Insider Threats. When Friends Become Foes

This blog post is about Insider Threats. What will be clear shortly is that it’s not Ch1n@ that is going to attack you, it’s your own staff.

The first part is images from the website which contains a record of criminal convictions in the UK under the Computer Misuse Act, and others. Each image is accompanied by a brief explanation of what Should have been implemented that would have probably have stopped the malicious insider before they acted, or at least made them jump through a few more hoops before they could act.

The site gives a broad rundown on a range of convictions and their perpetrators, from malicious insiders, bored teenagers, proper cyber criminals and most worryingly, a high amount of Police that abuse their positions of power.

What is also clear is that for every one event that ends up resulting in a conviction and being recorded on the web site, there must between 1 and n that never made it to a conviction in the first place. Thousands of attacks must have slipped through the net for one reason or another.

The second part of this blog post is our specific Insider Threat policy that makes up one of the 20+ information security policies that we create as part of our IT Security Policy creation service. More information about this service offering is available here.

Exhibit 1 M’lud

Direct enabling cause. Shared passwords and/or unchanged passwords. Cost to the company £Half a million.

Exhibit 2 M’lud

Not immediately clear how the attack was perpetrated. Passwords should have been changed and accounts disabled. Possible checking for additionally created accounts should have been performed. Cost to the company £165,000.

Exhibit 3 M’lud

Direct enabling cause. Attacker still having access to the Dropbox account. Passwords should have been changed and/or accounts disabled, Multi Factor Authentication should have been enabled.

Exhibit 4 M’lud

Not entirely clear what form the Cyber Attack took, DDoS, ransomware or other. Cost to the company £180,000.

Exhibit 5 M’Lud

Direct enabling cause. Shared credentials and/or unchanged passwords.

Exhibit 6 M’Lud

Direct enabling cause. Unknown, but loose permissions probably involved. Did the Auditor really need access to all that staff information? Cost to the Company >£2,000,000.

Exhibit 7 M’Lud

Direct enabling cause. Loose password management. Failure to update passwords. Cost to the Company ~£50,000

Exhibit 8 M’Lud

Direct enabling cause. Shared or known passwords.

Exhibit 9 M’Lud

Direct enabling cause. Accounts not disabled. Passwords not updated. Cost to the Company £9,000

Exhibit 10 M’Lud

Direct enabling cause. Shared Passwords and/or passwords not updated.

The prosecution rests.

I don’t think you need to see anymore.

If you don’t get the potential seriousness and implications by now, I don’t think you ever will.

But what can we learn from all this?

  1. It’s to late after the horse has bolted.
  2. It could be cripplingly expensive for your business.
  3. People DO NOT become this disgruntled overnight, it’s a slow burning fuse of hate and anger that grows.
  4. Passwords MUST BE updated frequently and credentials MUST NOT be shared.
  5. Accounts of leavers MUST BE disabled, the moment they walk out of the door.
  6. MFA where available should be enabled.
  7. None of these cost you any money in advance but could cost you a fortune in hindsight.

These two reports just made me laugh.

1) What happened to the 6th Child and

2) Just what is a Sexual Adventurer and how do I become one?

The Second part of this happy go lucky blog post is OIC Solutions Insider Threat Policy. We share it with you freely. We can provide the full complement of required IT Security Policies that a modern business needs here.

Insider Threats Policy


It is a sad truth that once strong relationships spoil and once trusted allies can become dangerous threats, we must be prepared in advance for these types of situation. For as much as it is more exciting to think that an APT (Advanced Persistent Threat) or unfriendly Government is going to attack our company, we are far more likely to be attacked by a trusted or formerly trusted member of staff.

Tough economic times often precede staff redundancies. When staff are aware that their employment may be at risk and they start to think about what their next move should be if the worst happens, the temptation to steal intellectual property, databases, contracts etc can become greater than during economic boom times. However, economic downturns are not the only catalyst for a malicious insider to act.

This policy should be used in conjunction with the Human Resources department and their policies and practices for staff discipline. This is so that we as a company are not subject to compensation claims for wrongful dismissal or breach of contract etc.

This policy should also be used in conjunction with the Staff Leavers / Joiners Policy, Social Media Usage Policy, Acceptable Use Policy and the Ethics Policy.


Insider Threats are difficult to catch in the act, but potentially malicious insiders can betray themselves through their behaviours.


This policy is applicable to all staff members both permanent and contract.



  • The motivations in a high proportion of IT Sabotage cases are not financially driven, but driven by a negative event in the workplace or a poor performance review.
  • A Smoking Gun is unlikely. Malicious insider threats/activity are more likely to be betrayed through their behaviour, attitudes and interactions with other staff.
  • The most common data stolen in descending frequency from the “mitigating insider sabotage” SANS Whitepaper, available here.
    • Customer Database
    • Email Server Admin Account
    • M&A Plans (mergers and acquisitions)
    • R&D Plans (research and development)
    • CEO’s password
    • Financial Reports
    • Privileged Passwords List
  • Employee disgruntlement is a recurring factor in insider compromises. From the 4th Edition Software Engineering Institute “Common Sense Guide to Mitigating Insider Threats” available here; staff disgruntlement sources could stem from
    • Insufficient salary increase or bonus.
    • Limitation on use of company resources.
    • Diminished authority or responsibilities.
    • Perception of unfair work requirements.
    • Feeling of being treated poorly by co-workers.
  • Further possible indications of imminent malicious insider activity from the same Software Engineering Institute document could include.
    • Threatening the organisation or bragging about the damage the insider could do to the organisation.
    • Downloading large amounts of data within 30 days of resignation.
    • Using the organisations resources for a side business or discussing starting a competing business with co-workers.
    • Attempting to gain employees’ passwords or obtain access through trickery or exploitation of a trusted relationship (review the Social Engineering Policy for further information).
  • Potential seemingly innocuous behaviour that could be a precursor to IT Sabotage
    • Staff member behaviour and working practices start to change.
    • Staying much later at the office when they used to leave at the earliest opportunity.
    • Coming into the office at weekends.
    • Making remote connections to work resources at uncommon times, middle of the night or at the weekend.
    • Changes to server configurations, Auditing and logging disabled or Logs deleted.
  • From the NIST Special Publication 800-53 Revision 5 PM-12 Insider Threat Program.
    • Provide Insider Threat training to employees.
    • Human Resource records are especially important.
    • Insider crimes are often preceded by non-technical behaviours in the workplace, including ongoing patters of disgruntled behaviour and conflicts with co-workers and other colleagues.
  • Behavioural indicators of a potential Insider Threat
    • Digital behavioural indicators
      • Downloading or accessing substantial amounts of data.
      • Accessing sensitive data not associated with their job function.
      • Accessing data that is outside of their behavioural profile.
      • Multiple requests for access to resources not associated with their job function.
      • Using unauthorised storage devices (e.g. USB drives or cloud storage accounts).
      • Network crawling and searches for sensitive data.
      • Data hoarding and copying files from sensitive folders.
      • Emailing sensitive data outside the organisation.
  • Some safe guards that should be in place include
    • Staff should not be sharing passwords. Enforced frequent password changes are advisable.
    • The principle of Least Privilege for access levels.
    • There should be a form of non-repudiable logging of staff accessing the premises out of ordinary working hours. Another staff member should be informed by phone call or email of the staff members’ intentions. If no onsite security is employed, the entrances should be monitored by CCTV, the recordings should be retained for as long as is practical.
  • An Exit Interview should be conducted before the staff member leaves for the final time. Review the Staff Joiners and Leavers Policy for further information.
  • Hard Disks from computers should be retained for future forensic examination.
  • There should be an anonymous and confidential means for staff to report potential suspicious or concerning behaviour by others.
  • Periodic account audits of user accounts both on the local Active Directory network and Cloud based accounts should be conducted in an effort to identify
    • Backdoor accounts that could be used later for malicious insider actions, whether these accounts were specifically set up by the insider or left over from a previous employee.
    • Shared accounts whose password was known by the insider and not changed upon the insider’s termination or reassignment to another position within the company.
    • Accounts created for external partners that have not been changed upon the insiders’ termination or reassignment.
    • Password resets performed in excess by administrators or for infrequently used user accounts.
  • Every account should be attributable to an individual.

Policy Compliance

  • XXXX management will verify compliance to this policy through various methods including but not limited to, periodic walkthroughs, video monitoring, business tool reports, internal and external audits and feedback.
  • Any exceptions to this policy must be approved by XXXX management in advance.

Finally OIC Solutions can help you, through our sister organisation with actively monitoring your network and conducting malicious insider investigations to produce forensically sound court admissible evidence.

You can contact us here.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close