The Enemy within – Securing the business against the internal threat


The news archives are littered with stories of organisations betrayed by trusted colleagues, including the most innocuous-looking workers. The trust that organisations place in their workforce leaves them exposed to malicious employees, who often go to considerable lengths to hide their activities. Attacks from the inside can do damage that rivals or exceeds that caused by external attackers, and an internal attack that continues undetected does cumulative harm. Perhaps most significantly, it can expose the personal information of customers or employees. A breach of this kind, whether identity theft, inappropriate use of data or the sale of sensitive information, can leave an organisation legally liable for the resulting damages and subject to regulatory fines. A company's competitive position can also suffer if an insider uses intellectual property or trade secrets for unauthorised purposes.

Insider threats in particular present a unique problem for a physical protection system. Insiders can take advantage of their access rights, complemented by their authority and their knowledge of a facility, to bypass dedicated physical protection elements or other provisions such as safety measures, material control and accountancy, and operating procedures. Further, as personnel in positions of trust who are already inside the perimeter, insiders can use 'defeat' methods that are not available to outsiders, whom protective measures such as intruder detection and access control are designed to keep out. Insiders also have more opportunities to select the most vulnerable target and the best time to execute a malicious act.

Therefore, securing the business against the insider threat requires, first, an assessment to understand what those threats might be. Insiders may have different motivations and may be passive or active, non-violent or violent. The term 'motivation' describes the motive forces that compel an adversary to perform or attempt to perform a malicious act. Motivation may include ideological, personal, financial and psychological factors, as well as other forces such as coercion. Insiders could act independently or in collusion with others. They could become malicious on a single impulse, or act in a premeditated and well prepared manner, depending upon their motivation.


Anybody can pose a threat

Insiders may hold any position in an organisation, from security guards through maintenance staff to senior management. Others who are not directly employed by the operator but who also have access should be considered as well: vendors, emergency personnel (including firefighters and first responders), contractors, subcontractors and inspectors from regulatory organisations. It is vital that organisations understand normal employee baseline behaviours, and that employees understand how they may be used as a conduit for others to obtain information.


Thus, one of the first steps must involve policy making — the definition of parameters for acceptable behaviour within a peer group. These parameters will serve as the baseline for comparative analysis, so it is important to establish user profiles based on historical data or concrete experience — not just business expectations that may or may not be realistic. Building a baseline understanding of the personalities and behavioural norms of those previously defined as ‘insiders’ will make detecting deviations in these norms easier. Some general behavioural characteristics of insiders at risk of becoming a threat include:

  • Greed/ financial need
  • Vulnerability to blackmail
  • Compulsive and destructive behaviour
  • Rebellious, passive aggressive
  • Intolerance of criticism
  • Self-perceived value exceeds performance
  • Lack of empathy
  • Predisposition towards law enforcement

Obviously, these characteristics alone do not mean that your organisation is under threat, and the list is not exhaustive, but it is important to realise that individuals who exhibit them may reach a point at which they carry out malicious activity. One of the best prevention measures is to train employees to recognise and report behavioural indicators exhibited by peers or business partners.


Who should have access?

Another common-sense recommendation for preventing security breaches is to restrict privileged access to as few people as possible and keep watch over those who have it. Insiders may have access to some or all areas of a facility, systems, equipment or tools, or possess intimate knowledge of the facility layout, transport arrangements, processes, physical protection, safety systems and other sensitive information. Too often, organisations give employees more access to systems and data than they really need to do their jobs. They also fail to monitor or disable accounts for third-party contractors when their work is done, or to remove access privileges for ex-employees.


Integrated Security Systems

Most organisations will have at least some of the security elements needed to protect against malicious internal attacks: authentication systems, asset tracking software, device and Internet usage monitoring capabilities, to name a few. However, it is critical for these pieces to interact as seamlessly as possible. One of the difficulties in detecting insider attacks is the time it takes to analyse a vast amount of data coming from a wide array of devices, entry points and user accounts.


Through the integration of a wide range of security components, both physical and cyber, systems can communicate in real time, enabling a faster response before data can be used for illegitimate purposes, and in some cases stopping an attack before it completes. Administrators should be able to use a central console that compiles messages and events from systems that monitor everything from door alarms through to network devices and application usage. This removes much of the effort normally spent manually reviewing historical logs and searching for complex relationships across systems. Integration enables events to be correlated across the enterprise. For example, if an account logs on to an application from inside the facility without the badge system having recorded that person passing through a physical access point, or is used remotely while the badge system shows the person on site, the behaviour can immediately be flagged as unusual and potentially harmful. Without this automatic, real-time correlation, the anomalous access may not be detected quickly enough, and a delay of even a few hours can provide an ample window of opportunity for a would-be attacker.
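The badge-versus-logon correlation described above can be expressed in a few lines once both feeds share a user identifier and a synchronised clock. The following Python script is an added example, not Honeywell's or any product's code: it replays a constructed single-site event feed, tracks who the badge system says is on site, and raises an alert whenever a logon contradicts that picture. The event line format, the field names and the "onsite"/"remote" logon sources are assumptions made for the example.

```python
"""Correlate physical badge events with logical logon events.

Added example, not Honeywell's or any product's code. It applies the
correlation described above to a small constructed event feed and raises an
alert when the physical and logical records disagree. The event format,
field names and the "onsite"/"remote" logon sources are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str    # "badge_in", "badge_out" or "logon"
    source: str  # door name for badge events; "onsite" or "remote" for logons


def parse_line(line: str) -> Event:
    """Parse one constructed line: ISO-8601 time,user,kind,source."""
    ts, user, kind, source = line.strip().split(",")
    return Event(datetime.fromisoformat(ts), user, kind, source)


def correlate(events):
    """Replay events in time order, tracking who the badge system says is on
    site, and return (event, reason) pairs for logons that contradict it."""
    alerts = []
    on_site = set()  # users with a badge-in and no later badge-out
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "badge_in":
            on_site.add(ev.user)
        elif ev.kind == "badge_out":
            on_site.discard(ev.user)
        elif ev.kind == "logon":
            if ev.source == "onsite" and ev.user not in on_site:
                # Someone is at a workstation inside the facility without the
                # badge system having let them in: tailgating or a shared account.
                alerts.append((ev, "onsite logon without badge-in"))
            elif ev.source == "remote" and ev.user in on_site:
                # The badge says the person is in the building, yet their
                # credentials are being used from outside it.
                alerts.append((ev, "remote logon while badged in on site"))
    return alerts


def analyse(log_text: str):
    return correlate(parse_line(l) for l in log_text.splitlines() if l.strip())


# Constructed sample feed: one day of badge and logon events at a single site.
SAMPLE_LOG = """\
2024-03-04T08:02:00,alice,badge_in,lobby-east
2024-03-04T08:15:00,alice,logon,onsite
2024-03-04T08:20:00,bob,logon,onsite
2024-03-04T09:00:00,alice,logon,remote
2024-03-04T17:30:00,alice,badge_out,lobby-east
2024-03-04T19:05:00,alice,logon,remote
"""

if __name__ == "__main__":
    for ev, reason in analyse(SAMPLE_LOG):
        print(f"{ev.ts.isoformat()} {ev.user:<8} {reason}")
```

Run over the sample, the script flags bob's onsite logon (no badge-in) and alice's 09:00 remote logon (badge says she is in the building), and correctly leaves alice's evening remote logon alone because she badged out first. Two preconditions matter in practice: the badge and identity systems must agree on who a user is and on the time, and a multi-site organisation has to key presence by site, since a badge-in at one building says nothing about a workstation in another.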


Similarly, an automated response to events can help to prevent or mitigate damage. This may mean alerting security personnel, automatically starting CCTV recording, or even notifying emergency services; the systems themselves must be capable of acting immediately in response to unacceptable behaviour.


The overall approach to securing the business against the insider threat consists of implementing several layers of defence, including both administrative aspects (procedures, instructions, access control rules, confidentiality rules) and technical aspects (multiple protection layers fitted with detection and delay) that insiders would have to overcome or circumvent in order to achieve their objectives. Implementing preventive and protective measures to counter the insider threat is usually much more difficult than implementing measures to counter the outsider threat, because of the access, knowledge, authority and attributes of insiders. Thus, elements already in place against the outsider threat should be re-examined for what they contribute against the insider threat, and any further elements that could help should be considered. These elements include deterrence, detection, delay and defence provisions. Their combined effect should be established and formally integrated within the comprehensive approach.


Honeywell offers a range of solutions that allow organisations to keep pace with the dynamic security threats facing them today. By evaluating the impact of evolving vulnerabilities and business risks, an organisation can identify its strengths and weaknesses, and implement practical measures to effectively align security programs with specific business objectives.


Our services include operational risk and security assessments, and the design and implementation of security technologies to provide perimeter security, application security, enterprise authentication and access control. Our extensive experience, coupled with advanced technology, provides superior knowledge and best-of-breed tools and techniques, enabling us to deliver tailored security solutions that integrate the right combination of hardware, software, and access and policy management platforms for our customers.