Insider threat: definition, examples, telltale signs, and prevention best practices [2023]
Ever seen a horror movie where the protagonist, who’s home alone, starts receiving menacing calls from a stranger? After checking that all doors and windows are locked, they call the police – only to find out that the calls have been coming from inside the house... A nightmarish scenario, and one that can become a reality for CIOs who ignore the notoriously hard-to-detect security risks that originate from within their own organizations.
In this article, we’ll explore who risky insiders are and how they can turn into cyber liabilities, as well as how to detect insider threats and safeguard company data against associated data breaches.
What is an insider threat – and who is an insider attacker?
According to the Cybersecurity and Infrastructure Security Agency (CISA), an insider threat is “the potential for an insider to use their authorized access or understanding of an organization to harm that organization.” The harm may come from malicious, complacent or unintentional acts, but in every case it damages the confidentiality, integrity or availability of the organization’s data, systems, personnel or facilities.
Who counts as an insider? Anyone who has or used to have authorized access to or knowledge of a business’s resources, whether it’s personnel, facilities, data, equipment, networks, or systems. They might be people who are trusted by an organization, such as employees, and are granted access to sensitive information, CISA explains. Other examples include individuals who:
- Have a badge or access device identifying them as someone with regular or continuous access, like a contractor or a vendor;
- Develop the organization’s products and services and know the secrets of the products that provide value to the organization;
- Are privy to the organization’s pricing and cost structure, strengths, and weaknesses as well as business strategy and goals;
- Work in government roles with access to information which, if compromised, can jeopardize national security and public safety.
The two types of insider threat – and their subtypes – explained
Insider threats come in all shapes and sizes, but most of them fall into two major categories: intentional and unintentional threats.
1. Unintentional threats result from either negligent or accidental insider behavior. Negligent insiders know the organization’s security policies but choose to ignore them: skipping software updates and security patches, or handling devices that hold sensitive company data carelessly. Accidental threats arise when insiders unwittingly expose company information, for example by sharing a confidential file with the wrong person, falling for phishing or malware, or disposing of confidential documents carelessly.
2. Intentional threats can be just as damaging, if not more so. Malicious insiders are usually motivated by greed or revenge: they seek financial gain, or want to “get even” for real or perceived mistreatment. Typically they leak sensitive information or trade secrets to sabotage the company’s operations or reputation, or steal proprietary data and intellectual property for profit or to advance their career with a new employer. A subset of this type, often called collaborators or collusive insiders, are employees who have been persuaded, tricked or coerced into acting on behalf of an external party such as a criminal group or a competitor; the related term “mole” usually describes an outsider who has obtained insider access, for example by being hired under false pretenses.
What makes an insider threat? Four potential motives
- Financial gain – Malicious insiders are often driven by greed, either because they experience financial hardship or feel they aren’t properly compensated for their work.
- Revenge – Heightened emotions, such as frustration over being let go or disappointment over a poor performance review can turn employees into liabilities.
- Espionage – Albeit rare, business, criminal or political espionage can be a strong reason why people might want to get their hands on sensitive data assets.
- Ignorance – According to Gartner, 90% of insider incidents are caused by “goofs”: users who bypass or dismiss security controls out of convenience or carelessness rather than malice.
What are some potential insider threat indicators?
Recognizing the telltale signs of ongoing or impending insider activity, often called potential risk indicators (PRIs), is crucial to mitigating insider threats. According to the Center for Development of Security Excellence (CDSE), PRIs span individual predispositions, stressors, choices, actions and behaviors: access attributes, professional lifecycle and performance factors, security and compliance violations, and unauthorized use or disclosure of information.
As a rule of thumb, it’s crucial that you keep an eye out for the following activities:
1. Unusual logins outside working hours
An employee who suddenly starts logging in to the corporate network outside office hours, or from unusual remote locations, is a potential red flag. The baseline matters: compare against that user’s own normal pattern and that of their peer group, not a single company-wide schedule.
2. Attempts to access unauthorized resources
If people in your organization are granted only the minimum permissions needed to do their job, sudden requests for access to sensitive files, or repeated denied attempts to reach them, should be viewed with suspicion.
3. Irregular or excessive data transfers
Is a user downloading or moving large volumes of data from the company network or cloud infrastructure to external locations or untrusted devices? That is cause for alarm.
4. File name, content and format manipulation
Copying information into new files, or renaming files and saving them in different formats (for example, a mechanical drawing saved under a generic name with an image extension), are common obfuscation techniques malicious insiders use to cover their tracks.
5. Use of shadow IT tools or applications
Deploying hardware or software without the IT department’s approval may be an innocent workaround – or a sign of someone deliberately trying to circumvent security controls.
6. Hostile attitude or unexpected departure
Personal or professional conflicts with colleagues, abrupt changes in attitude, voicing a desire to quit, or a sudden resignation can all signal disgruntlement and elevated insider risk.
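The following Python script is an added example, not code from the original article, and shows what four of the indicators above look like when checked against audit events: off-hours logins, repeated denied access to sensitive paths, renames that change a file’s extension, and bulk uploads to external destinations. The pipe-delimited log format, the field names, the thresholds and the sample lines are all assumptions constructed for this example.

```python
import os
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines for this example (not real logs).
# Format assumed for the example: timestamp|user|action|key=value;key=value
SAMPLE_LOG = """\
2023-06-12T02:14:09|mallory|login|src=203.0.113.7
2023-06-12T02:20:31|mallory|access_denied|path=/eng/satellite/drawings
2023-06-12T02:21:02|mallory|access_denied|path=/eng/satellite/drawings
2023-06-12T02:21:40|mallory|access_denied|path=/finance/pricing
2023-06-12T02:30:00|mallory|rename|src=bracket_assy.dwg;dst=holiday.jpg
2023-06-12T02:35:00|mallory|upload|dest=external;bytes=734003200
2023-06-12T10:05:12|alice|login|src=10.0.0.12
2023-06-12T10:30:00|alice|upload|dest=internal;bytes=52428800
2023-06-12T11:00:00|alice|access_denied|path=/hr/payroll
"""

BUSINESS_HOURS = range(8, 18)                 # 08:00-17:59, Monday to Friday (assumed)
DENIED_THRESHOLD = 3                          # denied attempts on sensitive paths per user
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024    # cumulative bytes sent to external destinations
SENSITIVE_PREFIXES = ("/eng/", "/finance/", "/hr/")  # assumed sensitive share roots


def parse_line(line):
    """Split one audit line into a dict; the key=value tail becomes extra keys."""
    ts, user, action, details = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in details.split(";") if kv)
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, **fields}


def score_events(log_text):
    """Return {user: [(indicator, detail), ...]} for users that trip any indicator."""
    denied = defaultdict(list)   # user -> sensitive paths they were refused
    egress = defaultdict(int)    # user -> bytes uploaded to external destinations
    findings = defaultdict(list)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]

        if ev["action"] == "login":
            # Indicator 1: login outside business hours or on a weekend
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
                findings[user].append(("off_hours_login", f"{ts.isoformat()} from {ev.get('src')}"))
        elif ev["action"] == "access_denied":
            # Indicator 2: collect refusals on sensitive paths; judged after the pass
            if ev.get("path", "").startswith(SENSITIVE_PREFIXES):
                denied[user].append(ev["path"])
        elif ev["action"] == "rename":
            # Indicator 4: an extension change hides the file's real format from casual review
            src_ext = os.path.splitext(ev["src"])[1].lower()
            dst_ext = os.path.splitext(ev["dst"])[1].lower()
            if src_ext != dst_ext:
                findings[user].append(("format_change_rename", f"{ev['src']} -> {ev['dst']}"))
        elif ev["action"] == "upload" and ev.get("dest") == "external":
            # Indicator 3: accumulate egress volume per user
            egress[user] += int(ev["bytes"])

    for user, paths in denied.items():
        if len(paths) >= DENIED_THRESHOLD:
            findings[user].append(("repeated_access_denied",
                                   f"{len(paths)} refusals on {sorted(set(paths))}"))
    for user, total in egress.items():
        if total >= EGRESS_THRESHOLD_BYTES:
            findings[user].append(("bulk_external_upload",
                                   f"{total / 2**20:.0f} MiB to external destinations"))
    return dict(findings)


if __name__ == "__main__":
    for user, hits in score_events(SAMPLE_LOG).items():
        print(user)
        for indicator, detail in hits:
            print(f"  {indicator}: {detail}")
```

Run against the constructed sample, `mallory` trips all four indicators while `alice` trips none: one late login or one denied request is noise on its own, so the script keys every finding by user and reports the accumulated picture rather than alerting on single events. The fixed thresholds are illustrative; a real deployment would derive them from each user’s and peer group’s baseline.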
The evolution of an insider threat: a real-life example
A case study cited by the Cybersecurity and Infrastructure Security Agency (CISA) illustrates how several potential insider threat indicators can combine into a perfect storm.
The insider in question was working as an engineer for a supplier of aerospace parts to high-profile federal customers such as NASA, the US Air Force, and the US Navy. The company’s insider threat unit uncovered concerning behavior on the employee’s part, including copying entire folders of mechanical drawings and other valuable design information for a satellite program to a USB stick. He also showed signs of poor judgment (he spent thousands of dollars on a romantic interest he had never met), frustration at not being promoted, and worry over mounting medical bills as his wife’s health worsened.
The employee then contacted the Russian embassy about selling the stolen proprietary software and satellite information and met several times with an undercover FBI agent whom he believed to be a Russian intelligence officer. Thanks to the aerospace manufacturer’s vigilant insider threat specialists and their collaboration with law enforcement, the operation was nipped in the bud. The perpetrator was convicted of attempting to sell proprietary trade secrets to a foreign government’s intelligence service and sentenced to five years in prison.
From vulnerability to strength: 4 insider threat prevention best practices
1. Insider threat detection should start at recruitment
“Insider threats can be fought on multiple fronts, including early in the recruitment and hiring process. Hiring leaders should look beyond the standard criminal background checks, and dig into a prospect’s history to look for anything that might render them susceptible to blackmail or bribery,” advises security and borderless networks expert Pete Burke. This might be excessive debt, bankruptcy, loan defaults, tax arrears, or any indicator of financial hardship that can be used as leverage against a future employee.
2. Boost cyber awareness about insider threats
A joint study by Stanford University Professor Jeff Hancock and security firm Tessian found that a whopping 88% of data breach incidents are caused by human error. Some 50% of the employees surveyed stated that they are “very” or “pretty” sure they had made a mistake at work that could have turned into a security risk for their company. This clearly underlines the need for employers to build a culture of vigilance within their organization through training their workforce to spot insider threat indicators before they turn into data leaks.
3. Tailor security protocols to your organization
Designing an effective program to assess and mitigate insider threat exposure should begin with one question: “What critical assets does my organization have that need to be protected?” Physical or intellectual, technology or process, software or equipment – account for everything whose loss, compromise, theft, or damage could put business continuity at risk. Next, identify who has access to each asset and set up or re-evaluate permissions so that access is limited to a strict need-to-know basis.
4. Keep things transparent
Without visibility into users’ network activity, insider threat prevention will be an uphill battle. Set up controls to monitor and manage shadow IT risks, establish secure and easy-to-observe file sharing and access practices so you can track user behavior and file movement, and make sure your bring-your-own-device (BYOD) policy is clear and comprehensive enough not to translate into a “bring-your-own-risk” reality. It’s also a good idea to invest in an end-to-end encrypted, zero-knowledge file-sharing and collaboration tool for maximum protection. Bear in mind that encryption shields data from outsiders and from the service provider, not from an authorized insider who can legitimately decrypt it, so access logging and data-loss controls still need to cover the endpoints where files are opened.