
The Malicious Insider

Security professionals spend a considerable amount of time, money and effort making sure malicious attackers stay firmly outside carefully fortified security defences: scanning the horizon from the parapets, stomping their feet and breathing into cold, chapped fingers while awaiting the inevitable onslaught.


Who would think that the danger already lies within the citadel? Unfortunately, it is often the insider threat that has the greatest potential to do harm. An insider is anyone who has knowledge of, or access to, your infrastructure and information and who, knowingly or inadvertently, causes harm. The insider can put your employees, customers, assets, reputation and interests at risk.


Why Would Someone Do Such A Thing?

Accidental harm has many causes. For example:

  • Sending a sensitive email to an unintended recipient.

  • Opening a malicious file attachment and infecting the network.

  • Corrupting company records because of insufficient software training.

  • Misplacing a portable thumb drive with confidential data on it.


A hostile insider, on the other hand, is a completely different kettle of fish. This is someone who knowingly uses your infrastructure or information to cause harm. They may be motivated by:

  • Personal or financial gain.

  • Revenge for some perceived injustice or personal slight.

  • Threats or blackmail.


Who Would Do Such A Thing?

An employee, a contractor, a business partner: who knows? It could even be several people acting in collusion. The more privileges the suspect(s) hold, however, the greater the potential to do harm and the easier it is to cover tracks or plant false flags.

Awesome! So What Can I Do About It?


Administrative Controls:

  • Acceptable Use Policy: Which clearly defines security requirements and the expected behaviour of all users.

  • Onboarding: Screen employees who handle sensitive information by performing sufficient background checks. Employees also need the necessary knowledge and skills to carry out responsibilities with minimal mistakes.

  • Offboarding: Ensure that communication pathways between HR and IT are responsive so that the removal of access rights readily follows a departure or change of responsibility.

  • Mandatory Training: Cover topics such as social engineering, malware exposure, and how to follow procedures. Ideally, training should address organisation-specific threats and security controls.

  • Mandatory Vacation: Often taken in one- or two-week blocks. While the employee is away, the colleague covering their duties has the opportunity to notice fraudulent activity that the absent employee had been concealing.

  • Separation of Duties: So that no single person has full control over a critical function or system. For example, one person approves invoices but another deals with payments. This reduces the potential for fraud, because committing it would require collusion.

  • Enforcing Security Agreements: With business partners and other third parties through contractual agreements. The mechanisms used to assess compliance must also be explicitly defined.


Access Control

Restricting a user’s access to networks, systems and data is also important. In particular, one should enforce:

  • Least Privilege: In other words, employees should have only the access rights necessary to carry out their job responsibilities and no more. This limits the potential for damage and is particularly important when it comes to controlling administrative accounts.

  • Two-Factor Authentication: Such as the use of cryptographic hardware tokens in addition to standard passwords. Again, this heavily curtails access to high-value assets and limits the potential for damage.



Auditing

Auditing must facilitate the collection, analysis and storage of information about user actions: the who, what, when, where and how of network activity. Such logs help identify when unusual behaviour occurs and which systems have been affected. Administrative changes (such as the creation of new accounts or the granting of additional privileges) are of particular concern because of the danger they pose to security. Logging should also cover any form of remote access to organisational infrastructure and information. Because a privileged insider may be able to edit or delete logs on the systems they administer, logs should be forwarded promptly to a system the insider cannot alter.


Data Loss Prevention

Data loss prevention (DLP) is software that detects and prevents data from leaving your organisation’s control. DLP software uses alerts, encryption, and other protective actions to restrict end users from accidentally or maliciously sharing sensitive data.


DLP technologies require that the organisation first develop a data classification scheme. Each file is then carefully labelled so that the DLP system can determine what can and cannot be done with it based on its sensitivity or criticality.

Information Rights Management (IRM) tools work in a similar fashion but offer more sophisticated controls and finer granularity.

Ways to Respond to an Insider Threat

If an insider gains unauthorised access to sensitive data or performs unauthorised actions, you should:

Detection & Analysis:

  • Check audit logs to identify and track suspicious behaviour – who, what, when, where and how.

  • Monitor endpoint devices.

  • Capture evidence for legal purposes.
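Both the auditing section above and the first step of Detection & Analysis come down to the same thing: having the right events in the logs and being able to pull the who, what, when, where and how out of them. The following is an added example, not code from the article. It triages a handful of syslog-style authentication lines, which are constructed for the example and come from a hypothetical host called "fileserver"; the corporate address range (10.0.0.0/8), working day (07:00 to 19:00), admin group names and rule names are assumptions an organisation would replace with its own. It flags remote access from outside the corporate range or outside working hours, new account creation, admin-group grants and commands run as root.

```python
"""Audit-log triage for insider-relevant events (added example, not the article's code).
Sample log lines, address range, working hours and group names are constructed assumptions."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumptions: corporate address range, working day, groups that confer admin rights.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

# Constructed sample: one normal login, then a late-night external login followed by
# account creation, an admin-group grant and a privileged copy of an HR directory.
SAMPLE_LOG = """\
Mar 12 09:14:02 fileserver sshd[2103]: Accepted publickey for alice from 10.0.4.21 port 51234 ssh2
Mar 12 23:41:17 fileserver sshd[2217]: Accepted password for bob from 203.0.113.45 port 40022 ssh2
Mar 12 23:42:05 fileserver useradd[2230]: new user: name=svc_backup2, UID=1007, GID=1007, home=/home/svc_backup2, shell=/bin/bash
Mar 12 23:43:11 fileserver usermod[2241]: add 'svc_backup2' to group 'sudo'
Mar 12 23:45:30 fileserver sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/hr.tgz /srv/hr
Mar 13 08:02:44 fileserver sshd[2402]: Accepted publickey for carol from 10.0.4.30 port 50110 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[A-Za-z_]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
SSH_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")
USERMOD_RE = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class Finding:
    when: str     # timestamp as logged
    subject: str  # account that acted, or (for account changes) the account acted upon
    what: str     # rule that fired
    where: str    # host, plus source address for remote access
    how: str      # the detail that triggered the rule


def _is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def _in_business_hours(hms: str) -> bool:
    t = datetime.strptime(hms, "%H:%M:%S").time()
    return BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]


def analyse_line(line: str) -> list[Finding]:
    """Apply the rules to one syslog-style line; unparseable lines yield nothing."""
    m = SYSLOG_RE.match(line)
    if not m:
        return []
    when = f"{m['month']} {m['day']} {m['hms']}"
    host, proc, msg = m["host"], m["proc"], m["msg"]
    found: list[Finding] = []
    if proc == "sshd" and (s := SSH_RE.search(msg)):
        where = f"{host} from {s['ip']}"
        # Remote access is always logged; it is flagged when the source is outside
        # the corporate range or the login falls outside the working day.
        if not _is_internal(s["ip"]):
            found.append(Finding(when, s["user"], "remote_access_external_source", where, msg))
        if not _in_business_hours(m["hms"]):
            found.append(Finding(when, s["user"], "remote_access_out_of_hours", where, msg))
    elif proc == "useradd" and (u := USERADD_RE.search(msg)):
        # useradd does not record who ran it; correlate with the surrounding ssh/sudo session.
        found.append(Finding(when, u["user"], "account_created", host, msg))
    elif proc == "usermod" and (g := USERMOD_RE.search(msg)):
        if g["group"] in ADMIN_GROUPS:
            found.append(Finding(when, g["user"], "admin_group_granted", host, msg))
    elif proc == "sudo" and (p := SUDO_RE.match(msg)):
        if p["target"] == "root":
            found.append(Finding(when, p["user"], "privileged_command", host, p["cmd"]))
    return found


def analyse(log_text: str) -> list[Finding]:
    return [f for line in log_text.splitlines() for f in analyse_line(line)]


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. for a daily review report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.what] = counts.get(f.what, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.when}  {f.what:<30} {f.subject:<12} {f.where}  {f.how}")
```

Run on the sample, alice's and carol's daytime internal logins produce nothing, while bob's session yields five findings in sequence: an external, out-of-hours login, a new account, that account being added to the sudo group, and a root-level archive of the HR share. The point of the correlation comment on useradd is the one the article makes about privileged insiders covering their tracks: the account-change lines name the account, not the administrator, so the actor has to be tied back to the login and sudo events around them, which is only trustworthy if those logs live somewhere the insider cannot edit.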


Contain, Eradicate, Recover

  • Manage access controls (e.g. restrict privileges to reduce further damage or disable accounts)

  • Sanitise systems (of malicious tools or infections)

  • Rebuild systems (which necessitates backups and snapshots!), making sure to implement new controls that will prevent a recurrence and improve early detection.

  • Implement a communication strategy to advise internal teams, third-party partners and stakeholders, in order to:

    • Minimise the risk posed.

    • Manage reputation.

    • Elicit support for incident response procedures.


Post Incident Activity

  • Use the experience to improve processes, raise awareness and provide tailored training.
