Please note! This essay has been submitted by a student.
Most people, in the midst of a discussion about online security and its dangers, will probably mention that malware, viruses, and so on are the worst attacks. The truth is that they are correct. But where do most malware, viruses, and similar problems arise from? There must be a parent to all of this, and finding it is how the cyber attacks can be stopped. When most attacks nowadays are looked into to find where they came from, the result shows that it was an insider threat. It is known that 91% of cyber attacks today are caused by the insider threat.
The insider threat refers to the threat of an attack within an organization coming from an insider, such as an employee working for that organization. Insider threats are broken down into two categories: malicious threats and non-malicious threats. A malicious insider threat is when the insider is motivated, for whatever reason, to cause damage, whereas a non-malicious threat is where the insider may not even have known at the time of the attack that they were doing anything that might cause harm to the organization. Straight off the bat, many will think that a malicious insider threat is worse than a non-malicious threat. That is tough to determine, as we will see later on.
The malicious category within the insider threat can be vast. It may be an employee who is upset at the organization for a given reason, such as not getting the promotion they thought they deserved. Another employee may be going through a tough time financially, and someone offered them a sum of money to connect a USB drive to the server. There are many instances of a malicious insider threat, but they all have one common factor: the insiders are motivated, for whatever reason, to damage the organization. The non-malicious insider threat can be generalized as employees who are just going with the flow of daily life, opening links in emails without thinking twice or downloading a file from a website that might seem a bit off without noticing it. Many times, an employee may want to transfer data onto their USB drive so that they can work from home, but they don’t know that the drive contains a virus. By plugging it into their work PC, they have infected it and possibly the entire network. There are many scenarios of a non-malicious insider threat, but they all share the same factor: the employees do not know what they are doing while potentially causing a lot of damage to the organization, and if you asked them, the truth might be that they would never do these things willingly.
The biggest problem with the insider threat is how to keep it under control and prevent it from happening. Most other threats and risks can be avoided and mitigated. For example, deploying a firewall and a robust IDPS can prevent many bot attacks and even a DoS attack. Most attack types have preventive measures. Yes, the insider threat has precautionary measures as well, but they aren’t guaranteed as fully as a robust firewall would be. It is very different because we are dealing with humans. Human nature changes as it goes. An employee may love working for their organization and would never think of causing damage, but one morning they wake up with a thought and decide to download a virus on purpose onto their computer to infect the network. Or, in the case of a non-malicious threat, an employee forgot to look over a suspicious email twice before opening a link contained within it. Humans cannot be programmed to stop attacks and always follow through the way software like an IDPS would. This is what makes the insider threat, malicious or non-malicious, the most significant and toughest cyber threat to tackle nowadays.
As mentioned earlier, there are a few preventive measures that can be taken to reduce the chance of the insider threat causing damage. The key word here is “reducing”, as entirely cutting it out is practically impossible. But steps need to be taken to keep it under control and hopefully keep it from ever occurring. Let’s begin with the malicious aspect of an insider threat, where the employee is motivated. As mentioned above, an employee may be motivated because they do not feel treated correctly at the office and want to cause harm, or an employee going through a rough patch in life may be motivated by an outsider to plug an infected USB drive into the server, and so on. These cases should and can be reduced by keeping a good relationship with all employees, and by keeping an eye out for an employee acting unusually and out of the ordinary. For example, many employees will get upset and possibly motivated when a promotion they thought they thoroughly deserved goes to someone else. But if they were notified about it beforehand, and it was discussed why it happened and how they can get that promotion in the future, it can prevent that employee from becoming motivated to do something that would cause harm to the organization. If an employee is seen acting out of the ordinary, or if management somehow gets word that they are struggling with something, such as finances, they can bring that employee in to discuss it and possibly help them with whatever the situation is. The employee will feel that the organization is trying to help and would perhaps throw away any thought of causing harm.
These are just a few preventive measures for a malicious insider threat, but the rest of them are similar. It is primarily about making sure employees don’t get thoughts of causing damage. This is done by treating employees with respect, giving them space when needed, lending a hand if and when personal issues arise, even if they conflict with work tasks, and so on.
The second category of the insider threat also has preventive measures, which can be easily described in two words: education and awareness. The most efficient way to reduce a non-malicious insider threat is to make sure your employees are very well trained and educated in the sneaky techniques that attackers use to lure in less educated people. By training employees, they will know what to look for in a suspicious email; they will be able to notice a suspicious link from a mile away. Employees will also know that attackers are very creative and can make anything look real, but there will always be a way to determine if it is a scam or not. They need to be taught to be aware of phishing scams and false emails. Employees also need to be trained not to plug an external USB drive into any machine connected to the organization’s network, as one of the newer attacks is where attackers purposely drop infected USB drives in a parking lot hoping a curious user will pick one up and plug it in to see what it contains. Once it is plugged in, the attackers are in. Training and awareness can eliminate these threats.
An additional measure that should always be taken, especially when an organization is faced with a non-malicious insider threat, is to implement policies that won’t allow users to get close enough that they might click on dangerous links or open a phishing email. This can be done by preventing external drives from being connected to any machine, blocking personal email from being opened, and applying a few other policies that will lock down the user, which will substantially prevent an insider threat from becoming a real attack. The problem with this is that it can and probably will inconvenience users. For example, implementing a slightly too robust password policy with two-factor authentication might upset users. Not being able to plug in a USB drive means that a user who usually works from home cannot take files home. These are just some examples. The point here is that implementing strong security measures may inconvenience users. This makes it hard to secure the network. That is why it is of the utmost importance to find the balance between security and user convenience, or at least to make sure the users understand the importance of the policies being implemented so they won’t feel inconvenienced, knowing that they are helping keep the organization safe from attacks. The balance of security over user convenience will vary based on the organization.
The insider threat, malicious or non-malicious, can cause plenty of damage to any organization, no matter how careful it is and no matter how many security measures are put into place. The problem is that it is tough to reduce the risk. But an organization must do its part to reduce it. This is done by making sure employees are always on good terms with the organization as a whole, and by staying on top of things so that they are never on bad terms with anyone from management or with any other employees. If management does notice something off with an employee, action should be taken right away. There should be periodic training on education and awareness that is mandatory for all employees, no matter which department or title they have. It should even be mandatory for the CEO.
Training should happen often, as attackers get smarter as the days go on. Employees should be tested by IT sending out fake phishing emails to ensure that no one would fall for them. As I mentioned, the insider threat doesn’t have any fully guaranteed security controls, but an organization needs to do its part in making sure it won’t happen. It may not be easy, but it definitely is worth it.