Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Leadership Team

Meet the MetaCompliance Leadership Team

Careers

Join Us and Make Cybersecurity Personal

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

A Guide to Insider Threats

0 title

about the author

Share this post

September 2019 has been declared National Insider Threat Awareness Month by the US National Counterintelligence and Security Center (NSCS) and the National Insider Threat Task Force (NITTF).

The initiative has been specifically set up to raise awareness of the serious risks posed by insider threats, whilst encouraging employees to recognise and report security incidents so early intervention can occur.

It’s easy to focus on the more pressing Cyber Security threats, but the reality is that insider threats can be equally as damaging and require the same vigilance to help prevent and detect.

These types of attacks are more common than you might think and according to the Verizon Insider Threat Report, 20% of Cyber Security incidents and 15% of data breaches originate from insiders within an organisation.

The attacks can also be extremely costly, with the average incident costing organisations more than $8 million. We tend to think these attacks are premeditated and sinister, and often they are, but the majority of insider threat incidents are as a result of poor security practices by employees.

What is an Insider Threat?

A Guide to Insider Threats

An insider threat is a security incident that originates within an organisation itself rather than from an external source. It may be a current or former employee, a contractor, a third-party vendor or any other business associate that has access to the organisation’s data and computer systems.

Every organisation is vulnerable, however, certain industries such as Manufacturing, Healthcare, and Finance tend to have a higher risk profile than others. This may be due to the vast amounts of valuable information they hold.

Types of Insider Threats

A Guide to Insider Threats

Insider attacks can be particularly dangerous because unlike external actors attempting to infiltrate a network, insiders will typically have legitimate access to an organisation’s computer systems. They can gain access to sensitive data without arousing suspicions and attacks can often go unnoticed for weeks, even months.

For organisations to stop insider threats, they need to know about the different types of threats and the motivations behind the attack.

  • Malicious Insider – This is an employee who will take advantage of their privileged access to knowingly steal data or commit other negative acts against the organisation. Another type of malicious insider is the disgruntled employee. They will deliberately try and find ways to inflict damage to the organisation if they feel they have been mistreated. This could be editing or deleting large amounts of sensitive data or interfering with critical systems.
  • Compromised Insider – This can often be one of the most dangerous types of insider threats as employees may not even realise that they’ve been compromised. Typically, their computer will be infected with malware as a result of clicking on a phishing link or opening a malicious attachment.
  • Negligent Insider- An employee that doesn’t follow proper IT procedures is known as a negligent insider. Whether they leave their computer unlocked, leave sensitive data in full view or let an authorised person into the building, these employees put their organisation at great risk with poor security practices.

Warning Signs

A Guide to Insider Threats

There are often a number of warning signs that can alert organisations to an insider threat. These include:

  • Downloading or accessing large amounts of sensitive data
  • The use of external storage devices such as USB sticks
  • Accessing data not associated with job role
  • Copying files from sensitive folders
  • Emailing sensitive data outside of the organisation
  • Personality and behavioural changes
  • Working unusual hours

High Profile Examples

A Guide to Insider Threats

Unfortunately, there’s no shortage of examples of organisations that have been on the receiving end of Insider threat incidents. These high-profile attacks have highlighted the financial and reputational damage that can be inflicted as a result of insider threats. Some of the more notable cases include:

Punjab National Bank

In one of the costliest insider attacks, an employee at Punjab National Bank used the SWIFT interbank communication system to authorise the issuance of money through Letters of Undertaking and Foreign Letters of Credit. Through these fraudulent transactions, the employee was able to transfer funds totalling £1.5 billion.

Morrisons

In 2017, Morrisons, one of the UK’s leading supermarket chains, was held to account after a disgruntled internal auditor published the details of over 100,000 employees. This included sensitive data such as National Insurance numbers, dates of birth and bank account details. 5,518 employees took Morrisons to court claiming the leak had exposed them to the risk of identity theft and potential financial loss. Morrisons was found liable and incurred costs of up to £2 million.

Target

The 2014 Target breach occurred when a third-party employee clicked on a phishing link that helped attackers get into the HVAC vendors network and eventually into Target’s network. The attack compromised the names, addresses, phone numbers, email addresses, and credit card data of over 70 million people. In this particular case, the insider did not have malicious intentions, but the attack caused significant reputational damage and cost the company $300 million.

How can Organisations Defend Against Insider Threats?

Security Awareness Training – Training is critical in educating employees on security policies and the threats they are likely to encounter in their day to day role. This could be anything from a phishing email to the importance of physical security in the workplace. Small lapses in judgement have the potential to cause great damage to an organisation so staff need to receive regular training to ensure they know how to identify and respond appropriately to evolving threats.

Use Strong Authentication – If an organisation’s accounts can be compromised, insiders can move laterally around networks stealing sensitive data. Employees should avoid sharing passwords and there should be strong authentication processes in place for access to sensitive applications and systems.

Monitor Employee’s Online Behaviour – Organisations should periodically monitor employee behaviour to detect any suspicious activity. This could be logging in at random times, accessing sensitive data or attempting to copy data from folders that they are not authorised to view. Behavioural analytics can play an important role in identifying users that are acting out of the norm. The earlier organisations can pick up on this behaviour, the quicker they can resolve any issues.

Establish Incident Reporting Process – Organisations should have a clear procedure in place for the reporting and logging of all security incidents. The reporting capability will address the full range of incidents that could occur and set out appropriate responses. This will help flag up any suspicious behaviour and provide all the necessary information required for regulatory reporting.

MetaCompliance specialises in creating the best Cyber Security awareness training available on the market. Our products directly address the specific challenges that arise from cyber threats and corporate governance by making it easier for users to engage in Cyber Security and compliance. Get in touch for further information on how we can help transform Cyber Security training within your organisation.

Other Articles on Cyber Security Awareness Training You Might Find Interesting