Insider Threats and Software Development: What You Should Know

Insider threats are a multi-million-dollar problem for many organizations, impacting organizations of all sizes and sectors. Although the methods of attack can vary, the primary types of incidents—theft of intellectual property (IP), sabotage, fraud, espionage, unintentional incidents, and misuse—continue to be the archetypes of insider threat events.

The Effect of Insider Threat Actors

According to Carnegie Mellon University, “Insider Threat [is] the potential for an individual who has or had authorized access to an organization's critical assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

The adverse effects on an organization may include the degradation of confidentiality, integrity, or availability of corporate systems, the disruption of business operations, reputational damage, or harm to employees and customers.

To understand the scale of the insider threat, it is essential to consider the following statistics offered by Carnegie Mellon University:

• Insiders commit one in three cybercrimes.
• One in three insider incidents is committed with malicious intent.
• Trusted external entities perpetrate one in four insider incidents.

In addition, the Ponemon 2022 Cost of Insider Threat report indicates that insider incidents have increased by 47% since 2018. As organizations increasingly rely on expanding their business through technology, insiders get more opportunities for threats.

Insider Threats in Software Development Lifecycle

No matter the level of automation introduced in the Software Development Lifecycle (SDLC), people are still the most essential element in producing high-quality, usable, and secure software products and applications. As organizations increasingly become software entities to improve business processes and offer omnichannel experiences to their customers, the impact of a potential insider incident is growing. 

The process of software development involves designing, documenting, programming, and testing, which requires technical and management expertise. Neglecting the risks involved with insiders in the software development life cycle (SDLC) can lead to unforeseen challenges for your business. Since software development is a complex process, taking a proactive approach to managing insider risks in software engineering is essential. This can help prevent potential issues and minimize the negative impact of any unexpected events.

Insider risk management begins with understanding what intentional or negligent threats may occur in each SDLC phase.

Requirements Definition

Failure to establish explicit authentication and role-based access control requirements can make insider attacks easier. Similarly, neglecting to define security requirements or separation of duties for automated business processes can make it easier for insiders to commit attacks. Additionally, not defining requirements for automated data integrity checks can give insiders the confidence that their actions will go unnoticed by the organization.

Design

Insiders can easily engage in malicious activity when security details in automated workflow processes are not given enough attention. This is especially true when there is not enough separation of duties or when it is not designed carefully. Additionally, failing to consider security vulnerabilities posed by “authorized system overrides” provides an easy way for insiders to bypass the rules.

Implementation

Backdoors can be inserted into the source code without proper code reviews, posing a security risk. Additionally, the inability to identify individual actions may lead to team sabotage among those involved in the development process.

Deployment

When documentation practices and backup procedures are not enforced, recovering lost source code for a production system becomes difficult if an insider deletes the only copy. Insiders can gain access to sensitive data from the operating system when they use the same credentials for development and the operating system. Giving malicious insiders unrestricted access to all customers’ systems may allow them to plant a virus directly on customer networks. Additionally, a lack of configuration control and well-defined business processes can facilitate the publishing of libelous material on the organization’s website.

Maintenance

Not reviewing code can make it easy for malicious code to be added. Poor configuration control can also lead to unauthorized code being released. Without effective backup processes, the loss of data can be devastating. Giving end-users access to source code can lead to the compromise or manipulation of security measures. Lastly, ignoring known system vulnerabilities can make it easy for hackers to exploit them.

Mitigating Insider Risks in SDLC

Insider risk management requires a multi-pronged approach using capabilities and resources across departments. An organization must deliberately implement and operationalize its strategy and consider organizational values and culture as guideposts to its success. 

Insider risk management should be an interactive process where strategy and implementation teams collect continuous feedback from stakeholders about the performance of the effort and how the progress aligns with the goal of reducing insider risk to acceptable levels, as described in the organization’s risk appetite statements.

Insider risk management is a balancing act. It balances risk across people, management, and organizational dimensions. However, even the most intentional and careful risk management programs generally allow some risk tolerance. The bottom line is that not all insiders can be stopped. Organizations must position themselves to sustain critical operations during and recover after an insider threat event.

Organizations must implement a strategy with the right combination of policies, procedures, and technical controls to help businesses “detect, investigate, and respond to insider threats to their data.” Management should align the insider risk management strategy requirements with the organization's business policies and processes, culture, and technological environment. Insider threats cannot be 100% prevented; however, organizations can achieve an acceptable level of risk and maintain operational resilience if a threat is realized.