Of all information security threats, the ‘insider’ security threat usually isn’t the image that people’s minds go to first. Teenage hackers, maybe, or offices full of reclusive geniuses hacking away at the behest of their government. But the costliest form of information security incident is none of these things. It is the incident caused by regular, everyday staff members, acting mainly accidentally or oblivious to the damage they could cause by their actions, or lack thereof.

Shred-it’s 2019 Data Protection Report found that 43% of C-Suite executives (C-Suites) and 8% of small business owners (SBOs) admitted their organisation had suffered a data breach. Of those organisations that have suffered a data breach, C-Suites and SBOs cite human error or accidental loss as a main cause for the breach – whether by an external source or by an employee/insider.

Defining the ‘Insider’

We’re talking about regular, everyday staff members working in the business. We’re also talking about external partners with whom information is shared.

Why the Insider Threat is Different

Most other information security threats stem from gaps in the IT landscape. They tend to warrant predominantly technical responses at the network perimeter, such as firewalls, DMZs, intrusion detection, etc.
The insider security threat is different, and deserves to be thought of separately from external hacking-type threats.
It tends to occur at a granular level, one document at a time, not entire systems or networks at a time. This means that effective solutions (and useful conversations about them) are much closer to the business than they are to the IT teams responsible for technology. Our most vulnerable systems are those which store the documents: our collaboration, cloud storage and file sharing systems such as Microsoft 365, SharePoint, file shares or Microsoft Teams.

And insider incidents have a much higher likelihood of actually occurring, and often go undetected for months. Our tendency to focus on stopping ‘the big incident’ overlooks the fact that the cumulative effect of the smaller incidents, occurring on a regular basis, can have a far greater negative impact on the business.

The Nature of the Insider Security Threat

Information Management is the professional discipline concerned with connecting people with the information they need to do their jobs. So, when it comes to the nature of the insider threat, we need to take into account:

- people constantly joining, moving, leaving
- external partners / customers / suppliers
- a massive and exponentially growing volume of data
- data in many different forms, including documents, emails, images, databases, printouts
- constant business change – new customers, old partners, departments starting, offices closing
- strategies and priorities shifting
- organisational structures changing, mergers and acquisitions
- working practices becoming increasingly flexible and collaborative
- information scattered across multiple platforms of varying maturity and capability
- the rise of the cloud – bringing powerful capabilities more cheaply, but also downsizing of IT teams, skills and budgets
- the rise of mobile devices and workforces – everything is available everywhere, anytime
- many security solutions and vendors competing for market share

As with any risk, the insider threat can be stated as the likelihood of an incident, combined with the potential severity of an incident. So, any effective solution for minimising the insider security threat needs to address as many of these areas as possible at once, reducing the likelihood and severity of any incident. Solutions which focus too narrowly on only one or two of these areas are only ever going to have limited overall effectiveness.