Insider threat is a malicious threat to a company that stems from people who have legitimate access to company assets, such as current and former employees, contractors and partners, and who cause harm to the business either intentionally or unintentionally. It can involve theft of information, fraudulent transactions, or sabotage of systems. The consequences for a company can be devastating, as it often leads to both reputational damage and regulatory fines. Digital Forensics plays a key role in identifying who was involved in an insider threat matter, and how it occurred. Through analysis of digital devices and data, as well as users' digital footprints, a Digital Forensic investigator can establish the root cause, the subsequent events and their consequences.
According to Ponemon Institute's 2020 Cost of Insider Threats study, between 2018 and 2020 insider threats increased by 47% and the cost to companies rose by 31%. It was also found that if an insider threat took more than 90 days to contain, as opposed to under 30 days, there was a 92.6% increase in annual costs to companies. Such statistics demonstrate how insider threat is becoming the biggest threat to companies, and how there is an increasing need for businesses to become more aware of what it involves and how to manage it appropriately.
Who is Involved?
The three types of person to commit insider threat are:
- Negligent insider – a current or former employee, as well as a contractor or partner, who unintentionally causes damage to a company by making a mistake, or by being the victim of a phishing scam or social engineering.
- Malicious insider – a departing or disgruntled employee who intentionally causes damage to a company for their own personal gain.
- Infiltrator – an external perpetrator, referred to as a credential thief, who targets an insider's username and password in order to gain unauthorised access to a company's computer systems.
What Data is Taken?
The perpetrator's motives and intentions normally determine what data they take from their company. However, there are common themes across insider threat cases, and the types of data most often taken are:
- Intellectual property
- CRM databases
- Business plans
- Financial records
- Private employee records
- Usernames and passwords
Where Does it Occur?
Insider threat is not something which can only occur whilst the perpetrator is on the company's premises; it can also occur remotely, such as from the perpetrator's home.
- Office – as the perpetrator has physical access to the company’s premises, they can circumvent certain security controls, allowing them more in-depth access to resources which are not accessible remotely.
- Home – as the perpetrator is not surrounded by colleagues, or security measures such as CCTV, they have more freedom in their own surroundings to conduct insider threat. Given that the majority of companies now allow their employees to work from home, it could become more common for perpetrators to conduct their actions remotely, away from the office.
When Does it Occur?
There is no set time frame for when insider threat can occur, with various instances taking place inside and outside of office hours, including weekends.
- Inside working hours – colleagues see the perpetrator going about their normal work day and schedule, unaware that the perpetrator is conducting malicious actions whilst no one is watching them. Conducting their actions during working hours also makes perpetrators think they are being more discreet than they would be working earlier or later in the day or week.
- Outside of working hours – a perpetrator may think it is easier to conduct their malicious actions whilst no one else is working, whether they are in the office or at home, as they believe they are not being monitored. This sense of freedom adds to the perpetrator’s confidence.
How Does it Occur?
Just as there are many reasons why insider threats occur, there are many ways in which they occur, including one or more of the following:
- External USB storage device – a perpetrator can connect a personal USB storage device to their company computer and copy or move company data to it so that they then have their own personal copy.
- Cloud storage system – a perpetrator can sign into their personal cloud storage account to copy or move company data to it so that they then have their own personal copy.
- Communication application – a perpetrator can sign into their personal communication account, such as their email or WhatsApp account, to copy company data to it so that they then have their own personal copy.
- Photographs – a perpetrator can take photographs of the company data using their personal mobile phone so that they then have their own personal copy.
- Printing – a perpetrator can print off company data using a printer so that they then have their own personal copy.
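The timing and exfiltration channels described in the two sections above are what an investigator looks for when reconstructing a timeline. The following is an added example, not code from the article or from Hawkins, that correlates constructed endpoint events (USB connections, file copies, cloud uploads and print jobs) into indicators: a copy to a removable drive shortly after a USB device was connected, an upload to a cloud service outside a corporate allow list, and any of these activities outside working hours. The pipe-delimited log format, the 08:00-18:00 weekday office hours, the 30-minute correlation window, the allow list and the sample users are all assumptions made for the example.

```python
"""Correlate endpoint events into insider-threat indicators.

Added illustration, not code from the original article. The log format,
field names, office hours, correlation window and cloud allow list are all
assumptions chosen for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WORK_START, WORK_END = 8, 18              # assumed office hours: 08:00-18:00, Mon-Fri
USB_COPY_WINDOW = timedelta(minutes=30)   # assumed: copy within 30 min of a USB connect
APPROVED_CLOUD = {"corp-sharepoint"}      # assumed corporate cloud allow list
TRIGGER_KINDS = {"usb_connect", "file_copy", "cloud_upload", "print"}

# Constructed sample log (not from any real system): timestamp|user|event|key=value ...
SAMPLE_LOG = """\
2024-03-04T09:15:02|alice|usb_connect|vendor=SanDisk serial=4C53000123
2024-03-04T09:16:40|alice|file_copy|src=C:\\Projects\\plans.xlsx dst=E:\\plans.xlsx
2024-03-04T12:30:11|bob|print|doc=lunch_menu.pdf pages=1
2024-03-04T14:02:19|bob|cloud_upload|service=corp-sharepoint file=q1_report.docx
2024-03-04T22:47:05|bob|cloud_upload|service=personal-drive file=crm_export.csv
2024-03-05T02:10:33|carol|file_copy|src=C:\\HR\\salaries.xlsx dst=E:\\salaries.xlsx
2024-03-05T10:05:00|dave|usb_connect|vendor=Kingston serial=0019B1
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    detail: Dict[str, str]


@dataclass
class Finding:
    user: str
    ts: datetime
    indicator: str
    note: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-delimited sample format into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, detail = line.split("|", 3)
        fields = dict(re.findall(r"(\w+)=(\S+)", detail))
        events.append(Event(datetime.fromisoformat(ts), user, kind, fields))
    return sorted(events, key=lambda e: e.ts)


def out_of_hours(ts: datetime) -> bool:
    """True at weekends or outside the assumed office hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def is_removable_target(path: str) -> bool:
    """Treat any drive letter other than C: as removable/external (assumption)."""
    return bool(re.match(r"[A-Za-z]:", path)) and not path.upper().startswith("C:")


def analyse(events: List[Event]) -> List[Finding]:
    """Apply the three indicator rules to a chronological event list."""
    findings: List[Finding] = []
    last_usb: Dict[str, datetime] = {}  # user -> most recent usb_connect time
    for e in events:
        if e.kind == "usb_connect":
            last_usb[e.user] = e.ts
        elif e.kind == "file_copy" and is_removable_target(e.detail.get("dst", "")):
            seen = last_usb.get(e.user)
            move = f"{e.detail.get('src')} -> {e.detail.get('dst')}"
            if seen is not None and e.ts - seen <= USB_COPY_WINDOW:
                findings.append(Finding(e.user, e.ts, "copy_to_removable_after_usb", move))
            else:
                findings.append(Finding(e.user, e.ts, "copy_to_removable",
                                        move + " (no matching USB event)"))
        elif e.kind == "cloud_upload" and e.detail.get("service") not in APPROVED_CLOUD:
            findings.append(Finding(e.user, e.ts, "personal_cloud_upload",
                                    f"{e.detail.get('file')} to {e.detail.get('service')}"))
        if e.kind in TRIGGER_KINDS and out_of_hours(e.ts):
            findings.append(Finding(e.user, e.ts, "out_of_hours_activity", e.kind))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, List[str]]:
    """Indicators per user, in chronological order, for the investigator's timeline."""
    by_user: Dict[str, List[str]] = {}
    for f in findings:
        by_user.setdefault(f.user, []).append(f.indicator)
    return by_user


if __name__ == "__main__":
    for f in analyse(parse_log(SAMPLE_LOG)):
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user:<6} {f.indicator:<28} {f.note}")
```

On the sample, alice's copy to E: is linked to the USB device she connected a minute earlier, bob's late-evening upload to a personal cloud account is flagged twice (unapproved service and out of hours), carol's 02:10 copy to a removable drive is flagged but marked as having no matching USB connection event, which an investigator would want to explain, and dave's in-hours USB connection with no follow-on copy produces nothing.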
Consequences
There are various consequences of insider threat, each with its own severity of impact. In some cases, companies have failed to recover from the aftermath of an insider threat and subsequently ceased to exist. More commonly, however, the following consequences will occur:
- Loss of intellectual property
- Loss of client trust
- Reputational damage
- Regulatory fines
Preventative Measures
There are a few measures which can be put in place by a company to prepare for, prevent or manage insider threat, such as:
- Policies and procedures, e.g. an Acceptable Use Policy (AUP)
- Appropriate access rights for each employee, i.e. the principle of least privilege
- Encryption of systems, devices and data
- Antivirus and antispyware software
- Data loss prevention (DLP) software
- Restricted USB port access
- Use of a virtual private network (VPN)
- Employee training
- Forensic readiness plan
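One concrete part of a forensic readiness plan is being able to show that the logs and exports an investigator later relies on have not changed since they were collected. The following is an added example, not code from the article or from Hawkins, that seals a directory of collected evidence in a SHA-256 manifest and later re-verifies it, reporting files that were modified, removed, or added after sealing. The manifest layout (JSON mapping relative path to digest) and the constructed demo files are assumptions made for the example.

```python
"""Evidence integrity manifest for a forensic readiness plan.

Added illustration, not code from the original article. The manifest layout
(JSON of relative path -> SHA-256) and the demo directory contents are assumptions.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images are not loaded into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under evidence_dir."""
    return {
        str(p.relative_to(evidence_dir)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(evidence_dir.rglob("*")) if p.is_file()
    }


def verify_manifest(evidence_dir: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Return a status per path: 'ok', 'modified' or 'missing' for manifest entries,
    and 'unexpected' for files on disk that the manifest never recorded."""
    status: Dict[str, str] = {}
    current = build_manifest(evidence_dir)
    for rel, expected in manifest.items():
        if rel not in current:
            status[rel] = "missing"
        elif current[rel] != expected:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            status[rel] = "unexpected"
    return status


def run_demo() -> Dict[str, str]:
    """Create a constructed evidence set, seal it, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        # Constructed evidence files (not from any real investigation)
        (ev / "usb_events.log").write_text(
            "2024-03-04T09:15:02|alice|usb_connect|serial=4C53000123\n")
        (ev / "exports").mkdir()
        (ev / "exports" / "crm_export.csv").write_text("id,name\n1,example\n")
        manifest = build_manifest(ev)
        sealed = json.dumps(manifest, indent=2, sort_keys=True)  # store this copy off-box
        # Simulate what can happen after sealing: truncation, deletion, a stray file
        (ev / "usb_events.log").write_text("")            # log truncated
        (ev / "exports" / "crm_export.csv").unlink()      # export removed
        (ev / "notes.txt").write_text("added later\n")    # file not in manifest
        return verify_manifest(ev, json.loads(sealed))


if __name__ == "__main__":
    for rel, st in run_demo().items():
        print(f"{st:<10} {rel}")
```

The sealed manifest is only useful if it is stored somewhere the people with access to the evidence cannot quietly rewrite it, for example alongside a signed chain-of-custody record held by a separate team; the demo keeps it in memory purely so the example runs stand-alone.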
About the Author
Callum Hogan is a Digital Forensic Investigator at Hawkins. He is a Professional Member of the British Computer Society and a member of the UK Register of Expert Witnesses. He holds a Bachelor of Science (Hons) degree in Forensic Computing and multiple accreditations for Digital Forensic tools. This means he can acquire, analyse, identify, and report on electronically stored information (ESI) from various digital devices such as servers, desktop computers, laptops, tablets, mobile phones, CCTV units, Sat Navs and USB storage devices. Callum’s extensive knowledge and experience has seen him instructed on several high-profile criminal and civil litigations, investigations and matters.