Combating Insider Threat During the Pandemic

Businesses of all sizes are at risk from infractions by insiders, including malicious actors seeking to capitalise on a time of crisis. While organisations fight simply to keep their heads above water, cybersecurity operations are likely stretched to their limits. Amongst the plethora of risks, insider threat continues to pose a problem for organisations regardless of size or stature.

Insider threat is the risk posed by employees or contractors who steal sensitive data, misuse their access privileges, or commit fraud that puts the organisation’s reputation and brand at risk. The insider’s behaviour can be malicious, complacent or simply ignorant; whichever it is, the impact on the organisation can be amplified, resulting in monetary and reputational loss.

Companies have previously tried to mitigate this risk by investing in tools, people and processes, but the problem has been further exacerbated by the number of people now doing their jobs from home. Insiders have become outsiders: they work beyond the office and the network perimeter, so controlling their behaviour and what happens on the network has become more difficult, particularly where organisations have loosened restrictions to keep the business functioning.

The 2020 Insider Threat Report Findings in context

Despite the best efforts of security teams, exfiltration of sensitive or concerning data over email continues to be the number one egress vector, followed by web uploads to cloud storage sites such as Box and Dropbox. Data aggregation and uploads to cloud applications are naturally becoming more common as companies embrace cloud infrastructure and applications for end users, but this creates additional egress vectors unless businesses familiarise themselves with the risks and act on them. The report also showed that 80% of employees deemed “flight risks” (those whose behaviour patterns indicate they are about to leave the company) take data with them anywhere from two weeks to two months before their termination date.

Now consider this in the context of a global pandemic, where employees are even less certain of their standing in the company, have been furloughed or, worse, have been made redundant. It is a concerning prospect for organisations at an already unpredictable time, with the data clearly pointing to human behaviour as the riskiest of the many threats an organisation will face.

Take, for instance, the circumvention of IT controls, which was confirmed to be prevalent across all organisations. IT security operations teams, especially in large enterprises, find it difficult to draw conclusions about such incidents even at the best of times, mostly because policies and procedures are missing or differ between lines of business. Now, with more people than ever working from home, circumvention of IT controls has likely increased as workers take the easy route to data access and storage rather than the most secure one.

To further illustrate this point, as businesses shift to remote working, account sharing continues to be a huge problem, resulting in compliance and security hygiene issues: once credentials are shared, activity can no longer be attributed to a single person. The past several months have seen an increase in network shares being compromised by suspicious accounts, forcing companies to close the gap between external and internal threat detection.


Protect what matters most

With this in mind, businesses should prioritise protecting the most critical aspects of business operations. It is important to isolate the specific insider threat behaviours that are affecting organisations, so that security teams know what to detect and how to detect it. For example, Securonix’s Threat Research team has found that malicious emails have risen sharply. The payloads delivered by these emails steal web browser cookies, enumerate system information, target cryptocurrency wallets and exfiltrate the stolen information.

Traditional technologies such as Data Loss Prevention (DLP) tools, privileged access management (PAM) solutions and other point products are no longer sufficient on their own to detect insider threat behaviour today. The adoption of cloud systems presents a complex threat fabric that requires advanced security analytics with purpose-built algorithms to detect specific outcomes. It is also essential to stitch these indicators together into a threat chain that represents the holistic threat, which allows for effective response and mitigation.

In order to reduce the risk that these attack vectors pose, it is recommended that enterprises:

Use a behaviour anomaly technique: To detect privileged access abuse, an important insider threat for companies to combat, apply curated multi-stage detection that combines a rare occurrence of an event (for example, a first-time access to a sensitive system) with anomalies that indicate suspicious or abnormal usage. This method is proving effective because it correlates deviations from what is deemed “normal” behaviour for accounts, users and systems, rather than alerting on any single deviation.


Review VPN policies to facilitate adequate visibility: Ensure that split-tunnelling is disabled, since traffic that bypasses the VPN also bypasses the monitoring behind it (note that this routes all remote traffic through the VPN, so capacity must be planned accordingly). Collect VPN server logs, at minimum for the predetermined set of users who access sensitive information. It is also important to maintain visibility into the cloud application/Software-as-a-Service (SaaS) logs used by your remote workforce in order to detect malicious emails and other external threats.


Deploy SSO and Multi-factor authentication (MFA): To limit unauthorised access to business-critical information, security teams should deploy single sign-on (SSO) and 2FA/MFA, and collect their logs, in order to verify the identity of users with access to sensitive information. Privileged user access should also be reviewed regularly to ensure that users only have access to the information they need to do their job.


Never underestimate the importance of education: Even in these precarious times, one thing is certain: cybercriminals will stop at nothing to steal sensitive information. By educating employees on security hygiene while working from home, organisations can greatly reduce the human-factor mistakes that lead to a data breach. We are all in this together, and security starts with the individual, especially when security teams are already stretched too thin.
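As an added illustration of the multi-stage behaviour anomaly approach recommended above (this is example code written for this page, not code from the original article or from Securonix), the Python below builds per-user baselines from a constructed set of access-log lines and raises an alert only when a rare event (a target the user has never touched before) is corroborated within an hour by an anomaly (off-hours activity, or a data volume far above the user's baseline). The pipe-delimited log format, the sample users and targets, the business-hours window, the one-hour correlation window and the three-sigma volume threshold are all assumptions chosen for the example.

```python
"""Added example: multi-stage insider-threat detection over constructed logs.

Stage 1 flags a rare event (a user touching a target absent from their
baseline).  Stage 2 flags anomalous usage (off-hours activity or a byte
volume beyond mean + 3 standard deviations of the user's baseline).  An
alert fires only when both stages hit for the same user inside WINDOW, so a
single odd-but-benign event does not page anyone.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed pipe-delimited format: timestamp|user|action|target|bytes.
# Both logs are constructed for this example, not real data.
BASELINE_LOG = """\
2020-03-02T09:14:00|alice|read|finance-share|120000
2020-03-03T10:02:00|alice|read|finance-share|98000
2020-03-04T11:40:00|alice|read|finance-share|150000
2020-03-05T14:05:00|alice|read|hr-portal|40000
2020-03-06T09:30:00|alice|read|finance-share|110000
2020-03-02T08:55:00|bob|read|eng-repo|500000
2020-03-03T09:10:00|bob|read|eng-repo|450000
2020-03-04T10:20:00|bob|read|eng-repo|520000
2020-03-05T16:45:00|bob|upload|dropbox.com|30000
2020-03-06T09:00:00|bob|read|eng-repo|480000
"""

RECENT_LOG = """\
2020-04-01T09:05:00|alice|read|finance-share|105000
2020-04-01T22:41:00|alice|read|eng-repo|90000
2020-04-01T22:50:00|alice|upload|dropbox.com|2400000
2020-04-02T10:15:00|bob|read|customer-db|60000
2020-04-02T10:30:00|bob|read|eng-repo|490000
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59, an assumed policy
WINDOW = timedelta(hours=1)     # rare event and anomaly must co-occur within this
VOLUME_SIGMA = 3.0              # bytes above mean + 3*stdev count as anomalous


def parse(log):
    """Turn log text into a list of event dicts with a parsed timestamp."""
    events = []
    for line in log.strip().splitlines():
        ts, user, action, target, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile: the set of targets seen and byte-volume mean/stdev."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {"targets": {e["target"] for e in evs},
                          "mean": mean(sizes), "stdev": pstdev(sizes)}
    return baseline


def stage_rare(event, baseline):
    """Stage 1: first-ever access to this target by this user (or unknown user)."""
    prof = baseline.get(event["user"])
    return prof is None or event["target"] not in prof["targets"]


def stage_anomalous(event, baseline):
    """Stage 2: return the list of anomaly reasons for one event (may be empty)."""
    reasons = []
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    prof = baseline.get(event["user"])
    if prof and event["bytes"] > prof["mean"] + VOLUME_SIGMA * prof["stdev"]:
        reasons.append("volume")
    return reasons


def detect(baseline_log, recent_log):
    """Return {user: [(rare_target, {reasons}), ...]} for rare events that are
    corroborated by at least one anomaly within WINDOW of the same user."""
    baseline = build_baseline(parse(baseline_log))
    by_user = defaultdict(list)
    for e in parse(recent_log):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        for rare in (e for e in evs if stage_rare(e, baseline)):
            reasons = set()
            for e in evs:
                if abs(e["ts"] - rare["ts"]) <= WINDOW:
                    reasons.update(stage_anomalous(e, baseline))
            if reasons:  # stage 1 AND stage 2: a threat chain worth an alert
                alerts.setdefault(user, []).append((rare["target"], reasons))
    return alerts


if __name__ == "__main__":
    for user, chain in detect(BASELINE_LOG, RECENT_LOG).items():
        for target, reasons in chain:
            print(f"ALERT {user}: rare access to {target}, anomalies {sorted(reasons)}")
```

Run against the constructed logs, only alice is alerted: her first-ever access to eng-repo and the upload to dropbox.com both occur at night and the upload is roughly twenty times her usual volume. Bob's first access to customer-db is also a rare event, but it happens during business hours at a normal volume, so stage 2 never fires and no alert is raised; that is the point of requiring the stages to corroborate each other rather than alerting on every single deviation.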


As the network becomes more porous because of a situation that organisations had little time to prepare for, they may find themselves in catch-up mode, particularly when it comes to cybersecurity operations. Time will tell the effect this will have on companies, but by applying some basic security measures in combination with behavioural analysis, security operations can obtain the visibility that is absolutely needed at times like these and make further improvements to support the overall security of the enterprise now and into the future.


By Shareth Ben, Director of Insider Threat & Cyber Threat Analytics at Securonix. 
