Defending Against Cybersecurity Moles Inside Your Agency


The move to a virtual workforce has been a boon to industrious hackers.

Insider threats are nothing new, but they’re evolving. We’ve always thought of insider threats as either disgruntled employees with malicious intent or simply people who make careless mistakes. But insider threats are changing in the age of the coronavirus. Today, an insider threat is more likely to be a remote employer who seems completely innocuous, not someone sneaking out of a building with a sheaf of proprietary information hidden in a briefcase.

Indeed, the move to a virtual workforce has been a boon to industrious hackers. Employers are no longer protected by the brick-and-mortar security practices of the past, with access to sensitive data becoming more and more available and uncontrollable in many cases. This risk is further highlighted in Forrester's 2021 cybersecurity report, which predicts 33% of data breaches will be tied to insider threats. That’s a jump from 25%, an increase driven mainly by remote work. 

This pandemic-induced environment is easier for hackers to exploit. Prospects are applying for jobs all over the country, if not the world. Face-to-face interviews are a thing of the past, having been supplanted by more impersonal Zoom calls. It’s just more challenging for HR professionals and teams to do the proper due diligence, even in notoriously meticulous government agencies.

Combining Zero Trust with User Behavioral Analysis

Adopting a zero-trust approach can help combat this threat, but is it enough? After all, if a mole has already infiltrated the agency, that mole has already been granted some level of trust simply by being hired. Yes, organizations can apply policies that restrict that individual from having access to certain datasets or folders. But what if that person has air-tight credentials and security clearance? What if, by their job description, they need access to highly sensitive information? In such cases, zero trust as defined by many organizations may not be sufficient, and an expanded zero-trust methodology should be explored. 

Complimenting a zero-trust approach with careful analysis of user behavior can reduce the potential damage caused by insider threats. While behavioral analysis is already being employed by many government agencies, its importance is magnified by the pandemic, which gives cover for deviant usage patterns. A remote environment may make those patterns more difficult to detect without the normal security perimeters and safeguards in place. 

Consider implementing measures to monitor users’ behaviors regardless of their location and whether or not they are on a company-secured VPN. Strive to understand users’ intentions and activities across the divide, look for indicators of abnormal behaviors, and couple all of it with a zero-trust approach to continuously verify and validate users as they attempt to access critical information.

Establishing and continuously evaluating individual user risk scores for every employee is also essential. A risk score is a numerical value that indicates an individual’s propensity for risk based on a number of factors, including job title, access to sensitive information, anomalous behavior and more. Assign a baseline risk score to new employees. The user’s risk score can change over time as the employees’ responsibilities adjust. It’s a simple and effective way to reduce the time to detect your riskiest users while continuing to monitor deviant and non-deviant behavioral patterns. This ability to quickly exonerate employees is a critical component of successful insider risk programs. 

A New Variation of Insider Threats

Today, moles aren’t necessarily strategically placed sleeper agents in a terrorist cell. They might be the talented data analyst your organization just hired, or the new HR manager who recently started and has access to sensitive employee information. It’s important to discover these people before they do irreparable damage. 

Continuously vetting and monitoring behavioral patterns is one of the most effective and efficient ways to do this. It can protect your agency against a worrisome new variation of an old problem.

Michael Crouse is an ITPM user protection specialist at Forcepoint.