Page 372 - ITGC_Audit Guides
P. 372

Insider threats may be malicious when the actor intentionally misuses access to an organization’s
                   network, system, or data to negatively affect the confidentiality, integrity, or availability of the
                   organization’s  information  or  information  systems.  However,  insider  threats  may  also  be
                   nonmalicious (unintentional) when the actor through action or inaction without malicious intent
                   causes harm or substantially increases the probability of future serious harm to the confidentiality,
                   integrity, or availability of the organization's information or information systems, such as those
                   outlined in Figure 1.


                   Figure 1: Examples of Insider Threats
                    Malicious                                  Nonmalicious

                    An employee steals trade secrets and later sells them to
                              3
                    a competitor.                              A systems administrator accidentally turns off a website.
                    A former employee damages an ex-employer’s   A user accidentally deletes files.
                                  4
                    computer network.
                    A consultant uses credit card information to   Employees fall victim to social engineering or
                    commit fraud.                              phishing emails.



                   Collusion happens when multiple insider threat actors work together to commit an attack against
                   the organization; when insiders are targeted by malicious outsiders (cybercriminals, hackers, and
                   hacktivists) and end up colluding unknowingly; or when insiders are targeted by malicious outsiders
                   and end up colluding on purpose (many times for a profit).


                   The potential for collusion creates a larger attack surface and increases the likelihood of a successful
                   attack  that  is  difficult  to  detect.  For  small-  and  medium-size  businesses,  which  often  lack  the
                   necessary  resources  to  recover  from  such  attacks,  the  impacts  can  be  especially  devastating.
                   Mitigating threats can be an expensive proposition, but when compared with the costs associated
                   with  recovering  from  a  major  IT  security  incident,  preventing  or  detecting  attacks  is  a  business
                   investment that pays off in the long run.

                   Adding into the equation data breaches resulting from unintentional acts, the average cost of
                   addressing insider-related damage increases substantially. Moreover, as malicious attackers
                   become more proficient in targeting unsuspecting insiders, the cost is expected to continue to
                   increase.







                   3  Kacy Zurkus, “Former Apple Employee Charged with Data Theft,” InfoSecurity Magazine, July 11, 2018,
                   https://www.infosecurity-magazine.com/news/apple-filed-criminal-complaint-of/.
                   4  “Former Employee of Transcontinental Railroad Company Found Guilty of Damaging Ex-Employer’s Computer
                   Network,” U.S. Department of Justice, October 10, 2017, https://www.justice.gov/usao-mn/pr/former-employee-
                   transcontinental-railroad-company-found-guilty-damaging-ex-employer-s.


                         www.theiia.org                                      Auditing Insider Threat Programs   5
   367   368   369   370   371   372   373   374   375   376   377