{"id":4718,"date":"2011-06-27T15:48:48","date_gmt":"2011-06-27T15:48:48","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/011\/06\/27\/how-to-deal-with-insider-threats\/"},"modified":"2025-07-08T14:53:20","modified_gmt":"2025-07-08T14:53:20","slug":"how-to-deal-with-insider-threats","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2011\/06\/27\/how-to-deal-with-insider-threats\/","title":{"rendered":"How to deal with insider threats?"},"content":{"rendered":"<p>\u201cYour ISO 27001 is nice in theory, but if our system administrator goes crazy, we\u2019re dead.\u201d \u2013 I hear this quite often when speaking to my clients about which security controls they should apply.<\/p>\n<p>And it\u2019s not only system administrators, it is also the line managers, engineers, top management, etc. \u2013 actually, anyone who has access to sensitive information or systems could be a potential threat. For instance, the biggest damage in banks is not done by robbers (with guns in their hands), but by inside jobs (with computers in their hands).<\/p>\n<p>Of course, money theft is not the only purpose of these kinds of attacks \u2013 it can also be sabotage, theft of confidential corporate information, altering of data, theft of identities, etc.<\/p>\n<p>Since this is such a complex issue, how can you deal with it?<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Risk assessment<\/h2>\n<p><a href=\"https:\/\/staging.advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> is a standard which approaches security management mainly from the preventive point of view \u2013 the first step is to find out which incidents could happen regarding your employees (but also external partners with access to your systems), and then to choose appropriate security controls in order to avoid those incidents. 
In ISO 27001, this process is called <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=risk-management&amp;doc=risk-assessment-and-risk-treatment-methodology\" target=\"_blank\" rel=\"noopener\">risk assessment and risk treatment<\/a>.<\/p>\n<p>However, risk assessment shouldn\u2019t be done superficially. If you didn\u2019t think really hard about all the bad things that can happen, then you won\u2019t mitigate those risks and someone could exploit those vulnerabilities.<\/p>\n<p>Therefore, don\u2019t rush through this step; do it systematically.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Preventive measures<\/h2>\n<p>Once you know how an insider can exploit your vulnerabilities, you can start planning your security controls in a comprehensive way. Again, ISO 27001 offers a catalogue of security controls in its Annex A \u2013 here are a few examples of the most common controls to mitigate the risk of insider threats:<\/p>\n<ul>\n<li>Access control (section A.11 in Annex A) \u2013 access to sensitive data can be approved on a need-to-know basis only. 
This way you decrease the number of people that can do harm, but also decrease the damage if someone\u2019s identity is stolen.<\/li>\n<li>The access privileges must be regularly reviewed (control A.11.2.4) \u2013 very often quite a few employees have access to information they don\u2019t really need.<\/li>\n<li>The accounts and access rights of former employees must be removed (A.8.3.3) \u2013 yes, sometimes there are open accounts a few years after an employee has left the company\u2026<\/li>\n<li>Strong <a href=\"https:\/\/staging.advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=password-policy\" target=\"_blank\" rel=\"noopener\">password policy<\/a> (control A.11.2.3) or some other authentication method should be enforced to prevent identity theft.<\/li>\n<li>Segregation of duties (control A.10.1.3) \u2013 you probably wouldn\u2019t allow a single person to authorize large payments \u2013 the same goes for any other sensitive system.<\/li>\n<li>Backup (A.10.5.1) \u2013 of course, it should be regular; but access to backup information must also be withheld from the employees who could do the most harm to your production systems.<\/li>\n<li>Document policies and procedures which clearly define the security roles and responsibilities (A.8.1.1; A.10.1.1) \u2013 you cannot expect your employees to observe the security rules if they don\u2019t know what the rules are.<\/li>\n<li>Awareness &amp; Training (A.8.2.2) \u2013 all of your employees need to know why it is necessary to protect sensitive data, as well as how to do it; for certain jobs (like monitoring logs) you may need to send your employees to specialized training.<\/li>\n<\/ul>\n<p>Of course, there are other controls that are more technically oriented, like segregated network architecture (A.11.4.5), regular security patches (A.12.6.1), spyware scanning (A.12.5.4), anti-virus (A.10.4.1), firewall (A.10.6.1), physical entry controls (A.9.1.2), etc.<\/p>\n<h2 
style=\"padding-top: 10px; padding-bottom: 10px;\">People issues<\/h2>\n<p>However, someone with high motivation and skills can bypass all of these security controls and achieve whatever agenda he or she has. Therefore, in my opinion, the most important thing is to develop some early warning indicators. And that requires a little bit more sophistication.<\/p>\n<p>First of all, you need to know who you are employing \u2013 you probably wouldn\u2019t allow some total stranger to access your sensitive data and\/or systems only because he or she has a very nice diploma and a letter of recommendation. You need to dig deeper, or as ISO 27001 puts it \u2013 perform the background verification checks (A.8.1.2).<\/p>\n<p>The second, and probably the most important, control is to constantly monitor what is going on \u2013 both on the \u201csoft\u201d side (most of the time you can observe if someone is starting to behave in a strange way) and on the \u201chard\u201d side \u2013 by monitoring logs (A.10.10.2), i.e. monitoring whether there is anything suspicious in the use of information systems. Actually, the two can often be viewed together \u2013 whenever you conclude that someone\u2019s behavior is peculiar, then this person\u2019s logs need to be observed in more detail. And vice versa \u2013 if you spot some strange usage of an information system, the soft side should be monitored more closely.<\/p>\n<p>To conclude, insider threats will probably remain the biggest risk to the security of information \u2013 the growing complexity of information systems and amount of data will only increase this threat over time. 
And the best way to deal with them is to prevent them \u2013 once they happen, you can only hope they won\u2019t go too far.<\/p>\n<p><em>To help you establish good security practices within your company and raise awareness about the threats throughout different departments, try this online<\/em> <a href=\"https:\/\/staging.advisera.com\/training-account\/security-awareness-training\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security Awareness Training<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cYour ISO 27001 is nice in theory, but if our system administrator goes crazy, we\u2019re dead.\u201d \u2013 I hear this quite often when speaking to my clients about which security controls they should apply. And it\u2019s not only system administrators, it is also the line managers, engineers, top management, etc. \u2013 actually, anyone who has &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[277,379,381,481,492,525],"class_list":["post-4718","post","type-post","status-publish","format-standard","hentry","category-blog","tag-risk-assessment","tag-information-security","tag-iso-27001","tag-vulnerabilities","tag-threats","tag-risk-treatment"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4718"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.c
om\/27001academy\/wp-json\/wp\/v2\/posts\/4718\/revisions"}],"predecessor-version":[{"id":104288,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4718\/revisions\/104288"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}