Infosecurity Europe
4-6 June 2024
ExCeL London

Five Ways to Tackle Insider Threats

Insider threats are on the rise, and organisations must have robust plans in place to prevent and respond to these incidents

Insider threats, made mainstream by high-profile cases like the Edward Snowden national security leaks in 2013, are a large and present threat to businesses.

Research has shown that data breaches perpetrated by employees have ramped up in recent years, fuelled by trends such as remote working and increased staff turnover.

Insider threats come in a variety of forms, including disgruntled employees stealing data to sell to malicious actors; those carrying out industrial espionage; and staff manipulated online into giving away sensitive information, for example through romance scams.

Every September is National Insider Threat Awareness Month (NITAM), which aims to raise awareness of the issue.

Infosecurity has collated five key strategies for organisations to mitigate the risk posed by insider threats:

1. Access Management

Restricting employee access to only the data and systems they require to do their job is an important principle in cybersecurity generally, and a core component of zero trust architecture.

Access management is an ongoing process, requiring constant monitoring and updating for starters, movers and leavers. This is vital in reducing the risk of insider threat activity, with those leaving the business at higher risk of engaging in data theft – for example to get ‘revenge’ on their former employers or to bring important information across to a new role at a rival firm.

Businesses must properly segregate their networks to prevent any unauthorised access to sensitive data, and undertake periodic checks and controls to ensure security policies are being enforced.

2. Monitoring of Behaviour and Activity

Organisations should develop mechanisms for monitoring their employees’ behaviours and online activities, in a non-intrusive manner.

Threat actors often target employees via legitimate social media platforms and the dark web to trick or financially incentivise them into leaking sensitive data. As a result, businesses should monitor such channels for chatter about their company, cyber-criminals looking for insider knowledge, or disgruntled employees making unsavoury comments.

Organisations should also be observant of any suspicious behaviours among employees, such as attempting to access and download large amounts of data. Focus should be on people who are at higher risk of engaging in insider threat activity, such as those who have handed in their notice or have been informed that their job is at risk in a company restructure.

Well-designed company whistleblowing programs can be integral in such behavioural monitoring.
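An added example, not part of the original article: one way to implement the download-volume check described in this section, comparing each user's daily total with their own median and applying a tighter threshold to higher-risk staff. The event records, user names, thresholds and the `HIGHER_RISK` list are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (date, user, bytes downloaded). Not real data.
EVENTS = [
    ("2024-05-01", "alice", 40_000_000), ("2024-05-02", "alice", 55_000_000),
    ("2024-05-03", "alice", 48_000_000), ("2024-05-06", "alice", 900_000_000),
    ("2024-05-01", "bob", 20_000_000), ("2024-05-02", "bob", 25_000_000),
    ("2024-05-03", "bob", 22_000_000), ("2024-05-06", "bob", 80_000_000),
    ("2024-05-06", "carol", 300_000_000),  # first activity ever seen for carol
]

# Hypothetical HR feed: staff who have resigned or are affected by a restructure.
HIGHER_RISK = {"bob"}


def daily_totals(events):
    """Sum downloaded bytes per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes in events:
        totals[user][day] += nbytes
    return totals


def flag_bulk_downloads(events, day, higher_risk, normal_factor=10.0,
                        risk_factor=3.0, min_bytes=50_000_000,
                        no_history_bytes=250_000_000):
    """Return (user, bytes_today, baseline, reason) tuples for review on `day`."""
    alerts = []
    for user, per_day in sorted(daily_totals(events).items()):
        today = per_day.get(day, 0)
        if today < min_bytes:  # ignore small volumes to limit noise
            continue
        # ISO dates compare correctly as strings; only earlier days form the baseline.
        history = [v for d, v in per_day.items() if d < day]
        if not history:
            # No baseline to compare against: fall back to an absolute limit.
            if today >= no_history_bytes:
                alerts.append((user, today, None, "no baseline"))
            continue
        baseline = median(history)
        factor = risk_factor if user in higher_risk else normal_factor
        if today > factor * baseline:
            alerts.append((user, today, baseline, f"over {factor:g}x median"))
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_downloads(EVENTS, "2024-05-06", HIGHER_RISK):
        print(alert)
```

Alerts from a check like this are prompts for human review rather than proof of wrongdoing, which keeps the monitoring proportionate.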

3. Staff Well-Being

Many insider threats are not maliciously motivated – rather they are driven by factors like financial issues and stress.

Organisations are at a heightened threat of insider data breaches during difficult economic times.

Creating employee well-being and assistance programmes can help ensure staff are not driven to the point where they are tempted by financial offers from malicious actors. In addition, treating employees well will mean they are unlikely to develop a grievance towards the business, reducing the chances of malicious insider attacks.


4. Employee Education and Training

Organisations must ensure employees understand the social engineering techniques used by threat actors to trick or entice them into becoming insider threat agents. Such awareness programs should be continually updated as attackers adapt their approaches and the types of platforms they use to communicate with workers.

In addition, staff should be made aware of the potentially severe consequences of such activities, and that accessing sensitive data for anything other than work purposes is illegal.

5. Insider Threat Incident Response

Experts and national agencies have urged organisations to adopt specific incident response roles, responsibilities and processes, to deal with insider threat breaches.

Businesses must establish processes that utilise internal and external resources to enable investigation and remediation as quickly and efficiently as possible.

As with other incident response strategies, these processes should be practised on a regular basis, with any gaps in the response assessed.
