MSP Best Practices to Halt Insider Threats


While nation-state threat actors and external hackers often garner the headlines, insider threats are an often-overlooked threat vector. Rockwell-Boeing, Anthem Healthcare, and Capital One are just a few organizations with damaging data breaches caused by insiders. Insiders such as privileged users, contractors and vendor partners, and trusted executives often have access to the “keys to the kingdom” and know system and process weaknesses to exploit.

A 53% majority have confirmed insider threats against their organization in the last 12 months, with 27% stating that insider attacks have become more frequent, according to Cybersecurity Insider’s 2018 Insider Threat Report. Ponemon Institute found that insider threats do more damage for longer than external threats, with an average cost of $8.7 million. Detecting and blocking insider threats and inadvertent insiders is crucial to reducing lost productivity and incident response costs. Managed Service Providers (MSPs) can enable practical cybersecurity approaches, both within their own networks and their clients’, to reduce exposure to insider threats and speed up response when minutes matter.

Insider Threat Definition

Most information security experts agree that employees and vendors form the weakest link when it comes to organizational information security. MSPs, with their trusted advisor role and unfettered access to client systems, are especially susceptible to insider risks and supply chain targeting. A holistic definition of insider threats enables security organizations to better prepare for the largest possible threat vectors that can lead to costly attacks.

“An insider threat is any breach that is caused by or facilitated by an insider, whether it is an accidental insider or malicious insider.”

-- Joseph Blankenship, Forrester Research Principal Analyst

These types of internal threats can be particularly challenging to detect, especially if organizations have primarily focused on bolstering external security.

Insider Threat Types

Insider threats often remain undetected for months or years, causing lost revenue, disrupted operations, sagging brand reputation, and public distrust. It is important to understand the types of insiders and their motivations to provide context for prevention. According to Security Insider, there are five fundamental types of insider threats:

  1. Non-responders to awareness training
  2. Inadvertent insiders
  3. Insider collusion such as with vendor partners
  4. Persistent malicious insiders
  5. Disgruntled employees

Nearly two-thirds (64%) of insider threats are caused by users who introduce risk due to careless behavior or human error, according to Dark Reading. Whether intentional or inadvertent, would you even know if someone inside your network compromised or leaked sensitive data?

Align Security Plan to Risk

Traditional approaches such as security awareness training provide a good foundation, but are insufficient given the possible financial motivation and misconfiguration risks by insiders. Some industry sectors pose more internal risk than others, according to the Verizon Data Breach Investigation Report 2019.

  • The top industry for past breaches caused by insiders: Healthcare
  • The second highest sector for internal threats: the high-tech sector with its vast attack surface, cloud infrastructure, and globally dispersed employees and vendors
  • The third highest industry: financial services

Surprisingly, the healthcare industry is the least likely to encrypt its data, according to the Ponemon Institute. Customize your insider threat program to your industry risk, sensitive assets, and organizational risk appetite.

Detect and Block Insider Threats

Use a pragmatic approach to cybersecurity to identify avenues to detect and stop insider threats. Some countermeasures against insider threats include:

Protect sensitive data with role-based access controls: in a nutshell, role-based access controls (RBAC) grant a user or category of user the rights and system access their work function requires, and no more. A well-thought-out plan for identity and access management (IAM) can create repeatable processes while limiting access only to those with a need-to-know. Many compliance frameworks such as PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act) require methods to limit sensitive data access.

Implement data encryption: encrypting or encoding sensitive data can create a barrier to attack while deterring insider access. While encryption of data at rest and in transit is a best practice, the global adoption rate for encryption is 45%, leaving much room for improvement.

Address privileged access management (PAM): privileged users are those such as system admins with elevated access to systems and services. These “super users” are prime targets for attackers looking to gain access to crucial servers or pivot to other networks or supply chain partners like MSPs. Limiting privileged access also reduces damage in the event of a data breach.

Identify anomalous behavior: use machine learning to understand normal operating behavior, identify anomalous activity that deviates from that baseline, and prioritize action based on alerts. User and entity behavior analytics (UEBA) from Netsurion can detect an employee or contractor’s suspicious activities, such as logging in at unusual times or attempting to access restricted files or intellectual property.

Link cybersecurity and physical security: cybersecurity insider threats are often intertwined with breaches in physical security. Some indicators of compromise include employees who are suddenly eager for additional after-hours work, volunteer for confidential projects outside their work scope, or use a flash drive when the organization does not permit USBs.

Add comprehensive visibility and monitoring: constant monitoring and alerting with a Security Information and Event Management (SIEM) platform can detect both internal and external threats in near-real-time. Log monitoring and alerting enables employees to go about their work with minimal intrusion and privacy concerns. Solutions such as EventTracker SIEM from Netsurion can also block user access when unusual or suspicious actions occur. MSPs should be using a SIEM within their own organization, both for increased visibility and to become familiar with this crucial security platform.
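
The baseline-then-deviation idea behind the anomalous-behavior and monitoring items above can be seen in a small added example. It is not Netsurion or EventTracker code: a per-user hour-of-day baseline stands in for the machine-learning model, and the log format, user names, file path, and two-hour tolerance are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): timestamp user action detail
BASELINE = """\
2024-03-04T08:55:00 alice login ok
2024-03-05T09:10:00 alice login ok
2024-03-06T08:40:00 alice login ok
2024-03-04T13:58:00 bob login ok
2024-03-05T14:02:00 bob login ok
"""
NEW_EVENTS = """\
2024-03-11T09:02:00 alice login ok
2024-03-12T02:17:00 alice login ok
2024-03-12T02:19:00 alice file_access denied:/finance/payroll.xlsx
2024-03-12T14:05:00 bob login ok
2024-03-12T15:00:00 carol login ok
"""

def parse(text):
    for line in text.splitlines():
        ts, user, action, detail = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), user, action, detail

def build_baseline(text):
    """Map each user to the hours of day at which they normally log in."""
    hours = defaultdict(set)
    for ts, user, action, _ in parse(text):
        if action == "login":
            hours[user].add(ts.hour)
    return hours

def hour_gap(hour, usual):
    """Smallest circular distance (0-12) from hour to any usual login hour."""
    return min(min((hour - u) % 24, (u - hour) % 24) for u in usual)

def detect(text, baseline, tolerance=2):
    alerts = []
    for ts, user, action, detail in parse(text):
        if action == "login":
            if user not in baseline:  # never seen before: cannot be judged
                alerts.append((user, "no_baseline", ts.isoformat()))
            elif hour_gap(ts.hour, baseline[user]) > tolerance:
                alerts.append((user, "unusual_login_hour", ts.isoformat()))
        elif action == "file_access" and detail.startswith("denied:"):
            alerts.append((user, "restricted_file_attempt", detail[7:]))
    return alerts

ALERTS = detect(NEW_EVENTS, build_baseline(BASELINE))
```

The account with no history is reported separately rather than silently passed, since a user the baseline has never seen is exactly the case a deviation check cannot score.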


Insider threats occur for numerous reasons, from disgruntled staffers to financially-motivated insiders stealing data, to unwitting employee mistakes. Understand your most valuable assets to prioritize insider threat protection that balances security and privacy as you prevent, detect, and respond to internal threats.

Increase security awareness training on insider threats and include an “if you see something, say something” approach. Enhance visibility into user behavior with continuous monitoring, internal threat correlation, and user behavior coupled with SIEM to elevate your security posture and speed up time to detection. While insider threats are costly, compensating solutions need not be expensive or time-consuming for you or your clients. SOC-as-a-Service from Netsurion is one practical avenue to shore up internal gaps that rogue employees and inadvertent insiders can exploit.

Blog courtesy of Netsurion, which offers the EventTracker security platform.