One of the big security problems that no organization likes to talk about is that of insider threats.
Every organization would like to think that their employees are trustworthy and have the organization’s best interests in mind (and indeed, most employee are trustworthy). Even so, history has conclusively demonstrated that insider threats can pose a problem, and so security-conscious organizations have put in place certain policies to minimize the damage that an insider could do.
However, as important as such security mechanisms might be, it is equally important to acknowledge the fact that not all insider threats are alike. As strange as it may sound, there are several different types of insider threats that organizations must account for.
1. The Usual Threats
When most people think of insider threats, they probably picture rogue users who are out to sabotage the organization. Such users might be seeking revenge against the organization or perhaps trying to disrupt the organization for political reasons.
Likewise, a malicious insider could be working for someone else, such as a competitor. They might receive a reward for stealing data or sabotaging IT operations.
Malicious users are the main type of insider threat that organizations typically work to avoid. However, they aren’t the only type of insider threat.
2. Shadow Threats
Shadow IT is another type of insider threat.
For those unfamiliar with the term, shadow IT refers to users who deploy their own IT resources as a way to circumvent the IT department's policies. Early on, for example, many organizations were hesitant to deploy wireless networks due to security concerns. Users who wanted the convenience of wireless connectivity, however, would sometimes deploy their own wireless access points unbeknownst to the IT department. This is a classic example of shadow IT, but it is far from the only example.
Today, most shadow IT takes place in the cloud. Users often subscribe to SaaS applications that the IT department has either not approved or specifically forbidden. The use of such applications can put data at risk, and it can also subject an organization to regulatory penalties.
When a user engages in shadow IT practices, they are actively circumventing IT policies. Therefore, shadow IT must be considered an insider threat.
3. The Coverup Threat
I spent the early part of my IT career doing helpdesk support for a large insurance company. A large percentage of the calls that the helpdesk received were related to problems that had been self-inflicted by a user. Users would sometimes attempt to fix the problem themselves, only to make the problem worse. In other cases, a user would call the helpdesk because they had broken something. The thing that really sticks out in my memory is how many users tried to cover up their self-inflicted problems. I couldn’t even begin to tell you how many times users lied to me about what had happened. Presumably, the users were either embarrassed that they had caused a problem or feared some sort of disciplinary action. Regardless, these types of coverups happened frequently.
The fact that a user tries to hide whatever caused their IT issue does not necessarily make that user an insider threat. After all, many user-inflicted problems are harmless. However, there can be issues that demand immediate attention. For example, if a user causes a malware infection or falls for a phishing attack, the user may attempt to cover up what they have done, thereby making the damage far worse.
The only realistic way of avoiding this problem is to educate users on the importance of immediately contacting IT when bad things happen.
4. Third-party Threats
It may seem strange to talk about third-party threats in the context of insider threats, but third-party insiders are a thing.
Many organizations give nonemployees access to certain IT resources. For example, a partner organization might be granted access to a Microsoft Teams channel. A vendor might be given access to a particular SharePoint site. There are any number of reasons an organization might give a nonemployee guest access to a resource.
While providing guest access to certain people and organizations might be a necessary part of doing business, it is extremely important to tightly control such access. These controls can help avoid the accidental exposure of your organization’s most sensitive data to an outsider.
When it comes to guest-level access, you must be keenly aware of who has access to what and closely monitor all guest access. That way, you can hopefully detect anything that is amiss before a significant volume of data becomes compromised.