A study of Insider Threat Personas: What can we do to alter user behaviour and mitigate the risk of insider threats

Employees are arguably the greatest security risk to modern businesses. Though it is often assumed that IT viruses and hackers should be your biggest concern, the reality is that it is your own staff, whether maliciously or accidentally, that are the most likely cause of a security breach.

This Insider Threat does not have to be a total unknown. One of the most important steps towards tackling internal security is understanding your own users, and their attitudes and behaviour with regards to security in the workplace.


Six Common Insider Threat Personas

From the report we’ve analysed how employees’ understanding and attitudes towards internal security differ and put together six distinct personas to help get a clearer picture of the employees businesses are managing.

Careless Jennifer

Age: 21 - Role: Customer Service
Industry: Travel and Transport

Jennifer is a customer service professional for a tour operator, spending the majority of her time on the phone answering customer queries and occasionally taking bookings. It’s her first ‘proper’ job.
She has a password to get on the company network, which she gave to her friend and colleague Steven when she was ill at home one day and wanted him to set her out-of-office reply. She doesn’t think it’s a big deal; she trusts Steven, and there’s nothing on her computer that’s of any value to anyone anyway. She’d never give him her Facebook password though, obviously. She once gave it to a boyfriend when they were getting quite serious, and he posted some terrible things after the relationship went sour a few months later.


Hypocritical Nooreen

Age: 49 - Role: Management
Industry: Finance

Nooreen works for a bank, and manages a team of over 20 people in the mortgages department. She is very considerate of the security of the information she and her team handle at work; being personal financial data, it is naturally very sensitive. She does occasionally worry about how considerate her team are about this, as the bank has rigorous security restrictions that she often hears complaints about. She wouldn’t complain herself, or attempt to circumvent security restrictions. Although she did once have to transfer some files onto a USB stick and then onto her home computer to get something finished while on holiday. In the end though she just gave her manager access to her system to finish the report himself.


Confused Kevin

Age: 29 - Role: Marketing
Industry: Retail

Kevin’s the marketing manager for a fairly big high street retailer, though most of his time is spent getting the business’ digital strategy right. He has at least 10 different passwords he uses for different work related systems: his network access, for one, then the CRM system, the website CMS, the email marketing software, the website’s testing and optimisation software, the business’ various social media accounts. The list goes on. He imagines that IT have some kind of policy about password keeping, but he doesn’t know what it is and isn’t overly concerned; he’s very busy and that’s not too high up his list of concerns. He just does what he needs to do to get the job done, and if that means handing over his network access to his colleague Sophie while he’s out of the office, well, what’s the harm?


Diligent Roger

Age: 61 - Role: HR
Industry: Education

Roger manages human resources at a large college, a job he’s been in for over 30 years. He doesn’t really consider data security to be a huge part of his job, but he does like to think he is very considerate of it, especially given that he occasionally manages quite sensitive employee information. He can’t imagine a situation where he would need to give his network password to anyone, and if asked it would have to be very special circumstances in order for him to give it up. The same goes for his personal logins; he would never even share his Hotmail password with his wife. He is quite sure that this is the attitude of all the other staff in the college, and hasn’t really considered the concept of ‘internal’ security for that reason.


Ex-employee Mark

Age: 39 - Role: Legal
Industry: Professional services

A lawyer at a major management consultancy, Mark is relatively new to the job. He worked at another consultancy up until a couple of months ago, and it was only a couple of weeks ago that his remote access to that company’s network was cut off. Most of what he copied over onto his Dropbox folder was fairly innocuous; document templates and things to help him in the new job. He did grab some of the former consultancy’s client contracts though, thinking his new employers might find them of interest. And a few interesting HR files on his former manager, which he doesn’t really intend to do anything with at the moment. But if the will took him, he might do. He’s not hugely more considerate of his new employer’s security, their restrictive system making remote working difficult, so he’s already given his password to his colleague Rhea in case he needs her to email him files when he’s out of the office.


Partner Paula

Age: 35 - Role: Outsourced partner
Industry: Government

Paula works at an outsourcing company that has a number of government contracts, with Paula’s role specifically being in the management of historical public pension schemes. Consequently, she has to have access to a lot of citizen data, but she has never received any kind of training on the security of this data from the government. She has no intention of passing this data on to anyone, but she has made copies of some of it which she keeps in a Dropbox folder for when she’s working from home.


Password sharing: who is sharing and why?

One of the biggest internal security issues every business has to deal with is password sharing. We presume that malicious attacks occur when clever hackers create complex code to crack security systems, but the reality is that the majority of the time it’s that someone's just let their password fall into the wrong hands.

In The Insider Threat Manifesto we asked IT professionals how regularly they thought that their users were sharing passwords with each other and the average estimate was 19%. In this new research, we asked the employees themselves to get a more accurate picture. It shows IT were underestimating.

said that one or more of their colleagues always had their network credentials

cited ‘authority’ admitting to having shared their password with either their manager or someone from IT

cited ‘necessity’ (just when needed) as a viable reason!

This means a total of 49% have shared their network login details for one reason or another.

Chart: « I already have shared my passwords or login details », percentage by age group (16 - 24, 25 - 34, 35 - 44, 45 - 55, 55+).

Young and reckless?

Age directly correlates with the likelihood of password sharing, with a clear difference in attitudes. Younger people are more likely to share theirs, while those of an older generation appear to have an altogether different view. Is this an indication that they are more savvy, or less blasé about security?

It may be that in fact, as younger generations have grown up with multiple online accounts across social media, email, apps and other services, account sharing has become second nature for them. A trend that has been identified among US teenagers, for instance, is password sharing as a sign of affection. To them, sharing a password is a digital entanglement that, because of the risk it involves, signifies trust and can be a milestone in a relationship, like sharing the keys to your house with a partner.

On the other hand there are services such as Netflix that actively encourage sharing by building features that allow users to add others to their account.

With these mixed messages it is understandable that younger people are less conscious of the risks of password sharing in a work environment, emphasising the need for education.


More rules means more bad behaviour?

Another interesting way to look at how habits differ with regards to password sharing is across industry sectors.

Chart: « At least one colleague has my login details », password sharing across sectors (Legal, Human Resources, IT and Telecoms, Finance, organisation average).

What is perhaps most alarming is that, looking at the industries where it is more common than average, a number are in sectors which are likely to be handling sensitive data, or where one would expect employees to know better.

It seems that rather than being more cautious, those in industries that are more likely to be handling sensitive data, and more likely to be regulated, are actually more likely to be password sharing. This raises the question of whether strong security policing in these industries is forcing more people to attempt to get around their employer’s restrictions. Or is it that employees in these industries work under so many differing regulations that they in fact clash, leaving them not knowing which rule to follow first?

The extended organisation

Those working with an organization as a partner (46%) or vendor (73%) are more than twice as likely to share their passwords as regular employees.

The source of a security breach

The issue raised here is the danger of an extended organisation. It has been reported that the breach of customer data at US retailer Target Corporation originated from an email phishing attack sent to employees at an HVAC firm that was working with the business.

Additionally, many government organisations in both the UK and US regularly outsource work, employing private partner businesses to operate almost as an extension of the public body. Even the Edward Snowden example is relevant here, as he was an independent contractor within the NSA, not a full time employee.

Password sharing across the organisations:

  • Vendors: 73%

  • Partners: 46%

  • Organisation average: 23%

Access control for all

This highlights the strong need to control and educate your entire extended organisation, not just the full and part time employees but your outsourced partners and entire supply chain. They may have been given access to sensitive information, but are less likely to have gone through the same pre-employment checks and security training that you put your own employees through.

The bottom line is that an organisation can outsource its operations but not its responsibilities.

Why are they sharing passwords?

Our employee research has vindicated what IT professionals have been thinking, with 32% of those who have shared their password saying it was because their manager or boss asked.

If you have shared passwords, why?

  • 32.3%: My manager / boss asked

  • 27.7%: I needed to give access to others while I was out of the office

  • 22.3%: A colleague in IT asked

  • 18.3%: I needed to in order to delegate work

  • 13.4%: A (non IT) colleague asked

  • 8.8%: I needed to give access to others while I was in the office

  • 4.2%: I wanted to get access to information I could only access via someone else’s login

  • 2.3%: Other

  • 1.3%: I forgot my own password so needed to borrow someone else’s

The number that answered ‘a non-IT colleague asked’ is possibly the most shocking, but the volume of people who see anyone asking for their login details as a legitimate reason for handing them over is very concerning.

While the act of sharing a password is not in itself a breach, the wider the practice is, the greater the risk of one. It leaves organisations open to social engineering by malicious parties, potentially posing as somebody senior, who gain access to data and systems they shouldn’t have.

Awareness of, and attitudes to, employer security

In this section we want to look at the actual attitudes of people towards their employer’s security, their awareness of their employer’s security policy and subsequently touch on what can be done to address the behavioural aspect.

How aware different kinds of users are of security issues

An alarming majority – 52% - of all desk-based employees in the US and UK don’t think that sharing work related logins represents a risk to their employer.

Perhaps this lack of awareness can be attributed to an organization’s own behaviour when faced with a potential breach. To avoid any embarrassment and potential negative publicity, organizations can be keen to cover up when breaches happen, meaning that employee behaviour goes un-reprimanded.

And naturally, if those in the organization become aware that mistakes regularly occur and are forgiven, they are less likely to be considerate.

In order to address this behaviour, security has to be part of the corporate culture, bad choices should have consequences that employees are reminded of, but technology can also help remind users to make good choices.

52% of all employees see no security risk in sharing work logins.

A conflict of interest

Alternatively this behaviour can simply be about priorities. Take the example of a doctor going from ward to ward in a hospital and not necessarily considering where they are logged in. They may need to take some kind of action quickly in a situation which is literally life or death. It is understandable that security may go out of the window at this point, but that isn’t to say their actions don’t pose a risk. In cases such as this it is critical that the organisation understands this conflict and prepares to mitigate the risks.

Not leading by example

Those in senior management – 54% - were also unable to recognise that password sharing represented a risk, indicating that those in senior roles are not understanding the threat that this practice poses. If senior management do not understand this or fail to act like they do, then it is very difficult for the organization to engender this understanding into the security culture. It’s here that technology can help to ensure all users – including senior management - make good choices.

54% of all senior management see no security risk in sharing work logins.

The inconsistent attitudes to employer security

Perhaps this is not unreasonable. Internal security can never be 100% foolproof. But these numbers are still alarming, as they indicate that a vast majority essentially believe that if they wanted to they could access their company’s sensitive data.

Regardless of whether a security policy is in place or not, or is effective, the majority of people (54%) do like to believe they are considerate of the security of work related information. In fact, 36% would agree that the security of work related information is ‘always front of mind’.

People do like to think that they are considerate about the security of their work related information. However, that does not necessarily mean that they act as such.

Once again, not leading by example

Senior management are most likely to claim that they are considerate of the security of work related information, at 64%. But, they are also the most likely to admit that they share files between work and personal computers (16% compared to the average 10%), indicating a dichotomy between what they say and what they do.

63% believe their employer does not have a strictly enforced security policy.

82% believe it would be possible to access sensitive company information they weren’t authorized for.

HR and the insider threat

Awareness of the dangers of internal security is a message that has to be spread throughout an organisation, and it is unlikely that IT can accomplish this in isolation. HR have a very important role in leading this education.

However, from our research only 15% of HR people believe that employees are a top three security concern. Of all the departments in an organisation that should be aware of the potential security threat of employees, HR should be the top, yet this is far from the case.

In addition, risk mitigation starts before employment with pre-employment checks, once again the remit of HR. At the point of employment it should be part of education and training, where HR should also be involved. And through the course of employment HR will have a better view on any personal issues and concerns employees might have that could lead to behaviour that may heighten risk.

Overall, HR has a fundamental role to play in the mitigation of the risks of insider threats, yet our research shows that they are the least likely people within the organisation to even understand the issue it should be part of their role to address.

Potentially the most dangerous user - Ex-employees

One kind of internal breach that IT professionals may not be aware of is that of ex-employees continuing to access work data systems and networks following the termination of their employment.

Asking desk-based employees, we were able to get a picture of how often this happens, finding that over a third (36%) of people are aware of having been able to access the work network of an old job after they have left.

The number that have then actually chosen to use that access is lower, at 9%, but this still constitutes nearly one in ten ex-employees going into their former employer’s systems.

The occurrences of ex-employees continuing to access their systems from their former jobs are rampant, and without the proper restrictions or monitoring in place IT people could be completely oblivious. This represents a considerable risk, especially given that ex-employees are far more likely to have malicious intentions and a lot less incentive to consider the sensitivity of the business’ data.

of employees have continued to have access to systems or data from an employer after they have left a job

Alter user behaviour and mitigate the risk of insider threats

The Insider Threat is not always the vindictive employee out to get revenge on their bosses, it can be the ignorant or careless user who doesn’t realise that their actions could have catastrophic consequences.

In fact, even when the threat is a malicious employee, contractor or external individual, they often manage to gain access via a careless employee who is easily convinced to share their password or who falls victim to social engineering and phishing attacks.

Step 1

Organizations are still guilty of not doing the basics to mitigate the risks. One typical example from the research is ex-employees who still have access to network and systems after termination.

Step 2

Education is a starting point to mitigate the risk of insider threats, but users are human – they will always act outside the boundaries of policy (and sometimes common sense).

Step 3

Rather than blaming users, organizations need to better protect each and every employee’s access to stop unauthorized access, even when passwords are stolen, shared or in any other way compromised.

Context-aware security addresses this gap.

It both discourages careless behaviour and outright stops unwanted and unauthorized network access.

Context-aware security works by restricting an individual’s access to specific authorized machines and devices, departments, set times and geographies, so organizations stand a much better chance of keeping out attackers (internal and external) who use real but compromised logins.

Context-aware security can also limit or prevent simultaneous logins. Users are far less likely to share their own credentials as it impacts their own ability to access the network. It provides the motivation to adhere to password sharing policy.

Contextual controls help ensure unwanted and unauthorized access is no longer possible – even when passwords are compromised.

It also helps ensure that access to an organization’s critical assets is attributed to an individual employee. Organizations should know exactly who is on the network and what they are doing. Sometimes specific events need to be associated with specific users for accountability.
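As an added illustration (not UserLock code), the gate below applies the contextual checks described above to a constructed login scenario: an account restricted to one workstation, one country and office hours, with one concurrent session allowed, so a shared password fails from a colleague’s desk and while the owner is already logged on, and every decision is recorded against the named account.

```python
# Added example, not UserLock code: a minimal context-aware login gate that
# checks machine, geography and time window and caps simultaneous sessions.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

@dataclass
class AccessPolicy:
    allowed_hosts: frozenset      # workstations this account may log on from
    allowed_countries: frozenset  # geographies permitted for this account
    hours: Tuple[int, int]        # permitted local window [start, end), 24h clock
    max_sessions: int             # concurrent sessions allowed per account

class ContextAwareGate:
    def __init__(self, policies: Dict[str, AccessPolicy]):
        self.policies = policies
        self.active: Dict[str, List[str]] = {}  # user -> hosts with a live session
        self.audit: List[Tuple[str, str, str, str]] = []  # user, host, time, outcome

    def evaluate(self, user: str, host: str, country: str, when: datetime) -> str:
        reason = self._check(user, host, country, when)
        if reason == "allowed":
            self.active.setdefault(user, []).append(host)
        # Every decision, allowed or denied, is attributed to a named account.
        self.audit.append((user, host, when.isoformat(), reason))
        return reason

    def _check(self, user, host, country, when) -> str:
        p = self.policies.get(user)
        if p is None:
            return "no policy for account"
        if host not in p.allowed_hosts:
            return "machine not authorised for this account"
        if country not in p.allowed_countries:
            return "geography not authorised for this account"
        if not p.hours[0] <= when.hour < p.hours[1]:
            return "outside permitted hours"
        if len(self.active.get(user, [])) >= p.max_sessions:
            return "concurrent session limit reached"
        return "allowed"

    def logoff(self, user: str, host: str) -> None:
        if host in self.active.get(user, []):
            self.active[user].remove(host)

def demo() -> List[str]:
    """Constructed scenario: a customer-service account whose password was shared."""
    gate = ContextAwareGate({"jennifer": AccessPolicy(
        frozenset({"CS-WS-07"}), frozenset({"GB"}), (8, 18), 1)})
    t = lambda h, m: datetime(2024, 3, 4, h, m)  # constructed timestamps
    out = [gate.evaluate("jennifer", "CS-WS-07", "GB", t(9, 0)),   # her own desk
           gate.evaluate("jennifer", "CS-WS-12", "GB", t(9, 5)),   # colleague's desk
           gate.evaluate("jennifer", "CS-WS-07", "GB", t(9, 10))]  # while already logged on
    gate.logoff("jennifer", "CS-WS-07")
    out.append(gate.evaluate("jennifer", "CS-WS-07", "GB", t(20, 0)))  # after hours
    return out
```

The audit list the gate keeps is what makes each denied attempt attributable to a specific account and machine rather than an anonymous failure.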

By educating your users about these dangers, along with technology to apply the appropriate restrictions, you can start to mitigate the risk of insider threats within your business.



UserLock

Guard against unwanted network access from both external attacks and malicious insiders using compromised Active Directory user logins.

Reduce the risk of a security breach with:

  • Context-aware access controls

  • Real-time monitoring

  • Comprehensive auditing
