Insider threats: What lessons can the security community learn from the Edward Snowden scandal?

The name Edward Snowden tends to invoke a wide range of emotions depending on who you talk to, from admiration and intrigue to rage and disappointment. As a quick reminder, Snowden made global headlines around the world in 2013 when he copied and leaked highly classified government information while working as a subcontractor at the Central Intelligence Agency (CIA) in the US. Much of this information related to controversial surveillance operations taking place, both domestically and abroad, causing significant tension between the US and its allies. As the scandal grew, Snowden fled to Russia, where has remained ever since, fearing prosecution should he return home.

With Snowden and his family recently being granted permanent residency in Russia, his name has been thrust back into the mainstream media, which offers a good opportunity to look back at his actions and reflect on the lessons to be learned.

Insider threats come in many forms

The Edward Snowden scandal serves as an extremely high-profile example of the potential dangers posed by an organisation’s own employees when it comes to data protection. While most organisations invest significant sums of money in keeping outside threats at bay, often the threats from inside the company get overlooked. Edward Snowden clearly intended to leak the information that he did, meaning his data theft was premeditated, but not all ‘insider threats’ have that intent, which in some cases can make them even more dangerous.

The majority of insider threat cases can be broken down into three categories. Someone like Edward Snowden would fall into the category of ‘malicious insider’, which is an employee who intentionally steals data. Usually, this is done either for personal gain or to negatively impact the organisation involved.

While some see Snowden’s actions as noble, others view them as traitorous. Either way, he actively chose to do what he did. Conversely, many other insiders do not mean to do anything. The next category, the ‘compromised insider’, is considered by many to be the most problematic for that very reason. Generally speaking, compromised insiders have done very little wrong and usually have no idea they’ve been compromised. All it takes is clicking on a link in a phishing email or opening an infected file and their credentials can become compromised, opening the door to let malware or an attacker in. Once done, they carry on as normal, completely oblivious to the damage they’ve inadvertently inflicted.

The final category is the ‘careless’, or ‘negligent insider’, someone who leaves their laptop on the train, walks away from their unlocked workstation, or simply fails to follow cybersecurity best practice (either knowingly or unknowingly). These individuals can be particularly challenging, because their actions are very hard to predict and defend against.

While external threat protection generally gets the majority of the fanfare (usually because of efforts of the vendors selling it), research indicates it is insider threats that pose much more of a risk to most organisations. According to Gartner, for example, insider threats account for as much as 70% of all security incidents. As you might expect, the consequences can be severe too.  One of the most recent estimates available suggests that insider threats can cost an affected company well over £6 million per year.

Building an effective defence against insider threats

One of the toughest challenges when defending against insider threats is their unpredictable and silent nature. For example, if an external threat actor is attempting to breach a firewall, it will usually trigger numerous security alarms and warnings, alerting the organisation to the issue. However, most traditional cybersecurity solutions don’t turn that same focus inwards, meaning organisations could be haemorrhaging data via insider threats and not have the slightest inkling what’s going on for days, months, or even years.

While improving general awareness of insider threats can help address some of the core risks, there are numerous other preventative steps that many organisations still don’t apply as rigorously as they should. First and foremost, they need to invest in relevant cybersecurity training for all employees. From senior executives to mail room staff, anyone with access to the company’s IT ecosystem needs to be kept informed of the latest threats and how to spot/prevent them. Doing so helps build a more risk-aware culture at every level, which minimises the chances of anyone unwittingly becoming a compromised insider.

Next, organisations should invest wisely in technology solutions and infrastructure that enables them to see the whole picture and address the challenge of insider threats. From a technology perspective, one of the most potent weapons currently available is user and entity behaviour analytics (UEBA). A key advantage of UEBA is its ability to use machine learning to quickly create a baseline of ‘normal activity’ for an organisation’s entire complement of employees (both internal and third party) and machines. Once baselines have been created, any major deviations from them are automatically flagged as potential security alerts, which security teams can then investigate. For example, if an employee is logging on at 3am when their baseline behaviour is to only log on between 9am and 5pm, UEBA technology will quickly pick up on this. Security teams can also work closely with other departments, such as HR, legal and senior management to identify potentially risky insiders in advance and restrict access to sensitive data as necessary.

In today’s fast paced, high risk business climate, organisations that can get ahead of insider threats will be in a much better position to proactively protect against them, rather than having to react to breaches in progress. The Edward Snowden scandal demonstrated that malicious insiders are hard to detect even with the budget and power of the US government, because they are inherently trusted. While the stakes aren’t quite as high for most of us, the consequences can still be severe, so taking the time to put the right people, processes and technology in place before it’s too late will always pay dividends in the long run.