Insider Threats - Part III

Chris Cassell, Technical Team



So what can I do to stop that Russian spy ruining us!?

There are several steps an organisation can and should take to try to prevent these problems from occurring or, if they do occur, to limit the damage and mitigate the fallout.

Implement good management practices

By far the most effective step in stopping an insider threat from arising in the first place is good management.

Management staff regularly fail to engage with the staff under them when it comes to perceived social problems. In many past cases, warning signs were present and had even been noticed by managers, but were not acted upon, so opportunities to avert the threat were missed.

It is up to managers to address issues in the workplace quickly and effectively, before they grow to the point where declining morale leads to disloyal behaviour. All of the following issues, and any like them, should be addressed and regarded as potential triggers for problems if left unaddressed:

  • Issues between colleagues in the workplace
  • Frequent absenteeism
  • Anti-social behaviour
  • Staff who appear bored or who lack productive work that they feel is worthwhile
  • Staff who regularly appear to be overworked
  • Lack of appropriate resources for staff to do their work
  • A grievance raised by an employee

Part of a manager's job is to foster loyalty and investment from their employees; many insider threat actors, when subsequently interviewed, indicate that a better work environment might have affected their behaviour.

Security Controls

Strong physical and electronic security controls should be implemented. Employees should have no access to any area or data beyond what their work requires. Any restrictions should be explained to employees clearly, with justified reasons, so that they do not feel disempowered.

All data should be held to a “need to know” standard. This prevents employees from gaining access to sensitive data they have no requirement to see, and allows items such as intellectual property to be segmented so that each individual sees only the part they need and nobody can assemble a complete package of data that could be valuable.

No one employee should have total and absolute power over any process or system; most cases of cheating the system have been found to occur where there is no oversight of a system and a single person is the sole authoriser for a process. Split authorisation and oversight remove the temptation for corruption.

C-level employees should also understand that these controls apply to them. Any C-level employee who demands unrestricted access to everything simply because of their position should be trained on why this is a bad policy.
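The split-authorisation rule above, as an added illustration that is not the blog's own code: a release needs an approver who is not the requester and who holds an authorising role, two such people above a threshold, and a C-level title buys no bypass. Names, roles and amounts are constructed.

```python
"""Split authorisation sketch (added example, not the blog's code). A payment release needs an
approver who is not the requester and holds an authorising role; above a threshold it needs two
such people. Seniority alone grants nothing. Names, roles and amounts are constructed."""
from dataclasses import dataclass, field

AUTHORISER_ROLES = {"finance-controller", "finance-director"}  # constructed; deliberately no "ceo"
DUAL_CONTROL_THRESHOLD = 10_000  # above this amount a second, distinct authoriser is mandatory

@dataclass
class Request:
    requester: str
    amount: int
    approvals: set = field(default_factory=set)  # names of valid approvers so far

def submit(requester: str, amount: int) -> Request:
    return Request(requester, amount)

def approvals_needed(req: Request) -> int:
    return 2 if req.amount > DUAL_CONTROL_THRESHOLD else 1

def approve(req: Request, approver: str, role: str) -> str:
    """Record one approval; return 'released', 'pending', or the reason it was refused."""
    if approver == req.requester:
        return "refused: requester cannot authorise their own request"  # sole-authoriser case
    if role not in AUTHORISER_ROLES:
        return f"refused: role {role!r} is not an authoriser"  # position is not a bypass
    req.approvals.add(approver)  # a set, so the same person signing twice still counts once
    return "released" if len(req.approvals) >= approvals_needed(req) else "pending"

if __name__ == "__main__":
    payment = submit("bob", 50_000)
    for name, role in [("bob", "finance-controller"), ("carol", "ceo"),
                       ("dana", "finance-controller"), ("evan", "finance-director")]:
        print(name, role, "->", approve(payment, name, role))
```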

Even with the best security controls in the world, employees will still have access to sensitive data as required by their jobs. Human Resources staff have access to a great deal of sensitive information, as do IT staff. It is therefore important that a strong auditing policy is implemented to make sure that this permitted access is not abused.

Inappropriate copying of data, inappropriate searches of databases and alteration of protectively marked data should be checked for, flagged and investigated immediately. Where possible, security oversight should not be carried out by IT staff, given their extensive access to systems.

Strong auditing can stop threats before they have fully implemented their plans, or allow quick mitigation and, where appropriate, give legal action a greater chance of success.
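The three audit checks just described, as an added example that is not the blog's code: a small rule set run over constructed key=value audit lines that flags bulk copying, database searches outside a user's remit and edits to protectively marked records. The user list, table names, markings and log lines are all made up.

```python
"""Audit-rule sketch for the checks named above (added example, not the blog's code). Users,
tables, markings and log lines are constructed; rules flag bulk copying, out-of-remit searches
and edits to protectively marked records."""
from collections import defaultdict
import shlex
# Constructed need-to-know: the tables and protective markings each user may touch.
NEED_TO_KNOW = {
    "alice": {"tables": {"orders"}, "markings": {"OFFICIAL"}},
    "hr_pat": {"tables": {"staff", "salaries"}, "markings": {"OFFICIAL", "OFFICIAL-SENSITIVE"}},
}
BULK_COPY_THRESHOLD = 3  # copies per user per day tolerated before it is called bulk

def parse(line: str) -> dict:
    """Turn '<ts> k=v k=v ...' into a dict; shlex keeps quoted values intact."""
    ts, *pairs = shlex.split(line)
    return {"ts": ts, **dict(p.split("=", 1) for p in pairs)}

def audit(lines) -> list:
    """Return (rule, user, detail) findings in log order; unknown users are flagged on sight."""
    findings, copies = [], defaultdict(int)
    for ev in map(parse, lines):
        user, action, ntk = ev["user"], ev["action"], NEED_TO_KNOW.get(ev["user"])
        if ntk is None:
            findings.append(("unknown-user", user, ev["ts"]))
        elif action == "copy":
            day = ev["ts"][:10]
            copies[user, day] += 1
            if copies[user, day] == BULK_COPY_THRESHOLD + 1:  # report once per user-day
                findings.append(("bulk-copy", user, day))
        elif action == "query" and ev["table"] not in ntk["tables"]:
            findings.append(("out-of-remit-query", user, ev["table"]))
        elif action == "modify" and ev["marking"] not in ntk["markings"]:
            findings.append(("marked-record-edit", user, ev["object"]))
    return findings

SAMPLE_LOG = [  # constructed audit lines
    "2024-03-01T09:00:00 user=alice action=query table=orders",
    "2024-03-01T09:05:00 user=alice action=query table=salaries",
    "2024-03-01T09:10:00 user=alice action=copy object=ip/firmware-1.src",
    "2024-03-01T09:11:00 user=alice action=copy object=ip/firmware-2.src",
    "2024-03-01T09:12:00 user=alice action=copy object=ip/firmware-3.src",
    "2024-03-01T09:13:00 user=alice action=copy object=ip/firmware-4.src",
    "2024-03-01T09:20:00 user=alice action=modify object=staff/42 marking=OFFICIAL-SENSITIVE",
    "2024-03-01T10:00:00 user=hr_pat action=modify object=staff/42 marking=OFFICIAL-SENSITIVE",
    "2024-03-01T10:05:00 user=hr_pat action=query table=salaries",
    "2024-03-01T10:30:00 user=svc_unknown action=query table=orders",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Each finding is a lead for a human investigator, not a verdict; the point is that a rule engine fed from the access logs surfaces the abuses without relying on the same IT staff who hold the access.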

Security training for all staff

All employees should be taught the importance of security, what constitutes bad practice and what to look out for in others (for instance, leaving machines unlocked). The fact that this breaches corporate policy, and the likely penalties, should be explained, but far more importantly, the reasons for the policies should be explained as well.

Getting your staff to invest in your security practices provides a powerful cultural advantage. Telling someone they will be disciplined for e-mailing certain data out of the company will not make them invest in it. Telling them that the reason is that if that information got into the public domain it would lose the company £££s or cause reputational damage shows that you trust them. Getting them to understand why things are done the way they are is important.

Pre-Employment Screening

The more information a person will have access to, the more screening they should face prior to employment. Criminal record checks and careful interviews with past employers should be the minimum, to check for previous fraudulent behaviour or any previous concerns about security in prior workplaces.

Sharing information

People should talk to each other; if a project or item takes on increased security implications at any point, this should be shared around the company. Far from attracting the interest of threat actors, it shows them that the item is being watched and encourages all other employees to keep an eye out for any oddities in behaviour.

The part of the organisation in charge of security should receive feeds from HR, IT and management so that it has the big picture; where one of these groups on its own might miss a pattern forming from the individual pieces, the combined view may forewarn of issues.

No-One is Above Scrutiny

Security and awareness must be included in the role of C-level staff; it is vital that they buy in to the process so that appropriate resources and mandates, with meaningful consequences, can be created.

All senior managers must also accept the same level of scrutiny as general employees. They are just as vulnerable to corruption, if not more so, due to the enhanced access and privileges of their position.
