Insider Threat Awareness Training

By Katrina Thompson 

While a large amount of cybersecurity real estate is devoted to defending against threats from without, the data suggests that no organization would be truly safe without defending against threats from within. While it’s an unsavory topic – who wants to admit there might be a mole in the ranks? – it needs to be discussed and hit head-on. Insider threat awareness training can arm your workforce against some of the most treacherous, far-reaching forms of compromise and teach them to spot signs of internal foul play before they disrupt the ecosystem. 

And it’s not just for them: Key decision-makers need to stay ahead of the latest insider trends so they know who they are putting in front of what data and whether or not they need to. Operating on the principle of least privilege, insider threats should be brought to a minimum. However, a full 360 refresh of the insider threat landscape is needed to understand the weak points and how to best solve them.

What are insider threats?

While the straightforward definition of an insider threat is self-explanatory, it helps to define key terms. CISA offers a few example profiles of ‘who counts’ as an insider:

• A person trusted by the organization (employees, repairmen, contractors, etc.)
• A person with an access badge 
• A person involved in product development (in-house or third party)
• A person with fundamental knowledge of the organization’s operations
• A person with inside information into the company’s business data
• In a government context, a person with data that could negatively impact national security if revealed

Put these people in the wrong place or give them the wrong access, and (given the allowance for human error and human frailty) something bad might happen. Here’s a few ways how:

IBM shows a few ways these seemingly innocuous profiles can be turned rogue with the right (or wrong) motive, becoming:

1. The Pawn. Unwitting employees fooled into revealing inside information or performing malicious activities. 
2. The Goof. Users who believe they are ‘above’ normal security policies and make security-related mistakes.
3. The Collaborator. Someone who actively works with outside forces to breach a company’s system, acting as a mole and usually with a motive. 
4. The Lone Wolf. A single operator within the company usually seeking financial gain. 

While there are more, you get the picture. This is a small part of what a user might receive as part of insider threat awareness training, and if it were the only part, the rest would be common sense. However, to fully understand the nuances (this is just the tip of the iceberg), companies must be willing to invest the time to prepare the right way.

The danger of Insider threats

One reason for considering insider threat awareness training is the high number of successful compromises attributable to this ploy. Security company SoftActivity shares some statistics on the state of insider threats to date: 

• In recent years, insider attacks rose from 3,200 per year (2018) to 4,700 (2020), an increase of nearly 50% – Panda Security
• Two-thirds of all insider-based compromises are caused by negligence – ObserveIT
• 55% of organizations agree that privileged users represent the greatest insider risk – ObserveIT
• 7 out of 10 companies are more frequently seeing insider attacks – Security Round Table
• Over 34% of businesses around the world are affected by insider threats – Sisa Infosec

While human nature might render insider threats inevitable, they don’t have to make insider attacks a given. Malicious insiders can try, but with the proper policies in place and threat-current security awareness training, they don’t have to succeed. 

How to detect and prevent insider threats

Data Detection and Response (DDR) company Cyberhaven offers some insights on detecting and preventing insider threats within your own company. 

First, build out your insider threat policies. These should consider the data that needs to be protected and make provisions for the negligent and the nefarious. Policies should define who uses what data assets and how and make no allowance for anything outside the permitted guidelines. In other words, identity all assets and implement the principle of least privilege.

Next, proactively monitor how users interact with data. Unfortunately, some mole-hunting is required. This isn’t a witch-hunt: It’s simply putting monitoring systems in place that give you visibility into how your users use the data and when something goes awry. You see how the previous step was important: If you don’t delineate how data should be used in the first place, your systems won’t know how to flag if something is out of place.

This takes some concerted time and effort but is the building block of some real, traceable results. Technical controls must be in place, or your program will have no teeth. Now, it’s time to marry that to the second – and often underrated – element of training your users. 

Choosing your insider threat awareness training program

A top-down directive can’t last long without buy-in, and that’s exactly what insider threat awareness training gives you. It brings everyone on board with your back-end initiatives and makes each employee an asset, not a liability. There are more eyes looking out for the problems, and more reason for an internal threat actor to reconsider something risky.

When choosing an insider threat awareness program, here are some things to keep in mind:

• The content must be engaging. Look for providers who know how to teach adults and keep entertaining learning methods in mind.
• Look for Subject Matter Experts. Many security companies will try to sell you general security awareness courses. Look for a provider with specific experience and a wide insider threat knowledge and resource base.  
• Use metrics. It’s more than throwing spaghetti at a wall and hoping it sticks. The best training programs will baseline current levels of awareness, benchmark progress, and track results. 

Along with some additional benefits to its use:

1. Users learn to monitor their own actions. Because so many insider blunders come from ignorance, awareness training ensures everyone minds their actions first and avoids risky practices. 

1. Users learn to spot signs of danger. While it is less common, employees can be aware of internal asks that seem fishy or suspect, such as an unauthorized member of another department casually asking for a department’s Box access for a ‘project’.
2. Security gains C-suite support. A top-down program like an internal security awareness training course communicates that board-level executives are not only aware of internal threats, but they see them as enough of a priority that the whole organization needs to stop, pause, and address them. 

Implementing such a program will not only educate your workforce but send the message that the organization is aware of these threats, is on the lookout, and is unyielding in its efforts to make sure every internal action is above board. Sometimes that’s enough to make cybercriminal find greener pastures.  

About The Author
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. 

She has written for Bora, Venafi, Tripwire and many other sites.