How penetration testing can prevent insider threats

Over the past few years, cyber security has become a big concern for many organisations. With continual stories of data breaches leading to reputational damage, loss of customers and disciplinary action, organisations are more aware than ever of the consequences of not staying secure – but they’re not always aware of what they should be doing.

One of the biggest threats that organisations face is insider threats. These include the accidental loss of data and malicious actors who steal information or compromise systems. In many of these cases, the loss of data could have been mitigated – or prevented altogether – with effective penetration testing. However, too few organisations are aware of the benefits of regular penetration testing and are leaving themselves open to breaches.

Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

The first blog in the series looks at web application attacks, highlighting recent security incidents and explaining how pen testing could have helped the affected organisations.

Examples

  • Anthony Levandowski, a former engineer at Google’s parent company, Alphabet, is currently being sued for allegedly stealing 14,000 internal files. Levandowski, who was instrumental in developing the company’s self-driving car technology, resigned in January 2016 to form his own company, Otto, which was bought by Uber seven months later. Alphabet also accused Levandowski of receiving $250 million in shares from Uber the day after he left the company.
  • In August, Bupa admitted that one of its employees stole information relating to 108,000 customers. Bupa revealed that the data included names, dates of birth, nationalities and some contact and administrative information. It’s not yet known why the employee took the data, but common motives are financial gain (by selling the data to other criminals) and revenge (to disrupt business and cause reputational damage).
  • In April, Allegro MicroSystems filed a lawsuit against a former systems administrator who allegedly installed malware on the company’s network. The employee resigned from the company in January 2016, but is accused of returning to Allegro’s premises three weeks later to install a malware time bomb that would eventually cause Allegro a reported $100,000 in damages.
  • In November 2016, a Boeing employee emailed a spreadsheet containing sensitive information about 36,000 colleagues to their spouse. The document was sent to the spouse – who doesn’t work at Boeing – to help with a “formatting issue”, and contained employees’ full names, places of birth, employee IDs and, in hidden columns, Social Security numbers and dates of birth.

How can penetration testing help?

As these examples show, the motives and methods of insider threats are varied, which can make them hard to anticipate. After all, anyone and everyone in your company is a potential security vulnerability, and you can’t keep an eye on everyone. But organisations need to do something, because according to McAfee’s Grand Theft Data report, internal actors are responsible for more than 40% of serious data breaches.

To mitigate insider threats, you need to distinguish two broad categories and plan for each accordingly.

The first threat is insider error. This is the result of employees or contractors being unaware of their security obligations. The Boeing incident is a typical example of this. The employee in question was unaware that they weren’t supposed to email information to someone outside the company, and they weren’t aware that the spreadsheet contained sensitive information.

The second threat is insider wrongdoing. This is potentially harder to mitigate, as it is caused by employees with legitimate access to the information or former employees whose access hasn’t been revoked.

Regular penetration testing can address both of these problems. The tests check for misconfigurations in both networks and web applications, such as faults in error handling and configuration management, that would allow employees to access information and inadvertently leak it online.

The tests can also identify areas of information or other assets that are exposed to an unauthorised user who has network-level access to the organisation’s corporate IT environment.

IT Governance’s penetration testers will also provide recommendations for improving your security posture. Depending on the vulnerability, they might advise adjusting your organisation’s processes to keep untrusted data separate from commands and queries, developing strong authentication and session management controls, or separating untrusted data from active browser content.
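The two recommendations above, keeping untrusted data separate from commands and queries and separating untrusted data from active browser content, are easiest to see side by side. The following is an added example written for this post, not code from IT Governance or from any of the organisations mentioned: a constructed internal staff-directory lookup, first built by pasting user input into the query text and then with the query fixed and the input bound as a parameter, followed by output encoding before the result is rendered as HTML. All names, table columns and e-mail addresses are made up.

```python
import html
import sqlite3

# Constructed sample data for a hypothetical internal staff directory.
STAFF = [
    (1, "alice", "Engineering", "alice@example.invalid"),
    (2, "bob", "Finance", "bob@example.invalid"),
    (3, "carol", "HR", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed staff rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (id INTEGER, username TEXT, dept TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", STAFF)
    return conn


def lookup_unsafe(conn, username):
    """Untrusted input is spliced into the command text.

    The database engine cannot tell where the data ends and the query
    begins, so a value containing quote characters changes the query's
    meaning instead of being compared as a literal.
    """
    query = f"SELECT username, dept, email FROM staff WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """The command is fixed; the input is bound as a parameter.

    Whatever the value contains, it is only ever compared as data, which
    is what 'keeping untrusted data separate from commands and queries'
    means in practice.
    """
    query = "SELECT username, dept, email FROM staff WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_row(row):
    """Encode each cell before it becomes part of an HTML document.

    html.escape turns <, >, & and quotes into entities, so a value that
    happens to look like markup is displayed as text rather than being
    interpreted by the browser as active content.
    """
    cells = "".join(f"<td>{html.escape(str(value))}</td>" for value in row)
    return f"<tr>{cells}</tr>"


def demo():
    """Run both lookups on the same input and render one encoded row."""
    conn = make_db()
    # A search string containing quote characters, constructed for the demo.
    search = "alice' OR '1'='1"
    return {
        # The spliced query matches every row because the input rewrote it.
        "unsafe_rows": len(lookup_unsafe(conn, search)),
        # The bound query matches nothing: no user has that literal name.
        "safe_rows": len(lookup_safe(conn, search)),
        # Markup in a cell comes out as inert, encoded text.
        "escaped": render_row(("<script>alert(1)</script>", "HR", "x@example.invalid")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a penetration test report is that the fix is structural rather than a filter on particular characters: `lookup_safe` never lets the input reach the query parser, and `render_row` never lets a stored value reach the HTML parser unencoded, so both hold regardless of what an employee types or pastes into the directory.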

We offer fixed-price and bespoke CREST-accredited penetration tests, and all our tests are followed by reports that rank and rate vulnerabilities in your systems.

If you want to learn more about penetration testing and how we conduct our tests, you should watch our webinar “Cyber security: protecting your business with cost-effective penetration testing”. You’ll find out:

  • How penetration testing can help prevent the most common types of attack;
  • The differences between a penetration test and a vulnerability assessment;
  • Why penetration tests are vital to uncovering vulnerabilities before criminals do; and
  • How to conduct a penetration testing programme.

This webinar will take place on 9 November 2017, from 3:00 pm. If you can’t make it, the presentation will be available to download from our website.