Internal security threats. A growing risk for companies

Companies must have strategies in place to deal not only with cyberattacks, but also with internal security threats
Most of the business executives surveyed in a recent study believe that internal security threats are more difficult to detect and predict than cyberattacks. So much so that only 1 in 4 were confident that their organizations could stop internal security threats before they caused serious damage.
Although we have become accustomed to reading daily reports of new cyberattacks against companies, internal security threats are not given the attention they deserve.
Even so, in recent months, internal security threats have come to light, causing incidents across various sectors.
In mid-September, the financial institution FinWise Bank revealed that a former employee had accessed its systems and leaked personal information of 689,000 customers of the American First Finance platform. It took FinWise Bank a year to detect unauthorized access to the information, which was possible because the employee’s login credentials remained active.
A few days later, a BBC cyber reporter published a report detailing how a criminal group had offered him money in exchange for access to his corporate computer. The malicious actors attempted to entice him by promising a percentage of the ransom payment.
These cases show that internal security threats are not isolated incidents but risks that companies must consider when designing and implementing their cybersecurity strategies.
Below, we will address some key points about internal security threats and how to manage them.
1. What are internal security threats?
According to CISA, the government agency in charge of cybersecurity in the United States, internal security threats are individuals who, consciously or unconsciously, misuse their authorized access to a company’s technological infrastructure to undermine its objectives or harm its resources, personnel, information, equipment, networks, or systems.
This definition provides us with two key elements to consider:
- Internal security threats do not come only from an organization’s professionals; insiders can also be other actors with authorized access, such as suppliers, customers, or former employees whose access was not revoked upon leaving the company.
- Internal security threats may come from people who intend to cause a security incident, as well as from members of an organization who unintentionally generate incidents.
Thus, the National Cybersecurity Institute of Spain (INCIBE) distinguishes between:
- Malicious insiders. These actors deliberately seek to harm their companies. What are their motivations?
  - Financial. These are the most common and consist of obtaining payment from a criminal group with which an agreement has been reached, selling critical information and business secrets to competing organizations, etc.
  - Personal. Behind internal security threats, there may be motives such as employee disaffection or dissatisfaction, or a professional’s desire for revenge.
  - Political. In a geopolitical context as complex as the current one, it should come as no surprise that state-sponsored criminal groups seek to infiltrate companies in rival states to obtain key information, such as industrial property, or to disrupt their services.
- Negligent insiders. In these cases, professionals make mistakes, take reckless actions, or overlook security measures that can lead to security incidents. For example, clicking on a malicious website, downloading files from unsafe sources, or writing down their security credentials and leaving them in plain sight.
2. What are the internal threats that most concern cybersecurity experts?
A study points out that among potential insiders, those who cause the most concern are professionals in charge of the technological infrastructure, because they enjoy very high access privileges, allowing malicious actors to access more information or cause greater damage to the attacked company.
On the second level are external suppliers with access to the corporate technological infrastructure.
The third level is occupied by professionals working in the organization and, finally, there are privileged business users, who have access to business systems.
These actors may act negligently, devise a plan to harm the company, or reach an agreement with a criminal group seeking to infiltrate or attack the company.

3. Consequences of internal security threats
The consequences of internal security threats can be far-reaching for companies, which is why it is essential to have a strategy in place to prevent and detect them before they cause serious damage. What consequences are we talking about?
- Economic espionage. Insiders can trade in company secrets, intellectual property, financial information, etc.
- Industrial espionage, especially in critical sectors such as defense, energy, aerospace, or legal.
- Sabotage aimed at damaging the company’s technological infrastructure, preventing it from carrying out its activities, and affecting its business continuity.
- Financial crimes against the company, such as making improper payments.
- Theft of personal and financial data from customers and employees, with the legal consequences that this entails.
- Physical harm to people as a result of the disruption of basic functions. For example, the paralysis of a hospital’s operations or damage caused by machinery that malfunctions due to sabotage.
It is therefore critical that companies be aware of the economic, legal, and reputational repercussions of internal security threats.
4. Why are internal security threats on the rise?
We are living in an extraordinarily complex time, geopolitically, economically, and technologically. And this has a direct impact on the landscape of internal security threats.
Among the reasons that explain why internal security threats pose a serious risk to companies are:
- Geopolitical tensions and the role played by advanced persistent threat groups in cyber espionage and attacks on critical sectors.
- The move to the cloud by organizations that need to control a wide range of devices and software poses a security challenge.
- The expansion of teleworking following the pandemic and the implementation of BYOD policies in companies also increases their cyber exposure.
- The constant renewal of staff means that new professionals have access to critical privileges and functions, making it necessary to have protocols in place to manage the secure departure of employees.
- The hiring of remote professionals also makes it easier for malicious actors to infiltrate companies. For instance, a few months ago, the US Department of Justice announced that five people had pleaded guilty to stealing identities to get US companies to hire IT workers who were actually North Korean agents.
- The fact that companies have strengthened their defenses makes it more difficult for criminal groups to access their systems. As a result, malicious actors seek to seduce company professionals into giving them access to their systems. To do this, as the BBC reporter illustrated, they offer large sums of money and even the dream of never having to work again.
- The outsourcing of IT services means that the providers’ professionals can also be insiders. That is why cybersecurity must be considered when hiring technology providers.
5. Exploiting vulnerabilities facilitates privilege escalation
A study has revealed that 55% of internal security threats involve the exploitation of vulnerabilities that allow malicious actors to escalate the insider’s privileges and thus gain administrator privileges. To what end? To cause greater damage to the attacked organization or gain access to critical information.
Since they have higher privileges, malicious actors can deploy ransomware or spyware, causing greater impact.
That is why, in the fight against internal security threats, it is extremely important to implement vulnerability management that prioritizes remediation, taking into account the impact of their successful exploitation.
In addition, vulnerability management enables companies to respond quickly to zero-day vulnerabilities and prevent them from being exploited to escalate privileges and cause serious damage.

6. Train HR professionals and take cybersecurity into account in recruitment processes
When it comes to preventing internal security threats, each company’s human resources management plays an essential role. What can be done from a cybersecurity perspective?
- It is essential that HR teams receive cybersecurity training.
- Those responsible for recruiting professionals must consider candidates’ cybersecurity training and awareness.
- During the hiring process for new professionals, an investigation should be carried out to verify that potential employees have no links to malicious activity. This is especially important for positions that enjoy high levels of access, such as IT teams.
- Internal protocols should be designed so that employees know how to:
  - Use corporate devices and personal equipment they use for work.
  - Act if they believe they have made a mistake or oversight that could allow malicious actors to gain access to corporate systems.
  - Report any communication they have received from criminal groups seeking to gain access to corporate devices or software.
- Encourage reporting of inappropriate behavior and suspicious actions that may indicate internal security threats through the company’s reporting channel.
- Act proactively to check for internal security threats and stop them before incidents occur.
- Address internal security risks and prevent disgruntled professionals from becoming insiders.
7. Basic pillars of a strategy against internal security threats
To prevent and detect internal security threats in a company, it is essential to:
- Establish a security permission system that restricts access to information and digital assets. For example, an employee cannot have permission to view or export data stored in software that they do not need to perform their daily tasks.
- Implement a BYOD policy securely using Mobile Device Management (MDM) software.
- Record all actions performed by members of an organization and carry out continuous monitoring to detect unusual behavior and act as quickly as possible against internal security threats.
- Ensure the physical security of digital assets by controlling access to critical infrastructure elements by company professionals.
- Train and raise awareness among all members of an organization to avoid unsafe practices in their daily work.
- Have filters in place to detect internal security threats that take not only technical factors into account but also suspicious behavior, non-work-related factors, and employee dissatisfaction.
- Have clear, effective protocols in place to immediately revoke former employees’ access to digital assets.
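The FinWise Bank case above and the last pillar in this list both come down to one check: reconciling HR departures against accounts that are still enabled and against authentication logs. The following is an added example, not part of the original article; the CSV layouts, account names, and dates are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data (hypothetical names and column layout).
HR_DEPARTURES = """user,last_day
jdoe,2024-05-31
asmith,2024-06-14
vendor_k,2024-04-30
"""
DIRECTORY = """user,enabled
jdoe,true
asmith,false
vendor_k,true
mlee,true
"""
AUTH_LOG = """timestamp,user,result
2024-05-30T09:12:00,jdoe,success
2024-06-20T23:41:00,jdoe,success
2024-06-21T02:03:00,vendor_k,failure
2024-06-16T08:00:00,asmith,failure
2024-06-22T10:15:00,mlee,success
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_offboarding(hr_csv, directory_csv, auth_csv, today):
    """Return (still_enabled, post_departure_logins) for departed users."""
    last_day = {r["user"]: date.fromisoformat(r["last_day"]) for r in rows(hr_csv)}
    enabled = {r["user"] for r in rows(directory_csv) if r["enabled"] == "true"}
    # Finding 1: account is still enabled after the holder's last day.
    still_enabled = sorted(u for u, d in last_day.items() if d < today and u in enabled)
    # Finding 2: any authentication attempt dated after the last day;
    # successes mean the access was used, failures mean someone tried.
    post_departure = []
    for r in rows(auth_csv):
        user, when = r["user"], datetime.fromisoformat(r["timestamp"])
        if user in last_day and when.date() > last_day[user]:
            post_departure.append((user, r["timestamp"], r["result"]))
    return still_enabled, sorted(post_departure)

if __name__ == "__main__":
    stale, logins = audit_offboarding(HR_DEPARTURES, DIRECTORY, AUTH_LOG, date(2024, 7, 1))
    print("Enabled after departure:", stale)
    for user, ts, result in logins:
        print(f"Post-departure {result}: {user} at {ts}")
```

Supplier and contractor accounts belong in the same departure list as employees, since the article counts them as insiders too.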
8. What cybersecurity services can help prevent, detect, and eradicate internal security threats?
Beyond these basic practices for preventing and detecting internal security threats, companies need cybersecurity services to manage these risks:
- Continuous security audits to detect anomalous behavior and previously unidentified vulnerabilities.
- Vulnerability management. To prioritize the mitigation of weaknesses that could be exploited in internal attacks to escalate privileges and persist without attracting the attention of the company’s security managers.
- Internal penetration testing services to identify weaknesses that can be exploited by internal security threats and determine how to remediate them.
- Specific Red Team scenarios for internal security threats. Companies with a higher level of technological maturity can conduct Red Team exercises in which Red Team professionals simulate insider roles. This allows the level of cyber resilience against internal security threats to be measured and increased through the implementation of prevention and early detection measures.
- Proactive incident response. When managing internal security threats, it is critical to act quickly when they are detected in order to minimize their impact on the company. In addition, incident response team professionals are key to restoring normality and investigating what happened to take appropriate legal action and prevent a similar incident from occurring again.
In short, internal security threats are not a minor issue for companies. In fact, the impact of internal security threats can be extremely serious, resulting in significant financial losses.
Therefore, companies must account for internal security threats when designing, implementing, and optimizing their cybersecurity strategies.
Today, preventing, detecting, and responding to internal security threats is critical for companies.