Is your startup protected against insider threats?

Employees are one of your biggest assets, but human beings are the weakest link in the security chain

We’ve talked about securing your startup, the need to understand phishing risks and how not to handle a data breach. But we haven’t yet discussed one of the more damaging threats that all businesses large and small face: the insider threat.

The insider threat is exactly as it sounds — someone within your organization who has malicious intent. Your employees will be one of your biggest assets, but human beings are the weakest link in the security chain. Your staff are already in a privileged position: they have access to far more than they would as an outsider. That means taking data, either maliciously or inadvertently, is easier for staff than it might be for a hacker.

“Organizations need to understand that the threats coming from inside their organizations are as critical as, if not more dangerous than, the threats coming from the outside,” said Stephanie Carruthers, a social engineering expert who serves as chief people hacker at IBM X-Force Red, a division of Big Blue that looks for breaches in IoT devices before — and after — they go to market.

Insider risks can become active threats for many reasons. Some individuals may become disgruntled, some want to blow the whistle on wrongdoing and others can be approached (or even manipulated) by career criminals over debts or other matters in their private life.

There are plenty of examples, many not too far back in recent history.

The National Security Agency saw three whistleblowers in the past decade. The most well-known was Edward Snowden in 2013, followed by Reality Winner in 2017, after she sent a classified document to news site The Intercept, and Daniel Hale earlier this year, for disclosing details about the U.S. government’s drone warfare.

Aside from those who claimed to expose internal, classified government files on moral grounds, the largest leak of classified information in U.S. history came from Harold Martin, a former NSA contractor who stole more than 50 terabytes of classified NSA data over several years. How did he leak so much? He walked it out the front door because there were no TSA-style checks at NSA headquarters — everyone is highly trusted and vetted. But that didn’t stop Martin from siphoning off years’ worth of secret data.

Earlier this month, security firm Trend Micro disclosed an insider threat — an employee reportedly “improperly accessed” customer data with “criminal intent,” a breach that affected approximately 68,000 customers. The worker in question used “fraudulent means” to get access to a customer support database, which was then allegedly sold to a malicious actor.

And, just a day later, Twitter confirmed that at least two employees were secretly working for Saudi Arabia to spy on political activists, journalists critical of the Saudi regime and other dissidents. The spies’ activity prompted the social media giant to warn possible victims of state-sponsored hacking. All three former Twitter employees are now facing federal charges.

Research from the Ponemon Institute says the risks of insider threats are getting worse — with the number of incidents rising by one-quarter since 2016. And because insider threats can take months before they are detected, they are harder to resolve.

It’s not just big organizations, either. Smaller firms and startups are just as vulnerable to insider threats, said Carruthers. But there are steps all companies can take.

“Most coworkers develop a bond of trust with each other, especially in the close quarters of a fast-paced startup,” she said. “This close-knit community environment combined with a desire for efficiency can lead to decisions that are unsafe in the long run,” she added.

“For example, many small companies will use shared passwords across multiple software programs and applications. If they have one set of credentials, an insider can often access more information within that program than they should, or use that password to guess the login for a more sensitive system,” she said. “Also, shared systems such as cloud drives or project management tools may have poor permissioning that allows insiders to access information beyond the projects they are working on,” she added.

“These problems can be exacerbated in the close quarters of an open office environment,” she said.

Compartmentalizing customer data and restricting access to that information with strict policy controls ensures that only the most highly vetted and trusted staff have access. It’s not, however, a guarantee that data won’t be misplaced or taken. Some companies explicitly take a “zero knowledge” or “zero data” policy to begin with by simply not storing any data in a human-readable way, but that often requires corporate foresight of these kinds of threats.

The basics go a long way and will help to prevent the more opportunistic incidents.

“It’s important for startups and all companies to develop sound security practices early by making sure there are effective and substantial barriers to access any sensitive information without explicit permission,” said Carruthers.

“There should be clear and enforced policies to keep a clean desk (no passwords on sticky notes, no sensitive documents in plain sight), lock file cabinets containing sensitive information and to shred papers that are no longer needed,” she said.