When Good People Become Insider Threats

The business world is fraught with threats that come from both inside and outside. Threats can originate with nation states or even rogue hackers, but often threats involve the risks that are posed by MSP employees. Most likely, your staff are good people who unintentionally become a hazard. In fact, recent statistics show that insider threats account for approximately 60% of all data breaches. In those cases, managing threats requires a different focus.

What Is an Insider Threat?

An insider threat is a type of cybersecurity risk where the potential damage originates from inside your MSP. The threat may come from an employee, a partner, a contractor you’ve hired or anyone else that has been granted legitimate access to your systems. However, these threats can often be unintentional and the result of simple human error or oversight. As a MSP, it is often your job to provide a service as a third party, making it extremely important that you take extra measures to mitigate insider threats.

5 Types of Insider Threats

Insider threats range in varying degrees from the intentional to the unintentional. Understanding your risk from all angles is the key to ensuring your MSP doesn’t become a threat to your clients and your own business. These are the different insider threat personas you should be anticipating.

1. The Collaborator

The collaborator is a type of malicious threat. These are people you have hired to work for you and who have legitimate access to your systems and clients. Collaborators are operating in conjunction with a third party to disrupt the activities of your MSP or your client. The collaborator could be acting on behalf of a nation state, an outside organization, a criminal group or individuals.

2. The Lone Wolf

The lone wolf acts independently and operates without external influence but is still considered to be a malicious threat. These people are considered to be particularly dangerous because they’re acting of their own volition and often have access to mission-critical systems.

3. The Pawn

The pawn is a person that is performing the bidding of a malicious person without knowledge or awareness of their participation. Pawns often fall victim to social engineering scams or phishing which can compromise your systems though malware or unauthorized use of credentials.

4. The Goof

The goof is an employee who frequently takes shortcuts and sidesteps company policy, but who doesn’t harbor any malicious intent against your MSP or your clients. Often, they don’t truly grasp the ramifications of storing sensitive information where it shouldn’t be or bypassing necessary password mandates.

5. The Mole

The Mole is what you envision when you think of popular movies. This person is an outsider, one that does not work for your MSP or client and who has gained access to your systems.

How Can You Avoid Insider Threats?

Avoiding insider threats almost always starts with education. Recent CompTIA research shows that more than 1/3 of organizations think there should be a greater focus on employee education. Since your perpetrator is most likely an employee caught up in an unfortunate situation, education is often a great first measure.

Here are some other steps to take:

• Teach all of your MSP staff how to recognize social engineering threats: One of the main culprits of insider threats is phishing. With more than half of breaches being the result of good gone wrong, we need to take steps to educate those at your MSP so they can recognize, thwart, report and avoid social engineering scams.
• Monitor employee activity: Logging user activity is a good way to identify anomalies and locate the source of any potential threats. Even if the threat is simple human error, identifying something out of the norm can be the first step in pinpointing a larger vulnerability.
• Develop security policies and procedures: It should not be assumed that all MSP employees will act in the best interests of your business. In fact, a greater focus on process improvement was cited as the number-two priority for organizations in 2024. Your employees likely mean well, but they may also be tempted to cut corners or even be unaware of what types of security policies they should be following.
• Limit the access of third parties and vendors: Implementing role-based user controls only gives certain people full, limited or zero access to certain technologies. Third parties are a known security risk and ensuring they have the right permissions is crucial. But limiting the access of legitimate entities can prevent good people from inadvertently going wrong.
• Develop an asset inventory: Asset inventories make it easy to know what technology you have and where it is. This limits the likelihood that rogue equipment could pose a risk and allows you to quickly identify where anomalies are coming from.
• Implement and practice incident response and disaster recovery: CompTIA research shows that proper incident response will be the top priority for organizations in 2024. Making sure you are regularly running through incident response exercises and disaster recovery will help to educate staff and ensure quick response times.

How to Manage Insider Threats That Become Reality

Should your good employee inadvertently cause some things to go wrong, here are some tips for managing a threat that has become a reality:

• Remove access from your employee immediately to limit further damage
• Contain the threat to only the affected systems by removing those systems from others on your network
• Notify key members on your team to engage those with critical knowledge
• If possible, fix the problem, if not, deploy incident response and/or disaster recovery plan
• Save data related to the threat for future analysis
• Update documentation and procedures to mitigate future threats

Resources for Managing Insider Threats

To learn more about identifying, mitigating and managing insider threats, check out these helpful resources:

• Video: How to Prevent and Protect Yourself From Social Engineering
• Whitepaper: Embedding Cybersecurity Into Your Culture
• Guide: What Is Information Technology (IT) Risk Management?
• Resources: CISA.gov
• Toolkit: Center for Development of Security Excellence Insider Threat Toolkit
• CompTIA Information Sharing and Analysis Organization (ISAO)
• Resources: Office of the Director of National Intelligence Additional Insider Threat Resources