September Is National Insider Threat Awareness Month

September is National Insider Threat Awareness Month. If you pay a visit to the Office of the Director of National Intelligence website, you’ll see this message:

The Acting Director of the National Counterintelligence and Security Center has issued his letter of endorsement for the fourth annual National Insider Threat Awareness Month in September 2022.  Please join us during September to emphasize the importance of safeguarding our nation by detecting, deterring, and mitigating insider threats.  If you would like to increase awareness in your workforce, visit the National Insider Threat Awareness Month website to learn more about the serious risks posed by insider threats and how to recognize and report anomalous/threatening activities to enable early intervention. The web page of the National Insider Threat Task Force also has resources available.

Keep in mind that an insider threat is someone who will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States (as well as any other country or company). This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.

I have commentary from three industry sources on National Insider Threat Awareness Month.

Don Boxley, CEO and Co-Founder, DH2i

“Over the past couple of years, work from home (WFH) has morphed into work from anywhere (WFA). While few would argue the horrors of the pandemic, WFA could be viewed as one small positive. Organizations and their employees have learned that we can work from virtually anywhere given the right circumstances. And by circumstances, I mean, support from leadership and the right technology.

Unfortunately, the WFA paradigm has also led to an exponential increase in cybersecurity attacks – not just from external cyber criminals but from malicious internal bad actors as well. And what makes the internal threat even more dangerous is that many of these bad actors are armed with knowledge of confidential internal security procedures, which adds to their ability to cause serious harm to your organization.

We saw quite a bit of this at the start of the pandemic when people were first sent home virtually overnight to work. Many organizations were forced to depend upon their virtual private networks (VPNs) for network access and security and then learned the hard way that VPNs were not up to the task. It became clear that VPNs simply were not designed or intended for the way we work today. Both external and internal bad actors could, were and are still exploiting inherent vulnerabilities in VPNs. Instead, forward-looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT, without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access, while slamming the door on potential cybercriminals.”

Surya Varanasi, CTO, StorCentric

“This September 2022 marks the fourth annual National Insider Threat Awareness month. It aims to shine a spotlight on the critical importance of defending against, detecting and mitigating damages from insider threats. Indeed, ransomware and other types of malicious malware attacks are not only perpetrated by external cybercriminals, but internal bad actors as well. And, the expense is not only measured in ransomware payments, but also the almost incalculable cost of operations downtime, lost revenue, legal fees, regulations compliance penalties, a rise in insurance premiums, and/or a loss of customer trust.

The need to back up data has become ubiquitous. But now, as ransomware and other malware attacks continue to increase in severity and sophistication, we understand the need to protect backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted.

What is required is an Unbreakable Backup solution that is able to create an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. Additionally, the Unbreakable Backup solution should include policy-driven data integrity checks that can scrub the data for faults, and auto-heals without any user intervention. Ideally, it should also deliver high availability with dual controllers and RAID-based protection that can provide data access in the event of component failure. In deployment of such a solution, recovery of data will also be faster because RAID-protected disk arrays are able to read faster than they can write. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about their ability to recover — and redirect their time and attention to activities that more directly impact the organization’s bottom-line objectives.”

Brian Dunagan, Vice President of Engineering, Retrospect, a StorCentric Company

“During National Insider Threat Awareness month we are reminded of the multitude of reasons a sound data backup strategy and proven solutions are critical. Given today’s economic and geopolitical climate, it is a given that at some point virtually all organizations will suffer a successful cyber-attack, be it from internal or external forces. Given this inevitability, it makes sense that the end customers I speak with, whether they are from private, public, or government organizations, are putting an increasing focus on their ability to detect and recover as quickly, cost-effectively and painlessly as possible.

A backup solution that includes anomaly detection to identify changes in an environment that warrants the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.

Certainly, the next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack. This is best accomplished with an immutable backup copy of data (a.k.a., object locking) which makes certain that the data backup cannot be altered or changed in any way.”

Bob Erdman, Director of Development, Threat Intelligence For HelpSystems 

Insider threats are not only malicious, but many times they are accidental. 

A purposeful user may be upset and want to cause damage to the organization, or they may be motivated by monetary gains (bribes) and disclose information to third parties. They may even be placed there by outside actors looking to gain knowledge of practices, procedures and intellectual property. More and more there are instances of nation states engaging in this industrial espionage.

On the other hand, accidental compromise is also very common. Users fall victim to malicious phishing or BEC scams and expose their credentials or other damaging information about the organization that is then used by malicious actors to gather intelligence and potentially cause damage to the user’s company. This is not only a problem for the employees of the organization but also can be caused by any third party partner, contractor or member of the supply chain that can be used as an initial entry point into the final target’s enterprise.

John Grancarich, EVP, Strategy For HelpSystems 

One click – that’s all it takes for an unsuspecting user to be lured down the path of credential theft. And once the first set of credentials has been compromised, the front door of your organization is wide open, and it won’t stop there. So, take the time to invest in awareness and in training. It turns out that our parents’ advice to us as we were growing up is relevant to security as well: an ounce of prevention is worth a pound of cure.

Tom Huntington, EVP of Technical Solutions For HelpSystems 

When is the greatest threat to an organization’s intellectual property?  It is when that insider decides to move on to their next career advancement and they decide to take along a little intelligence that they deem not harmful but certainly puts the incumbent company’s property at risk to be shared to a competitor or outside threat.  End point security should be able to monitor this activity and provide comprehensive reporting of all the ins and outs of the data.  Did they print, use a USB or email something to their external provider?  What really happened during their exit from the company?  Proper data loss prevention technology should provide the tracking of your data and the prevention of this activity.

Donnie MacColl, Senior Director of Technical Support For HelpSystems 

“It is far better to prevent than to detect and remediate. There are now many factors that may persuade insiders to act as a threat. Financial motives are always attractive, and now with a poor global financial situation and the rising cost of living, simple acts like handing over a password for monetary gain are becoming more attractive to many people who would have never usually considered it. Anybody who has or had privileged access needs to be thought of as a part of the data lifecycle from their first day to their last. Companies are great at giving new employees access (usually too much access) to items they need to perform their role. However, if they move roles, they tend to cumulatively inherit more rights and access rather than close off previous access and start again. Imagine giving a tradesperson a key to your house, but never asking for it back when the job is done! That is what happens when an employee leaves and their access is not fully and immediately removed. This calls for a need for technology such as automated onboarding and offboarding, so no one slips through the cracks.”
