What is a trusted insider threat?

For companies and other organisations, sometimes the greatest threat comes from within. Anyone who understands the inner workings of a certain corporate entity or government organisation can feasibly cause harm. Malicious insiders are those who have privileged access to information, technology, or assets, and who deliberately exploit their access in ways that compromise commercial or national interests. Insider threat actors can include current employees, former employees, contractors, service providers or someone working for a business partner.

Essentially, trusted insiders are categorised within two distinct types: Malicious, whether self-motivated (Individuals whose actions are undertaken of their own volition) and recruited (Individuals co-opted by a third party to specifically exploit their potential, current or former privileged access); or unintentional (Trusted employees or contractors who inadvertently expose or make vulnerable to loss or exploitation, privileged information, assets or premises).

The Federal Government’s Managing the insider threat to your business handbook defines the malicious trusted insider threat “… as the threat posed by unauthorised access, use or disclosure of privileged information, techniques, technology, assets or premises by an individual with legitimate or indirect access, which may cause harm.” The motivations of a malicious trusted insider vary, as the Deputy Director-General of ASIO explained at a conference in 2015, “…when we talk about malicious insiders, we are talking about individuals who, with a range of motivations, betray the trust of their employer. Research has shown that motivations for such betrayal vary widely. But they are fundamentally personal – such as disgruntlement, revenge, ego, a sense of the misguided greater good or loyalties, or financial gain.”

Why are insider threats difficult to detect?

Malicious insider threats are often more difficult to identify and block than outside attacks. For instance, a former employee using an authorised login won’t raise the same security flags as an outside attempt to gain access to a company’s information security network. For this reason, insider threats are not always detected before access is granted or damage is done. Opportunism, compounded by circumstance, may turn an otherwise trustworthy person into someone who seeks to deliberately steal or harm an organisation and/or its assets.

Of note is that trusted insider threats often begin with an individual or entity being given authorised access to sensitive data or areas of a company’s network. This access is granted in order to enable the individual to perform specific job duties or facilitate a contractual obligation. When an individual makes the decision to use this access in ways other than intended – abusing privileges with malicious intent towards the entity – that individual becomes an insider threat.

As detailed previously, trusted insiders can also pose an unintentional threat, such as assisting someone to access physical facilities or information systems without realising that what they are passing on may hold significant value and may be used for malicious purposes. This often happens when employees lack security awareness or fail to follow correct security protocols. Trusted insiders present a threat whether acting independently with a specific agenda and intent or act by assisting external parties; they are not necessarily predisposed to undertakings that go against the policies of an organisation.

Australia is not immune from the current, enduring and emerging threat of trusted insider attacks. Ideology can motivate insider threats. Current employees can also become malicious as a result of some real or perceived grievance, or after being recruited by an external threat actor, such as an Issue Motivated group or organise crime seeking to gain sensitive information. Also, such insiders could become opposed to some aspect of their employment, or they could intentionally join an organisation that aims to harm it. Reputation damage is a serious risk regarding unlawful distribution of sensitive and private information to unauthorised parties.

The same holds true for financially motivated insiders, far more common than those driven by ideology. There have been many cases of employees trying to sell proprietary information for personal gain or giving that information to a competitor in exchange for a job. Organised crime networks and other nefarious threat actors could benefit greatly by having inside sources embedded long-term within a targeted entity. Australian Security Agencies recently informed a parliamentary inquiry that the organisation requires sweeping new national security laws as the threat posed by foreign espionage is worse than during the cold war; adding that there was a “pervasive” threat of foreign actors seeking to influence Australian society; such is the risk.

Finally, returning to work full-time as opposed to working from home may also increase anxiety or disgruntled behaviour, potentially exacerbating trusted insider activity. During an ease of lockdown phase, workforce disaffection could be caused by staff feeling disgruntled by enforced changes to their working arrangements, feeling unsupported by an employer whilst working remotely for a long period if there have poor communications relating to their role, or uncertainty about their health and safety as they return to work, or even future job insecurity. Disaffection can make people feel that the psychological contract between the individual and the organisation is damaged and begin on a pathway towards harm.

Contact us to learn more about the very real risks associated with malicious and unintentional trusted insiders, and how we can assist in protecting your business-related information and location from unauthorised access and compromise.