Malicious insiders

The Australian Cyber Security Centre provides you with up-to-date advice on current threats and vulnerabilities, as well as guidance on mitigation and cyber security best practice.

What is a malicious insider?

Malicious insiders can be employees, former employees, contractors or business associates who have legitimate access to your systems and data, but use that access to destroy data, steal data or sabotage your systems. It does not include well-meaning staff who accidentally put your cyber security at risk or spill data.

There are many reasons an insider can be or become malicious including revenge, coercion, ideology, ego or seeking financial gain through intellectual property theft or espionage. They could:

  • impact external sites, creating public damage to your brand

  • prevent your systems from functioning properly

  • steal or sell business trade secrets or intellectual property (IP)

  • install malware for their own purposes.

Cyber adversaries can use employees whose trust they have gained to access your business systems and accounts. Employees could provide information to a malicious insider unknowingly, or mention sensitive details in trust.

How do I recover from a malicious insider threat?

Report illegal activity to the police.

Recovering from a malicious insider depends on the damage they have done. If they have damaged your website, installed malware or otherwise stopped your systems from functioning properly, you can put in place technical solutions to those problems.

However, if they have stolen data, there is very little you can do to recover. If you have unique logins and auditing on your systems (more information below), you or the police might be able to identify who the malicious insider is. However, this will not recover the stolen data. That is why prevention is key.

How do I prevent a malicious insider threat?

How to protect against malicious insiders will depend on your organisation, systems, culture and business processes, and how well this is communicated and understood by staff.

A malicious insider’s system access and knowledge of your business processes (particularly its checks and balances) can make them hard to detect. But there are practices you can put in place to reduce the risk of a malicious insider in your organisation.

Technical controls

Control removable storage

One of the easiest ways for a malicious insider to steal data is simply to plug in a removable storage device, like a USB stick. If possible, control who is allowed to connect removable media to your network, and what devices can be connected.

You could also block you network from connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices.

Control outbound emails and files

Another way for a malicious insider to steal data is to email it to themselves, either through their work email address or personal webmail. They could also use upload files to cloud-based storage services. To prevent this:

  • implement a system to block and log outgoing emails with sensitive keywords or data patterns

  • block the use of unapproved cloud computing services including personal webmail.

Backups

Malicious insiders may set out to ruin your business by destroying your information systems. Keeping regular backups, which are only accessible to trusted staff, will reduce this risk.

Require strong passwords and multi-factor authentication

Requiring strong passwords and using multi-factor authentication means that even if a malicious insider gets hold of a colleague’s user id, it is difficult for them to get access to that account to perform malicious actions.

Access controls

Restrict access

If your business is dependent on critical intellectual property, or other highly sensitive and vulnerable information, you should restrict staff access to only what they need to do their job.

If that is impractical and wider access is provided, ensure transactions are logged, monitored and audited, and that staff are aware this is an ongoing practice. If possible, consider having a separate team to review audit logs.

Tracking the assignment and use of privileged accounts will help control who can do what on the network and restrict unauthorised activities.

Use unique logons

Staff should have unique logons to systems. Don’t let staff share a logon unless there is no other practical alternative. If staff must share a logon, try to devise a way to control this arrangement.

Deactivate access

When an employee finishes with your organisation, or their role changes, make sure their associated network and system access is deactivated at the same time.

Any shared passwords the person knows should also be changed. For example:

  • shared office WiFi password

  • alarm code

  • bank account passwords

  • remote access details

  • shared email accounts

  • administrative or privileged user accounts.

To help in this process, keep a checklist of all systems a staff member potentially has access to so that the access removals and password changes can be systematically checked and actioned as necessary. Provided the list is updated as new systems are added, the task of keeping it up to date should not be too onerous.

Auditing

Audit and logging

Many business information systems will log, monitor and audit staff network activities. You should investigate what logging capabilities your system has, especially for high-risk systems, such as ones that authorise payments.

Of course, without unique logons, auditing loses its value if you cannot identify who did the transaction.

Similarly, when looking to buy new software or cloud services, you should check that appropriate technical controls are included for critical transactions.

To be effective, you need to make sure audits of your system are regularly reviewed and that unusual activity is followed up. Make sure your staff know of your auditing and review process, so they are deterred from considering unauthorised activities

Focus on your culture

The culture of your organisation and overall contentment of your staff is important in mitigating the insider threat. The more integrity and transparency you have in your work environment, the harder it is to act dishonestly. Additionally, happy, valued and challenged staff members are less likely to act to harm your organisation.

Collaboration can also help discourage malicious insiders, by discouraging a culture of lone operators and reducing the incentives and opportunities for staff to work against your organisation.

An active approach to staff welfare will help you support your staff, and provide early warning signs of changes in their circumstances which might put them, and your organisation, at risk.

Business processes

Personnel security

For all employees, irrespective of their system access, pre-employment and background checks are a good first step.

Be clear with new starters on how you can and will verify pre-employment information and conduct background checks. You should also include a dispute process to identify incorrect information from these checks.

Identity should be established using a recognised form of identification, such as an Australian state or territory driver’s licence or Australian passport.

Police records checks are obtainable through State and Territory police forces.

You can check referees and previous places of employment.

In addition, there are firms that specialise in doing background checks on individuals.

You could also consider ongoing, periodic checks to ensure that you employees’ situations haven’t changed.

For more information and mitigation strategies, read the Australian Government’s Managing the insider threat to your business—A personnel security handbook.

ICT staff

ICT staff have powerful access, and can often bypass access controls and audit trails.

In the Australian Government these roles are known as ‘positions of trust’ and require a security clearance.

If your business is big enough to have its own ICT staff with this level of privileged access, you should make sure they have a high level of integrity.

Improve staff education

Make staff cyber security awareness a priority in your organisation.

Documenting and training staff in business activities helps drive a clear and shared understanding of expectations and culture. Educating staff on the business and the risk environment it operates in is key to this outcome.

Cyber security documentation loses its value if staff are not made aware of its existence and use.

Make staff aware that they are responsible for activities under their logon and the importance of protecting their logon from misuse.

For example, staff should be made aware of the importance of:

  • choosing a strong password

  • not sharing their password/logon details with others

  • either remembering their password, or ensuring it is securely stored so others cannot access it

  • locking their computer or device when they leave their desk.

Stay ahead of the latest cyber threats. Sign up for Stay Smart Online alert, a free service to inform you of the latest cyber threats and how to manage them.