Insider Threats - Part I

Chris Cassell, Technical Team


I hate to be the one to have to tell you this…

But one of the people who works in the human resources department in your office is actually a Russian spy sent to steal all your company's secrets! They were planted as a mole years ago to become naturalised, and they're out to get you!

Okay, it's highly unlikely that you really have spies of any nationality in your company, though if you circulate this around your company and someone from HR does quit, you can thank me later. The above is the most extreme possible example of an insider threat, and it has genuinely been true of some government departments back in the Cold War days.

In recent times, the profile of your average insider threat is actually someone who took employment legitimately, has worked for a reasonable amount of time perfectly well, does their job and isn't a threat at all. Until something tips them over the edge.

It can be something major, like a series of redundancies destroying morale, making them lose loyalty to the company; in that period of 'likely to be me next' they may choose to strike first. Or it can be something subtler: a sudden opportunity when they find they have access to a network drive they never realised they had, and it holds the company's intellectual property, and they've been struggling to pay their bills for the last few months, and just one file won't do that much damage, will it?

It could be someone doing a favour for a friend or relative, something they'd never do for a stranger, but they trust their family not to abuse that trust. It could be someone who believes that the company is doing something morally wrong and wants to stop it, but doesn't think that taking the problem higher up the chain will fix it, because those higher up the chain are the problem (in a past life this one even sorely tempted me).

It's true that there is still a small percentage of people who actively take a job in order to exploit that position, but generally it's opportunity or the offer of money that turns otherwise loyal employees disloyal.

So what do these scallywags get up to?

Insider threats get up to a variety of activities, which generally break down into five categories:

1. Disclosure of sensitive information

2. Cheating the system

3. Giving away access to people that shouldn't have it

4. Deleting, altering or corrupting files

5. Breaking stuff

Disclosure of sensitive information

This is your Snowden, Manning, Aleynikov. These are people who use their position of privilege inside an organisation to obtain data which they know is sensitive and not for distribution to any third party, and choose to release it regardless.

This can vary from the hundreds of thousands of records that made their way to WikiLeaks, causing massive, irreparable damage to the source agencies, to the theft of a few files that a potential future employer might find irresistible and which will secure that new job.

The reasons for this type of action vary greatly:

Ideology – Where the leaker believes they are doing the right thing; they know there will be consequences, but they think the risk is worth the reward.

Greed – Where they are directly selling the files, or using them to secure better employment.

Entitlement – Where someone has built up a database of information or contacts and they believe they are entitled to a copy for the future regardless of it being the company's property.

Recognition – When everyone else takes the credit for someone's work, sometimes they arrange for the truth to slip out into the public domain.

Cheating the system

This covers people funnelling money to bank accounts for personal gain, corrupting expenses reimbursement schemes, and ordering an 'extra' of valuable items for the company and taking it for personal use.

The LIBOR rate-fixing scandal is another example: people manipulated the information fed into a benchmark so that it moved in predictable ways, and in doing so were able to profit greatly by removing the uncertainty from a system that others relied upon.

Generally, the reason for cheating the system is simple.

Greed – By far the bulk of cheating internal systems is based around being able to profit from the scheme.

Entitlement – Sometimes it's less about direct greed and it's down to a sense that the company has not fairly compensated the employee and they just want to redress the balance.

Giving away access to people that shouldn't have it

This can be electronic or physical access: sharing account passwords with external parties, leaving doors or windows open at the end of the day, or deliberately leaving weaknesses in security systems such as VPNs and firewalls.

This tends to be the path of people who have been externally influenced and do not have the skill or the will to commit the crime themselves, so they justify it by leaving the actual dirty work to others and merely enabling it.

Motivations include:

Loyalty to others – Doing it as a favour to a friend or family member who's in need.

Greed – Giving access to others with the skills in exchange for a cut of the profits.

Deleting, altering or corrupting files

This is generally the act of someone who has lost all loyalty to the organisation and feels they no longer have any vested interest in helping it. They will take steps to destroy efficiency to spite those above them, or to destroy another member of staff whom they see as the source of their problems.

This can be destroying financial data to damage the company; presentations or documents to make a rival look a fool; or intellectual property documents to devalue the organisation.

Direct sabotage tends to be motivated by one of two factors.

Revenge – Getting back at an organisation they believe has betrayed their loyalty over the years.

Ideology – Destroying files to stop an organisation doing something they see as morally bad, or to stop another member of staff from doing something they view as against the company's interests.

Breaking stuff

Then we get down to good old-fashioned physical sabotage. This can be quite a varied form of threat, from people breaking their work mobile phone because someone else has a newer, better one and they are jealous, to arson on a grand scale by disgruntled staff who cannot stomach the company any longer.

When it comes to motivation, it tends to follow the same lines as the electronic sabotage above.

Revenge – Getting back at an organisation they believe has betrayed their loyalty over the years.

Ideology – Destroying items to stop an organisation doing something they see as morally bad, or to stop another member of staff from doing something they view as against the company's interests.

Greed – Some people just want a shinier phone/laptop.
