Humans are the biggest risk to ensuring the confidentiality, integrity and availability of information assets. While untrained and unmotivated staff can weaken an organisation's ability to reduce threats, having an insider threat makes things a whole lot worse. The human factor sits at the centre of achieving information security. Regardless of how much an organisation spends on security tools, those tools will not function properly if the human factor is not properly controlled.
That brings us back to the issue: insider threat. What is an insider threat? According to Wikipedia,
An insider threat is a perceived threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
This means that an insider threat is someone who has, or at one point had, access to critical information of an organisation and is looking to exploit that position. This could be a disgruntled member of staff looking to get back at his employer or ex-employer by deliberately deploying malware on the firm's network, or deliberately leaking classified documents to the public, which could cause the firm to lose its competitive edge over rivals or face legal sanctions. The insider could also hold the organisation to ransom by deploying ransomware on the firm's IT systems and network.
An insider attack is usually executed carefully so that no trace of the perpetrator's activities is left on the system. The attack may also be carried out using an innocent colleague's credentials; this throws investigators off the scent and hands the firm a ready suspect or scapegoat. Insider threats can crumble a firm's structure and lead to it shutting down permanently. Besides, what better way to hit where it hurts the most than from the inside?
Social engineering lets an insider get others to act on their behalf without them suspecting foul play, which helps an insider attack succeed. Social engineering is the practice of a hacker conning people into divulging sensitive information, or turning them into "zombies" who do his or her bidding without realising what their actions are costing their own firm.
Although the damage an insider threat could cause could end the firm, there is a series of controls that a firm's information security team and management can implement to reduce or eliminate the impact. Some of these controls are:
Segregation of Duties: This is when everyone's role in the organisation is defined. Roles are defined based on the staff member's position and what is expected of him/her in that position. This, in a way, brings about accountability. It also ensures that no single person can independently run a business process end to end without input from others.
Least Privilege or Need-to-Use Basis for Logical Access Control: The principle of least privilege, or need to use, ensures that a staff member's logical access is limited to exactly what the job they were employed to do requires. This way, staff will not have access to anything that does not conform to their role in the firm. It also restricts users in that each of them knows only a portion of what is on the system. The principle keeps access control organised, actions traceable and activities on the network accountable.
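The two controls above, segregation of duties and least privilege, are easiest to see in code. The following is an added example (it is not from the original article): a toy role-based access model in which every role carries only the permissions its job needs, a default-deny permission check, and a conflict list that refuses to let one person hold both halves of a sensitive workflow (here, creating an invoice and approving it). The roles, permissions and conflict pairs are constructed for illustration.

```python
"""Toy role-based access control with least privilege and segregation of duties.

Added example, not from the original article. Roles, permissions and the
conflict list are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Each role grants only the permissions its job actually needs (least privilege).
ROLE_PERMISSIONS = {
    "clerk":    {"invoice.create", "invoice.view"},
    "approver": {"invoice.view", "invoice.approve"},
    "treasury": {"invoice.view", "payment.release"},
    "auditor":  {"invoice.view", "audit.log.read"},
}

# Pairs of permissions that no single person may hold (segregation of duties).
SOD_CONFLICTS = {
    frozenset({"invoice.create", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
}


class SoDViolation(Exception):
    """Raised when a role assignment or workflow step would break segregation of duties."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms


def assign_role(user: User, role: str) -> None:
    """Grant a role, refusing any combination that would break a SoD rule."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    proposed = user.permissions() | ROLE_PERMISSIONS[role]
    for pair in SOD_CONFLICTS:
        if pair <= proposed:
            raise SoDViolation(f"{user.name}: {sorted(pair)} may not be held together")
    user.roles.add(role)


def can(user: User, permission: str) -> bool:
    """Default deny: only explicitly granted permissions are allowed."""
    return permission in user.permissions()


@dataclass
class Invoice:
    ident: str
    created_by: str
    approved_by: Optional[str] = None


def approve(user: User, inv: Invoice) -> Invoice:
    """Workflow-level SoD check: even an approver never approves their own invoice."""
    if not can(user, "invoice.approve"):
        raise PermissionError(f"{user.name} lacks invoice.approve")
    if user.name == inv.created_by:
        raise SoDViolation("the creator of an invoice cannot approve it")
    inv.approved_by = user.name
    return inv


def demo() -> dict:
    """Walk through the checks with two constructed users."""
    alice, bob = User("alice"), User("bob")
    assign_role(alice, "clerk")
    assign_role(bob, "approver")
    results = {"alice_can_approve": can(alice, "invoice.approve")}
    try:
        assign_role(alice, "approver")   # would give her create + approve
        results["sod_blocked"] = False
    except SoDViolation:
        results["sod_blocked"] = True
    inv = approve(bob, Invoice("INV-1", created_by="alice"))
    results["approved_by"] = inv.approved_by
    return results


if __name__ == "__main__":
    print(demo())
```

The check happens twice on purpose: once when roles are assigned, so a conflicting combination is never granted, and once at the workflow step, so that two people holding legitimate roles still cannot collapse a two-person process into one.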
Monitoring and Reviewing Privileged Users' Activities: Privileged users have far more access to the firm's systems than ordinary users. They have admin rights and control over a system and can direct other users' affairs. That makes it wise to monitor and review the activities of privileged users at least quarterly, so reviewing the activity logs of all privileged users is a must.
Logging: All activities carried out on the firm's IT systems need to be logged, and these logs need to be protected. Protection entails ensuring that the log files cannot be modified and remain available for as long as the law requires. Some organisations go as far as setting up a SIEM, which collates logs from all systems in the firm into one central location. A SIEM can also raise and send out alarms when an unusual pattern or suspicious activity is noticed.
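The previous two controls, reviewing privileged users' activity and keeping logs that cannot be quietly modified, are demonstrated together in the following added example (it is not from the original article and does not model any particular SIEM product). The log lines, the set of privileged users, the list of sensitive actions and the business-hours window are all constructed. The storage part chains each record to the hash of the one before it, so an insider who edits or removes an earlier line breaks every later link; the review part is the kind of rule a SIEM would run to raise an alarm on privileged activity that is out of hours or touches sensitive functions.

```python
"""Tamper-evident activity log plus a privileged-user activity review.

Added example, not from the original article. Log lines, privileged users,
sensitive actions and the business-hours window are constructed.
"""
import hashlib
import json
import re
from datetime import datetime

# Constructed sample log in key=value style; timestamps are local time.
SAMPLE_LOG = [
    "2024-03-04T02:13:05 user=dbadmin action=db.export target=customers result=ok",
    "2024-03-04T09:30:00 user=alice action=login result=ok",
    "2024-03-04T09:31:10 user=root action=user.create target=svc_backup2 result=ok",
    "2024-03-04T09:32:00 user=root action=log.delete target=/var/log/auth.log result=fail",
    "2024-03-04T10:00:00 user=bob action=invoice.view target=INV-7 result=ok",
]

LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+)(?: target=(\S+))? result=(\S+)$")
PRIVILEGED_USERS = {"root", "dbadmin"}
SENSITIVE_ACTIONS = {"user.create", "log.delete", "log.modify", "db.export"}
BUSINESS_HOURS = range(8, 18)   # 08:00 up to, but not including, 18:00
GENESIS = "0" * 64              # hash "before" the first record


# --- tamper-evident storage: each record's hash covers the previous hash ---

def append_entry(chain: list, line: str) -> dict:
    """Append a log line; editing or removing any earlier record breaks the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256((prev + line).encode()).hexdigest()
    record = {"line": line, "prev": prev, "hash": digest}
    chain.append(record)
    return record


def verify_chain(chain: list) -> bool:
    """Recompute every link; False as soon as a record does not match."""
    prev = GENESIS
    for rec in chain:
        expected = hashlib.sha256((prev + rec["line"]).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True


# --- review of privileged users' activity (the SIEM-style alarm) ---

def review_privileged(lines) -> list:
    """One alert per privileged-user line that is out of hours or a sensitive action."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; a real pipeline would count these as well
        ts, user, action, target, result = m.groups()
        if user not in PRIVILEGED_USERS:
            continue
        reasons = []
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if action in SENSITIVE_ACTIONS:
            reasons.append("sensitive action " + action)
        if reasons:
            alerts.append({"time": ts, "user": user, "action": action,
                           "target": target, "result": result, "reasons": reasons})
    return alerts


def demo() -> dict:
    """Build the chain, simulate an edit to one record, and run the review."""
    chain = []
    for line in SAMPLE_LOG:
        append_entry(chain, line)
    intact = verify_chain(chain)
    # An insider rewrites the failed log deletion to look like a harmless read.
    tampered = [dict(r) for r in chain]
    tampered[3]["line"] = tampered[3]["line"].replace("log.delete", "log.view")
    return {"intact": intact, "after_tamper": verify_chain(tampered),
            "alerts": review_privileged(SAMPLE_LOG)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the constructed sample the review raises three alarms: the database administrator exporting customer data at 02:13, and the root account creating a user and then trying to delete an authentication log. The hash chain only detects tampering; to make logs genuinely unmodifiable the chain head has to be copied regularly to a system the privileged users cannot write to.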
Password Management: Staff should be made aware that they must not give another member of staff their user ID and password under any circumstances. Also, the use of MFA should be encouraged; this provides an extra layer of security in case a password is cracked or hacked. Staff should be aware that writing down their password is prohibited and is against the organisation's information security policy. Also, password parameters need to be changed from time to time. Ensure that passwords are not written down on sticky notes.
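To show what the "extra layer" of MFA actually buys when a password has been cracked or shared, here is an added example (not from the original article) of a login that requires both a salted password hash and a time-based one-time code as specified in RFC 6238. The account, password and verification window are constructed; the TOTP secret is the published RFC 6238 test-vector key, so the codes can be checked against the RFC's tables. The example also records the last accepted time step so a code that has been seen once (for instance, read off a colleague's phone) cannot be replayed.

```python
"""Password plus time-based one-time code (TOTP, RFC 6238) as a second factor.

Added example, not from the original article. The account and password are
constructed; the secret is the RFC 6238 / RFC 4226 test-vector key.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000
RFC_SECRET = b"12345678901234567890"   # test-vector key from RFC 4226 / RFC 6238


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP over the current 30-second time step."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    One step either side tolerates clock skew; the caller keeps the returned
    counter so the same code cannot be accepted twice."""
    counter = int(for_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return counter + delta
    return None


class Account:
    """Stores a salted password hash and the TOTP secret, never the password itself."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                           self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_totp_counter = -1   # highest time step already accepted


def login(acct: Account, password: str, code: str, now: Optional[float] = None) -> str:
    """Both factors must pass: a cracked or shared password alone is 'denied'."""
    now = time.time() if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, acct.pw_hash)
    counter = verify_totp(acct.totp_secret, code, now)
    # Both factors are evaluated before deciding, and the answer does not say which failed.
    if not pw_ok or counter is None or counter <= acct.last_totp_counter:
        return "denied"
    acct.last_totp_counter = counter
    return "ok"


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple", RFC_SECRET)
    print(totp(RFC_SECRET, 59))                                            # 287082 per RFC 6238
    print(login(acct, "correct horse battery staple", "287082", 59))       # ok
    print(login(acct, "correct horse battery staple", "287082", 59))       # denied: replayed code
    print(login(acct, "guessed password", totp(RFC_SECRET, 150), 150))     # denied: wrong password
```

The constant `PBKDF2_ROUNDS`, the one-step skew window and the "denied" wording are choices made for this example rather than anything the article prescribes; the point being shown is that an attacker who has obtained the password (cracked, phished or written on a note) still fails the second check.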