When Your Biggest Threat is on Your Payroll: Drivers & Enablers of Insider Threat Activity presented at BSidesVienna 2019

by Christina Lekati

Summary: It is an irony in organizational security: although so much capital is invested in protecting organizational assets against external threats, some of the largest compromises have occurred as a result of insider threats, sometimes resulting in irrecoverable damage, reputation risk, and liability. This type of threat is more important for organizations that are part of the critical infrastructure and for industries where intellectual property and the protection of sensitive information are critical elements of their operations.

Employees in security-focused environments learn to treat outsiders with suspicion and to maintain trust boundaries. However, it is often the case that once an “outsider” enters the payroll of an organization, they are given "carte blanche" in terms of trust and disclosure of information. They are now treated as the "insiders" that they are: members of the same tribe, fighting and working towards the same goals and using their skills to benefit their organization. Employees do not always realize that some “colleagues” consider the exploitation of organizational weaknesses a high-reward activity that serves their personal interests better than loyalty to the employer.

This presentation aims to shed light on the challenging topic of insider threats. It will discuss the motives that lead employees to unauthorized disclosure of sensitive information, process corruption, electronic sabotage, and/or the facilitation of third-party access to organizational assets. Research has repeatedly found a clear link between insider activity taking place and exploitable weaknesses in an organization’s security and management processes.
Therefore, this talk will go on to discuss the organizational factors enabling insider threat operations as well as countermeasures against them, by combining the lessons learned on insider activity prevention from the fields of counterintelligence, psychology, and cyber-security.

• Introduction to self
• Introduction to the risk of insider threats: Background information on who insider threats are, how they operate and the types of insider activity (such as unauthorized disclosure of information, facilitation of 3rd party access to organizational assets, electronic sabotage)
• Case studies: Examples of insider threat incidents are described.
• What motivates insider threat activity and what are some signs?: By identifying what motivates insider threats, managers and employees become better able to detect unusual behavior and keep an eye on high-risk individuals. This section also draws lessons learned from the case studies and builds upon them.
• Organizational Factors: Research has shown a clear link between insider activity taking place and exploitable weaknesses in an employer's protective security and management processes. The last part of the talk will discuss what lowers an insider threat's motivation to harm the organization (e.g., proper security controls can significantly discourage insider threats). Best management practices and the topic of building a security culture will be discussed at this point as well.
• Research and statistics on insider threats and reporting insider threat activity when employees witness it in their organization.
• Concluding remarks stressing the point that insider threat prevention should be approached in a way that does not negatively affect the organizational culture, and that creating paranoia is not the goal.
• Resources