Supply Chains Make Insider Threat Defense More Complex

Regular insider threats are bad enough — conventional security tools don’t detect them, they know where it’ll hurt to hit, and management doesn’t suspect them. Unfortunately, insider supply chain threats are often worse. What can business leaders do to protect their organizations?

Why Companies Must Be Vigilant Against Insider Threats

Insider threats can be anyone with trust, access, knowledge or leverage. When people think of them, figures like a disgruntled former employee with a grudge or a spiteful colleague recently snubbed for a promotion often come to mind. However, more often than not, they are simply employees or contractors who make costly mistakes.

Malicious insiders act intentionally, often seeking to cause damage or gain something. They’re often resentful or feel overlooked by their employer, prompting them to commit acts like espionage, sabotage or corruption. For them, working with a competitor or cybercriminal isn’t out of the question

Negligent insiders generally act unintentionally, driven by carelessness or apathy. However, they are still responsible for their actions. Inadvertent insiders accidentally cause damage, whether by mistyping an email address, becoming a victim of phishing or using a device that behaves unexpectedly.

To be clear, an insider’s intentions don’t matter much when the result is the same. The distinction exists simply to guide disciplinary action and post-incident analysis. That may be why 30% of chief information security officers agreed this threat was their organization’s most significant cybersecurity risk in 2023, according to one global survey.

Unlike cybercriminals or disreputable competitors, internal threats don’t stand out. Since they have legitimate access, conventional monitoring tools and security measures won’t flag their activity. Moreover, since they personally know their colleagues, they often don’t seem immediately suspicious — even if indicators suggest they are.

Crucially, insider supply chain threats pose an even more significant danger because they have disparate data systems, operate with less oversight and have different security protocols. Even under contract, these vendors may feel they can get away with taking shortcuts or being inattentive of cybersecurity — and businesses will likely be blissfully unaware until it’s too late.

Strategies to Defend Against Insider Supply Chain Threats

Several strategies to defend against insider supply chain threats exist.

1. Monitor Third-Party Vendors

Monitoring is critical to mitigating insider threats. After all, information technology (IT) teams can’t address what they don’t see. Recently, real-time visibility has become fundamental for developing a resilient supply chain. In fact, most companies are seeking to invest in such solutions within the next few years.

Decision-makers should consider this surge in interest a sign to begin monitoring their supply-chain vendors. Whether they decide on periodic audits, sentiment analysis software or radiofrequency identification tag tracking, increased oversight will help them identify and eliminate all but the most sophisticated insiders.

2. Develop a Mitigation Budget

Even though negligent insiders cause 60% of data breaches, only 8% of a company’s cybersecurity budget goes toward managing them. Developing a mitigation budget for this issue ensures the IT team has enough resources to address vendors in addition to their regular responsibilities.

3. Conduct Risk Assessments

How do senior executives know which third party to trust? Conducting risk assessments for supply-chain vendors removes the guesswork. It determines their likelihood of employing an individual who is a malicious, negligent or accidental internal threat. This method is simple and effective, making it ideal for time-sensitive situations or IT teams with large workloads.

Notably, many companies don’t utilize this method. In one recent survey of over 2,500 companies, 29% of senior executives reportedly don’t assign a risk score to each vendor. An additional 13% admitted they don’t use any third-party risk management system, highlighting the opportunity for widespread adoption.

Decision-makers should look to guidance like the International Organization for Standardization 28000 to learn how to reduce security risks or the National Institute for Standards and Technology SP 800-161 to manage supply chain threats. These standards can help them recognize what to prioritize and how to proceed.

Best Practices for Handling Third-Party Insider Threats

A zero-trust architecture is quickly becoming fundamental to cybersecurity. Leveraging it can minimize companies’ insider threat risk and reduce the scope of potential damage. Giving supply chain vendors the minimum amount of access needed to do their jobs prevents them from having opportunities to cause problems.

Another best practice is to leverage encryption. While typical techniques minimize the damage negligent and inadvertent insiders can do, format-preserving encryption (FPE) prevents malicious actions. Its ciphertext is the same form and length as the plaintext, allowing vendors to perform operations on data without reading it or possessing a decryption key.

Decision-makers should also consider developing an incident response strategy to address internal threats as soon as the IT team detects them, minimizing the scope of damage. Outlining the grounds, limitations and implications of such action in contracts would help them escalate as necessary while giving vendors a reason to comply.

Insider Threat Mitigation Is an Ongoing Process

Human error and disgruntled employees are a natural part of doing business. In other words, insider threats will always exist, no matter how often the IT team addresses them. While this fact may seem discouraging, it is a reminder to stay vigilant — threat mitigation is an ongoing process that evolves with time.

About the Author

Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.