Insiders take many forms. At one end of the spectrum are the inadvertent insiders who facilitate access by hostile actors by thoughtlessly clicking on phishing emails. Other insiders include reckless employees, staff and contractors who fall out with management, and staff who become ideologically motivated or corrupted. They may also, albeit relatively rarely, be surreptitiously placed in organisations by organised crime gangs, activists and/or hostile nation states.

Insider risk has been around forever, and most organisations have reasonably well-developed defences against conventional insider activity such as fraud and reckless behaviour. However, the insider threat landscape is changing in multiple ways.

Drivers behind the growth of insider risk

The threat to systems and data from insiders has grown rapidly because strengthened cyber security defences have made it harder for remote hackers to gain access to systems and undertake fraud, espionage and disruption.

Insider threats have also grown sharply as a result of rising geopolitical tensions, which have driven a step change in efforts to compromise staff, both by persuasion and through manipulation, as well as in efforts to place agents.

Insider threats have proliferated, and become harder to deal with, because of the growth in outsourcing to third parties and “insiders” beyond the corporate perimeter – especially in technology supply chains.

New forms of insider threat are also beginning to have real impact. Attacks using AI, notably increasingly sophisticated spoofing of senior executives and business partners, are already causing harm. Meanwhile, attacks on AI systems (which are de facto insiders, often with highly privileged access) are becoming a major issue.

Finally, concerns about the role of insiders acting as proxies for nation-state hybrid attacks and as knowing or unknowing facilitators of information warfare campaigns are growing.

The insider threat to national preparedness and resilience

The threat to organisations that operate critical national infrastructure, hold significant sensitive data, provide important (especially technology) services to other organisations, enable trade in strategically important products, and/or have access to valuable financial and other assets has increased substantially over the past five years or so.

Current assessments indicate that the scale of insider activity may have increased by as much as an order of magnitude since the immediately pre-pandemic years.

Hostile nation states are engaging in complex, sometimes multi-year programmes to establish persistent presence and the capability, not only to undertake espionage, but also to deliver disabling attacks.

Insiders can facilitate the delivery of a range of cyber, physical and other attacks. They can also be used to undermine preparedness, organisational resilience and the continuing delivery of important business services.

The challenges presented by insider risk

Insider risk is complex. It is not simply an HR challenge, nor simply a technical or physical security challenge. Effective insider risk management requires a coordinated and integrated approach that combines technical, HR and physical measures to address new risks. All too often, staff in one functional area fail to appreciate the risks, and the importance of action, in other domains. For instance, HR teams often do not have a sufficient grip on the management of technically highly privileged staff.

Insider risk is typically underestimated. Most organisations think they understand the risk and believe they have appropriate defences in place, including organisational policies and procedures (e.g., segregation of duties and the delegation of authority) and cyber security controls. However, for many organisations the recent sharp rise in threats has not been recognised and addressed.

Insider risk is even more complex than it used to be because of the explosive growth in the number of third-party staff, contractors and systems that have access to and (often) insights into the operations, data and other assets of the organisation. Management of insider risk now needs to go “beyond the corporate perimeter”. It also needs to address the potential risks an organisation’s staff and contractors present as insiders to its customers and other business partners.

Insider risks have also increased with the growth of hybrid and mobile working and the associated use of insecure environments.

Insider risk is no longer a purely human risk. Many of the most potent threats are a combination of human, cyber and physical risks. Technology-enabled attacks continue to grow and evolve. The explosive, often poorly controlled deployment of AI is creating a whole range of new insider-related threats and attacks.

Because of the sharp increase in, and evolution of, insider-related threats and the cross-functional complexities of insider risk management, new governance and oversight are typically needed to ensure that appropriate and proportionate organisational, technical and operational measures are delivered by organisational leaders and by security teams that are otherwise often siloed.

The agenda for boards and top management

  • Review threats, risks and the maturity of existing defences and then, as appropriate, ensure that there is a proportionate strategy in place, and clarity on and commitment to the joined-up measures to be taken. In particular:
    • Ensure that there is clear functional management responsibility for the integrated risk management of insider risk across HR, technical/cyber and physical domains.
    • Review the effectiveness of organisational culture, line management behaviour and whistleblowing arrangements in mitigating insider-related risks. Recognise that these human and organisational defences against insider-related risks are an essential complement to other formal and technology-based defences.
    • Review organisational policies, the use of role-based risk assessments, vetting of staff and staff training.
    • Review how the robust management of insider risk in critical third parties might best be achieved.
    • Review technical controls and whether appropriate use is being made of the growing set of technologies and other tools that can play a major role in detecting, identifying and mitigating insider risks.
  • Exercise crisis management and incident response planning and arrangements against severe but plausible scenarios that include sophisticated attacks employing insiders within the organisation and in critical third parties.
  • Establish an ongoing review of the threats and risks presented by insiders, and of the continuing appropriateness of the insider risk management strategy and organisation.