Mitigating Insider Threats: Five Strategies for Critical Infrastructure Entities this Cybersecurity Awareness Month

A New York Times Magazine expose detailed the complicated and shockingly brazen inner workings of international espionage. However, the spies profiled weren’t targeting government secrets. They were interested in corporate intellectual property, or IP, an equally valuable commodity in today’s highly competitive global economy.

Specifically, the publication reported systemic efforts to entice employees at critical infrastructure entities (including power generation facilities) to supply company data, produce product schematics, or install malware on corporate devices. The incident is emblematic of the significant cybersecurity threats experienced by critical infrastructure entities globally, an important topic during the upcoming Cybersecurity Awareness Month, held each October.


Cybersecurity experts often talk about their most common cause for concern: people. Even as critical infrastructure entities like power utilities invest heavily to harden their cyber readiness capabilities, many are not accounting for the reality that 82% of data breaches involve the human element.

As the National Counterintelligence and Security Center warned critical infrastructure entities in 2021, “While insider threats come in many forms, foreign adversaries often seek to exploit employees in U.S. and allied critical infrastructure entities to advance their interests.”

Isaac Kohen

These insiders (leaders, employees, contractors, and other trusted third parties with access to company data and IT infrastructure) are, intentionally or accidentally, the weak link and fatal flaw in critical infrastructure’s best-laid cyber-readiness plans.

For example, one compromised password for an outdated virtual private network (VPN) account enabled the costly and incredibly consequential Colonial Pipeline ransomware attack. According to the FBI Internet Crime Complaint Center’s annual report, 36% of all ransomware attacks were directed at critical infrastructure, underscoring the connection between people and security capability.

Collectively, insider threats pose a significant cybersecurity risk to power and energy providers as a core critical infrastructure entity. Here are five ways to mitigate that risk now.

Employee Training

While people are increasingly aware of our precarious cybersecurity environment, most employees don’t recognize the important role they play in protecting critical assets.

According to one industry study, 30% of employees don’t think they personally play a role in the company’s cybersecurity posture. Incredibly, just 39% of employees say they are likely to report a security incident, and 42% say they wouldn’t know if they had caused a cybersecurity incident.

Even many intentional cybersecurity violations are predicated on ignorance. As The Harvard Business Review recently explained, “the vast majority of intentional policy breaches stem not from some malicious desire to cause harm, but rather, from the perception that following the rules would impede employees’ ability to get their work done effectively.”

Fortunately, employee training can make an impact, equipping employees with skills and context to actively enhance the company’s cybersecurity capabilities. These trainings might include:

  • Phishing simulations
  • Security quizzes
  • Training materials
  • In-person workshops
  • Security awareness games

At the end of the day, most employees want to keep company and customer data safe, but they need the skills and awareness to do that.

Access Control

When it comes to who can reach data, access should be tightly restricted and fully controlled. Rule-based access control policies allow cybersecurity teams and admins to customize access to sensitive systems, company or customer data, and other digital assets.

Additionally, leveraging zero-trust solutions can elevate these efforts. Unlike traditional access control models, zero trust access control solutions default to deny, only providing access to services the user has been explicitly granted.

Ensuring that data is accessed appropriately will help protect data and prevent accidental or malicious misuse.
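The default-deny model described above is easiest to see in code. The following evaluator is an added example, not code from the article or from Teramind: the roles, resource names and policy rules are constructed, and the multi-factor condition is an assumed attribute on an allow rule. The evaluator refuses every request that no rule explicitly grants, lets an explicit deny override any allow, and enforces the conditions attached to a grant.

```python
"""Default-deny, rule-based access control evaluator.

Constructed example: the policy rules, resource names and users below are
made up to illustrate "deny unless explicitly granted"; they are not taken
from any real product or organization.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    effect: str                 # "allow" or "deny"
    roles: FrozenSet[str]       # roles the rule applies to
    resource: str               # glob pattern, e.g. "scada/config/*"
    actions: FrozenSet[str]     # e.g. {"read", "write"}
    require_mfa: bool = False   # assumed condition attached to an allow rule


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    resource: str
    action: str
    mfa: bool = False           # did the session pass multi-factor auth?


def _matches(rule: Rule, req: Request) -> bool:
    """A rule applies only when role, resource pattern and action all match."""
    return (bool(rule.roles & req.roles)
            and fnmatchcase(req.resource, rule.resource)
            and req.action in rule.actions)


def evaluate(policy: List[Rule], req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Nothing is allowed unless a rule says so."""
    applicable = [r for r in policy if _matches(r, req)]
    # An explicit deny always wins over any allow that also matches.
    if any(r.effect == "deny" for r in applicable):
        return False, "explicit deny"
    allows = [r for r in applicable if r.effect == "allow"]
    if not allows:
        return False, "no matching grant (default deny)"
    # A grant only counts if every condition attached to it holds.
    satisfied = [r for r in allows if not r.require_mfa or req.mfa]
    if not satisfied:
        return False, "mfa required"
    return True, "explicit allow"


# Constructed policy for a fictional utility: operators and engineers may read
# telemetry; only engineers may change configuration, and only with MFA;
# contractors are explicitly barred from configuration regardless of other roles.
POLICY = [
    Rule("allow", frozenset({"operator", "engineer"}), "scada/telemetry/*",
         frozenset({"read"})),
    Rule("allow", frozenset({"engineer"}), "scada/config/*",
         frozenset({"read", "write"}), require_mfa=True),
    Rule("deny", frozenset({"contractor"}), "scada/config/*",
         frozenset({"read", "write"})),
]


if __name__ == "__main__":
    demo = [
        Request("alice", frozenset({"operator"}), "scada/telemetry/unit1", "read"),
        Request("bob", frozenset({"engineer"}), "scada/config/unit1", "write"),
        Request("bob", frozenset({"engineer"}), "scada/config/unit1", "write", mfa=True),
        Request("carol", frozenset({"contractor", "engineer"}), "scada/config/unit1",
                "write", mfa=True),
        Request("alice", frozenset({"operator"}), "hr/payroll", "read"),
    ]
    for req in demo:
        print(req.user, req.action, req.resource, "->", evaluate(POLICY, req))
```

Note that the last request is refused even though no rule mentions `hr/payroll` at all; that silence is the point of default deny, and it is the behaviour to test for when auditing an access-control configuration.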

Monitoring and Detection

User Activity Monitoring (UAM) is an essential tool in the toolbox of insider prevention instruments. This technology observes, analyzes, and records digital activity for insiders operating on a critical infrastructure entity’s network.

Often offering granular controls that tailor monitoring and detection efforts, UAM solutions allow cybersecurity teams to capture live screen and audio recordings, compile OCR and fingerprinting logs, and collect other relevant data to maintain accountability across the organization.

What’s more, UAM solutions can provide real-time notifications for cybersecurity teams, alerting personnel to a potential problem and ensuring that emergencies are met with the urgency they demand.
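To make the real-time alerting concrete, here is an added example (not code from the article or from any UAM product) that runs two simple detection rules over a constructed activity log: sensitive files touched outside business hours, and a burst of copies to removable media within a short window. The log format, the sensitive path prefix, the business-hours range and the burst thresholds are all assumptions chosen for the illustration; a real deployment would tune them to its own environment.

```python
"""Rule-based alerting over user activity records.

Constructed example: the log lines, field layout, sensitive-path prefix and
thresholds below are made up for illustration and do not reflect any real
product's log format or any real organization's data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: "timestamp|user|event|detail|bytes"
SAMPLE_LOG = """\
2024-03-04T09:12:01|alice|file_read|/eng/schematics/turbine-a.pdf|240000
2024-03-04T09:15:44|alice|file_read|/eng/schematics/turbine-b.pdf|255000
2024-03-04T22:41:10|bob|file_read|/eng/schematics/turbine-a.pdf|240000
2024-03-04T22:42:05|bob|file_copy|/eng/schematics/turbine-a.pdf -> removable:E|240000
2024-03-04T22:43:00|bob|file_copy|/eng/schematics/turbine-b.pdf -> removable:E|255000
2024-03-04T22:43:30|bob|file_copy|/eng/schematics/turbine-c.pdf -> removable:E|260000
2024-03-04T22:44:12|bob|file_copy|/eng/schematics/turbine-d.pdf -> removable:E|258000
2024-03-05T10:05:00|carol|login|vpn|0
"""

SENSITIVE_PREFIXES = ("/eng/schematics/",)   # assumed: where the crown jewels live
BUSINESS_HOURS = range(7, 19)                # assumed: 07:00 to 18:59 local time
BURST_WINDOW = timedelta(minutes=10)         # assumed sliding window for rule 2
BURST_THRESHOLD = 3                          # assumed: copies in window that trigger


def parse(log_text: str) -> List[Dict]:
    """Turn the pipe-delimited log into event dicts with a real datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail, size = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail, "bytes": int(size)})
    return events


def detect(events: List[Dict]) -> List[Dict]:
    """Emit alerts as events arrive in time order; each rule fires once per user."""
    alerts = []
    off_hours_alerted = set()                # (user, date) pairs already reported
    recent_copies = defaultdict(list)        # user -> timestamps of removable copies
    burst_alerted = set()

    for e in sorted(events, key=lambda ev: ev["ts"]):
        # Rule 1: sensitive path touched outside business hours.
        if (e["detail"].startswith(SENSITIVE_PREFIXES)
                and e["ts"].hour not in BUSINESS_HOURS):
            key = (e["user"], e["ts"].date())
            if key not in off_hours_alerted:
                off_hours_alerted.add(key)
                alerts.append({"rule": "off_hours_sensitive_access",
                               "user": e["user"], "ts": e["ts"],
                               "evidence": e["detail"]})

        # Rule 2: several copies to removable media inside a sliding window.
        if e["event"] == "file_copy" and "removable:" in e["detail"]:
            window = [t for t in recent_copies[e["user"]]
                      if e["ts"] - t <= BURST_WINDOW]
            window.append(e["ts"])
            recent_copies[e["user"]] = window
            if len(window) >= BURST_THRESHOLD and e["user"] not in burst_alerted:
                burst_alerted.add(e["user"])
                alerts.append({"rule": "removable_media_burst",
                               "user": e["user"], "ts": e["ts"],
                               "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The deduplication sets matter as much as the rules: an analyst paged four times for the same copy burst will start ignoring the channel, so each rule raises one alert per user (or per user and day) and lets the evidence field carry the detail for the investigation.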

Incident Response

When cybersecurity incidents arise, critical infrastructure entities must be able to thoroughly investigate and respond to the breach. Incident response capacity is critical to maintaining internal accountability standards, progressively improving cybersecurity capabilities, and accommodating regulatory or investigative requirements.

For instance, in the aftermath of the Colonial Pipeline ransomware attack, cybersecurity teams were able to identify the vulnerability and improve their defensive posture moving forward. In fact, these learnings extended beyond the company, impacting critical infrastructure entities across sectors.

As one industry publication explains, “Because of the Colonial Pipeline attack, many CISOs became aware of significant blind spots in their security operations centers (SOCs) because they weren’t monitoring their operational technology (OT) networks.”

In a perfect world, critical infrastructure companies will always be one step ahead of the bad guys. However, if those efforts come up short, incident response capabilities will ensure they aren’t left vulnerable in the same way again.

Agile Leadership

Threat actors are highly motivated to remain agile and elusive, always devising new ways to exploit emerging vulnerabilities. Industry leaders need to remain similarly nimble.

This means that leaders can’t just approve increasingly large cybersecurity budgets and assume they are protecting the company and its customers. Instead, they must stay ahead of the latest threats, developing the skills and adopting the strategies necessary to protect critical infrastructure.

Today, that means accounting for insider threats by appropriately protecting their highly valuable data, IT access, and intellectual property from accidental or malicious insiders. Tomorrow, that risk could change, and leaders will need to adapt and change once again.

Isaac Kohen is Chief Product Officer & Founder of Teramind, a leading global provider of insider threat management, data loss prevention and productivity optimization solutions powered by user behavior analytics. Teramind has provided more than 10,000 organizations around the world with actionable, data-backed workforce insights that reduce risk, increase productivity, and streamline business operations.
