
Editor, City Security magazine

January 14, 2020


Managing the insider threat

There is much talk in the cyber security world about what is termed the ‘insider threat’. To those not in the know, however, the term can be misleading and can convey different things to different people. Gary Peace, CEO and founder at ESID Consulting, which specialises in insider threat and cyber security, explains more.

The ‘Insider Threat’ is simply someone who works within your company or organisation who has access to your systems and your data, combined with the recognition that there is a risk or a threat associated with that access.

The insider threat is made up of four groups of people:

  • The Malicious Insider
  • The Flight Risk
  • The Unwitting Insider
  • The Untrusted Insider


The Malicious Insider

The risk posed from a ‘Malicious Insider’ is, compared to the others, quite minimal. It’s the person who wants to do something bad with your data, your clients or your company assets. The reality is that thankfully, there are relatively few of these people around.


The Flight Risk

The ‘Flight Risk’ is the employee who has secured a job with a competitor or who may want to set up their own business in competition with yours, and in doing so use your data or your intellectual property in this new business venture to give them a head start – at your expense.


The Unwitting Insider

The ‘Unwitting Insider’ is the biggest risk. It is, for example, the person who mistakenly cc’s your entire client list to everybody else on that list, instead of bcc’ing them.

Or it’s the employee who finds a USB stick in a communal area and, in a kind attempt to find out who it belongs to, plugs it into their desktop machine, inadvertently infecting your systems with what was either a ‘planted’ device or simply an infected one.


The Untrusted Insider

The ‘Untrusted Insider’ might be the IT person you ‘let go’ last month, but because you were being nice, you allowed them to finish out the working week before restricting or terminating their access, during which time they created a backdoor into your systems, using false credentials, or they changed the system settings, deleting your backups. Or they planted malicious software in your systems, with a time delay, set to activate a few weeks after they have left and after everyone has forgotten about them.


So, how do we deal with the insider threat?

Fundamentally, it’s about:

  • Building security into the entire employment life-cycle
  • Pre-employment screening, onboarding, introduction and socialisation
  • Recognising changes in employees’ personal circumstances
  • Emphasising the importance of culture, reporting and communications

Insider Threat Management incorporates performance management, supervision and staff appraisals. It’s about having exit strategies and procedures to deal with termination of employment (a termination checklist, for example).


Managing the supply chain

A recent survey (Cyber Readiness Report 2019) by insurer Hiscox identified that supply chain incidents are now commonplace, with nearly two-thirds of firms (65%) having experienced cyber-related issues in their supply chain in the past year.

This means Insider Threat Management is also about the integrity of your suppliers, contractors and other third parties, making sure that they treat your data, or your clients’ data, the way you or, perhaps more importantly, your clients would expect it to be treated.


Unhappy employees

One of the biggest factors in mitigating the insider threat is methodically treating all employees with fairness and transparency, working to avoid any form of ‘disgruntlement’ in the workforce. The disgruntled employee is ‘home-grown’. They don’t join a company being disgruntled, and they don’t become disgruntled overnight. They are made, over a period of time, and they can be identified.

Everyone knows an employee who is unhappy at work or struggling with personal issues – someone looking for another job. We all know who the bad managers are. These are some of the warning signs for a potential insider risk. It doesn’t mean to say that any of these people will become a threat. It just means that there is an increased risk of threat. Your ability to manage this risk is about having visibility of the risk.


An integrated approach

You need to be able to profile user behaviour and map it against the vulnerabilities in your organisation. This visibility also includes knowledge of your employees’ well-being, gained through a welfare support programme combined with a whistleblowing facility.

When this is all integrated within a properly structured and recognised security and business resilience or continuity framework, such as ISO27001 and ISO22301, combined with risk profiling, user awareness, and organisational mapping, you are then able to work out the ‘context’ of that behaviour. And it is context that is the key to managing your insider threat.

Put simply… you need to know what your employees are doing with your data and why.


First published in City Security magazine. You can subscribe for a free quarterly copy here.
