Malicious Insiders can be employees, former employees, contractors or business associates who have legitimate access to your systems and data, but use that access to destroy/steal data or sabotage your systems. It does not include well-meaning staff that accidentally put your cyber security at risk or spill data.
There are many reasons an insider can be or become malicious including revenge, coercion, ideological dispute, ego, or seeking financial gain through intellectual property theft or espionage. They could:
- damage your enterprise's reputation and how it is perceived
- prevent your systems from functioning properly
- steal or sell business trade secrets or intellectual property (IP)
Cyber adversaries can use employees whose trust they have gained to access your business systems and accounts. Employees could provide information to a Malicious Insider unknowingly, or mention sensitive details in trust.
How do I recover from a Malicious Insider attack?
Report illegal activities to the police.
Recovering from a Malicious Insider depends on the damage they have done. If they have damaged your Facebook page, installed malware, or otherwise stopped your systems from functioning properly, you can put in place technical solutions to those problems.
If they have stolen data, however, there is very little you can do to recover it: technical fixes will not bring the stolen data back. That is why prevention is key.
How do I prevent a Malicious Insider threat?
How to protect your organization against Malicious Insiders will depend on your organization’s systems, culture, and business processes, and how well this is communicated and understood by staff.
A Malicious Insider's system access and knowledge of your business processes (particularly its checks and balances) can make them hard to detect. But there are practices you can put in place to reduce the risk of a Malicious Insider in your organization.
Require strong passwords and multi-factor authentication
Requiring strong passwords and using multi-factor authentication means that even if a Malicious Insider gets hold of an employee's user ID, it is difficult for them to gain access to that account and perform malicious actions.
Deactivate access
When an employee leaves your organization or their role changes, make sure their access to your business resources is deactivated at the same time.
Any shared passwords the person knows should also be changed. For example:
- shared office Wi-Fi password
- bank account passwords
- shared email accounts
- administrative or privileged user accounts
To help with this process, keep a checklist of all systems a staff member could have access to, so that access removals and password changes can be checked systematically and any required actions taken. Update the list as new systems are added; if this is done as you go, keeping it current should not be too onerous.
Auditing and logging
Many business information systems will log, monitor and audit staff network activities. You should investigate what logging capabilities your system has, especially for high-risk systems, such as ones that authorize payments.
To make this effective, you need to make sure audits of your systems are regularly reviewed and unusual activities are followed up. Make sure your staff know about your auditing and review process, so they are deterred from considering any unauthorized activities.[1]
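As an added illustration (not part of the original page) of the kind of review described above, the script below runs two checks over constructed audit log lines: activity by an account after its recorded deactivation date, and a payment raised and approved by the same person, which defeats the checks and balances in a payment-authorizing system. The log format, user names and payment references are all assumptions made for the example.

```python
import datetime as dt
import re

# Constructed sample data: dates on which access should have been deactivated,
# as recorded on the offboarding checklist.
DEACTIVATED = {"jsmith": dt.datetime(2024, 3, 1)}

# Constructed audit log lines in an assumed "timestamp user action detail" format.
LOG_LINES = [
    "2024-03-04T09:12:00 jsmith login vpn",
    "2024-03-04T09:15:00 jsmith export customer_db",
    "2024-03-05T10:00:00 amy payment.raise PAY-101 amount=4800",
    "2024-03-05T10:02:00 amy payment.approve PAY-101 amount=4800",
    "2024-03-05T11:00:00 bob payment.raise PAY-102 amount=1200",
    "2024-03-05T13:30:00 carol payment.approve PAY-102 amount=1200",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse(line):
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, action, detail = m.groups()
    try:
        when = dt.datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "user": user, "action": action, "detail": detail or ""}

def find_post_deactivation_activity(lines, deactivated):
    """Flag any activity by an account after its recorded deactivation date."""
    findings = []
    for e in filter(None, map(parse, lines)):
        cutoff = deactivated.get(e["user"])
        if cutoff and e["ts"] > cutoff:
            findings.append((e["user"], e["action"], e["ts"].isoformat()))
    return findings

def find_self_approved_payments(lines):
    """Flag payments raised and approved by the same user (no separation of duties)."""
    raised, findings = {}, []
    for e in filter(None, map(parse, lines)):
        ref = e["detail"].split()[0] if e["detail"] else None
        if e["action"] == "payment.raise":
            raised[ref] = e["user"]
        elif e["action"] == "payment.approve" and raised.get(ref) == e["user"]:
            findings.append((ref, e["user"]))
    return findings

if __name__ == "__main__":
    for f in find_post_deactivation_activity(LOG_LINES, DEACTIVATED):
        print("post-deactivation activity:", f)
    for f in find_self_approved_payments(LOG_LINES):
        print("self-approved payment:", f)
```

Each finding is a lead for the follow-up the text calls for: an account still active after offboarding, or a payment that bypassed a second approver.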
Focus on your culture
The culture of your organization and overall contentment of your staff is important in mitigating the Insider Threat. The more integrity and transparency you have in your work environment, the harder it is to act dishonestly. Additionally, happy, valued and challenged staff members are less likely to act to harm your organization.
Collaboration can also help discourage Malicious Insiders, by discouraging a culture of lone operators and reducing the incentives and opportunities for staff to work against your organization.
An active approach to staff welfare will help you support your staff, and provide early warning signs of changes in their circumstances which might put them, and your organization, at risk.
Business processes
Personnel security
For all employees, irrespective of their system access, pre-employment and background checks are a good first step.
Be clear with new starters on how you can and will verify pre-employment information and conduct background checks. You should also include a dispute process after identifying incorrect information from these checks.
Identity should be established using a recognized form of identification, such as a National Identification Document (NID).
You can check referees and previous places of employment.
You could also consider ongoing and periodic checks to ensure that your employees’ situations haven’t changed.
Improve staff education
Make staff cyber security awareness a priority in your organization.
Documenting and training staff in business activities helps drive a clear and shared understanding of expectations and culture. Educating staff on the business and the risk environment it operates in is key to this outcome.
Cyber security documentation loses its value if staff are not made aware of its existence and how to use it.
Make staff aware that they are responsible for all activity under their logon, and of the importance of protecting their logon credentials from misuse.
For example, staff should be made aware of the importance of:
- choosing a strong password
- not sharing their password/login details with others
- either remembering their password or ensuring it is securely stored so others cannot access it