A startling 76% of organisations have detected increased insider threat activity over the past five years, yet less than 30% believe they are equipped with the right tools to handle them.

By Javvad Malik, lead security awareness advocate at KnowBe4

These findings from the 2024 Insider Threat Report by Cybersecurity Insiders and Securonix paint a concerning picture of the current state of internal security risks. Even more alarmingly, only 21% of respondents said they had a fully implemented and operational insider threat programme, highlighting a critical gap in organisational defences.

An insider threat can feel a bit like the plot twist in a spy thriller. You know, the moment when the protagonist realises the enemy is not just at the gates but has been inside the house the whole time. Suddenly, all those polite conversations by the water cooler take on a sinister meaning. So, what do you do when your corporate narrative takes a turn for the dramatic?


Identifying the mole

Recognising that you have an insider threat is akin to discovering an unexpected adversary within your ranks. It starts with anomalies, the little blips on the radar that don’t quite fit: an account logging in at three in the morning when its owner works nine to five, a user pulling far more from a file share than they ever have before, or a transfer to a personal cloud service that all but screams “I’m up to no good!”

In the language of the SOC these are the IoCs (Indicators of Compromise), though for an insider they are mostly behavioural rather than the malware artefacts the term usually brings to mind. That is why a single alert rarely settles the question. What counts is collecting the right telemetry, baselining what normal looks like for each person and role, and noticing when several weak signals cluster around one individual.

Many times, though, it is not a flashing red icon on the screen that tells you someone’s intentions may not be completely pure, but a colleague. While technology is great, a vigilant co-worker will often pick out an insider before any tool does. Red flags that co-workers notice can include, but are not limited to, people working odd hours, substance abuse or gambling problems, invasive questions about data that has nothing to do with their role, or frequent contradictions about their personal lives and backgrounds.

None of these things in isolation means your co-worker is an aspiring threat, and a report should trigger a discreet review rather than an accusation, but small things add up.


Containment: The first line of defence

Once you’ve identified your insider threat, the next course of action is containment. You’ll want to limit their access swiftly and decisively. This means revoking access rights, and not just disabling the account: kill active sessions, VPN connections and API tokens too, because a disabled account does nothing to a session that is already open. Isolate the machines involved from the network, and go through the logs to double and triple-check what the insider has actually been up to, where else their credentials have been used, and what left the building. Preserve evidence as you go: image a machine rather than reimaging it, export the relevant logs, and record who did what and when, because what follows may end up in front of HR, a court, or both. It’s not just about stopping the immediate threat; it’s about ensuring the security breach doesn’t spread like wildfire.
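As an added example (not from the article, and not KnowBe4’s own tooling), the Python below scores each user in a small access log against the three signals the identification section describes, after-hours access, abnormal transfer volume, and a download from an internal share followed by an upload of the same file somewhere else, and then builds the per-user timeline you would want when scoping containment from the logs. The log format, the business-hours window, the share names and the sample lines are all constructed assumptions.

```python
"""Added example (not from the article): score users against three insider-risk
signals and build a timeline for the flagged user to scope containment.
The log format, thresholds, share names and sample lines are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, time, timedelta
from os.path import basename
import statistics

# Constructed sample log: "<ISO timestamp> <user> <action> <resource> <bytes>".
SAMPLE_LOG = """\
2024-03-04T09:12:44 alice LOGIN vpn 0
2024-03-04T09:30:02 alice DOWNLOAD hr-share/policy.pdf 240000
2024-03-04T10:05:19 bob LOGIN vpn 0
2024-03-04T10:07:51 bob DOWNLOAD eng-share/design.docx 910000
2024-03-05T09:15:03 alice LOGIN vpn 0
2024-03-05T09:40:12 alice DOWNLOAD hr-share/benefits.xlsx 310000
2024-03-05T23:41:07 bob LOGIN vpn 0
2024-03-05T23:42:30 bob DOWNLOAD finance-share/ledger.zip 52000000
2024-03-05T23:47:55 bob UPLOAD personal-cloud/ledger.zip 52000000
2024-03-06T09:02:10 alice LOGIN vpn 0
2024-03-06T09:20:00 alice DOWNLOAD hr-share/handbook.pdf 260000
"""

BUSINESS_HOURS = (time(8, 0), time(19, 0))   # assumption; tune per organisation
INTERNAL_PREFIXES = ("hr-share/", "eng-share/", "finance-share/")  # assumption


def parse_log(text):
    """Parse the constructed five-field log format into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def is_after_hours(ts, hours=BUSINESS_HOURS):
    """Weekend, or outside the [start, end) business window."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def volume_outliers(events, multiplier=5):
    """Flag (user, day) pairs whose transferred bytes exceed `multiplier` times the
    median of that user's *other* days. Leave-one-out stops the outlier from inflating
    its own baseline; a user with only one day has no baseline and is skipped."""
    per_day = defaultdict(int)
    for e in events:
        if e["action"] in ("DOWNLOAD", "UPLOAD"):
            per_day[(e["user"], e["ts"].date())] += e["bytes"]
    flagged = []
    for (user, day), total in sorted(per_day.items()):
        others = [b for (u, d), b in per_day.items() if u == user and d != day]
        if others and total > multiplier * statistics.median(others):
            flagged.append((user, day.isoformat(), total))
    return flagged


def download_then_upload(events, window=timedelta(minutes=30)):
    """Same user pulls a file from an internal share, then pushes a file with the same
    name to a non-internal destination within `window`: a staging-then-exfil shape."""
    findings = []
    downloads = [e for e in events if e["action"] == "DOWNLOAD"
                 and e["resource"].startswith(INTERNAL_PREFIXES)]
    for d in downloads:
        for u in events:
            if (u["user"] == d["user"] and u["action"] == "UPLOAD"
                    and not u["resource"].startswith(INTERNAL_PREFIXES)
                    and basename(u["resource"]) == basename(d["resource"])
                    and timedelta(0) <= u["ts"] - d["ts"] <= window):
                findings.append((d["user"], basename(d["resource"]), u["resource"]))
    return findings


def score_users(events):
    """Collect the signals per user; any one alone is weak, a cluster is what matters."""
    findings = defaultdict(list)
    for e in events:
        if is_after_hours(e["ts"]):
            findings[e["user"]].append(("after_hours", e["ts"].isoformat(), e["action"], e["resource"]))
    for user, day, total in volume_outliers(events):
        findings[user].append(("volume_outlier", day, total))
    for user, name, dest in download_then_upload(events):
        findings[user].append(("download_then_upload", name, dest))
    return dict(findings)


def user_timeline(events, user):
    """Everything the user did, in order: the scoping record to preserve as evidence."""
    return [(e["ts"].isoformat(), e["action"], e["resource"], e["bytes"])
            for e in events if e["user"] == user]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, hits in score_users(evs).items():
        print(f"{user}: {len(hits)} signals")
        for h in hits:
            print("   ", h)
    print("\nTimeline for bob:")
    for row in user_timeline(evs, "bob"):
        print("   ", row)
```

On the constructed data only bob is flagged, and he is flagged by all three signals at once, which is the point: any one of them on its own (a late-night login, one big download) is routine noise, and a real programme baselines over weeks of history rather than the three days shown here. The timeline is the artefact to export and preserve before anything is wiped during containment.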


Eradicate the threat

Eradication isn’t just about getting rid of the threat; it is about doing so with efficiency and precision. Whether it involves disciplinary action, legal steps, or simply escorting the individual out of the building with their belongings in a box, or maybe in handcuffs, it needs to be executed quickly and thoroughly, and in step with HR and legal so that the evidence gathered during containment holds up afterwards.


Recovery and reflection

After the storm passes, it’s time to look into what went wrong, what went well, and where improvements could be made. A thorough audit is needed: how the access was granted in the first place, why the activity went unnoticed for as long as it did, and which signals were there but not acted on. Then the defences, access rights and monitoring included, are rebuilt to be stronger than before.


The sequel no one wants but everyone needs

Insider threats are not a one-off scenario, and they do not just impact one organisation. By the looks of things, they do not seem to slow down either. So prevention needs to be a priority. This involves training, vigilance, and creating a strong culture where security is taken seriously by everyone.

Organisations must build awareness through comprehensive training programmes, so that staff know both the warning signs and how to report a concern, and conduct regular security drills to keep everyone informed about the latest threats and practised in responding to them.

Finally, it’s important to not keep the event and learnings to yourself. Share the learnings with other organisations so that they too can better prepare themselves and hopefully not fall victim to a malicious insider.