The three types of individuals that constitute the insider threat

Forcepoint's Neil Thacker says you need to put people first when developing security strategy

Insider threats are an increasingly common focus for IT security professionals as the old fortification model of defence gives way to a data-centric, intelligence-led approach. But who are the insiders who represent a threat?

"It's all of us," said Neil Thacker during his presentation to the Computing Enterprise Security Summit on Thursday. Thacker, who is CISO at security firm Forcepoint, included himself in this analysis.

"We're all insider threats," he said. "I myself have caused security incidents because I'm not the data owner for all the data I work with. I have emailed data to the wrong person." Indeed, as an infosec professional, Thacker might be among the insider threats that pose the biggest risk.

Thacker divided insider threats into three categories, pointing out that to defend against them it is important to understand the behaviour and motivations of the people concerned.

1) The compromised user
The compromised user is likely to be an IT professional or a senior director. As they have access rights to systems and are able to escalate privileges they are the most likely to be targeted by criminals, either using phishing and social engineering attacks to deliver malware, or through more traditional methods like blackmail and bribery.

2) The intentional insider
The intentional insider is the individual that most people would think of when they think of the insider threat. They deliberately misuse systems for the purpose of theft, sabotage or fraud. However, they are generally not the biggest threat overall, and their intentions are not necessarily malicious. Intentional insiders will usually have an ethical rationalisation for their actions, such as "I've been here a long time so I don't need to conform to the rules".

3) The accidental insider
The accidental insider is the person who works their way around protective systems for the sake of convenience by using external tools - shadow IT, as it's known. They may send data by email to the wrong person, or they may be backing up data to a cloud platform that is insecure or that contravenes data protection regulations.

Thacker said that individuals present different risks at different times in their careers. For example, when they are working their notice at the end of their employment their risk profile is likely to rise.

"When you give someone admin rights you'll find they're installing Spotify and Facebook on their laptop. They know they're not meant to but they definitely feel that because they're leaving the rules don't apply to them any more," he said.

Countering the insider threat encompasses people, processes and technology, Thacker explained, but it needs to start with the people. The types of threat need to be identified, a collaboration built between the IT, HR and legal departments, and policies and strategies reviewed. Above all, it should be recognised that employees will not memorise security rules and advice and will not take measures by themselves.

The next step is to look at the technologies available to counter the threats identified (for example, whitelisted email addresses might help prevent accidentally emailing sensitive data, and machine learning can help spot anomalous behaviour) and to run proofs of concept, before moving on to the process of baselining normal behaviour, identifying outliers and correlating the value of assets with their risk profile.
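The baselining, outlier and asset-weighting steps above, together with the raised risk profile of staff working their notice mentioned earlier, can be sketched in a few lines of code. The following is an added example, not code from the article, from Thacker's talk or from Forcepoint. It assumes a constructed daily summary of outbound email per user, an assumed recipient-domain allowlist, an assumed HR feed of leavers and assumed asset-value weights; in a real deployment these would come from the mail gateway, HR and data-classification systems.

```python
import statistics
from collections import defaultdict

# Constructed sample of daily outbound-email summaries (not real data):
# date,user,recipient_domain,bytes_sent,classification
SAMPLE_LOG = """\
2019-03-01,alice,corp.example,120000,internal
2019-03-02,alice,corp.example,110000,internal
2019-03-03,alice,corp.example,130000,internal
2019-03-04,alice,corp.example,125000,internal
2019-03-05,alice,corp.example,118000,internal
2019-03-06,alice,gmail.example,2400000,confidential
2019-03-01,bob,corp.example,50000,internal
2019-03-02,bob,partner.example,52000,internal
2019-03-03,bob,corp.example,48000,internal
2019-03-04,bob,corp.example,51000,internal
2019-03-05,bob,corp.example,49000,internal
2019-03-06,bob,corp.example,53000,internal
"""

# Assumed inputs: allowlisted recipient domains, staff working their notice
# (HR feed), the value weight of each data classification, and how many
# standard deviations from a user's own baseline counts as an outlier.
ALLOWED_DOMAINS = {"corp.example", "partner.example"}
LEAVERS = {"alice"}
ASSET_VALUE = {"internal": 1, "confidential": 5}
Z_THRESHOLD = 3.0


def parse_log(text):
    """Parse the CSV summary into events, ordered per user by date."""
    events = []
    for line in text.splitlines():
        date, user, domain, size, cls = line.split(",")
        events.append({"date": date, "user": user, "domain": domain,
                       "bytes": int(size), "classification": cls})
    return sorted(events, key=lambda e: (e["user"], e["date"]))


def allowlist_violation(event):
    """Sensitive data sent to a recipient domain outside the allowlist."""
    return (event["classification"] != "internal"
            and event["domain"] not in ALLOWED_DOMAINS)


def zscore(value, baseline):
    """Distance of value from the user's own history, in standard deviations."""
    if len(baseline) < 2:
        return 0.0          # too little history to baseline on
    sd = statistics.stdev(baseline)
    return 0.0 if sd == 0 else (value - statistics.mean(baseline)) / sd


def score_latest(events):
    """Baseline each user on their earlier days and score the most recent day.

    Risk = (outlier volume + allowlist violation) x asset value,
    doubled for users working their notice.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    results = {}
    for user, history in by_user.items():
        baseline = [e["bytes"] for e in history[:-1]]
        latest = history[-1]
        z = zscore(latest["bytes"], baseline)
        violation = allowlist_violation(latest)
        score = (10 if z >= Z_THRESHOLD else 0) + (10 if violation else 0)
        score *= ASSET_VALUE[latest["classification"]]
        if user in LEAVERS:
            score *= 2
        results[user] = {"z": round(z, 1), "violation": violation,
                         "risk": score}
    return results


if __name__ == "__main__":
    for user, result in score_latest(parse_log(SAMPLE_LOG)).items():
        print(user, result)
```

Per-user baselines matter here: alice's last day is hundreds of standard deviations above her own history even though bob's ordinary traffic would not stand out against a company-wide average, and the leaver multiplier is what turns the same event into a higher-priority alert during a notice period.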

All of these activities then feed into developing individual- or role-specific security education, working out metrics and introducing cultural change within the organisation.