Insider threats: The who, what, why, and how. That’s what we covered in our last live Cyber Security Awareness Forum. 

An insider threat is any person who has authorized access to knowledge of an organization’s resources, including personnel, facilities, information equipment, networks and systems. An insider threat is the potential for an insider to use their authorized access or understanding of that organization to harm it. 

Insider threats can manifest in various ways and the key is to identify what’s most likely to happen in your business, how to stop it, and how to react when it happens. Before we get into that, let’s take a look at our guests: 

Ryan Healey-Ogden (RH) – Ryan is Click Armor’s Director of Business Development. He is also the Chief Communications Officer at the Cybersecurity Global Alliance.

Sid Choudhuri (SC) – Head of IT at Greenpeace Canada.

James Castle (JC) – Executive Director and Chairperson for Cyber Security Global Alliance and CEO and CSO of the Terranova Defense Group. 

And I’m Scott Wright, CEO of Click Armor, the Gamified Security Awareness Platform and Security Awareness Services Company. I wasn’t available for this session, but so much great information was still shared by our panellists and sub-host Ryan. Let’s get into learning about insider threats and abuse of privileges:

What are the most common insider threats?

RH:  Insider threats are people that have access to your organization, your data, your customers and your code and they can use that to turn that into a malicious approach. Like violence, espionage, sabotage, theft, and cyber acts.

JC: The list is quite extensive. There are disgruntled employees that may have a vendetta against the organization that may allow ransomware through an endpoint. You can have potential viruses, unknown viruses, or the matter of opening emails without actually understanding what phishing the ransomware is all about. The list is completely endless.

"It’s been a “super-fantastic” experience to see people learning and talking about security threats."

For just $325 USD, you can run a 6 week, automated program for gamified phishing awareness training and challenges.  (Limited time offer. Normally valued at $999 USD)

Use Promo Code: 6WEEKS

And as we move into artificial intelligence, we have to look at different things like hijacked artificial intelligence with inside trades that can open up those kinds of insider threats. 

SC: For Greenpeace Canada, I would say three things: Corporate espionage, ransomware through an attack vector like a USB, and anything that brings damage to our brand, like posts on social media.

And working from home has opened a whole other can of worms. Now if you are using a computer somewhere and stay logged in and something happens, that can be another insider threat. 

How are insider threats detected?

SC: We use something called SOCRadar, which is a v-SOC. This is done without logging. It’s a lot of open-source intelligence, looking at the dark web, and matching it to various indicators of compromise. Then, there are SEM tools that are run by our parent organization. Thirdly, we have various things in place for endpoint detection and response.

RH: You can take a look through logging or look for breadcrumbs to find out what the source of the problem was. You want to make sure someone can’t get in and break stuff and get out without leaving a clear trail which can be used. So, that’s access management, log management, and CAA. 

You also have to look for signs of possible disgruntled workers. Think about the nineties when there were so many disgruntled workers and there were unfortunate crimes of violence that were associated with them. If employees are not respecting the workplace, they could take out their frustrations on your security or brand. You have to ensure that your people are comfortable and happy.

JC: Insider threats can be difficult to detect. In most cases, they go really unnoticed for months, if not years, and some of them even longer. It’s important to realize that these are people with legitimate access to your networks. They are people who use their access in a way that causes harm to the organization as a whole. For that reason, insider threat prevention solutions are less digital and more focused on personal.

Whether the insider is a malicious employee or a contract or with compromised credentials, the list is completely endless. But we have to be able to identify them. And to identify them, we have to understand behaviour analysis. We have to be able to identify privileged access that the people have, and why they have it. Are there any anomalies in their life that may lead them to do something malicious?

How can employees prevent “insider threats”?

SC: At the end of the day, it comes down to just awareness. And if you don’t have that awareness, you don’t know what to identify. Everyone’s at risk.

Education of the senior management team and C-level executives is the most important to have them understand the risk of internal threats. And I see that lacking. 

JC: Preventing threats is done through awareness. We don’t have all of the answers, but we do have the ability to reach out to people and allow them to see what they may not have seen before and be able to share it within. Because it’s really quite amazing what happens when a person starts to realize outside the box what this world needs in order to create those preventions in place. 

What content and communications should you use to educate your staff on insider threats?

RH: Maybe part of our answer in the future is through AI. It could validate the information that your employees are sharing. How they are doing, what’s their tone in emails, what they are doing. Almost like a monitoring system for internal communications that would help you find insider threats before they happen based on the way people are speaking or based on questions they ask. 

JC: Corporations have to realize that awareness is a payable skill. We can’t just have one person show up and give free information all of the time. Companies do not want to pay money to understand this, they expect one person to identify all the threats. But come year-end, you need to allocate money towards insider threat prevention which means training your people.

SC: Start from the top down and make C-level executives understand the value of doing these risk assessments and paying for the education of staff. A structured course by HR has to be there. Not just on phishing but on the entire threat landscape, insider threats, and compliance.

The most important thing I can’t stress enough is the importance of C-Level executives understanding and having a budget.

60% of data breaches are linked back to insider threats, so your organization on how they occur. As we learned in this panel, awareness is key. In order for your organization to have awareness you need executive buy-in, a budget, and a continuous program. 

Want to hear more from this panel? Watch the whole session here.

Click Armor is the first highly interactive security awareness platform, with engaging foundational courses and 3-minute weekly challenges that employees love. We offer content on everything from security basics, phishing and social engineering to passwords and privacy.

Even if your organization already has a solution, there’s a high likelihood that some employees are still not engaging and are exposing your systems and information to cyberthreats. Click Armor offers a special “remediation” package that complements existing solutions that don’t offer any relevant content for people who need a different method of awareness training.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.