Summary: Real internal threats include employee sabotage, accidental data leaks, and disgruntled ex-workers. Learn how to prevent internal breaches and protect your data from friendly fire.
There is a common perception that the leading cyber security threats to a business come from hooded hackers halfway around the world.
These cyberattacks are more likely to be focused on larger targets than small to mid-sized businesses.
However, potential internal threats from local employees and/or contractors should be considered. These are also known as insider threats or insider risks.
Some of the threats are breaches and theft by insiders acting independently.
There are also hybrid threats. These are threats in which the external bad actor colludes with either an unsuspecting person or with a willing participant on the inside.
Unwilling Collusion
An example of unwilling collusion is when an employee pays a fraudulent invoice or unwittingly gives up credentials due to successful phishing or other social engineering attacks.
Willing Collusion
An example of willing collusion is when a ransomware gang entices an insider to install and launch ransomware on a server in exchange for a percentage of the heist.
Data Protection Measures
How can you protect your business from an ever-growing variety of internal threats? We have assembled a detailed list.
While this list may seem overwhelming, it shows that internal network security’s balance between convenience and protection has moved toward the risk mitigation end of the spectrum.
Managing data security requires a more dynamic strategy than ever.
Update: In July 2024, the security awareness training vendor KnowBe4 reported that it had unknowingly hired a North Korean hacker. Fortunately, their internal controls, some of which we cover below, prevented any consequences.
Adopt a Zero Trust stance
Zero Trust is a security concept. It means not trusting anything internal or external by default. Anything or anyone trying to connect to company systems must first be verified.
The approach can be described as “untrusted until proven trustworthy.”
Zero Trust is not a one-and-done proposition. Users and permissions must be monitored on an ongoing basis.
Enforce internal software and firmware patching compliance
Continually updating all internal software and firmware with the latest updates from vendors is essential for patching vulnerabilities.
The CVE database is the most comprehensive source of information on current vulnerabilities.
Internal threats can go undetected for a long time, so ensuring that all internal systems are always up to date is critical.
Patch management software is essential for automating as much of the software and firmware updating process as possible.
Check with your managed service provider about their patch management software solution.
Note: While patching should be at the top of your security tasks list, it is not a silver bullet due to zero-day vulnerabilities. A zero-day attack happens when an attacker exploits a flaw or vulnerability before a vendor can create a patch to fix the vulnerability.
Be aware of all software being used within your organization
If your IT team doesn’t know about all installed software and firmware on employees’ machines, they won’t know everything that needs to be patched.
A good internal security practice around ‘shadow IT’ is knowing what software is actually running on your network and updating it consistently.
This may require establishing an inventory of all endpoints and installed software.
Replace end-of-life software
While it’s possible to subscribe to extended security updates for specific software past its end of life, like Windows 7, some software is so old that updates are unavailable.
One organization experienced a successful ransomware attack partly because of a vulnerability in an 11-year-old installation of Adobe ColdFusion 9.
Implement a company-wide password manager & policies
While using strong passwords is well-worn advice, it always bears repeating.
From an internal threat perspective, strong passwords are an essential layer of protection against Kerberoasting attacks.
In a nutshell, if a cyber attacker compromises any domain user’s account, they can request service tickets for service accounts and crack weak service-account passwords offline using cracking tools.
Strong passwords are facilitated across the board by a company-wide password manager, along with appropriate password policies.
Require the use of multi-factor authentication
When a password is an employee’s only account authentication requirement and is weak, a hacker can log into their account by brute force in minutes or seconds.
An excellent internal security practice is to use multi-factor authentication whenever possible. Multi-factor authentication requires an additional step beyond a username and password to access an online account. Examples of accounts that should require it include:
- Email services
- Cloud productivity software such as Microsoft 365 and Google Workspace
- Document storage such as Box and Dropbox
- Online banking services
- Social media accounts like LinkedIn, Twitter & Facebook
- CRM, ERP, and tax preparation software
This has the benefit that if the first level of authentication is compromised, the second level will still be in place.
Add a layer of email filtering
Both Microsoft 365 and Google Workspace have native email filtering capabilities that can warn users about suspicious emails.
However, some third-party products give more control over email filtering policies.
An email filtering application can catch suspicious emails that a vendor email server may have missed.
Implement better antivirus/EDR software
In some small businesses, antivirus software is ‘catch-as-catch-can,’ with employees using different types of AV software. There is no verification as to the reliability of installed AV software.
Centrally administered AV or Endpoint Detection and Response (EDR) software ensures that reliable and up-to-date software is installed on all endpoints to defend against malware.
Provide Zero Trust remote network access
When members of a distributed workforce have remote access to the corporate network, zero-trust security should be applied.
Cloud-based remote access technologies such as Secure Access Service Edge (SASE) and integrated software-defined perimeter (SDP) capabilities enable organizations to implement Zero Trust network access more easily.
For example, you can deny administrative access to administrators when they connect from outside the internal network.
Hybrid workers can have more restrictive remote privileges compared to when they are in the office.
Give internal users access to the minimum needed resources
The Principle of Least Privilege (a.k.a. Least Privilege Security Model) states that each user’s account should only have the access privileges necessary for a person to do their job.
For example, some users may not be allowed to install new desktop software.
The Principle of Least Privilege can also apply to database software such as CRM and ERP. Users can only access the records and fields they need.
Encrypted fields, such as fields containing certain personal information and passwords, can be made readable only to the users who need to see that information.
While file-level encryption is typically used to protect organizations from ransomware attacks, it can also be used to defend against insider threats.
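The record- and field-level restrictions described above, as an added example that is not the article’s own code: a small data-access layer in which each role is granted a set of fields, managers see only their own department’s records, and encrypted fields are masked rather than decrypted for roles that were not granted them. The role names, field names and sample rows are constructed for illustration, and the encryption is represented by masking so the example runs stand-alone.

```python
from dataclasses import dataclass

# Constructed example: an HR/ERP employee table with role-based field access.
# Role names, field names and the sample records are assumptions, not the
# article's, and "encryption" is represented by masking rather than a real
# cipher so the example runs stand-alone.
ROLE_FIELDS = {
    "manager":  {"id", "name", "email", "department", "title"},
    "helpdesk": {"id", "name", "email"},
    "payroll":  {"id", "name", "department", "ssn", "salary"},
}
ROLES_SEEING_ALL_DEPARTMENTS = {"helpdesk", "payroll"}
# Stored encrypted; readable only when the role is explicitly granted the field.
ENCRYPTED_FIELDS = {"ssn", "salary"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str


def can_see_record(user: User, record: dict) -> bool:
    """Record-level rule: managers see only their own department."""
    if user.role in ROLES_SEEING_ALL_DEPARTMENTS:
        return True
    return record["department"] == user.department


def view_record(user: User, record: dict) -> dict:
    """Field-level rule: expose only the fields the role is entitled to."""
    if not can_see_record(user, record):
        raise PermissionError(f"{user.name} may not read record {record['id']}")
    allowed = ROLE_FIELDS.get(user.role, set())
    view = {}
    for field, value in record.items():
        if field in allowed:
            view[field] = value
        elif field in ENCRYPTED_FIELDS:
            view[field] = "***"        # field exists, but no decryption for this role
        # every other field is omitted from the view entirely
    return view


def query(user: User, records: list) -> list:
    """Apply both rules to a result set, the way a data-access layer should."""
    return [view_record(user, r) for r in records if can_see_record(user, r)]


EMPLOYEES = [   # constructed sample rows
    {"id": 1, "name": "Alice", "email": "alice@example.com", "department": "engineering",
     "title": "Engineer", "ssn": "000-00-0001", "salary": 90000, "manager_notes": "n/a"},
    {"id": 2, "name": "Bob", "email": "bob@example.com", "department": "marketing",
     "title": "Analyst", "ssn": "000-00-0002", "salary": 70000, "manager_notes": "n/a"},
]

if __name__ == "__main__":
    for row in query(User("Eve", "manager", "engineering"), EMPLOYEES):
        print(row)
```

The point of enforcing both rules in one place is that an application screen or report cannot accidentally widen access: an insider in a manager role gets their own department’s rows with the payroll fields masked, and a payroll clerk gets the payroll fields but not the contact details they have no business reading.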
Give administrators the minimum privileges they need
The Principle of Least Privilege should also apply to internal administrators. Just because an admin can control several system settings does not mean they should be able to control them all. Role-based permissions can be applied to admins, just as permissions can be applied to users.
Administrative accounts usually have the highest risk of insider threat. Microsoft provides tools to help with this.
Removing unnecessary administrator rights helps defend against attacks such as Pass-the-Hash.
Segment your network into subnets
Network segmentation involves creating smaller networks within an organization rather than having a single, extensive network. The flow of traffic between networks can be tightly controlled.
This can be used to completely separate departments. For example, the engineering and marketing departments may not need to access one another’s network applications or files.
In the “execute ransomware for hire” scenario described above, an employee willing to execute ransomware may not have access to the machine on which it needs to be executed.
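As an added example that is not the article’s own code, the following script models the segmentation policy the section describes: three subnets, a default-deny allow-list of the flows permitted between them, and an audit function that reports which observed flows would be blocked. The segment names, address ranges and ports are assumptions chosen for illustration.

```python
import ipaddress

# Constructed example: three subnets and the flows allowed between them.
# Segment names, address ranges and ports are assumptions, not the article's.
SEGMENTS = {
    "engineering": ipaddress.ip_network("10.10.0.0/24"),
    "marketing": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
}

# Allow-list of (source segment, destination segment, TCP port).
# Anything not listed is denied, so cross-segment traffic is default-deny.
ALLOW = {
    ("engineering", "servers", 22),   # engineers administer build servers
    ("engineering", "servers", 445),  # engineers use the file server
    ("marketing", "servers", 443),    # marketing only reaches the intranet site
}


def segment_of(ip: str):
    """Return the name of the segment an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Decide whether a flow is permitted by the segmentation policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown addresses get no access
    if src == dst:
        return True             # traffic inside one segment is not filtered here
    return (src, dst, port) in ALLOW


def audit_flows(flows):
    """Return the subset of (src, dst, port) flows the policy would block."""
    return [flow for flow in flows if not is_allowed(*flow)]


if __name__ == "__main__":
    sample = [
        ("10.10.0.5", "10.30.0.10", 445),   # engineer -> file server: allowed
        ("10.20.0.7", "10.30.0.10", 445),   # marketing -> file server SMB: blocked
        ("10.20.0.7", "10.10.0.5", 3389),   # marketing -> engineering RDP: blocked
    ]
    for flow in audit_flows(sample):
        print("blocked:", flow)
```

Run against a flow export, the blocked list shows where the policy bites: a marketing workstation can reach the intranet site over 443 but cannot open SMB to the file server, which is exactly the hop an insider in that department would need in the ransomware-for-hire scenario.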
Immediately disable a departing employee’s accounts
Accounts created by an employee who no longer works for the company should be deleted or deactivated — or passwords should be changed as soon as possible.
Employees who quit, are laid off or are fired often take internal data — intentionally or unintentionally.
Your IT services provider may be able to supply a formal offboarding template to ensure everything is locked down when an employee leaves the company.
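An offboarding check that an IT team could run daily, added here as an example rather than taken from the article or any vendor template: it reconciles the accounts that are still enabled in the directory against the HR roster and returns the accounts of departed staff, accounts with no HR owner, and accounts nobody has used for a long time. The usernames, dates, the 90-day stale threshold and the data layout are constructed assumptions.

```python
from datetime import date

# Constructed sample data: an identity-directory export and an HR roster.
# Usernames, dates and the 90-day stale threshold are assumptions.
DIRECTORY = [
    {"user": "alice", "enabled": True,  "last_logon": date(2024, 7, 1),  "admin": False},
    {"user": "bob",   "enabled": True,  "last_logon": date(2024, 6, 28), "admin": True},
    {"user": "carol", "enabled": True,  "last_logon": date(2024, 2, 10), "admin": False},
    {"user": "dave",  "enabled": False, "last_logon": date(2024, 1, 5),  "admin": False},
    {"user": "svc-backup", "enabled": True, "last_logon": date(2024, 7, 2), "admin": True},
]
HR_ROSTER = {
    "alice": {"status": "active",     "end_date": None},
    "bob":   {"status": "terminated", "end_date": date(2024, 6, 30)},
    "carol": {"status": "active",     "end_date": None},
    "dave":  {"status": "terminated", "end_date": date(2024, 1, 5)},
}
STALE_DAYS = 90


def reconcile(directory, roster, today, stale_days=STALE_DAYS):
    """Compare enabled accounts against HR and return what needs action.

    departed: HR says the person has left but the account is still enabled
    orphaned: enabled account with no HR owner (service or forgotten accounts)
    stale:    enabled and owned, but unused for longer than stale_days
    """
    departed, orphaned, stale = [], [], []
    for acct in directory:
        if not acct["enabled"]:
            continue                     # already disabled, nothing to do
        rec = roster.get(acct["user"])
        if rec is None:
            orphaned.append(acct["user"])
        elif rec["status"] == "terminated" and rec["end_date"] <= today:
            departed.append(acct["user"])
        elif (today - acct["last_logon"]).days > stale_days:
            stale.append(acct["user"])
    return {"departed": departed, "orphaned": orphaned, "stale": stale}


def prioritise(findings, directory):
    """Order departed accounts so that administrators are disabled first."""
    admins = {a["user"] for a in directory if a["admin"]}
    return sorted(findings["departed"], key=lambda u: (u not in admins, u))


if __name__ == "__main__":
    result = reconcile(DIRECTORY, HR_ROSTER, today=date(2024, 7, 3))
    print(result)
    print("disable in this order:", prioritise(result, DIRECTORY))
```

The orphaned list is worth watching as closely as the departed one: an enabled account that no current employee owns is exactly what a former worker or a careless contractor leaves behind, and it will never show up in an HR termination feed.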
Monitor high-risk employee activity
The computer-related behavior of soon-to-be-departing employees and other high-risk employees can be monitored.
There are available applications that can add departing employees to a risk detection lens for data exfiltration — and then monitor them for any suspicious file transfers.
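The monitoring the section describes, as an added example that is not the article’s own code and not any particular product’s logic: it reads a file-activity log, sums each user’s transfers to removable media and external hosts, and raises an alert when a user on the departing-employee watchlist exceeds a low threshold or anyone exceeds a high one. The log lines, the company domain suffix and both thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample DLP / file-activity log (not real data).
SAMPLE_LOG = """\
timestamp,user,action,bytes,destination
2024-07-01T09:12:00,alice,upload,5242880,sharepoint.corp.local
2024-07-01T09:40:00,bob,copy,314572800,USB:E:
2024-07-01T10:05:00,bob,upload,209715200,drive.google.com
2024-07-01T11:00:00,carol,upload,1048576,mail.corp.local
2024-07-01T13:30:00,dave,upload,2147483648,wetransfer.com
"""

INTERNAL_SUFFIXES = (".corp.local",)   # assumption: the company's own domains
MIB = 1024 * 1024
WATCHLIST_LIMIT = 100 * MIB            # departing / high-risk users: low tolerance
GENERAL_LIMIT = 1024 * MIB             # everyone else


def is_external(destination: str) -> bool:
    """Removable media or any host outside the company's own domains."""
    if destination.startswith("USB:"):
        return True
    return not destination.endswith(INTERNAL_SUFFIXES)


def find_suspicious_transfers(log_text: str, watchlist: set) -> list:
    """Sum external transfer volume per user and flag those over their limit.

    Returns a list of (user, total_bytes, limit_bytes), sorted by user.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_external(row["destination"]):
            totals[row["user"]] += int(row["bytes"])
    alerts = []
    for user in sorted(totals):
        limit = WATCHLIST_LIMIT if user in watchlist else GENERAL_LIMIT
        if totals[user] > limit:
            alerts.append((user, totals[user], limit))
    return alerts


if __name__ == "__main__":
    # bob has given notice, so he is on the watchlist
    for user, total, limit in find_suspicious_transfers(SAMPLE_LOG, {"bob"}):
        print(f"ALERT {user}: {total / MIB:.0f} MiB to external destinations "
              f"(limit {limit / MIB:.0f} MiB)")
```

With bob on the watchlist his 500 MiB to a USB stick and a personal cloud drive is flagged; without it, only dave’s 2 GiB upload trips the general threshold. That difference is the whole point of a “risk lens”: the same activity that is ordinary for most staff deserves a look when it comes from someone who is about to leave.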
“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.”
Dr. Larry Ponemon
Implement internal security awareness training
Conduct security awareness training for employees and contractors. Many Managed Security Service Providers (MSSPs) offer this.
This partly involves training users to spot phishing and business email compromise (BEC) emails. Employees should be instructed to forward any suspicious-looking emails to an IT representative.
“The weakest link in the security chain is the human element.”
Kevin Mitnick
Other forms of social engineering by hackers, including phone calls, text messages, and in-person visits, can cause an employee to give up their password to a third party. When this happens, email filters and strong passwords are irrelevant.
Use voice analytics to assess the risk level
Voice analytics technology company Clearspeed provides innovative technology that can screen prospective or current employees for risk.
A “yes” or “no” response to each question in a set of four or five can clear a prospective employee or flag them for additional screening.
If an incident has already occurred, the technology can flag a current employee for further investigation.
Set internal session timeouts
To protect your network against internal threats, session timeouts should be used.
This will help users maintain security by not leaving Windows and other sessions active while away from their desks.
If users stay logged into the internal network for an extended period, they may unintentionally or intentionally hand over computer access to someone else posing as them.
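Session timeouts apply to internal web applications as much as to Windows logons. As an added example, not code from the article, here is a server-side session store that enforces both an idle timeout (the session ends after a period of inactivity) and an absolute timeout (a hard cap however active the user is), and that can revoke all of a user’s sessions at once, as an offboarding step would. The 15-minute and 8-hour values are assumed policy numbers, and the clock is injectable so the behaviour can be tested without waiting.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a session ends (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard cap regardless of activity (assumed policy)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table enforcing idle and absolute timeouts."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT, clock=time.monotonic):
        self._idle = idle
        self._absolute = absolute
        self._clock = clock          # injectable so the timeouts can be tested
        self._sessions = {}

    def _expired(self, sess: Session, now: float) -> bool:
        return now - sess.last_seen > self._idle or now - sess.created > self._absolute

    def create(self, user: str) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str):
        """Return the user for a live session, or None (dropping it) if expired."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if self._expired(sess, now):
            del self._sessions[token]
            return None
        sess.last_seen = now                 # activity resets the idle clock only
        return sess.user

    def revoke(self, token: str) -> None:
        """Explicit logout."""
        self._sessions.pop(token, None)

    def revoke_user(self, user: str) -> int:
        """Kill every session of a user, e.g. when they leave. Returns the count."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def sweep(self) -> int:
        """Purge expired sessions that were never revalidated; run periodically."""
        now = self._clock()
        doomed = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print("valid:", store.validate(token))
    print("revoked for alice:", store.revoke_user("alice"))
    print("after revocation:", store.validate(token))
```

The absolute timeout matters for the insider case the section raises: an idle timeout alone is defeated by a script that keeps a session warm, whereas a hard cap forces the real person to re-authenticate.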
Disable unnecessary services and protocols
SMBv1 is an old Server Message Block protocol version that Windows uses for file sharing on a local network. It’s been replaced by SMBv2 and SMBv3.
However, some devices like MFDs (printers/scanners) still require SMBv1. As of 2019, a long list of SMBv1-dependent applications and devices existed.
If you have web servers, you may be running TLS 1.0 and TLS 1.1 even though current versions of modern browsers no longer support those versions for security reasons.
Even if some website visitors use an old browser that only supports TLS 1.1 or lower, you may still choose to disable TLS 1.0 and 1.1, because the risk of keeping them enabled given their known vulnerabilities is too high.
Restrict access to critical internal systems to only certain users
It is also essential to restrict access to internal systems to only the users who need it. This is especially true for administrative access to the internal systems that are critical to the business.
Internal users with access to internal networks or servers should be monitored closely for unusual activity. Access levels with permissions on different internal systems should also be managed carefully, usually with an internal system management tool.
Security experts often overlook internal threats; internal-facing threats, whether viruses or security breaches, are difficult to detect.
Keep up to date with internal security news, internal threat intelligence
To protect your internal networks from internal threats, you should keep up to date with security news and internal threat intelligence.
Websites that focus on business security include:
Some headlines alone may draw needed attention to a newly discovered vulnerability or a creative new social engineering approach that employees should be aware of.
Conduct internal (and external) penetration tests
An internal penetration test requires hiring a competent auditor who can emulate the behavior of an attacker who has already gained access to your network.
An experienced tester will create a map of your internal network. The tester will then perform brute force attacks on employee accounts and exploit any vulnerabilities to break into servers and other devices.
Internal threats are ever-present in many organizations, even small businesses.
Business owners, managers, and IT teams must be more vigilant than ever in defending against unauthorized access to valuable information assets.
Adopting a zero-trust stance and employing the right blend of technology can help mitigate these threats.
Also, a regular Network Security Assessment will identify group policies that need to be tightened down, user access vulnerabilities, and other services that may present an attack vector.