Guess Who? Insider Risk Edition
Revisit the classic game of Guess Who? Only instead of your favorites (Bernard! That hat!), guess different characters who represent insider risks: they could be malicious or unintentional, compromised or vulnerable, an innocent bystander fooled by a social engineering attack, or simply an overprivileged user with too much access to things they don't need.
Compromised Contractor: External vendors or consultants who have legitimate access to systems, data, and company resources.
What's the risk? They may have access to things they don't need - increasing the risk - and could be compromised or influenced by a third party to misuse their access.
Diabolical Developer: An unhappy employee who, due to dissatisfaction with the organization or personal grievances, might exploit access to the company's codebase or internal systems.
What's the risk? They might introduce vulnerabilities, steal data, or cause other forms of harm.
Evasive Engineer: Someone who doesn't like to follow policy and security rules, leaving their access and systems more vulnerable.
What's the risk? Preventable and unintended, but unfortunate: now their credentials and systems are more likely to be compromised by external sources.
Exit-bound Exec: Someone on the brink of resigning, exiting, or retiring, but who still has legitimate access to systems and data.
What's the risk? They might take proprietary information with them as a safety net for the future, or in preparation for a new role with potential competitors.
Inattentive Intern: New and inexperienced, they might inadvertently make mistakes that could lead to trouble.
What's the risk? They could fall for phishing emails, use weak passwords, or share sensitive information without realizing the consequences.
Opportunistic Outsider: While not technically an "insider", this is someone who finds an unprotected entry point into the company's systems and data - possibly due to the negligence or oversight of an actual insider.
What's the risk? Sky's the limit!
Perilous PR Manager: Somebody who falls victim to a social engineering or phishing attack.
What's the risk? They may have fallen victim to a phishing or social engineering scheme, unwittingly leaking credentials and confidential information to bad actors.
PWNED Product Manager: An employee who has access to non-public data and sensitive information.
What's the risk? They might inadvertently share or leak non-public and/or sensitive information publicly.
Risk-taking Researcher: Somebody who might leverage data they weren't supposed to have access to in the first place (but with the best intentions).
What's the risk? They might accidentally release sensitive data to be publicly accessible, which can then be leveraged for broader attacks.