
Introduction to insider threats

Most modern organisations put significant effort into protecting against external cybersecurity threats. Far fewer have robust protections against threats closer to home.  

Given how many breaches involve someone who already holds legitimate access, whether through carelessness or malice, we strongly advocate closing those gaps as quickly as possible.

Left unchecked, insider threats can result in:  

  • Sensitive data leaks and/or spillage 
  • Confidentiality violations 
  • Theft of intellectual property 
  • Fraud 
  • Insider trading 
  • Regulatory compliance violations 

So, what should you be looking out for? What are the challenges you might face? And where can you find the most effective solutions for a Microsoft 365 environment? 

Let’s find out. 

Meet the main insider threat contenders 

Insider threats can be divided into two main categories – those that happen inadvertently through human error, poor judgement or negligence, and those that happen with malicious intent. 

Inadvertent Insider Threats 

Manipulated employees 

These days, social engineering and phishing attacks are a lot more sophisticated than they used to be. It’s often disconcertingly easy for employees to be manipulated into divulging logins and other credentials that can then be used by attackers to access privileged information.  

What it looks like in the real world:

Twitter lost 4% of its share value after being targeted by a vishing (voice phishing) attack in 2020.  

Attackers posing as Twitter IT staff phoned employees working from home during the pandemic. Several were talked into disclosing their credentials, which gave the attackers access to Twitter's internal account-support tools and, from there, to around 130 high-profile accounts.

The accounts – including the likes of Bill Gates, Elon Musk and Barack Obama – were then used to conduct a Bitcoin scam. 

Negligent employees 

Not all inadvertent insider threats are because of direct attacks. It’s all too common for lazy, complacent, or poorly trained employees to ignore corporate security guidelines and leave the door open for unauthorised access to sensitive information. 

This can be as simple as leaving a device unlocked in a coffee shop, storing a password somewhere it shouldn't be, or copying files to a personal device to work on over the weekend.

What it looks like in the real world: 

The NHS had internal documents about its coronavirus contact-tracing app exposed after an employee misconfigured the sharing permissions on confidential files hosted in Google Drive.

Links to those files had been included in other NHS documents, published deliberately, that described the app's privacy protections. The irony must have been palpable when they realised that the documents explaining how data would be protected were literally guiding unauthorised readers to privileged information.

Malicious Insider Threats 

Disgruntled employees 

Accidental insider threats are one thing, but when it comes to real organisational damage, there is nothing quite like an insider with malicious intent. 

Disgruntled (ex)employees (and even third-party partners) have been known to wreak havoc using legitimate access credentials and/or inside knowledge of security flaws to commit corporate espionage, fraud, intellectual property theft and sabotage. 

What it looks like in the real world: 

Waymo, the self-driving car project spun out of Google, lost important trade secrets to a malicious insider who spent months collecting proprietary diagrams, drawings, source code snippets and more before leaving to launch his own competing startup. 

The theft only came to light after Uber acquired that startup. Waymo sued, and Uber settled the case by handing over roughly $245 million in Uber shares. The former Google engineer was later charged criminally and in 2020 pleaded guilty to theft of trade secrets. 

Inside agents 

Disgruntled – or simply opportunistic – employees (and collaborators with access permissions) can also work with external parties to intentionally harm an organisation. This is a major vector for corporate espionage: the outsider supplies the motive and the payment, the insider supplies the access and the knowledge of where the valuable material lives, and the result is often serious financial loss. 

What it looks like in the real world: 

In 2022, the cloud computing and enterprise software company Appian was awarded just over $2 billion in a trade secret espionage lawsuit against Pegasystems (a verdict later reversed on appeal, with a new trial ordered).  

Pegasystems had persuaded a contractor who was developing on Appian's platform to spy on the company over several years, sharing trade secrets and screen recordings of the development environment in an operation Pegasystems called “Project Crush”.  

The espionage was only revealed when a former Pegasystems employee blew the whistle, leading to Appian’s successful lawsuit against Pegasystems. 

The challenge of insider threats for IT 

Because insider threats typically use legitimate credentials and permissions, it can be incredibly difficult for IT to tell a threat apart from ordinary activity. The trick, in our experience, is to define up front what counts as risky behaviour in your organisation (for example, bulk downloads of confidential files, sharing with personal email addresses, or unusual activity from someone who has handed in their notice), so that you can decide which activities can safely be ignored and which deserve closer investigation. 

Of course, the average IT security team has nowhere near the headcount needed to do that work manually. Thankfully, strategic use of AI and machine learning makes it possible to deploy limited resources very effectively. 
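To make the "define risky behaviour, then triage" idea concrete, the script below is an added example written for this article; it is not Microsoft's Insider Risk Management logic and not the author's own code. It scores constructed, Microsoft 365-style audit events (user, operation, sensitivity label, sharing target) against three assumed indicators: a burst of downloads, sharing outside the organisation's domain, and a download burst followed by an external share, with extra weight for users on an assumed HR "departing users" list. The domain contoso.example, every record, and all thresholds and weights are illustrative assumptions.

```python
"""Triage constructed audit events into "ignore", "review" or "investigate".
Example code for this article, not Microsoft's or the author's own logic.
Field names loosely follow the unified audit log; all data is constructed."""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "contoso.example"            # assumption
DEPARTING_USERS = {"alice@contoso.example"}    # assumed HR feed of resignations

BULK_DOWNLOAD_THRESHOLD = 25           # files within BULK_WINDOW (illustrative)
BULK_WINDOW = timedelta(hours=1)
SEQUENCE_WINDOW = timedelta(hours=24)  # download burst -> external share
REVIEW_AT, INVESTIGATE_AT = 30, 70     # illustrative score cut-offs


def build_sample_events():
    """Constructed records, oldest first: a departing user who bulk-downloads
    confidential files then shares to a personal mailbox, a user with a single
    external share, and a user with only routine activity."""
    def ev(ts, user, op, label, target=None):
        return {"ts": ts, "user": user, "op": op, "label": label, "target": target}
    events = [ev("2024-03-01T09:02:00", "bob@contoso.example", "FileAccessed", "General")]
    for minute in range(40):  # 40 confidential downloads inside one hour
        events.append(ev(f"2024-03-01T09:{10 + minute:02d}:00",
                         "alice@contoso.example", "FileDownloaded", "Confidential"))
    events += [
        ev("2024-03-01T11:00:00", "alice@contoso.example", "SharingSet",
           "Confidential", target="alice.personal@mail.example"),
        ev("2024-03-01T14:30:00", "carol@contoso.example", "SharingSet",
           "Confidential", target="auditor@partner.example"),
        ev("2024-03-01T15:05:00", "bob@contoso.example", "FileDownloaded", "General"),
    ]
    return events


def _parse(ts):
    return datetime.fromisoformat(ts)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def bulk_download_time(events, user):
    """Timestamp at which the user's downloads first reach
    BULK_DOWNLOAD_THRESHOLD inside any rolling BULK_WINDOW, else None."""
    times = sorted(_parse(e["ts"]) for e in events
                   if e["user"] == user and e["op"] == "FileDownloaded")
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > BULK_WINDOW:   # slide the window forward
            start += 1
        if end - start + 1 >= BULK_DOWNLOAD_THRESHOLD:
            return t
    return None


def external_shares(events, user):
    """SharingSet events whose target lies outside the organisation's domain."""
    return [e for e in events
            if e["user"] == user and e["op"] == "SharingSet"
            and e["target"] and _domain(e["target"]) != INTERNAL_DOMAIN]


def score_user(events, user):
    """Additive risk score plus the human-readable reasons behind it."""
    score, reasons = 0, []
    if user in DEPARTING_USERS:
        score += 30
        reasons.append("departing user")
    bulk_at = bulk_download_time(events, user)
    if bulk_at is not None:
        score += 40
        reasons.append(f"{BULK_DOWNLOAD_THRESHOLD}+ downloads within {BULK_WINDOW}")
    shares = external_shares(events, user)
    if shares:
        score += 20
        reasons.append("shared content with an external address")
        if any(s["label"] == "Confidential" for s in shares):
            score += 20
            reasons.append("confidential item shared externally")
        # The sequence (burst of downloads, then an external share) is what
        # separates likely exfiltration from ordinary collaboration.
        if bulk_at is not None and any(
                timedelta(0) <= _parse(s["ts"]) - bulk_at <= SEQUENCE_WINDOW
                for s in shares):
            score += 30
            reasons.append("sequence: bulk download then external share")
    return score, reasons


def triage(events):
    """Map each user to (verdict, score, reasons)."""
    result = {}
    for user in sorted({e["user"] for e in events}):
        score, reasons = score_user(events, user)
        verdict = ("investigate" if score >= INVESTIGATE_AT
                   else "review" if score >= REVIEW_AT else "ignore")
        result[user] = (verdict, score, reasons)
    return result


EVENTS = build_sample_events()

if __name__ == "__main__":
    for user, (verdict, score, reasons) in triage(EVENTS).items():
        print(f"{verdict:11} {score:4}  {user}  {'; '.join(reasons) or '-'}")
```

On the constructed data, the departing user who downloads 40 confidential files and then shares to a personal address lands in "investigate", the one-off external share of a confidential item lands in "review", and routine downloads are ignored. The point is the structure, not the numbers: the weights and windows are where an organisation encodes what it considers risky, and the reasons list is what an analyst needs in order to act on the verdict rather than just trust it.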

Where to find insider threat protection in Microsoft 

Microsoft has a specialised security toolset called Insider Risk Management, designed to help organisations protect against insider threats. It falls within Microsoft Purview’s compliance suite, and centres around the following principles: 

  • Transparency – balancing user privacy against organisational risk through privacy-by-design architecture. 
  • Configurability – configurable policies based on industry, geography and business groups. 
  • Integration – integrated workflows across Microsoft Purview solutions to eliminate security gaps. 
  • Action – actionable insights to enable user notifications, data investigations and user investigations. 

With a convenient “recommended actions” section providing a great starting point for configuring and deploying relevant insider risk management policies, it’s surprisingly easy to get Microsoft Purview Insider Risk Management off the ground.  

That said, it’s also important to look at insider risk within the context of your broader security strategy. Everything is connected, and it’s important to consider the big picture as well as the details. 

Catch up with our Insider Risk webinar for more expert insights and practical tips, or get in touch to find out more about our Microsoft-funded Manage and Investigate Risk workshop.