Strategies for managing insider threats within organizations
By Jonathan D. Steele | January 5, 2025
What should you know about strategies for managing insider threats within organizations?
Quick Answer: The SolarWinds cybersecurity attack illustrates the hidden menace of the digital world, much like an undetected gas leak in a bustling city. This incident underscores the crucial need for organizations to adopt robust security measures akin to installing smoke detectors and conducting regular safety drills, emphasizing the importance of employee training, clear security policies, and the implementation of the least privilege principle.
— Jonathan D. Steele, Esq. (Security+, ISC2 CC, CEH)
Analyzing the SolarWinds Cybersecurity Incident
The SolarWinds hack, which was uncovered in December 2020, is a prime illustration of the level and sophistication of cybersecurity threats that modern organizations face. The incident involved an attack on the Orion software platform, developed by the IT management company SolarWinds. This platform is used by numerous government agencies, Fortune 500 companies, and other large organizations globally.
The Incident
The attackers infiltrated the Orion software's update system, embedding malicious code into legitimate software updates. With these updates, the attackers gained unauthorized access to the networks of organizations using the compromised software, leading to massive data breaches.
What made this incident particularly dangerous was the trust relationship between SolarWinds and its customers. Security teams, administrators, and automated tools all treated Orion updates as safe and necessary. By compromising the software supply chain, the attackers effectively “rode in” on that trust and bypassed many traditional security controls.
Link to Insider Threats
While the SolarWinds incident was perpetrated by external actors, it brings to light a critical aspect of cybersecurity that is often overlooked: the role of internal actors, or “insiders”, in facilitating data breaches. In this case, the breach was made possible because the malicious code arrived inside a legitimate update, through a process that internal actors would typically trust without question.
Insider threats are often framed as rogue employees stealing data, but they are broader than that. Insiders include:
- Employees and contractors with legitimate access
- System administrators and developers
- Third-party service providers and vendors
In the SolarWinds case, those who designed, approved, and deployed updates were not malicious, but their actions – underpinned by trust and a lack of rigorous validation – still contributed to the scale of the compromise. This illustrates a key reality: insider threats can be malicious, negligent, or simply the result of blind trust in internal processes.
Managing Insider Threats
- Comprehensive Security Policies
Organizations should have clear and comprehensive security policies that cover every relevant area, including the handling of software updates. In the SolarWinds case, those who installed the compromised updates were not necessarily malicious insiders, but they unknowingly played a key role in the breach because no strict policy governed how updates were validated before deployment.
Effective policies should include:
- Formal change and update management processes
- Mandatory code integrity and digital signature checks
- Segregated environments for testing and validation before production deployment
- Approval workflows that require more than one person for high‑risk changes
Policies must be written in clear language, mapped to specific roles, and regularly reviewed as technologies and threats evolve. A policy that lives only in a binder or on an intranet page, and is never enforced, is effectively no policy at all.
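One way to turn the update-handling policy above into an enforceable check is a deployment gate that refuses an update unless its manifest is authentic, the artifact matches the digest in that manifest, and a high-risk change carries two distinct authorised approvals. The code below is an added illustration, not SolarWinds' or any vendor's real release tooling; it assumes a release team publishes a per-version manifest and, as a stand-in for a vendor's digital signature, authenticates that manifest with an HMAC key the deployment host only holds for verification. The artifact bytes, key and approver names are constructed.

```python
"""Deployment gate enforcing update integrity, manifest authenticity and
two-person approval (added example; hypothetical data, standard library only)."""
import hashlib
import hmac
import json

# Constructed sample data: stand-ins for a release key, the change advisory board
# membership, and the bytes of an update package.
RELEASE_KEY = b"constructed-release-signing-key"
APPROVED_APPROVERS = {"alice", "bob", "carol"}
ARTIFACT = b"update package bytes v1.2.3"


def sha256_hex(data: bytes) -> str:
    """Digest of the artifact that the manifest is expected to pin."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest. Canonical JSON so verifier and signer hash identical bytes.
    HMAC stands in for an asymmetric signature so the example runs without extra libraries."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(artifact: bytes, version: str, risk: str) -> dict:
    """What the release team would publish alongside the artifact."""
    return {"version": version, "risk": risk, "sha256": sha256_hex(artifact)}


def gate_update(artifact: bytes, manifest: dict, manifest_sig: str,
                approvers: list, key: bytes = RELEASE_KEY) -> tuple:
    """Return (allowed, reason). Checks run in trust order: nothing in the manifest
    is relied on until the manifest itself has been authenticated."""
    # 1. Manifest authenticity (constant-time compare avoids timing leaks).
    if not hmac.compare_digest(sign_manifest(manifest, key), manifest_sig):
        return False, "manifest signature invalid"
    # 2. Artifact integrity: the bytes about to be deployed must match the pinned digest.
    if not hmac.compare_digest(sha256_hex(artifact), manifest["sha256"]):
        return False, "artifact digest mismatch"
    # 3. Segregation of duties: a high-risk change needs two distinct, authorised approvers.
    if manifest.get("risk") == "high":
        distinct = set(approvers) & APPROVED_APPROVERS
        if len(distinct) < 2:
            return False, "high-risk change needs two distinct authorised approvers"
    return True, "ok"


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACT, "1.2.3", "high")
    sig = sign_manifest(manifest, RELEASE_KEY)
    print(gate_update(ARTIFACT, manifest, sig, ["alice", "bob"]))           # accepted
    print(gate_update(ARTIFACT + b"x", manifest, sig, ["alice", "bob"]))    # tampered artifact
    print(gate_update(ARTIFACT, manifest, sig, ["alice", "alice"]))         # one approver twice
    print(gate_update(ARTIFACT, dict(manifest, risk="low"), sig, ["alice"]))  # edited manifest
```

The ordering matters: verifying the manifest first means an attacker who can edit the manifest (for example, to downgrade the risk rating and dodge the two-person rule) also invalidates its signature, and an approver listed twice still counts as one person.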
- Regular Training
Insider threats are not always due to malicious intent; often, they are the result of ignorance or negligence. Regular training sessions can ensure that employees are aware of the latest threats and know how to respond to them.
Training should be:
- Role-specific: Developers, HR staff, finance teams, and IT admins face different risks and need tailored guidance.
- Scenario-based: Walk employees through realistic examples, such as suspicious update notifications, requests for elevated access, or unusual data export patterns.
- Continuous: Short, frequent refreshers and micro-learning modules are more effective than a single annual presentation.
Reinforce the message that security is part of everyone’s job. When people understand why a control exists—not just that it exists—they are more likely to follow it and speak up when something seems off.
- Least Privilege Principle
The principle of least privilege (PoLP) states that a user should be given the minimum levels of access – or permissions – that they need to perform their work functions. This principle can help in minimizing the potential damage caused by insider threats.
Practical ways to implement PoLP include:
- Role-based access control (RBAC): Assign permissions to roles rather than individuals, and ensure that roles are carefully scoped.
- Just-in-time access: Provide temporary elevated privileges only when required, instead of permanent admin rights.
- Regular access reviews: Periodically audit who has access to what, and revoke privileges that are no longer needed.
In a SolarWinds-style scenario, least privilege can significantly limit blast radius. Even if a compromised system is used as an entry point, the attackers’ movements and data exfiltration capabilities are constrained by strict access boundaries.
- Monitoring, Detection, and Insider Threat Programs
Technology and process controls should be complemented by continuous monitoring. User and Entity Behavior Analytics (UEBA) tools can baseline normal activity and flag anomalies, such as:
- Unusual login times or locations
- Large, unexpected data transfers
- Access to systems or files unrelated to a user’s role
An insider threat program can bring together HR, legal, IT, and security to define how such alerts are investigated and handled. This multidisciplinary approach helps distinguish between benign anomalies, negligent behavior, and potential malicious activity while respecting privacy and legal requirements.
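The three anomaly types listed above can be checked with a small per-user baseline. The script below is an added example, not a UEBA product's logic: it learns each user's observed login hours, countries and largest transfer from a few days of constructed access-log lines, then tags new events that fall outside that baseline or touch resources outside the user's role. The log format, role-to-resource mapping and the 5x transfer threshold are assumptions chosen for the illustration.

```python
"""Behavioural baselining over access logs (added example with constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: ISO time, user, role, country, resource, bytes transferred out.
HISTORY = """
2025-01-06T09:12:00 dana finance US fin/ledger 120000
2025-01-07T10:05:00 dana finance US fin/reports 80000
2025-01-08T14:40:00 dana finance US fin/ledger 95000
2025-01-06T08:30:00 eli devops US infra/update-server 400000
2025-01-07T17:55:00 eli devops US infra/build 350000
""".strip().splitlines()

TODAY = """
2025-01-09T10:10:00 dana finance US fin/ledger 110000
2025-01-09T03:20:00 dana finance RO fin/ledger 9000000
2025-01-09T11:00:00 eli devops US hr/salaries 20000
""".strip().splitlines()

# Constructed mapping of which resource prefixes each role legitimately works with.
ROLE_SCOPE = {"finance": ("fin/",), "devops": ("infra/",)}


def parse(line: str) -> dict:
    ts, user, role, country, resource, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "country": country, "resource": resource, "bytes": int(nbytes)}


def build_baseline(lines) -> dict:
    """Per-user summary of what 'normal' looked like during the learning period."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "max_bytes": 0})
    for ev in map(parse, lines):
        b = base[ev["user"]]
        b["hours"].add(ev["ts"].hour)
        b["countries"].add(ev["country"])
        b["max_bytes"] = max(b["max_bytes"], ev["bytes"])
    return base


def score_event(ev: dict, baseline: dict, transfer_factor: int = 5) -> list:
    """Return the anomaly tags that apply to one event (empty list means unremarkable)."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["no baseline for user"]          # new or dormant account: review, not auto-block
    tags = []
    if ev["country"] not in b["countries"]:
        tags.append("new country")
    lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1   # observed working window, +/- 1h
    if not lo <= ev["ts"].hour <= hi:
        tags.append("unusual hour")
    if ev["bytes"] > transfer_factor * b["max_bytes"]:
        tags.append("large transfer")
    if not ev["resource"].startswith(ROLE_SCOPE.get(ev["role"], ())):
        tags.append("outside role scope")
    return tags


def detect(history_lines, today_lines) -> list:
    """Score each new event against the baseline; returns (user, timestamp, tags) triples."""
    baseline = build_baseline(history_lines)
    return [(ev["user"], ev["ts"].isoformat(), score_event(ev, baseline))
            for ev in map(parse, today_lines)]


if __name__ == "__main__":
    for user, ts, tags in detect(HISTORY, TODAY):
        print(f"{ts} {user}: {tags or 'ok'}")
```

A single tag is usually a ticket for a human, not a verdict: the second `dana` event combines a new country, a 03:20 login and a transfer roughly 75 times her previous maximum, which is the kind of stacked signal an insider threat program would escalate, while `eli` touching an HR share is a scope question for his manager before it is a security incident.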
- Vendor and Supply Chain Risk Management
SolarWinds also underscores that your insiders are not limited to your payroll. Vendors and partners often have deep access to your systems and data. Managing insider threats therefore includes:
- Conducting due diligence on key suppliers’ security practices
- Requiring security controls and reporting obligations in contracts
- Limiting vendor access to specific systems and time windows
- Monitoring vendor activity as closely as internal privileged users
Zero-trust principles—“never trust, always verify”—should extend to third parties as well as internal teams.
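The least-privilege controls from the earlier section (role-based permissions, just-in-time elevation, periodic access reviews) and the vendor restrictions listed above (access limited to specific systems and time windows) can be modelled in one small authorisation layer. The code below is an added example, not any identity product's API: roles, permissions, principals and timestamps are all constructed, and the rules it encodes are assumptions of the illustration, namely that elevation must be approved by someone other than the requester and expires on its own, that vendor principals are refused outside their contracted window regardless of role, and that a review lists standing permissions unused for 90 days as candidates for revocation.

```python
"""Least-privilege access model: RBAC, time-boxed JIT elevation, vendor windows and
access review (added example with constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role catalogue: permissions attach to roles, never directly to people.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "sysadmin": {"server:ssh", "server:patch"},
    "vendor-monitoring": {"metrics:read"},
}


@dataclass
class Principal:
    name: str
    roles: set
    is_vendor: bool = False
    window: tuple = None                                 # (start, end) for vendors, None for staff
    elevations: dict = field(default_factory=dict)       # role -> expiry (just-in-time access)
    last_used: dict = field(default_factory=dict)        # permission -> last time it was exercised


def effective_roles(p: Principal, now: datetime) -> set:
    """Standing roles plus any elevation that has not yet expired."""
    roles = set(p.roles)
    roles.update(r for r, exp in p.elevations.items() if now < exp)
    return roles


def authorize(p: Principal, perm: str, now: datetime) -> bool:
    """Decide one request; records use so that reviews can find dormant privileges."""
    if p.is_vendor:
        start, end = p.window
        if not start <= now <= end:
            return False                                 # outside the contracted window
    for r in effective_roles(p, now):
        if perm in ROLE_PERMISSIONS.get(r, set()):
            p.last_used[perm] = now
            return True
    return False


def grant_jit(p: Principal, role: str, now: datetime, minutes: int = 60,
              approved_by: str = None) -> None:
    """Temporary elevation instead of standing admin rights; needs a second person."""
    if not approved_by or approved_by == p.name:
        raise PermissionError("JIT elevation needs an approver other than the requester")
    p.elevations[role] = now + timedelta(minutes=minutes)


def access_review(p: Principal, now: datetime, stale_days: int = 90) -> set:
    """Standing permissions not exercised within stale_days: candidates to revoke."""
    standing = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in p.roles))
    cutoff = now - timedelta(days=stale_days)
    return {perm for perm in standing if p.last_used.get(perm, datetime.min) < cutoff}


def demo() -> dict:
    """Walk through the scenarios; returns each decision so they can be checked."""
    now = datetime(2025, 1, 9, 10, 0)
    dev = Principal("dana", {"developer"})
    out = {"dev_write": authorize(dev, "repo:write", now),            # True: in role
           "dev_ssh_before": authorize(dev, "server:ssh", now)}       # False: not in role
    grant_jit(dev, "sysadmin", now, minutes=30, approved_by="bob")
    out["dev_ssh_jit"] = authorize(dev, "server:ssh", now + timedelta(minutes=10))      # True
    out["dev_ssh_expired"] = authorize(dev, "server:ssh", now + timedelta(minutes=31))  # False
    vendor = Principal("acme-noc", {"vendor-monitoring"}, is_vendor=True,
                       window=(datetime(2025, 1, 9, 9, 0), datetime(2025, 1, 9, 17, 0)))
    out["vendor_in_window"] = authorize(vendor, "metrics:read", now)                       # True
    out["vendor_after_hours"] = authorize(vendor, "metrics:read", datetime(2025, 1, 9, 23, 0))  # False
    out["vendor_out_of_scope"] = authorize(vendor, "server:ssh", now)                      # False
    # Review 60 days on: repo:write was used today, repo:read and ci:trigger never were.
    out["stale"] = access_review(dev, now + timedelta(days=60))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points carry over to real deployments: the vendor window check runs before any role lookup, so a third party's credentials are useless to anyone outside business hours even if the role itself is broad, and `authorize` records every successful use, which is what makes the later review evidence-based rather than a guess about who still needs what.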
Conclusions
The SolarWinds incident underscores the importance of robust strategies for managing insider threats. Organizations should focus not only on preventing external attacks but also on minimizing the potential risks posed by insiders. This requires a multifaceted approach: regular employee training, comprehensive security policies, better visibility into user behavior, and consistent application of the least privilege principle.
Ultimately, trust must be backed by verification, oversight, and accountability. By designing systems and processes that assume any account, update, or connection could be misused, organizations can dramatically reduce the opportunities for insiders—whether malicious, negligent, or simply over‑trusting—to become the weak link in their cybersecurity defenses.