By Angela Mutiso And Ochara Clive
Tackling Insider Cyber-Security Threats
Kenya’s rapid adoption of digital technologies has unlocked immense opportunities but also introduced significant vulnerabilities, exposing financial institutions and critical infrastructure to escalating cyber threats.
Recently, the Directorate of Criminal Investigations (DCI) apprehended 20 individuals suspected of operating a debit card fraud scheme targeting Equity Bank. The bank’s risk department identified suspicious transactions, leading to an internal investigation. This revealed that fraudsters had exploited customer debit card details, likely obtained through hacking. This type of fraud, known as “card-not-present,” involves electronically capturing card details to facilitate unauthorized withdrawals.
The incident at Equity Bank accentuates the growing cybersecurity threats in Kenya, extending beyond the financial sector to areas like government systems, healthcare, and telecommunications. These challenges highlight the urgent need for robust cybersecurity measures to protect Kenya’s digital infrastructure from financial losses, data breaches, and diminished public trust. From April to June 2024, the National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC) detected a significant increase in cyber threat events. In response, the Communications Authority of Kenya (CA) has increased the dissemination of cyber threat advisories and prioritized addressing vulnerabilities related to insecure IoT devices, outdated software, and system misconfigurations, along with the challenges posed by advancing technologies like AI.
While external cyber threats often dominate discussions, insider threats are an equally potent danger. Incidents like the Equity Bank case highlight that malicious or negligent insiders with privileged access can undermine even the most advanced cybersecurity systems. Insider threats often evade detection by exploiting trusted systems, operating unnoticed until significant damage is done. For Kenya’s financial institutions and other critical sectors, managing insider threats is essential to building resilient digital defences.
The Spectrum of Insider Threats
According to IBM’s 2016 Cyber Security Intelligence Index, 60% of cyberattacks were linked to insiders, with three-quarters involving malicious intent and the remainder resulting from inadvertent actions. Industries like healthcare, manufacturing, and financial services are particularly vulnerable due to their reliance on sensitive personal data, intellectual property, and substantial financial assets.
The trouble with insider cybersecurity threats is that they come from within. Trusted insiders operate within the system, often bypassing detection technologies and, in some cases, erasing evidence to hinder forensic investigations. This makes insider threats particularly dangerous and, in some instances, akin to the “perfect crime.”
Some organizations have responded by adopting “zero trust” policies to minimize these risks. However, such approaches often clash with operational realities, as overly restrictive security measures can disrupt productivity, stifle innovation, and frustrate employees. Security teams must balance robust defences without affecting functional and efficient workflows.
Cyber experts group insider threats into three major categories:
Sneaky links
Human error is one of the leading causes of security breaches, often attributed to complacent insiders—trusted employees who overlook basic security protocols. Simple mistakes, such as failing to update security patches, misaddressing emails, or sending confidential data to insecure systems, can have costly consequences. Complacent insiders are particularly vulnerable to phishing attacks.
Saboteurs within the System
While remedies for negligent or complacent insiders may involve strict compliance and awareness programs, the situation regarding malicious insiders is much more complex. These individuals intentionally and deliberately compromise the security of company data, often driven by personal vendettas, financial incentives, or a desire to harm the organization. They pose a significant risk, as they may steal sensitive information, sell data or intelligence, or even orchestrate attacks in collaboration with external agents. The damage they cause can be far-reaching, as these trusted insiders—often with access to critical systems—can bypass security measures and cause substantial harm. In some cases, it’s not just about theft; it’s about destruction, revenge, or undermining the company for personal gain, making them one of the most dangerous threats a business can face.
Identity theft
Cybercriminals are good at stealing identities to infiltrate systems. Some achieve this by compromising an employee’s account through phishing schemes or malware, while others exploit stolen credentials, often sourced from social media profiles. Experienced cybercriminals only need to have someone’s name and know their place of work. If the target hasn’t secured their social media accounts, the criminal can find out all sorts of information about them and their place of work. They could set up an email address with the target’s name and send a malicious file to a colleague. Once inside the system, attackers frequently escalate the compromised user’s access, enabling them to reach even more sensitive information.
What to look out for
Identifying early signs of insider threats is vital to safeguarding your organization’s sensitive data and systems. Here are some key indicators to watch for and their implications:
Irregular System Access
If an employee accesses systems or information outside their regular work hours or engages with data unrelated to their role, it could indicate suspicious activity. For instance, an employee in marketing accessing financial records or engineering blueprints may warrant further scrutiny. Regular monitoring of access logs and patterns can help detect these anomalies early.
Unusual Data Activity
An employee’s noticeable increase in data downloads, transfers, or copies, particularly involving sensitive files, is a significant red flag. This could suggest preparations for data theft, corporate espionage, or sabotage. Automated tools like Data Loss Prevention (DLP) software can be instrumental in promptly flagging and investigating such activities.
Use of Unapproved Devices and Applications
Introducing unapproved devices, such as USB drives, or using unauthorized applications within the network exposes the organization to vulnerabilities. These actions bypass established security protocols, potentially enabling data exfiltration or malware infections. Enforcing strict endpoint protection and device management policies can mitigate this risk.
Frequent Policy Violations
Employees who consistently disregard security protocols, such as sharing passwords, turning off security settings, or neglecting mandatory updates, pose a considerable risk. These violations could stem from negligence, complacency, or deliberate attempts to exploit weaknesses. Regular audits and strict policy enforcement are essential for mitigating these risks.
Frequent Security Warnings
Repeated security incidents, like failed login attempts, triggering security protocols, or accessing restricted areas, could signal a compromised account or malicious insider testing boundaries. These incidents should be investigated immediately to determine intent and potential harm.
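The indicators above (off-hours access, access outside a role, a spike in downloaded data, repeated failed logins) are exactly the kind of rules a monitoring team encodes over access logs. The following Python example is added here for illustration and is not from the article or any named vendor tool; the log events, role-to-resource mapping, baselines and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log events: (user, role, timestamp, action, resource, bytes, success).
EVENTS = [
    ("amina", "marketing", "2024-05-06T10:12:00", "read", "marketing/campaign_plan", 20_000, True),
    ("amina", "marketing", "2024-05-06T23:40:00", "read", "finance/ledger", 5_000, True),
    ("brian", "finance", "2024-05-06T09:05:00", "read", "finance/ledger", 10_000, True),
    ("brian", "finance", "2024-05-06T09:30:00", "download", "finance/ledger", 900_000_000, True),
    ("cara", "engineering", "2024-05-06T08:00:00", "login", "vpn", 0, True),
    ("cara", "engineering", "2024-05-06T08:10:00", "read", "engineering/blueprints", 40_000, True),
] + [("dan", "engineering", f"2024-05-06T08:0{i}:00", "login", "vpn", 0, False) for i in range(6)]

# Assumed mapping of each role to the resource prefixes it legitimately works with.
ROLE_SCOPES = {"marketing": ("marketing/",), "finance": ("finance/",), "engineering": ("engineering/",)}
WORK_HOURS = range(7, 20)            # 07:00-19:59 is treated as normal working time (assumption)
BASELINE_DAILY_BYTES = {"amina": 50_000, "brian": 2_000_000, "cara": 100_000, "dan": 100_000}
VOLUME_MULTIPLIER = 10               # a spike is more than 10x the user's usual daily volume
FAILED_LOGIN_THRESHOLD = 5

def analyse(events):
    """Return (user, indicator, detail) alerts for the insider-threat indicators in the article."""
    alerts, downloaded, failed_logins = [], defaultdict(int), Counter()
    for user, role, ts, action, resource, nbytes, ok in events:
        if action == "login":              # logins are only checked for repeated failures
            if not ok:
                failed_logins[user] += 1
            continue
        if datetime.fromisoformat(ts).hour not in WORK_HOURS:
            alerts.append((user, "off_hours_access", resource))
        if not resource.startswith(ROLE_SCOPES[role]):
            alerts.append((user, "out_of_role_access", resource))
        if action == "download":
            downloaded[user] += nbytes
    for user, total in downloaded.items():
        if total > VOLUME_MULTIPLIER * BASELINE_DAILY_BYTES[user]:
            alerts.append((user, "data_volume_spike", f"{total} bytes vs baseline {BASELINE_DAILY_BYTES[user]}"))
    for user, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append((user, "repeated_failed_logins", f"{n} failures"))
    return alerts

def triage(events):
    """Group indicators by user, riskiest (most indicators) first, for an analyst to review."""
    by_user = defaultdict(list)
    for user, indicator, _detail in analyse(events):
        by_user[user].append(indicator)
    return dict(sorted(by_user.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for user, indicators in triage(EVENTS).items():
        print(f"{user}: {', '.join(indicators)}")
```

Each alert is a prompt for investigation, not proof of intent: the marketing user reading the finance ledger at night may have a legitimate reason, which is why the output is grouped per user for human review rather than acted on automatically.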
Strategies for a Resilient Cybersecurity Framework
Addressing insider threats requires a multi-faceted approach, combining training, advanced technological solutions, and proactive monitoring to safeguard sensitive information. One effective strategy is to educate employees on cybersecurity risks and equip them with best practices to minimize negligent behaviour. Regular training sessions, complemented by simulated cyberattacks, provide practical experience and help employees understand how to counter threats effectively. A test-based approach further strengthens cybersecurity knowledge, allowing organizations to identify and address vulnerabilities. Establishing a system of escalating penalties for repeated failure to follow protocols can be effective for complacent insiders. However, care must be taken to ensure penalties do not alienate employees or inadvertently turn them into malicious insiders.
Adopting a Zero Trust Approach (ZTA) is highly recommended for more sophisticated threats from malicious insiders. ZTA operates on the principle that no user or system should be trusted by default, requiring constant authentication, authorization, and validation for data access. This methodology creates micro-perimeters around sensitive data, restricting access to only those who need it. Even those with access must continuously verify their identity, leaving a detailed activity trail via security information and event management (SIEM) tools. This makes it significantly harder for malicious insiders, particularly those in high-level positions, to operate undetected. Enhanced by machine learning models, ZTA also tracks typical user behaviour, enabling faster detection of anomalies and prompt responses to threats.
Another essential tool in the fight against insider threats is User Behavior Analytics (UBA). Using artificial intelligence and machine learning, UBA examines extensive datasets to identify patterns that could indicate security violations, data theft, or other harmful actions. By transforming raw data from sources such as network probes, security devices, and threat intelligence databases into actionable insights, UBA helps organizations assess risks and address them before they escalate. UBA tools often come with user-friendly dashboards for visualizing trends, generating reports, and issuing real-time alerts, enhancing their effectiveness in monitoring and mitigating threats.
Integrating these solutions into existing cybersecurity frameworks is critical. Many tools, such as intrusion detection systems, identity security solutions, SIEM systems, and network monitoring software, now include UBA functionality. Additionally, stand-alone UBA solutions offer specialized features such as reporting for audits and interoperability with external ticketing and help-desk systems.
While it is impossible to eliminate insider threats, combining training, ZTA, and UBA offers a robust defence. These strategies ensure compliance with regulatory standards and provide organizations with the tools to address evolving security challenges effectively.
Benjamin Franklin’s timeless wisdom ultimately rings true: “Distrust and caution are the parents of security.” Regarding insider threats, you need to have cyber security on your mind the second a potential employee walks in your door for an interview.
Find out how careful they are when browsing the web, and look for any signs that they might harbour malicious intentions. Vigilance and proactive measures are essential. By nurturing a culture of awareness and prioritizing security at every level, you can significantly reduce risks and protect your organization from potential harm.
Angela Mutiso is the editorial consultant of the Accountant Journal. Email: cananews@gmail.com
Ochara Clive is a business writer and entrepreneur.