Three Tips to Fight Insider Threats Before They Surface

May 25, 2016 5:00:00 AM Rick Berg malicious activity, cybersecurity, abnormal behavior, OWL, UEBA, Insider Threat, CERT, user based analytics


As much as we would like to think that we can trust all our colleagues and employees, Insider Threat is a large concern. People within a company (employees, management, and contractors) are given access to information and assets as trusted members of the organization. That access gives them the capability and the opportunity to make harmful choices, either by stealing something of value or by committing sabotage to cause harm.

Creating a close-knit community within your organization is critical to success. As a company, we want to believe that all of our employees can be trusted, but based on the numbers, we know that not everyone can be. A 2015 study conducted by IBM Security found that 55% of attacks were carried out by individuals with internal access to the organizations' systems. With this in mind, how can you protect your organization from the inside out?


Know Your Employees (This is Critical)

It is critical to screen potential new hires at all levels of the organization, especially individuals with access to sensitive information. Background checks should be done on every employee, but they only provide an understanding of an individual at one moment in time, and people change.

Personal circumstances, attitudes, behaviors, and motivations all have an effect on a person's decisions. Changes in the performance of an employee should be noted, especially if they are placed on a performance improvement plan or similar. Disgruntled employees on the way out the door can be a problem. Changes in behavioral patterns at work should also be observed and noted, for example:

  • Logging into or using different computers
  • Creating or connecting to cloud-based storage systems such as Google Drive, Dropbox, OneDrive, etc.
  • Utilizing cloud-based computing services such as Amazon Web Services or Microsoft Azure
  • Increased use of USB portable drives or burning CDs or DVDs
  • Increased number of external email conversations, especially if the emails have attachments
  • Use of FTP, SCP, or other file transfer protocols that were not previously used
  • Changes in project assignments or responsibilities, especially those that require access to sensitive material

Create A Culture Around Security

Lack of employee awareness is one of the internal security challenges faced by employers. When employees join a company, it is essential to provide them with computer security training and education on the company policies in place to protect company assets. Continuing education is critical as well. Without reinforcement, it's human nature to forget, and when security is not considered, it's easy to unintentionally put the company at risk. Employees will be more concerned about compliance if they are held accountable for knowing security policy and practices.

Monitor Elevated Risks (in a sea of data)

A key step in dealing with Insider Threat is the identification of abnormal behavior that may be a precursor to malicious actions. Some of the foremost research on Insider Threat is done by the smart folks at the CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. In a recent technical research paper, they note that the information security community "currently lacks a standardized method of expression for indicators of potential malicious insider activity" [1]. To address this, they present a formalized way of expressing these concepts and their interrelationships using ontologies that contain assertions about individuals within the enterprise.

Knowing that an individual is at elevated risk of Insider Threat due to a change in their behavior provides an opportunity to reduce or prevent damage from an insider with malicious intent. Analytics of user behavior, normal and abnormal, combined with the user's access to sensitive information or critical systems, can provide insight into potential Insider Threat.
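The behavioral indicators listed under "Know Your Employees" and the baseline-versus-abnormal analytics described in this section can be put into code. The following is an added example written for this post (not code from the author, DarkLight, or CERT): it profiles each user's baseline activity from constructed sample events and flags first-time hosts, cloud storage domains and file transfer protocols, plus a jump in USB or external-attachment activity. The event format, thresholds and all user and host names are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real data): (day, user, kind, value)
BASELINE = (
    [(d, "alice", "host", "ws-alice") for d in range(1, 11)]
    + [(d, "bob", "host", "ws-bob") for d in range(1, 11)]
    + [(3, "alice", "usb", "removable-1"), (7, "alice", "ext_mail_attachment", "partner.example")]
    + [(2, "bob", "protocol", "sftp"), (9, "bob", "protocol", "sftp")]
)
RECENT = [
    (11, "alice", "host", "ws-alice"), (11, "alice", "host", "ws-finance-02"),
    (11, "alice", "domain", "dropbox.com"), (12, "alice", "protocol", "scp"),
    (11, "alice", "usb", "removable-1"), (11, "alice", "usb", "removable-2"),
    (12, "alice", "usb", "removable-2"), (12, "alice", "usb", "removable-1"),
    (12, "bob", "host", "ws-bob"), (12, "bob", "protocol", "sftp"),
]

# Indicator vocab from the post's list (assumed domain and protocol names)
CLOUD_STORAGE = {"drive.google.com", "dropbox.com", "onedrive.live.com"}
TRANSFER_PROTOCOLS = {"ftp", "scp", "sftp"}
RATE_MULTIPLIER = 3.0   # recent per-day rate must exceed 3x baseline
MIN_BASE_RATE = 0.1     # floor so a near-zero baseline does not flag every event

def profile(events):
    """Per user, the set of values previously seen for each event kind."""
    seen = defaultdict(lambda: defaultdict(set))
    for _, user, kind, value in events:
        seen[user][kind].add(value)
    return seen

def rate(events, user, kind):
    """Events of `kind` per observed day for `user` (0 if the set is empty)."""
    days = {d for d, *_ in events}
    count = sum(1 for _, u, k, _ in events if u == user and k == kind)
    return count / len(days) if days else 0.0

def flag_indicators(baseline, recent):
    """Return {user: [finding, ...]} for users whose recent activity deviates."""
    base, findings = profile(baseline), defaultdict(list)
    for _, user, kind, value in recent:        # first-time-seen indicators
        if value in base[user][kind]:
            continue
        if kind == "host":
            findings[user].append(f"login from new host {value}")
        elif kind == "domain" and value in CLOUD_STORAGE:
            findings[user].append(f"first use of cloud storage {value}")
        elif kind == "protocol" and value in TRANSFER_PROTOCOLS:
            findings[user].append(f"first use of file transfer protocol {value}")
    for user in {u for _, u, _, _ in recent}:  # volume-increase indicators
        for kind in ("usb", "ext_mail_attachment"):
            now, before = rate(recent, user, kind), rate(baseline, user, kind)
            if now > RATE_MULTIPLIER * max(before, MIN_BASE_RATE):
                findings[user].append(f"{kind} rate {now:.1f}/day vs baseline {before:.1f}/day")
    return dict(findings)
```

A finding here marks a user for analyst review, not a verdict; the baseline window and multiplier should be tuned to the organization's own data.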

Insider Threat Indicator Ontology

As noted in their paper, CERT chose to implement their ontology using the Web Ontology Language (OWL), which is a mature and widely used standard. If you're wondering how to apply these ontologies in your real-world security operations, take a look at DarkLight™, which also leverages OWL to more effectively analyze potential malicious activity before it becomes a real threat.

It is important for every organization to have a plan to address Insider Threats. What are YOU doing to protect your company?

[1] An Insider Threat Indicator Ontology, CMU/SEI-2026-TR-007, Software Engineering Institute, Carnegie Mellon University


Written by Rick Berg

As Director of Cybersecurity Operations at Champion Technology Company, Inc., Rick Berg leads the development of cybersecurity strategy and policy and thrives on solving complex problems. Rick is an industry-recognized security expert with nearly 20 years of hands-on operational experience executing cybersecurity advanced analysis at a Department of Energy National Laboratory.
