What is an insider threat?
An Insider threats is where a current employee or supplier, with legitimate access to your systems, steals information or money. Insider threats can also come from less malicious means, like an individual sending the wrong information to someone or losing a laptop or device containing sensitive information. These kinds of threats are very common all over the world, according to a 2021 report, up to 22% of all security incidents come from insider threats.
Any system reliant on people always requires trust, having the right controls in place can minimize the impact of accidental breaches, but when individuals deliberately try to steal money or data from an organization using the legitimate access they have to be able to do their job, then there is a limit to what trust can do.
So how do you protect your organisation?
There are a number of options around protection and as with most systems the best defense is layered, having very strict controls around who can change customer bank details in the payments platform is no good if all staff have access to be able to change the invoices, before they are sent out to customers. These principals should also extend beyond technology - would you give a trainee at a bank the keys to the vault and unsupervised access on day 1?
- The first layer of protection should be around less privilege - What is the minimum level of access required to perform the role the person is going to do. This should apply at all levels, if there is a senior manager who has no idea how to use the accounting platform, they should not get access to it by default just because "senior managers always get access to this system". With any system there will need to be exceptions to the rule, such as someone filling in for another role, but these exceptions should be regularly reviewed, and where technology allows, be set with an end date which will automatically revoke the additional privileges.
- The second layer should be around logging - Who did what, on which systems and when, this information alone may not prevent an insider threat but it will be invaluable in determining the size and scale of an attack. Insurers and the mandatory breach investigations team will look closely at this data to determine actions required and the level of claim.
- The third layer is closely tied with logging – That being ensuring each system has a unique login for each user. Anywhere it is possible, unique accounts should be used for each user, a shared account, used by multiple people, makes it extremely hard to determine the size and scale of the threat the organization is facing and to point the blame at an individual if something is found.
- The fourth layer is back ups - Backups are also a critical component of protecting from an insider threat. Many internal malicious attackers think, by deleting their files or emails they are covering their tracks, but if you have good backups in place and appropriate retention periods (how long you hold on to data for) then you can recover this data, and in combination with the layers above, determine the scope of the attack.
- The final layer is around keeping accurate and regularly reviewed financial information - With most attacks, money is often the motivator and target. In insider threats the attackers may be familiar with the accounting practices of the finance team in the organization and be able to work around them. By having the finances regularly reviewed by an independent third party, the organization may discover unknown threats.
How can PKF help?
PKF have assisted many organizations across the country, ensuring they have all of these layers of protection in place and working correctly, and have assisted with forensic accounting and data forensic operations for customers who have had or have suspected they had insider threats within their organization.