Combatting the malicious and unwitting insider threat


The old adage tells us that a chain is only as strong as its weakest link. This maxim can be applied to many walks of life, but it feels particularly pertinent in cybersecurity, where an organization's cyber posture is only as secure as its own employees. This is not to say that employees are always at fault for security lapses – staff can be a huge asset to their firm's security posture when properly educated on best practice – but they can certainly be a vulnerability, and attackers often see them as a potential chink in the armor of cyber defenses.

About the author

Dominic Trott is UK product manager at Orange Cyberdefense.

The significance of the human element means that the threat it poses can never be overestimated. Innovative new technologies and cyber solutions clearly play an important part in warding off potentially devastating attacks, but they would count for little without the critical role played by employees at the front line of organizations' cyber defenses. While ransomware may have dominated the headlines in recent times, the risk posed by company insiders, both malicious and unwitting, should be just as much of a concern for the C-suite.

Unfortunately, mitigating the insider threat is enormously challenging. Broadly speaking, there are two types of risk posed by employees which organizations need to contend with. Malicious insiders, employees with malevolent intentions to inflict damage on their company from within, represent the overt form of insider threat – those who are intent on doing harm for vindictive or exploitative reasons. Unwitting insiders, on the other hand, are those who may not know what good security behavior looks like. These two types of insider threat create very different challenges, but both can be equally damaging. So, how can organizations tackle the risk posed by company insiders?

Cyber 101

Most critically, organizations must equip employees with the knowledge and cyber-centric mindset needed to make correct security decisions. This can only be achieved through ongoing education, training and awareness building, which should include teaching employees to recognize phishing attempts and any malicious activity aimed at exploiting human error. Essentially, this is about empowering employees to be the organization's first line of defense.

Something that is also directly related to the human element is identity. Organizations must make digital identity a core tenet of their defenses, as it provides a double-edged opportunity for combating the insider threat. On one hand, it offers greater protection when tools such as Privileged Access Management (PAM) and Multi-Factor Authentication (MFA) are incorporated within Zero Trust strategies; on the other, it boosts user experience through initiatives in areas such as Single Sign-On (SSO) and Customer Identity and Access Management (CIAM).

Getting the basics right

Organizations should prioritize building out the processes and technological capabilities that will allow security teams to detect threats. Being able to flag and distinguish malicious activity in a timely manner is paramount to an organization's ability to stop insider threats in their tracks. Security teams should focus on harnessing insights, such as threat intelligence, as well as technologies such as AI and machine learning, which can help prioritize and triage risk.

Businesses also need to focus on technology that allows solid perimeter controls to be established. Getting the good, old-fashioned fundamentals in place is still as important as ever. Blocking and detecting malicious activity at the endpoint and network levels, and establishing a Zero Trust architecture, are essential to this.

In the event that the worst should happen, organizations must also ensure that a robust incident response process is in place to tackle security breaches when, not if, they occur. In doing so, organizations can limit any potential fallout, be it from a reputational, financial or legal perspective.

Keeping tabs on data

Organizations must ensure that they have full visibility of their data, tracking and managing the data lifecycle across internal networks and wider partner ecosystems. In doing so, organizations can adhere to compliance and regulation requirements through good data hygiene. With this visibility, security teams can block and detect malicious activity – such as ransomware – that preys upon poor data security approaches.

Coming to terms with hybrid work

Organizations must get to grips with the hybrid working patterns that have emerged and become the norm in the wake of the COVID-19 pandemic. The way we work has evolved enormously, with the office-versus-home paradigm essentially inverting compared to what it was prior to the pandemic. Acknowledging this shift and being flexible as working patterns continue to change will be crucial to ensuring security and business continuity.

For most organizations, the current solution involves deploying a VPN to support remote working, but this only represents a fairly makeshift technological response to what is likely to be a permanent shift in working behavior. Going forward, it is essential that organizations adopt more end-to-end, transformational solutions, such as secure remote access through Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) approaches.

Like most things in cyber, the human element is an ever-present hazard for security teams to contend with. It is impossible to predict a rogue act from an employee, but there are certainly steps that organizations can take to ensure that any chinks in their armor are exposed as little as possible.



Dominic Trott, Director of Strategy & Alliances, Orange Cyberdefense.