Both Finland and, more broadly, the Nordic countries have a long tradition in technical cybersecurity, particularly in detecting and blocking attackers and malware. We are skilled at identifying anomalous activity within our systems and preventing technical threats before they materialise.
However, there is a significant blind spot in our cybersecurity culture – insider risks and threats. We do not take seriously enough the possibility that someone inside the organisation may act intentionally (and far more often, unintentionally!) against the organisation’s interests.
After reading this text, you’ll understand what insider risks and threats truly are. You’ll also gain an understanding of the role technology plays in managing these risks – and in minimising negative impacts if they materialise. You will also see where the limits of technological intervention lie and why collaboration between people is essential.
An insider is a person:
Who is currently or has previously been employed by the organisation
Who has access to the organisation’s resources, including people, processes, information, technology, or physical premises, or who possesses information about the above
When viewed this way, insider risk is easier to understand in its true magnitude. It covers every insider's individual potential to act, intentionally or unintentionally, in ways that may harm the organisation. That potential is a natural consequence of the trust an organisation places in its people: the access it grants is also the access that can be misused. Individuals in the most central and critical roles typically have a higher-than-average capability to cause harm.
We speak of actual insider threats when individuals, in addition to having this potential, also intend to act – or due to circumstances are likely to end up acting – in a manner that causes some form of harm or loss to the organisation.
Cybersecurity focused on insider risks and threats requires a completely new type of cooperation between people, supported by technology, where preventing undesired actions through technical means alone is rarely the only risk management measure needed.
We cannot use technology to address the primary motivators behind deliberate actions against the organisation – greed, ego, ideology, revenge, and sometimes curiosity – nor the personality traits that predispose individuals to harmful behaviour, the so-called Dark Triad personality traits: narcissism, psychopathy, and Machiavellianism.
Some of the conditions that often trigger insider risk behaviour are also beyond the reach of technology, because they arise from a person’s private life, such as financial difficulties, stressful life events, dissatisfaction, or becoming isolated from the work community.
Perhaps the most common trigger for harmful behaviour – acute uncertainty – is, however, predictable in the workplace, for example when layoffs are happening.
A positive cybersecurity culture can also help prevent situations in which an employee who is, by background, predisposed to harmful actions recognises an opportunity, develops a motive, and prepares to act against the organisation. By nurturing a visible and encouraging cybersecurity culture, it is also possible to reduce harm caused to the organisation by insiders through carelessness or indifference.
Technical cybersecurity and other controls nevertheless play an important role in managing insider risk and minimising the impact if it materialises. Many organisations using Microsoft’s cloud services are already making use of certain technical controls related to insider risk management, even if they may not realise it. Next, I will present a few examples.
Each of us uses cloud services with a digital identity, which in the Microsoft ecosystem is an Entra ID user account. Permissions to systems and data are granted to this identity, but because no process exists to take them away, they often persist long after the need has ended. Access therefore accumulates over a career, and with it the potential for harm.
The organisation can use Entra ID’s Entitlement Management Access Packages to bundle the permissions required for a role and grant them for a limited period, making it easy to comprehensively verify and remove them once the need has ended.
Automated permission assignment when employment begins, deactivation when employment ends, and permission cleanup when roles change – the so-called Joiners/Movers/Leavers process – is a critical tool for managing insider risk.
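The Joiners/Movers/Leavers reconciliation described above, as an added example that is not from the original post or from Microsoft. It works over constructed data: an HR feed, a directory export of time-limited access-package assignments and a role-to-package mapping, all invented for the example. It computes the actions that bring access back in line with HR: disable and strip leavers and orphaned accounts, grant joiners their role bundle, remove what movers no longer need, and treat expired assignments as something to be re-requested rather than silently kept.

```python
"""Joiners/Movers/Leavers reconciliation over constructed HR and directory data.

Assumptions: the HR feed and the directory's access-package assignments have
already been exported into plain Python objects; the role-to-package mapping,
people and dates are invented for this example. In Entra ID Entitlement
Management the equivalent bundles are access packages with time-limited
assignment policies.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical access packages per role (a role gets exactly these and nothing else).
PACKAGES_BY_ROLE = {
    "Finance Analyst": {"pkg-finance-reporting"},
    "Finance Manager": {"pkg-finance-reporting", "pkg-finance-approvals"},
    "IT Admin": {"pkg-it-helpdesk"},
}

@dataclass
class HrRecord:
    upn: str
    role: str
    end_date: Optional[date]   # set once HR records a termination

@dataclass
class Assignment:
    upn: str
    package: str
    expires: date              # every assignment is time-limited

def reconcile(hr, assignments, today):
    """Return (action, upn, package) tuples that bring access in line with HR."""
    hr_by_upn = {r.upn: r for r in hr}
    held = {}
    for a in assignments:
        held.setdefault(a.upn, {})[a.package] = a

    def left(rec):
        return rec.end_date is not None and rec.end_date <= today

    actions = []
    # Leavers: terminated in HR, or holding access while unknown to HR at all.
    for upn, pkgs in held.items():
        rec = hr_by_upn.get(upn)
        if rec is None or left(rec):
            actions.append(("disable_account", upn, None))
            actions.extend(("remove", upn, p) for p in sorted(pkgs))

    # Joiners and movers: active staff hold exactly their role's packages.
    for rec in hr:
        if left(rec):
            continue
        wanted = PACKAGES_BY_ROLE.get(rec.role, set())
        have = held.get(rec.upn, {})
        actions.extend(("assign", rec.upn, p) for p in sorted(wanted - set(have)))
        actions.extend(("remove", rec.upn, p) for p in sorted(set(have) - wanted))   # mover cleanup
        # Time-limited access: an expired assignment is removed and must be re-requested,
        # which is the moment at which the need is re-verified.
        actions.extend(("remove_expired", rec.upn, p)
                       for p in sorted(wanted & set(have)) if have[p].expires < today)
    return actions

TODAY = date(2025, 3, 1)
HR = [  # constructed HR feed
    HrRecord("anna@contoso.example", "Finance Manager", None),               # mover: promoted from analyst
    HrRecord("bo@contoso.example", "Finance Analyst", date(2025, 2, 28)),    # leaver: left yesterday
    HrRecord("cai@contoso.example", "IT Admin", None),                       # joiner: no access yet
]
ASSIGNMENTS = [  # constructed directory state
    Assignment("anna@contoso.example", "pkg-finance-reporting", date(2025, 2, 24)),  # expired a week ago
    Assignment("anna@contoso.example", "pkg-legacy-share", date(2026, 1, 1)),        # left over from an old role
    Assignment("bo@contoso.example", "pkg-finance-reporting", date(2025, 5, 1)),
    Assignment("dan@contoso.example", "pkg-it-helpdesk", date(2025, 3, 11)),         # no HR record: orphaned account
]
ACTIONS = reconcile(HR, ASSIGNMENTS, TODAY)

if __name__ == "__main__":
    for action in ACTIONS:
        print(*action)
```

Run stand-alone it prints eight actions: two disables with their removals (the leaver and the orphaned account), a grant for the joiner, and for the mover one grant, one removal of a package no role requires and one removal of an expired package. The orphan case is the one most organisations miss: an account that HR has never heard of but that still holds access is a leaver by definition.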
Modern access management is often seen as protection against external threats, which it certainly is. Yet many insider data thefts, leaks and other harmful acts around the world have been carried out from devices other than the employer-provided one, precisely where the organisation's endpoint controls and logging do not reach.
Conditional Access policies in Entra ID that require a managed and protected device for sign-in (for example one marked compliant by Intune, or an Entra hybrid joined device) therefore also play a key role in managing insider risk: they keep organisational data on devices the organisation can see and control.
The more permissions accumulate under a single identity, the greater the potential negative impact on the organisation if the person owning that identity decides to act — or unknowingly acts — against the organisation. In some organisations, for example in IT administration and system owner roles, individuals have received broad and powerful permissions under the same identity they use for everyday work. This makes monitoring the use of these privileges and managing the risks of misuse challenging.
Organisations using Microsoft services can manage this risk by, for example, creating separate and more tightly protected identities for administrative tasks, and by using Entra ID's built-in roles with a narrower scope so that, instead of the Global Administrator role, each administrator account receives only the limited roles its tasks require.
Activating administrative roles only for a limited time, in a logged manner, through Privileged Identity Management — potentially and deliberately requiring another administrator to approve the activation — is also an effective way to curb the continuous risk associated with overly broad permissions.
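An audit of the three points above (separate admin identities, least-privilege roles rather than Global Administrator, and time-bound activation through PIM instead of standing assignment), as an added example that is not from the original post or from Microsoft. The records are constructed stand-ins for what Microsoft Graph returns for standing role assignments and PIM-eligible assignments; the principals, the `adm-` naming convention and all role ids other than the built-in Global Administrator template id are invented. The break-glass exclusion assumes the organisation keeps dedicated emergency-access accounts that are deliberately left outside PIM.

```python
"""Audit of privileged role holdings over constructed Entra-shaped data.

Assumptions: the records are reduced, hand-written stand-ins for what Microsoft
Graph returns from /roleManagement/directory/roleAssignments (standing, always-on
assignments) and /roleManagement/directory/roleEligibilityScheduleInstances
(PIM-eligible, activated just in time); the principals, the 'adm-' naming and the
non-Global-Administrator role ids are invented for this example.
"""

# Built-in Global Administrator role template id; the same in every tenant.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
MAX_GLOBAL_ADMINS = 5   # Microsoft's guidance: more than one, fewer than five

# Roles whose standing (non-PIM) assignment we treat as a finding.
PRIVILEGED_ROLES = {
    GLOBAL_ADMIN: "Global Administrator",
    "role-exchange-admin": "Exchange Administrator",   # constructed id
    "role-user-admin": "User Administrator",           # constructed id
}

STANDING = [   # constructed: permanent, always-active assignments
    {"principalUpn": "adm-anna@contoso.example",       "roleDefinitionId": GLOBAL_ADMIN},
    {"principalUpn": "bo@contoso.example",             "roleDefinitionId": GLOBAL_ADMIN},
    {"principalUpn": "bo@contoso.example",             "roleDefinitionId": "role-exchange-admin"},
    {"principalUpn": "svc-breakglass@contoso.example", "roleDefinitionId": GLOBAL_ADMIN},
]
ELIGIBLE = [   # constructed: PIM-eligible, must be activated (logged, optionally approved) to use
    {"principalUpn": "adm-cai@contoso.example", "roleDefinitionId": "role-user-admin"},
]
EVERYDAY_USERS = {"anna@contoso.example", "bo@contoso.example", "cai@contoso.example"}  # mail, Teams, files
BREAK_GLASS = {"svc-breakglass@contoso.example"}   # deliberately standing; excluded from the PIM finding

def audit(standing, eligible, everyday_users, break_glass):
    """Return (finding, upn, role) tuples for standing privilege, shared identities and GA sprawl."""
    findings = []
    # 1. Standing privilege: a privileged role held permanently rather than PIM-eligible.
    for a in standing:
        role = a["roleDefinitionId"]
        if role in PRIVILEGED_ROLES and a["principalUpn"] not in break_glass:
            findings.append(("standing_privilege", a["principalUpn"], PRIVILEGED_ROLES[role]))
    # 2. Shared identity: an admin role on the same account that is used for everyday work.
    holders = {a["principalUpn"] for a in standing + eligible if a["roleDefinitionId"] in PRIVILEGED_ROLES}
    for upn in sorted(holders & everyday_users):
        findings.append(("shared_identity", upn, "any privileged role"))
    # 3. Too many Global Administrators, counting standing and eligible holders alike.
    ga = {a["principalUpn"] for a in standing + eligible if a["roleDefinitionId"] == GLOBAL_ADMIN}
    if len(ga) >= MAX_GLOBAL_ADMINS:
        findings.append(("too_many_global_admins", ",".join(sorted(ga)), "Global Administrator"))
    return findings

FINDINGS = audit(STANDING, ELIGIBLE, EVERYDAY_USERS, BREAK_GLASS)

if __name__ == "__main__":
    for finding in FINDINGS:
        print(*finding)
```

In the constructed tenant the dedicated `adm-cai` account passes cleanly because its role is PIM-eligible and it does no everyday work, while `bo` produces three findings from a single identity: two standing privileged roles and the fact that the same account reads mail and edits files. That combination is exactly the one the text warns about, where a phished or disgruntled everyday user is also a standing Global Administrator.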
Insider risk typically does not materialise intentionally, but rather as a result of mistakes or careless handling of information. When the services people use in their daily work provide guidance on secure information handling and help avoid the most serious errors, this has a positive risk management effect. At the same time, actions that violate organisational policies become more visible in technical monitoring tools, as fewer employees handle information in an unsafe manner.
In the Microsoft ecosystem, guidance for safe information handling is provided through Purview Data Loss Prevention policies in services such as Exchange Online, Teams, SharePoint Online, OneDrive for Business, Fabric and Power BI. The same policy tips and blocks can be extended to the endpoint with Endpoint DLP on Windows 10/11 and macOS devices that have been onboarded to Defender for Endpoint, which is where actions such as copying to removable media or uploading to personal cloud storage become visible.
On the other hand, when people understand that policy-violating actions are likely to be detected (i.e., that the activity is visible to administrators), this significantly reduces the likelihood of intentionally undesirable behaviour involving organisational data or systems. Properly designed DLP controls and prompts therefore create a credible deterrent that discourages deliberate harmful actions against the organisation.
A real-world insider threat does not manifest as a single, isolated technical event. Instead, it is recognised from a massive pool of logs by correlating relevant pieces of information into a sequence of events — for example, sensitive files are gradually collected from SharePoint to a workstation, then transferred all at once to a USB storage device, followed by a resignation notice.
A key element is also modelling normal human behaviour (so-called baselining) using machine learning, so that unexpected deviations from this baseline can be flagged.
Without AI and machine learning-driven tools, identifying these event chains at an organisational scale is unrealistic (and would require systematic monitoring of individual employees' behaviour with significant privacy implications). For this reason, an organisation aiming for active insider risk management should make use of a supporting tool such as Microsoft’s Insider Risk Management (IRM).
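The event chain and the baselining described above, as an added example that is not from the original post and is not how Microsoft's Insider Risk Management is implemented. The records are constructed, simplified stand-ins for SharePoint `FileDownloaded` audit entries, Endpoint DLP `RemovableMediaCopy` events and an HR feed carrying a resignation notice; users, counts, the 30-day lookback and the z-score threshold are all invented. The point it makes beyond the text is that volume alone is not the signal: a user who always downloads a great deal is not flagged, while a normally quiet user who bursts, copies to USB and then resigns is.

```python
"""Correlating an insider event chain over constructed audit records.

Assumptions: the records are reduced, hand-written stand-ins for unified audit
log entries (SharePoint FileDownloaded), endpoint DLP events (RemovableMediaCopy)
and an HR feed (ResignationNotice); field names, users, counts and thresholds are
invented for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOOKBACK = timedelta(days=30)   # how far before a resignation to look for precursors
Z_THRESHOLD = 3.0               # a day this many standard deviations above baseline is a "burst"

# Constructed baseline: files downloaded per day by each user over earlier weeks.
# A real baseline would be learned from the same log source over a trailing window.
HISTORY = {
    "anna@contoso.example": [2, 3, 4, 3, 2, 3, 4, 2, 3, 3, 2, 4, 3, 3],
    "bo@contoso.example":   [20, 25, 18, 22, 24, 19, 21, 23, 20, 22, 25, 19, 21, 20],
}

def ts(s):
    return datetime.fromisoformat(s)

# Constructed events, deliberately not in time order.
EVENTS = [
    {"time": ts("2025-03-11T10:00:00"), "user": "anna@contoso.example", "op": "FileDownloaded", "count": 35},
    {"time": ts("2025-03-10T09:00:00"), "user": "anna@contoso.example", "op": "FileDownloaded", "count": 40},
    {"time": ts("2025-03-12T18:30:00"), "user": "anna@contoso.example", "op": "RemovableMediaCopy", "count": 75},
    {"time": ts("2025-03-14T08:00:00"), "user": "anna@contoso.example", "op": "ResignationNotice"},
    {"time": ts("2025-03-11T11:00:00"), "user": "bo@contoso.example",   "op": "FileDownloaded", "count": 22},
    {"time": ts("2025-03-13T08:00:00"), "user": "bo@contoso.example",   "op": "ResignationNotice"},
    {"time": ts("2025-03-05T12:00:00"), "user": "cai@contoso.example",  "op": "RemovableMediaCopy", "count": 3},
]

def burst_days(user, events):
    """Days on which the user's download volume is an outlier against their own baseline."""
    hist = HISTORY.get(user)
    if not hist:
        return set()   # no baseline yet: do not alert on volume alone
    mu, sigma = mean(hist), pstdev(hist) or 1.0   # guard against a flat history
    per_day = defaultdict(int)
    for e in events:
        if e["user"] == user and e["op"] == "FileDownloaded":
            per_day[e["time"].date()] += e["count"]
    return {d for d, n in per_day.items() if (n - mu) / sigma > Z_THRESHOLD}

def detect(events):
    """One alert per resignation preceded, in order, by a download burst and a copy to removable media."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for res in [e for e in evs if e["op"] == "ResignationNotice"]:
            window = [e for e in evs if res["time"] - LOOKBACK <= e["time"] <= res["time"]]
            bursts = burst_days(user, window)
            if not bursts:
                continue
            first_burst = min(bursts)
            copies = [e for e in window
                      if e["op"] == "RemovableMediaCopy" and e["time"].date() >= first_burst]
            if copies:
                alerts.append({
                    "user": user,
                    "burst_days": sorted(str(d) for d in bursts),
                    "files_to_media": sum(c["count"] for c in copies),
                    "resigned": res["time"].isoformat(),
                })
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Only one alert comes out: `anna`, with two burst days, 75 files copied to removable media and the resignation that follows. `bo` downloads more files in a day than `anna` did during the burst, but that is normal for `bo` and no alert is raised; `cai` copies a few files to USB with no burst and no resignation, and is likewise left alone. Note that the resignation is what pulls the earlier events together, which is why the HR feed matters as much as the technical logs.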
Tools like IRM depend on comprehensive log data covering activity across services. Organisations using Microsoft services should therefore make sure that the relevant technical events are actually being recorded for each service before relying on the logs for risk identification: for example that auditing is enabled in Purview, and that devices are onboarded so endpoint signals such as copies to removable media are captured at all. A detection that depends on an event nobody is logging is a detection that will never fire.
Even recognised technical event chains still require non-technical context to be understood (a burst of downloads looks the same whether someone is leaving with the customer list or finishing a handover), which is why a functioning insider risk team must work closely with, for example, HR.
Ultimately, the most valuable asset for most organisations is their data, and the risks related to that data are managed in Microsoft services by:
Identifying secret, confidential or otherwise sensitive information and files using Purview Information Protection Sensitivity Labels.
Retaining information that must be kept, and disposing of data that is no longer needed operationally or for regulatory reasons, through Purview Data Lifecycle Management retention policies and labels. Data that has been deleted because nobody needs it any more cannot be taken by an insider.
These and many other methods can be used by an organisation to manage the impact of an insider attack or risky insider behaviour. I therefore challenge you to reflect on what your organisation is doing to manage insider risk.