In today’s cyber landscape, defending against cyber breach means being observant of both technological and human factors. All technology is created, managed, and used by humans. No technological barrier protects against a disloyal human being who is already on the inside and holds the key in their hands. We need to embrace the insight that it is vital to keep track of our own people to make sure that they really stay our own.
This blog post explores the methods of the aggressor and the incentives of an insider. Contrary to common belief, the insider him- or herself is not the qualified intelligence professional with the typical attributes you might envision from films and fiction. That person is far away, hidden in safety. The insider is anyone – the ordinary employee – who just happens to be in a bad place at the wrong time and who makes the wrong decisions for the wrong reasons and becomes an insider threat within your organization.
How Is the Insider Recruited?
It's called targeting. To identify which individual might have access – or later on probably be given access – to security-sensitive information or operation. If this person also falls under one or both of the two categories listed below, that would make them an attractive target for the aggressor. Given the strategic security landscape around us, we need to accept that the aggressor is increasingly a foreign state power with intelligence interests in Sweden. That means a qualified party with the intent and the ability to recruit and use multiple insiders.
Normally foreign intelligence services work in ways that create deniability. Contact with the insider will occur through a network of professional handlers that build trust with the target, grow what is perceived as genuine friendship, and shape loyalty over time. Experience shows that it is often difficult for the insider to explain when it all started. The first “test job” is always innocent and just a simple gesture between friends.
Two Primary Drivers for an Insider
Life is complex. It's full of happiness, misery, and everything in between, in a crazy mix that is impossible to plan and see coming. Things just happen – good and bad – and life takes its toll. Every day makes you stronger and smarter but also leaves you with frictions and bruises, and the experience that life brings shapes you and affects you over the years – one friction at a time. Most of us are born with a heart-mounted moral compass that guides us and makes us separate between right and wrong. We have built-in automated brakes that hold us back and steer us right. Even when we truly desire something, we're not prepared to cross that final boundary to get it, not if it means betraying your friends and family, your values, or your country.
But that is not the case for everyone. Experience shows that there are two primary reasons for crossing the line. No. 1 is voluntary, and No. 2 is non-voluntary. In Category 1 falls the individual with a faulty or wrongly designed moral compass, the one who thinks along different paths than others but still hides it in everyday life, not necessarily by lying and deceiving, just by not reacting in the same way as we do. You might want to put names to that to grasp it properly – being a sociopath or having problems with empathy. This person might simply feel it to be right to give away information in exchange for money, especially if the offer comes together with flattery and admiration. “Finally, someone who appreciates my true value and trusts me to do a job that requires courage…”
In Category 2 falls the individual who gives in to pressure against one’s will, who might be cornered and feels that there is no way out but to do what it takes to get rid of a threat to the family or the financial debt that weighs on the shoulders and is getting out of hand. This person is someone who carries with them the kind of friction of life that, from a security standpoint, would be described as a vulnerability – something that can be exploited by a second party to gain access to security-sensitive information or operation. These kinds of vulnerabilities are attractive to the aggressor, who uses them as leverage to build extortion and constantly increase the level of pressure or threat until it breaks.
Insider Threat Indicators
- The person who quickly adopts a more luxury lifestyle than before, or in comparison to existing salary and economic status.
- The person who begins to show interest in something very specific and sensitive that lies outside the ordinary job area.
- The person who obviously seems to be in a bad place in life but at the same time holds a security-sensitive position. We are all in bad places from time to time, but this person is reluctant to explain the cause even in a relaxed or confidential setting, or the story doesn’t fit together.
- The person who reacts in a manner that is unproportionately nervous or aggressive when you ask, "how are you doing?"
Rise Your Insider Threat Awareness
The method to counteract the insider threat is education and training to raise awareness and continuous security vetting throughout the employment lifecycle. It is a question of caring for both the organization and the individual. We will discuss more about this in the following article.
- The insider threat is increasing as it is a smart way of gaining access - in combination with or instead of - regular cyber attacks.
- Severity increases when the power behind the insider is a foreign intelligence service with the intent and ability to follow through with an intelligence operation. Foreign states’ interest in Swedish security-sensitive information and operation is escalating.
- The insider is not the hard-core intelligence professional you might imagine but the ordinary employee with a personal situation that makes them willing to cross the line or susceptible to pressure.
Read more about Human Threat Intelligence or contact Truesec for more information or support.