Your Biggest Security Risk: The Insider Threat – IT Governance UK Blog
Expert insight from our head of GRC consultancy
Our analysis of the ICO’s (Information Commissioner’s Office) public data set found that 29–35% of reported personal data breaches between 2019 and 2023 in the UK had been caused accidentally.
That is, the incident type was one of:
- Data posted or faxed to incorrect recipient
- Data emailed to incorrect recipient
- Failure to use Bcc
- Failure to redact
Sector patterns
However, when we investigated the sectors suffering the most accidental breaches, we found that the entire top 3 comprised the public sector, with numbers as bad as 36.4%, 40.4% and 57.1% of all data breaches caused through human error.
When we asked Damian Garcia, our head of GRC (governance, risk and compliance) consultancy, why that might be, he suggested that the public sector is no more likely than others to suffer this type of incident.
Rather, government entities are more likely to report it, while private-sector organisations are more incentivised to cover up smaller breaches to avoid bad press.
Taking this into account, more than a third of all data breaches may be caused by human error.
Other types of insider threat
These figures become worse when you consider staff making other types of mistakes, like falling for a phishing attack. Verizon’s 2024 Data Breach Investigations Report found that 68% of data breaches involved a “non-malicious human element”, such as human error or falling for social engineering.
This 68% figure still excludes threats like malicious insiders (more on that later).
In this interview
Put the pieces together, and you get a sense of the scale of the insider or internal threat.
To learn more, we talked to Damian about:
What is the insider threat?
Many people misunderstand the terms ‘insider threat’ or ‘internal threat’. People often think of malicious insiders, but these are only a subset of the internal threat. Could you elaborate?
The misunderstanding goes beyond just the internal threat.
Historically, when people hear ‘cyber attack’ or ‘cyber criminal’, they envision a person in a hoodie on a computer, trying to hack their way into someone else’s device.
Today, most people understand that this is a dated view, but many still fail to realise that the biggest threat lies within the organisation itself – the insider threat.
What is the insider threat, exactly?
You can break it down into two camps: malicious and accidental. Both, however, originate from staff, whether that’s someone clicking a malicious link, sending data to the wrong recipient, or deliberately stealing money or data from the organisation.
If it originates from a legitimate user’s account and can cause harm to the organisation, you’re looking at the insider threat.
Why are insider threats an issue?
Your Master’s thesis focused on the insider threat. Why did you choose that topic?
As I talked to more experts in the field, I realised the scale of the insider threat problem.
For instance, I had the opportunity to work with a large UK charity, whose workforce consists mainly of volunteers. Their head of information security made a point about how most of their people are working for this charity out of pride. They want to help – they’re not likely to be malicious.
But this charity was having a massive problem with accidental breaches – people clicking phishing links, people not logging out of their terminals, stuff like that. Accidental breaches were by far this charity’s biggest problem.
How come? Why were accidental breaches such a big problem?
The workforce was quite diverse – some worked in an office and were very familiar with computers and how to use them. But others were manual labourers, who lacked IT literacy. They were very knowledgeable in their field but knew little about computers and the associated risks.
That is part of the challenge – how to tackle the insider threat when you have a diverse workforce.
The other problem is that you’re more likely to trust an insider – they’re supposed to have access to confidential systems and information. So, if something goes wrong with that account, it can do a lot of damage. It may also take a while before you realise that something is wrong.
Sector trends and patterns
Do charities have more trouble with the insider threat than other sectors?
Quite possibly, but the same applies to other sectors less likely to invest in their people.
Out of all the ways you can address the internal threat, staff training is the most obvious solution. If you don’t invest in basic training and awareness, you’re going to suffer more data breaches. It really is that simple.
Plus, charities tend to have that diverse workforce – so, they’re more likely to have people who aren’t very knowledgeable about computers. To be clear: there’s nothing wrong with that – we all have our own strengths and weaknesses – but you do need to teach those skills.
It comes down to understanding the risks that the organisation faces to its information assets, then figuring out how to address and manage them.
What other sectors are more likely to have a big problem with the insider threat?
I work with a lot of councils. You see a similar pattern as with charities: diverse workforces, good cyber hygiene isn’t a given, and staff training can be limited and ineffective.
So, by extension, smaller organisations are also more susceptible to the insider threat? Because they can’t afford – or rather, think they can’t afford – to invest in staff awareness training?
Absolutely. If I was a cyber criminal, without a doubt, I’d focus on small and medium-sized organisations. They typically lack the funds to invest in cyber security, making them easy targets.
They also tend to see their data as not worth very much, so don’t see why they’d be the focus of an attack.
Staff training is one of the most cost-effective measures that an organisation can take to reduce the risks it faces from the insider threat.
Our Phishing Staff Awareness Training Programme offers world-class content for a competitive price, developed by experienced and knowledgeable industry experts.
The course is quick to deploy, easy to repeat and convenient for your staff. Taking just 45 minutes, it’ll help employees spot the signs of common threats like phishing.
It also explains the importance of staying alert and teaches staff what to do if they think they’ve been attacked.
Malicious insiders
Staff awareness training is a way to address accidental breaches. What about malicious insiders? How can organisations protect themselves from that type of insider threat?
The first step is to understand why someone might turn malicious. Why might an employee wish harm on your organisation? Typically, that’s a disgruntled employee. So, a way to mitigate that risk is to look after your people.
Another angle you should consider, to better understand the risks that your organisation faces, is the respective level of technical knowledge of your staff.
For instance, an unhappy receptionist poses a vastly different threat to cyber or information security compared to an unhappy system administrator.
So, if you have someone who’s technically competent, pay attention to whether they’re happy. If they exhibit signs of poor performance and being disgruntled, put extra measures in place to ensure they’re not taking steps to cause problems for your organisation further down the line.
What about a blackmailed, rather than a malicious, employee?
That’s possible too, particularly if you’re an organisation more likely to be targeted by nation state actors. Central and local government and critical infrastructure organisations are top of the list.
For my research project, I interviewed various industry experts. This included a cyber security expert who worked for the UK government, who advised organisations that are a part of the UK’s critical national infrastructure on how to protect themselves.
He advised that the greatest risk organisations face from the insider threat is when people leave, and the organisation doesn’t take steps to immediately revoke the individual’s access to its systems.
This is critical when you have a disgruntled employee who’s extremely technically competent, such as a system administrator.
Security culture
Good leaving procedures and staff awareness aside, how else can organisations defend against the insider threat?
Culture is very important. You want a culture that’s security-aware and where all members of staff [not just IT] acknowledge they have a part to play in security.
Also, you mustn’t punish people when they make an honest mistake. So, to be crystal clear, if someone accidentally clicks a phishing link, do not punish them!
You want to encourage your staff to report incidents right away, so you can investigate in a timely manner.
That seems rather obvious. Do organisations really punish staff for making that type of mistake?
Yes. I worked with a client based overseas that had a very interesting – a very male-dominated – culture.
This company wanted to put a procedure in place that automatically disciplined anybody who caused a cyber incident, such as clicking a phishing link. That type of approach fitted with their culture.
I asked them to reconsider their approach.
Without going into too much detail, this company was likely to be targeted by well-crafted social engineering attacks. And if someone does fall for one, you want them to call it out as quickly as possible! Because the longer a problem carries on, the worse it could become.
Detecting the insider threat
How can you detect the insider threat? Besides people reporting accidental breaches, like clicking a phishing link?
First, you need to establish a baseline – the ‘normal’ pattern of behaviour. Then you can identify red flags – when your tools are catching behaviour falling outside those normal patterns.
For instance, would you expect your London-based employee to log in from mainland China at 3:00 am? Would you expect to see terabytes of data leaving your systems at 4:00 am? Either of those suggests you may have a problem, requiring some form of response.
It’s important to have both these types of automated monitoring tools, as well as staff training, email filters, and all sorts of other preventive measures – in short, cyber defence in depth.
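To make the baseline-then-red-flags approach concrete, here is an added example (not from the original interview, nor IT Governance's own tooling) that learns each user's usual login countries, hours and outbound data volumes from a constructed set of past events, then flags the two scenarios described above plus the case of a user with no baseline at all; the user names, thresholds and event values are invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

# Constructed sample events, not real logs: (user, login hour 0-23, country, bytes sent out)
BASELINE_EVENTS = [
    ("alice", 9, "GB", 50_000_000),
    ("alice", 11, "GB", 20_000_000),
    ("alice", 14, "GB", 80_000_000),
    ("alice", 17, "GB", 10_000_000),
    ("bob", 8, "GB", 5_000_000),
    ("bob", 13, "GB", 7_000_000),
    ("bob", 18, "GB", 4_000_000),
]

NEW_EVENTS = [
    ("alice", 10, "GB", 60_000_000),        # ordinary working-hours activity
    ("alice", 3, "CN", 1_000_000),          # login from mainland China at 03:00
    ("bob", 4, "GB", 2_000_000_000_000),    # 2 TB leaving at 04:00
    ("carol", 12, "GB", 1_000),             # account never seen before
]

@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    bytes_out: list = field(default_factory=list)

def build_baseline(events):
    """Learn, per user, where and when they normally log in and how much data they move."""
    baselines = defaultdict(Baseline)
    for user, hour, country, bytes_out in events:
        b = baselines[user]
        b.countries.add(country)
        b.hours.add(hour)
        b.bytes_out.append(bytes_out)
    return dict(baselines)

def red_flags(baselines, events, egress_multiple=10, hour_slack=2):
    """Return (user, reason) pairs for events that fall outside the learnt baseline."""
    flags = []
    for user, hour, country, bytes_out in events:
        b = baselines.get(user)
        if b is None:                       # unknown account: cannot judge, so escalate
            flags.append((user, "no baseline for user"))
            continue
        if country not in b.countries:
            flags.append((user, f"login from unseen country {country}"))
        lo, hi = min(b.hours) - hour_slack, max(b.hours) + hour_slack
        if not lo <= hour <= hi:
            flags.append((user, f"login at {hour:02d}:00 outside usual hours"))
        if bytes_out > egress_multiple * median(b.bytes_out):
            flags.append((user, f"egress of {bytes_out} bytes far above baseline"))
    return flags
```

Run `red_flags(build_baseline(BASELINE_EVENTS), NEW_EVENTS)` to see the ordinary event pass and the other three produce flags for triage.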
Overlaps between the internal and external threat
What you’re saying about security monitoring, email filters, and so on doesn’t sound that different to how you’d address the external threat.
Yes, the two aren’t completely separate. They are distinct, of course, but you have to implement controls that apply to both. Security monitoring is one. Another is access control:
- Do you have role-based access control?
- Are you following the principle of least privilege?
- Are you only granting access on a need-to-know basis?
Regardless of whether someone brute forces a user account [external threat], or you’re dealing with a malicious insider, you want to give people as little access as possible.
What other technical controls work for both internal and external threats?
Segmentation and segregation are good. Again, limit the access people have to things, whether an authorised user or not. Zero-trust architecture will also help with that.
But the most important thing is to not rely on just one control. Take a defence-in-depth approach – get multiple layers of measures working together, making up for each other’s weaknesses.
You can never know where the next attack or threat might come from. Who might turn malicious, what might turn bad, who may want to harm your organisation.
So, the more defences you have in place, the more protected you’ll be.
Want to identify risks within your internal systems?
Our Internal Infrastructure Penetration Test contains a mix of advanced manual testing techniques and automated scans to simulate real-world attacks, so you can identify risks within your systems.
We’ll assess:
- Patching
- Passwords
- Encryption
- Configurations
- Authentication
- Network traffic
- Information leakage
At the end of the test, you’ll receive a comprehensive report containing a high-level, non-technical summary of the risks to your business, as well as detailed descriptions of each technical vulnerability our consultant identified and remediation advice.
About Damian Garcia
Damian has worked in the IT sector in the UK and internationally, including for IBM and Microsoft. In his more than 30 years in the industry, he’s helped both private- and public-sector organisations reduce the risks to their on-site and Cloud-based IT environments.
He has an MSc in cyber security risk management from the University of Southampton. Damian’s dissertation focused on the insider threat. He received a distinction for both.
Damian maintains various professional certifications. As our head of GRC consultancy, he remains deeply committed to safeguarding organisations’ information and IT infrastructures, providing clients with pragmatic advice and support around information security and risk management.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.