The Insider Threat – Part 1

Which is a bigger risk to your organization?  A determined outsider trying to break into your network?  Or an insider, an employee or coworker who is already on the network as a credentialed user?  Obviously, it is the insider who represents the greatest threat.

In truth, all successful attacks become insider attacks.  The determined outsider who finds a way into your network is now operating as an insider.  But we are interested in exploring the ways that your employee or coworker might become a threat to your business.

Cybersecurity professionals are typically engaged with network and computer-based insider threats such as unauthorized file access, data exfiltration, circumvention of security controls, installation of unauthorized or unlicensed software, configuration of rogue wireless access points, and the like.

I get drawn into insider cases usually “after the horse is out of the barn.” There was the case I worked on at an expensive private school where a student was able to change grades for himself and several friends. I have worked on several email account hijacking (BEC) cases, which may start out as outsider attacks but, once the email account has been taken over, really work as an insider attack, or at least an impersonation attack.

There are other insider threats to be looking for.  Let’s take a look at a couple of common threats.

Disgruntled employees – A disgruntled employee may come to feel that everyone is against them and that nobody likes them, and may become more alienated from the company and coworkers over time.  This can become an insider threat if left unattended.  Management needs to be alert for this situation, and proper early intervention can help improve the employee’s attitude. The best solution may require one or more meetings involving the employee’s supervisor,

  • Act quickly – Don’t let the situation with this employee fester; their negativity can bring down the whole team.  Things rarely “get better on their own.”  Be proactive.
  • Remain professional – If they want to vent, let them vent, but don’t join them.  Remind them you are only trying to help resolve whatever the situation is, to the best of your abilities.
  • Confidentiality – Keep this issue between you and the employee.  Bring in HR if appropriate, and maybe another manager.  You do not want to discuss this issue with other members of your staff, because this could make the situation even worse.
  • Documentation – Take notes during your conversation, and keep a written report of everything that was discussed, and whatever you agreed to.
  • Resolution – If you can satisfy this employee and get their attitude turned around, then chalk it up as a win for your team.  This situation still bears monitoring for a while.  But at the end of the day life isn’t always fair, and you may not be able to meet their demands.  This employee may just be a complainer.  If you can’t get the employee back on track, you may need to consider dismissing the employee.  If you are planning to terminate, you definitely need to get HR and probably your own manager involved.

Recently, an employee of Canadian credit union association Desjardins was discovered to have released the personal records of nearly 3 million members and 173,000 business customers.  An insider can cause huge amounts of damage.

Embezzlement – There are telltale signs if an employee is embezzling from your company.  Keep your eyes open for these warning signs of employee fraud or embezzlement:

  • Vacation – Embezzlers often refuse vacations because they are worried about being discovered by their replacement.  Insist that vacation time be taken.
  • Overtime – Employees who work overtime that is not required may be using the extra time to cover their tracks.  Limit overtime to that which is necessary.
  • Home work – Another sign can be an employee who is always taking work home in the evening.
  • Lifestyle changes – If an employee is suddenly sporting new cars, boats, or homes without the income to support them, this can be a sign of embezzling.
  • Petty cash – If the petty cash account is emptying more quickly than usual, this can be a warning sign, too.
  • Travel expenses – Inflating travel expenses is one way traveling employees can pad their income.  Audit travel expenses closely and insist that they be supported with receipts and invoices.
  • Vendor friendships – It’s great when relationships with vendors are effective, but watch out if they become intimate or closer than needed for business.  Collusion between an employee and vendor can lead to fraudulent invoicing and other financial crimes.
  • Disappearing office supplies – As with petty cash, disappearing office supplies can put a strain on the corporate budget.  If everybody is taking “just a little bit” home with them, the financial drain can accumulate rapidly.

Putting proper security controls in place can help prevent or at least minimize the amount of damage an embezzler can cause.

  • Deposit receipts daily – Don’t leave money lying around where it can become a temptation.
  • Reconcile financial statements monthly – Proper monthly reconciliations can help detect embezzlement earlier rather than later.
  • Separation of duties – The person making the deposits should not be the person reconciling accounts.
  • Job rotation – If employees are trading jobs periodically, it provides another means of detecting financial irregularities.  An additional benefit is that your staff is cross-trained, which can be helpful if you lose an employee.
  • Mandatory vacations – Requiring annual vacations provides another opportunity to catch financial issues, especially if it is coupled with auditing.
  • Auditing – Bring in an outside auditor to confirm the books.

In cases like the disgruntled employee or the embezzler, you should consult with an employment attorney before you actually terminate an employee.  In the case of embezzlement, you should plan on reporting the crime to the police and prosecuting the case.  Prosecution sends a clear message to other employees that theft of this sort will not be tolerated.

In our next post we will examine other insider threats you may not be considering in your security program.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an information technology and cybersecurity instructor for several training and certification organizations. Bob has worked in corporate, military, government, and workforce development training environments. Bob is a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at