Best practices for cyber risk prevention, the human factor.

Insiders without Kymatio

Standard cybersecurity programs often do not contemplate a significant part of the risk: the part generated by employees. Current tools are insufficient for this. To obtain better results, a new approach is necessary.

We are all part of the internal threat (insider): the employees of the company, but also subcontracted personnel and suppliers. Insider risk is one of the biggest problems in cybersecurity that has not yet been satisfactorily solved.
The threat is present in 60 percent of the incidents reported in all recent studies. Companies are increasingly aware of the problem and are dedicating executive resources and management attention to solving it. However, most internal threat prevention programs turn out to be unambitious. Among the most common failures are:

  • Focusing exclusively on behavior through monitoring and analysis in the technical field, such as solutions based on alerts about deviations from “baselines”.
  • Not seriously considering cultural norms.
  • Completely ignoring the real situation of your greatest asset, the people.

Leading companies are implementing a micro-segmentation approach that can address potential problems more precisely, adopting a profound cultural change and predictive analysis.

These new approaches predict and prevent, produce more accurate results than pure traditional monitoring, and ultimately help companies navigate the complicated business of safeguarding assets while reducing risks and strengthening their employees.

Understanding the threat better

Organisations sometimes struggle to clearly define the concept of internal threat. In this article, we use the term to refer to the cyber risks posed to an organization by the behavior of its employees; to this end, subcontracted personnel is also considered, as notable insider incidents in recent memory have arisen from third parties.

There are different types of internal threats. The list is long, and all of the typologies, or, following the sector's jargon, the Insider Risk Groups (IRGs), can lead to an expensive incident. Some IRGs may be more or less striking to the layman, such as those related to harassment, violence in the workplace or simply misconduct. In other cases, IRGs are more evident, such as overloaded users and stress in the workplace. Fortunately, the case of employees with deficiencies in cyber-awareness is widely acknowledged. But other IRGs should always be taken into account, such as employees susceptible to elicitation or in situations of outright disgruntlement.

[Note: this article corresponds to a series that Kymatio is preparing on the best practices for insider risk prevention and is part of the initiative to give visibility and raise awareness about the main IRGs].

Two types of workers that can create cyber risk:

Insiders in the malicious IRG are those who seek to benefit at the expense of the company or to harm the organisation directly. They may encourage theft or steal data directly, commit fraud for financial gain, publicly expose confidential information to attract attention, or sabotage IT systems. Most organizations focus their attention on people who misuse privileged information, using activity monitoring software and small investigation teams.

The members of the negligence IRG are prone to errors. They do not intend to damage the organisation, but they expose it to risk through their mistakes or carelessness. This can happen in two ways. First, an employee can carelessly create a vulnerability that attackers can exploit directly (for example, a bad configuration of servers in the cloud, or losing a hard drive with confidential data). Second, employees can become personally vulnerable to attacks and inadvertently cooperate with them. For example, by sharing too much personal information online, employees become easy targets for phishing; attackers then compromise the user's account and use it to carry out more harmful activities.

Briefly, internal threats arise from two types of employees: those who are negligent and those with malicious intent. Insiders belonging to the negligence IRG are easy for companies and their risk mitigation teams to understand, as long as they have the right tools. Through poor training, poor morale or pure carelessness, workers, who are generally trusted, can expose the company to external risks. In these cases the key is to work with the employees themselves to strengthen their position and minimise the risks.

However, organizations often misinterpret malicious insiders in two ways. First, malicious insiders do not always seek to harm the organization. Often, they are motivated by self-interest. For example, an employee may use customer information to commit fraud or identity theft, but the underlying motive is self-enrichment rather than harming the employer. In other cases, employees may be seeking attention or, as in the case of the activism IRG, have a “hero complex” that leads them to divulge confidential information. They may even think that they are acting for the good of the public, but in reality they are acting for their own benefit.

Understanding the reason is essential to help companies model their mitigation strategies.

Secondly, insiders belonging to any type of IRG rarely develop overnight or join the company with the intention of hurting it. In the most recent examples of serious insider incidents, normal employees gradually became insiders, with months or years of warning signs leading to the culmination of an internal incident.

It is necessary to activate measures that collect these signals and help to prevent the incident.

The dimensions of the insider problem

In a universe of competing cybersecurity priorities, where needs always seem to outstrip budgets, it may be tempting to underinvest in the fight against the insider threat. In other articles we have analyzed perceived risk versus real risk in relation to this temptation. It may be that the risk is not well understood and the solution seems “less tangible” than in other cyber areas. Long-serving executives know the history of insider incidents the company has suffered perfectly well; newer executives, however, ask themselves: Is this really an important issue? How much risk does it represent?

That insiders are a central element of cybersecurity incidents is amply demonstrated: 60 percent of incidents have a substantial insider component. Moreover, most of these were not malicious behavior, yet unfortunately that is still the conceptual approach behind the mitigation efforts of so many companies. Negligence and unintentional collaboration represent more than 50 percent of infractions related to privileged information, which makes these problems even more important.

In addition to being frequent, security breaches by insider threats usually culminate in substantial damages. In recent years we have seen high-cost incidents in which customer information was extracted by different types of insiders in financial services, healthcare, retail, technology, telecommunications and government, among other entities. Some companies lost hundreds of millions.

Main sectors affected by the insider threat

  • Financial services
  • Technological services
  • Health services

Problems of current solutions

To combat insider risk, most companies rely on user behavior monitoring software, generally of the UEBA type (User and Entity Behavior Analytics). These applications, whether based on rules or on machine learning, ingest significant amounts of data about the actions of employees, especially their network and endpoint behavior and the use they make of corporate systems. In general, they try to identify divergences from what is considered “normal” behavior for that employee. When the software detects an anomaly, a small specialized team investigates the alert.

Common approaches that fail in preventing the internal threat (type of approach and its main issues)

Prevention and monitoring

  • Attempts to cover the full monitoring of all employees at all times.
  • General controls and preventive measures.
  • Massive number of signals.
  • High risk of misuse of data.
  • Mitigations not personalized according to risk, actors and actions.

Analysis of behavior variations

  • Analyzes divergences with respect to the behaviors designated as “normal”.
  • Risk behaviors can be incorporated into the baseline of normality (equivalent to false negatives).
  • High number of false positives, sometimes around 40%.
  • Manual investigation of numerous cases.
  • Usually the backlog of cases exceeds the capacity of the teams.
  • Inability to perform a real prioritization of individual signals and incidents.

Interdepartmental interaction

  • Focused on making decisions and taking actions on a case-by-case basis.
  • Actions with diffuse or poorly defined definitions.
  • High uncertainty about how cases are handled between investigation and action.

While these methods may be useful to some extent, we find that they generally fall short, for the following reasons:

Problems of the standard internal threat programs

1.- By the time negative behaviors are detected, the infraction has often already occurred. The organization is at a disadvantage and cannot deploy appropriate measures. This leaves the entity in an unacceptable position: a lack of proactivity on the prevention side.

2.- Monitoring based on “divergence from normal behavior” creates a lot of false positives, wasting a great part of the investigation team's time.

3.- High-risk insider behaviors may go unidentified because the related activity can become integrated into the baseline of “normal” activity.

4.- Collecting massive amounts of data on employee behavior can create data lake management problems and a clearly significant potential to be perceived as abusive, compared with more collaborative (win-win) approaches.

Beyond the problems described above, some organizations take this type of monitoring to the extreme, implementing military-grade software and conducting full-fledged intelligence operations against their employees. Several recent cases have highlighted the risks of exceeding the organization's cultural and privacy norms. The best practices and precautions that are necessary in the defense industry can be considered invasive in companies such as a bank or an insurer, and are not the best approach to solving the underlying problem. Critical infrastructure such as nuclear power plants, gas, telecommunications, etc., is another case, and not the subject of this article.

Finally, to the extent that companies pursue internal threats, they often focus on the search for malicious actions, even though most organisations have learned that negligence is a fundamental problem and studies are positioning it as one of the most urgent to address. It is common to see companies whose prevention efforts begin and end with anti-phishing employee education campaigns; it must be recognised that these very important measures address only one segment of the real insider problem.

Establishing the basis of a better preventive approach

Some leading cybersecurity teams use a different approach, based on three pillars.

The three pillars (type of approach and detail):

Micro-segmentation

Micro-segmentation allows the organization to approach risk “hot spots” and adopt a specific approach instead of a general approach to threat monitoring and mitigation.

Cultural change

Cultural change makes insider risk events less likely, and puts the company in a preventive rather than a reactive position.

Prediction

Prediction allows an organization to identify and make internal risk deactivation decisions much earlier in the life cycle of the threat.


Given the scale of the problem, instead of resorting immediately to a general supervision approach, organizations must adopt a much more nuanced approach, adapted to their information assets, identifying risk and impact and focusing on the workforce. The key to this approach is micro-segmentation, which identifies particular groups of employees who, depending on their role in the company and their particular problems, are capable of causing significant to maximum damage. After segmentation, specific focused interventions are developed for these groups in order to mitigate the associated risks.

To perform micro-segmentation, the first step is to understand the reality of the company and its capabilities, where its assets reside, and which assets and information are the most important to protect. Next, companies can use identity and access management (IAM) records, organizational information and human resources (HR) data to determine which groups and individual employees have access to the highest-value assets and where the impact could be greatest. Risk identification services such as Kymatio can greatly facilitate this initial assessment.

These groups determine the IRGs that are most important to the threat program. For each IRG, the company can determine which types of internal threats are most likely to cause damage and can create differentiated internal monitoring and mitigation strategies.

Imagine that a pharmaceutical company wants to protect the intellectual property created in the development of new medicines. An analysis of the IAM and HR data reveals that certain specific parts of its product development and its R&D units represent the greatest risk.

Kymatio can be key in determining assets according to impact and risk insider.

The company knows that sabotage of this type of intellectual property is relatively rare but does occur, for example when scientists take intellectual property with them when they are hired by the competition. Therefore, the company focuses on monitoring and designing strategies to identify risks of the disengagement IRG or personnel in the disgruntled IRG, such as those who lost promotions, those whose situation leaves them with low job satisfaction and those perceived as members of the low-paid group relative to their peers. Now the company is ready to design interventions, such as a complete array of retention programs, solutions specifically designed for the identified risks.
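As an added illustration of the micro-segmentation steps above (asset impact, IAM grants, HR data, group-level disgruntlement markers), here is example code that is not Kymatio's own method or output; the employees, unit names, impact scale and priority formula are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data for illustration, not real Kymatio data or output.
ASSETS = {"rd-compound-db": 5, "trial-results": 4, "crm": 2, "intranet-wiki": 1}  # impact 1..5
IAM_GRANTS = [  # (employee_id, asset) as exported from the IAM system
    ("e1", "rd-compound-db"), ("e1", "trial-results"), ("e2", "rd-compound-db"),
    ("e3", "crm"), ("e4", "intranet-wiki"), ("e5", "trial-results"),
    ("e5", "crm"), ("e6", "trial-results"), ("e7", "trial-results"),
]
HR = {  # employee_id -> (unit, lost a promotion last cycle, job satisfaction 1..5)
    "e1": ("R&D", True, 2), "e2": ("R&D", False, 4), "e3": ("Sales", False, 3),
    "e4": ("Admin", False, 5), "e5": ("Product Dev", True, 2),
    "e6": ("Product Dev", False, 3), "e7": ("Legal", False, 4),
}


def max_impact_by_employee(grants, assets):
    """Highest asset impact each employee can reach through their IAM grants."""
    reach = defaultdict(int)
    for emp, asset in grants:
        reach[emp] = max(reach[emp], assets[asset])
    return dict(reach)


def micro_segments(grants, assets, hr, min_impact=4, min_group_size=2):
    """Group employees by HR unit; keep units that can reach high-impact assets.
    Segments carry group-level metrics only (promotion denial rate, mean
    satisfaction), never per-person flags; units smaller than min_group_size
    are suppressed, since a "group" of one is an individual."""
    reach = max_impact_by_employee(grants, assets)
    members = defaultdict(list)
    for emp, (unit, _, _) in hr.items():
        members[unit].append(emp)
    segments, suppressed = {}, []
    for unit, emps in members.items():
        top = max(reach.get(e, 0) for e in emps)
        if top < min_impact:
            continue  # no access to high-value assets: not a priority segment
        if len(emps) < min_group_size:
            suppressed.append(unit)
            continue
        denied_rate = sum(hr[e][1] for e in emps) / len(emps)
        sat = mean(hr[e][2] for e in emps)
        # Priority = asset impact weighted by the group's disgruntlement markers.
        priority = round(top * (1 + denied_rate + (5 - sat) / 5), 2)
        segments[unit] = {"headcount": len(emps), "max_impact": top,
                          "denied_promotion_rate": denied_rate,
                          "mean_satisfaction": sat, "priority": priority}
    return segments, suppressed


def ranked_segments(grants=IAM_GRANTS, assets=ASSETS, hr=HR):
    """Unit names ordered by priority, highest first, for designing interventions."""
    segments, _ = micro_segments(grants, assets, hr)
    return sorted(segments, key=lambda u: segments[u]["priority"], reverse=True)
```

With the constructed data, R&D ranks above Product Dev, Sales and Admin are skipped for lack of high-value access, and Legal is suppressed because a single-member "group" would expose an individual.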

Micro-segmentation offers three key benefits.

Understanding of risk

It creates a clearer understanding of risk: not all internal threat events are the same.

Remedial actions

It allows organizations to identify a clear set of remediation actions, adapted to a particular group of employees. This helps them move from reacting to internal threat events to preventing them.

Monitoring of individuals and groups

Finally, the analysis allows the organisation to take monitoring to a new level by monitoring groups rather than individuals, using metrics such as employee attrition and the satisfaction of a team's workforce instead of individual behavior. That provides important benefits in the field of privacy.

Cultural change

While many insider threat programs focus on detecting and responding to negative behavior, it is vital to address directly and assertively the cultural problems that generate other risky behaviors, such as those highlighted by the negligence IRG.

To combat any of the risks that underlie the negligence IRG, companies often perform rudimentary cybersecurity training, such as phishing tests. All too often, these trainings focus solely on behavior, educating employees about appropriate cyber procedures and leaving employees' underlying attitudes and beliefs out of the equation. Targeted interventions (such as periodic communications on cyber impact) help employees see and feel the importance of “cyber-hygiene,” and intentional reinforcement by senior executives is essential to achieve participation and awareness across the workforce. The best positioned organizations rigorously measure behaviors and attitudes and develop comprehensive change plans to overcome cyber-neglect, with clear objectives and responsibilities within the organization.

Addressing the drivers of risk behavior is an even more detailed task. The drivers vary for each organization and, often, for each micro-segment. For example, they may include personal financial stress, discontent due to lack of promotion or risk of disengagement due to poor management. Organizations that successfully address risk behavior drivers often begin by analyzing workforce trends (insider risk level, IRG Disgruntled, IRG Overload, etc.) to determine potential hot spots. Then changes are designed in processes, governance, hiring, compensation, etc., specific to the identified risk areas and aligned with their micro-segmentation strategy. For example, if groups of employees show a high prevalence of disengagement risk due to discontent with an area manager, the organization may require leadership training or even remove the person responsible for the group. If financial stress seems to be a problem, the organization can choose to provide free financial planning help or re-evaluate its compensation model. There are multiple areas of intervention and improvement for each of the insider risk typologies.

Prediction

Advanced organizations are taking a further step to identify groups or individuals at an early stage of the threat life cycle: predictive analysis of insiders. The task is to determine which people present a risk, study them in depth and accompany them. The organizations leading in internal threat programs have identified the markers of these people and actively monitor those markers for specific people, instead of looking for divergences from “normal”. This analysis can identify a collective, group or individual that probably represents a threat long before the event occurs; companies can then take measures to mitigate the risk and even collaborate with their employees to strengthen each situation appropriately. It is a predictive, preventive approach.


The insider threat is one of the biggest problems in cybersecurity, since it represents a massive share of attacks and financial damages. Monitoring technologies have their place in the cyber-arsenal of organizations, but their effectiveness increases significantly when combined with more nuanced approaches, such as micro-segmentation, prediction and direct cultural commitment.
