The Insider Threat: Strategies to Safeguard Against Malicious Insiders

Your biggest security threat may be hiding in plain sight: your employees.

No business can operate without trusting its people. Without access to confidential information and essential systems, staff can’t perform their roles.

But if an insider turns malicious, regardless of their motivation, they can significantly damage your organisation. After all, their account is supposed to have access to sensitive data!

So, how can your organisation protect itself from malicious insiders?

Our head of security testing, James Pickard, explains.



Insider threat vs insider risk

Do you consider accidental breaches caused by staff, like clicking a phishing link, part of the insider threat?

Technically speaking, any breach caused by an insider – a member of staff – is part of the insider threat, including accidental breaches.

However, as a penetration tester, I prefer to distinguish the ‘insider risk’ from the ‘insider threat’, with the insider threat exclusively referring to staff who know what they’re doing.

Regardless of whether the employee is disgruntled or blackmailed, I tend to separate attacks run by an insider from those run by an external attacker.

What about human error, like sending data to the wrong person? Do you consider that an insider threat?

Technically, that is the insider threat, but not in the pen test world. I think of non-malicious breaches as insider risks.

With the insider threat, when we test a client’s networks, we’re assuming some type of existing privilege that the person is looking to abuse.

But that’s not necessarily an employee – it could be, say, a cleaning company. That could be an insider threat, because they have a legitimate reason to enter the building. But if they haven’t been vetted properly, or haven’t been paid in six months, or whatever, they may decide to steal data from the organisation.

When we check for these types of risks, that’s a different test [internal infrastructure] to a social engineering penetration test.


How big is the insider threat?

How significant is the insider threat – specifically, the risk of malicious insiders?

It depends.

For example, if a penetration tester like me turned against the organisation, that’d be a very high risk, because I’d know how to run an effective social engineering campaign and have access to lots of confidential information.

Whereas, say, a disgruntled receptionist has access to far more limited information. They could exfiltrate people’s diaries – which would be bad, and is a risk, but it wouldn’t be the end of the world.

The way Damian Garcia [our head of GRC consultancy] put it to me was: “an unhappy receptionist poses a vastly different threat to cyber or information security compared to an unhappy system administrator”.

Yes, that’s it exactly!

You’re also more likely to have turncoats [someone who switches sides, i.e. turns against the organisation] in organisations with high turnover – call centres, for example. The breaches may be minor, but you’ll get them more often.

We have done tests in call centres, where we were on one system, trying to access other systems, which call centre staff shouldn’t be able to access. That means checking things like:

  • Whether machines only offer the functionality needed to carry out the job; and
  • Whether we could get onto the main corporate network, which holds all the data, from the call centre network.

Access control and conditional access

How can organisations address the insider threat?

Access control is a good place to start.

Don’t give people access unless they absolutely require it to do their job, and only give them the privileges required – if someone only needs to view something, for example, don’t give them editing rights too.

Better still is to take a conditional access approach to your networks, which goes hand in hand with zero-trust architecture.

What does ‘conditional access’ mean?

You’re locking down access based on certain criteria.

Location is an obvious one – if you don’t have anyone working from outside the UK, for example, why would you allow anyone to log in internationally?

If you block login attempts from outside the UK, or restrict access to the countries from which your staff operate, and automatically notify your security team when someone does attempt to log in from an unexpected country, you’re massively reducing your risk.

You’re not just granting access based on whether someone knows the password.

What other conditional factors can organisations use to restrict access?

You could make it device-dependent: is the login attempt coming from a device you trust, like a company device?

And if it’s not coming from a device you trust – like a BYOD [bring your own device] phone or laptop – then you’d only grant access if the device meets certain technically enforced standards:

  • Up-to-date patching
  • Up-to-date antivirus software
  • Sufficiently complex or strong password
  • MFA [multifactor authentication] enabled

A bit like Cyber Essentials, basically.

Are there any other conditional access factors?

It could be the user themselves – should they be working at that time?

Some organisations prevent users from logging in outside of regular working hours because they have no reason to. Warehouse workers are a good example.

I should add that, where there are exceptional circumstances, exemptions can be granted. The same applies to any other factors – if someone is travelling, for example.



Defence in depth

You said that access control is a good place “to start”. Could you elaborate?

A truly effective defensive system relies on multiple layers: defence in depth.

This gives your organisation the best possible chance of fending off attacks, or at least mitigating their impact. In an environment where the question is not ‘if’ but ‘when’ your organisation will be attacked, this resilient mindset is vital.

This isn’t just a matter of defending against insider threats. With the increase of AI-driven and ransomware attacks, along with vulnerabilities within the supply chain, organisations are facing threats from multiple directions.

Implementing multiple measures, each aimed at mitigating different types of risk or attack, goes a long way towards protecting your organisation and its operations.


Network segmentation

What other measures can organisations take?

Say someone got through the first line of defence – access control, and measures like firewalls and spam filters. Or they gain physical access to the building.

Then segmentation of the internal network should stop, say, malware from spreading.

Unfortunately, flat networks are common. We see this with penetration tests – when we connect our laptop to the client’s network, we can often see all servers and desktops on all ports. That means that our machine could contact everything on all ports and compromise them.

The ideal is for a user to only be able to contact the servers on ports they require, which can be done with network segmentation. But, of course, it must be done properly to be effective, which a penetration test can check for.



About James Pickard

James is an expert penetration tester – and our head of security testing – with more than a decade in the field.

He’s led and executed penetration tests across diverse industries on a global scale. He specialises in two key areas: infrastructure testing and authorisation bypass techniques.

James excels in leadership and technical expertise. He’s managed the penetration testing team since 2018, directing them through tasks, improving testing procedures and cultivating collaborative relationships with clients.

We’ve previously interviewed James about security trends for 2024 and beyond.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
