For the longest time, the minds of many business owners, managers, and security teams were conditioned to think that threats only come from malicious strangers hunting for vulnerabilities and hacking their way in. However, this assumption is not always accurate. Sometimes the most dangerous cyber threats can come from within.
The 2022 Ponemon Cost of Insider Threats Global Report provides insight into the impact of insider threats on organizations, revealing that incidents of insider threat have risen by 44% over the past two years, with costs per incident now averaging $15.38 million.
Let's also dispel the misconception that insider threat comes only from employees. Insider threats can originate from anyone who has formal contact with the company. Even a board member can pose a threat, knowingly or unknowingly.
At IT Companies Network, we're honored to work with many players at the top of the cybersecurity industry, providing us with unparalleled insight into threat trends across the corporate and SMB sectors. Backed with this experience and an unwavering commitment to staying on the cutting edge of security, we're excited to share our knowledge on the nuances of insider threat, the major types plus prevention tips for each.
What is an insider threat?
Insider threat is the potential risk or danger posed to an organization by people who have authorized access to its systems, such as employees, contractors, or business partners.
These individuals may be motivated by financial gain, revenge, ideology, curiosity, or other factors that lead them to abuse their access privileges or misuse sensitive information in their possession.
According to FinanceOnline, fraud (55%) is the leading motivation for insider threat actors, followed by monetary gain (49%) and IP theft (44%). The leading actors are privileged IT users, managers with access to sensitive information, and contractors/subcontractors, in that order.
Insider threats are often challenging to detect since the individuals involved may have legitimate access to the systems and the data they are misusing. Furthermore, they can be difficult to distinguish from legitimate user activities, making it harder to identify and respond to them before they cause significant harm.
Types of insider threat
There are two main types, namely involuntary and intentional (voluntary). These classifications follow the taxonomy of the US Cybersecurity & Infrastructure Security Agency (CISA).
1. Involuntary insider threats
As the name suggests, an involuntary insider risk is triggered unintentionally. The perpetrator does not initiate it out of will. It can take either of two forms: carelessness or accident.
So you have this person who understands the company’s IT policies very well. But then they do some things the wrong way out of carelessness and this exposes the organization to risks.
Examples include misplacing a device, ignoring a reminder to update software, or sharing logins with a stranger or colleague without taking the time to think about the consequences. This last example is especially serious in the workplace, where many employees never consider sharing credentials to be a risky activity. An independent study covering 2000 professionals across the US and UK revealed that a shocking 52% of employees don't see any security risk to the organization if they share their login credentials.
An insider can cause a threat through accidental actions, or mistakes if you like. Examples could include mistakenly attaching the wrong file to an email, clicking on the wrong link when in a hurry, or sending an email with sensitive information to the wrong addresses, which can then initiate email attacks.
In the second edition of their report The Psychology of Human Error, security firm Tessian and Stanford professor Jeff Hancock found that 43% of the surveyed people had made some form of mistake in the workplace that compromised the security of their organization.
2. Intentional insider threats
Employees or third parties who have access to an organization's sensitive information or assets can engage in deliberate harmful actions. The motivation can be for personal benefit, or simply to bring the organization down.
Examples include intentionally leaking the company’s sensitive information, sabotaging colleagues, supplying defective assets (in the case of third party vendors), stealing data, or harassing colleagues.
Often, intentional insider threat actors fall into at least one of the categories below:
These types act purely alone. They hatch short term or long term attack plans, then execute them at the opportune moment.
As the name suggests, this type of intentional perpetrator will collaborate with other players within or outside the organization to inflict harm. They will use their proximity and permissions to help execute an attack targeted at the organization.
In this type, an innocent insider is used without their knowledge to perform a risky activity. In other words they are alive to what they are doing, but not aware that they are being led to commit a crime. For example, if a malicious third party sends an email with a malware-laden attachment to an employee and the employee ends up infecting systems by downloading it, then this employee will have been used as a pawn. They didn't download the attachment because they were careless or by intention to harm the company. But since they are familiar with the sending party, they did it out of trust.
This is the lot that acts with absolute impunity. Goofs believe they are above the law and any established policies, so they knowingly do the wrong things. While other intentional actors take care not to be caught and face the consequences, goofs convince themselves that nothing can be done to them even if they are found out. They feel untouchable.
Detecting Insider threats
Threats from within pose a monumental challenge because they can blend seamlessly into work routines. A prime example is an employee mistakenly attaching the wrong file to an outgoing email, which can be difficult to detect and prevent.
However, there are steps you can take to detect as many insider-driven risks as possible:
- Insider threat awareness: Train employees to recognize and report suspicious activity. This should not be confused with asking employees to keep an eye on their fellow team members. Rather, the aim is to make them aware of insider threat possibilities and give timely reports whenever they come across activities that could eventually create opportunities for threats to thrive. Please familiarize yourself with the benefits of awareness training.
- Red Teaming: Simulate an insider threat scenario from time to time to test the defenses. The goal is to put the organization’s preparedness to the test and assess how well everyone, and particularly the security teams, is likely to respond to potential cases of insider threats.
- Data Loss Prevention (DLP): DLP solutions can detect and prevent unauthorized data transfers or copying. Copying in particular can be misused to stealthily get away with stealing company materials. Think of someone copying customer data and pasting it in a document on their personal device.
- Employee/contractor monitoring: Take care not to overdo it though. You simply want to have some visibility into the common activities that can potentially be used to trigger a threat. For example, you might want to constantly monitor outgoing emails with the intention to spot cases such as emails going to wrong addresses or those containing wrong attachments. Early discovery of such, whether intentional or by mistake, will give you enough time to safeguard systems against threats that might come from here.
- Risk Assessment: Make a point of conducting regular vulnerability assessments to identify potential insider scenarios that could be brewing.
- Threat Hunting: Search actively for signs of potential insider threats by analyzing data from different sources, such as logs, network traffic, and endpoint data. The goal is to identify patterns and anomalies that could indicate a potential insider threat.
- Peer Group Analysis: Compare the behavior of an employee with that of their peers in the same role or department and look out for anomalies or deviations. Not every deviation points to danger, but occasionally you will come across anomalies that call for further scrutiny to rule out a threat.
Besides these approaches, the ultimate solution is to actively pay attention to warning signs, no matter how insignificant they may seem. Neglecting even the tiniest warning sign can lead to catastrophic consequences.
We’ll look at the top warning signs of insider threat.
Top 11 insider threat warning signs
These are the most common insider threat indicators that you need to watch out for:
1. Unauthorized access
If an employee is trying to access information or systems that they are not authorized to access, it could be a sign of insider threat.
For example, imagine an employee at a financial services company who is responsible for handling client data. This employee has access to sensitive financial information, including credit scores, social security numbers, and bank account information. However, they are only authorized to access this information for specific clients and under certain circumstances.
One day, the employee attempts to access the credit scores of a client they do not have permission to access. They do this by using the login credentials of a coworker who has access to the client's data. The employee's behavior is suspicious.
- Access controls: Always make a point of limiting employee access to sensitive information to only those who need it to perform their jobs. Revoke the access once the employee no longer requires it.
- Password policies: Implement password policies that compel (not request) employees to use strong passwords and change them regularly.
- Monitoring and logging: Be sure to constantly monitor access to sensitive data and log all access attempts. This will make it easier to identify unauthorized access attempts and provide evidence in case of a security breach.
2. Changes in work habits
If an employee's work habits suddenly change, such as working unusual hours, accessing systems outside of their normal routine, or copying large amounts of data, you need to check out what they could be up to.
These changes in behavior can indicate that an employee is engaging in suspicious activities, such as stealing data or attempting to cover up fraudulent behavior.
For example, consider an employee at a technology company who has access to sensitive information about the company's intellectual property. This employee has always worked regular hours and has never accessed sensitive data outside of their normal routine. However, over the past few weeks, the employee has been staying late and working weekends. They have also been accessing large amounts of data outside of their normal working hours.
This sudden change in behavior is suspicious and could be a warning sign of impending threat.
- Regular monitoring: Monitor your employee activities regularly to identify changes in work habits.
- Implement limits outside normal hours: For highly sensitive information, you might consider restricting access or privileges (what one can do) outside normal working periods.
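The threat hunting and peer group analysis approaches from the detection list, together with the unusual-hours and bulk-copying habits described in this section, are easy to put into a small hunting script. This is an added example, not code from the original article; the log format, user names, business hours and the 3-sigma threshold are all constructed assumptions.

```python
"""Added example: hunting two insider warning signs in an access log.
Flags (1) sensitive data touched outside normal working hours and
(2) a user whose data volume is far above peers in the same role.
Log lines, names and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp, user, role, resource, bytes read.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice analyst crm/customers 120000
2024-03-04T10:30:00 bob analyst crm/customers 95000
2024-03-04T11:05:00 carol analyst crm/customers 110000
2024-03-04T14:20:00 dave analyst crm/customers 105000
2024-03-05T23:45:00 dave analyst crm/customers 3500000
2024-03-06T02:10:00 dave analyst crm/customers 4100000
2024-03-06T09:00:00 alice analyst crm/customers 130000
"""

BUSINESS_HOURS = range(8, 19)          # 08:00-18:59 counts as normal working time
SENSITIVE_PREFIXES = ("crm/", "finance/")
PEER_SIGMA = 3.0                       # flag volume above peer mean + 3 standard deviations


def parse_log(text):
    """Parse the whitespace-separated constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "resource": resource, "bytes": int(nbytes)})
    return events


def off_hours_sensitive_access(events):
    """Warning sign 2: sensitive resources accessed outside business hours.
    Returns (user, timestamp, bytes) tuples for each offending event."""
    hits = []
    for e in events:
        if (e["ts"].hour not in BUSINESS_HOURS
                and e["resource"].startswith(SENSITIVE_PREFIXES)):
            hits.append((e["user"], e["ts"].isoformat(), e["bytes"]))
    return hits


def peer_group_outliers(events, sigma=PEER_SIGMA):
    """Peer group analysis: compare each user's total bytes against the
    other users in the same role. Returns (user, role, total, peer_mean)."""
    per_user = defaultdict(int)
    role_of = {}
    for e in events:
        per_user[e["user"]] += e["bytes"]
        role_of[e["user"]] = e["role"]
    by_role = defaultdict(dict)
    for user, total in per_user.items():
        by_role[role_of[user]][user] = total

    outliers = []
    for role, totals in by_role.items():
        for user, total in totals.items():
            peers = [t for u, t in totals.items() if u != user]
            if len(peers) < 2:
                continue                     # no meaningful baseline without peers
            mu, sd = mean(peers), pstdev(peers)
            # max(sd, 1) guards against a zero-variance peer group.
            if total > mu + sigma * max(sd, 1):
                outliers.append((user, role, total, round(mu)))
    return outliers


def hunt(text):
    """Run both checks over a log and return the findings for review."""
    events = parse_log(text)
    return {"off_hours": off_hours_sensitive_access(events),
            "peer_outliers": peer_group_outliers(events)}


if __name__ == "__main__":
    for kind, findings in hunt(SAMPLE_LOG).items():
        print(kind)
        for f in findings:
            print("  ", f)
```

Findings are leads for further scrutiny, not verdicts: a single flagged user should trigger a review of context (approved overtime, a project deadline) before any action.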
3. Unexplained wealth
You have every reason to be very suspicious of any employee who appears to have come into a significant amount of money or assets that cannot be explained by their salary or legitimate sources of income. This sudden and unexplained increase in wealth could be a red flag that the employee is engaging in illegal activities, such as embezzlement, fraud, or other financial crimes.
- Conduct financial audits: Regular financial audits can help companies identify suspicious transactions or unexplained wealth. The goal is to detect any unusual activity and investigate it further.
- Background checks: Conduct thorough background checks on employees before hiring them. These checks can help identify any previous criminal activity or financial issues that could make an employee more susceptible to insider threats.
- Whistleblower programs: Consider setting up a whistleblower program that protects anyone who reports suspicious behavior. Such programs reassure employees that they can always report concerns without fear of retaliation.
4. Poor performance reviews
If an employee's workplace performance suddenly drops or they start to receive negative feedback from colleagues, it could be a sign that they are experiencing professional problems that could lead to threats.
Poor performance reviews can also indicate that an employee is not meeting expectations or may be struggling to perform their job duties, which could create security risks for the organization.
For example, consider an employee who works in the IT department of a company. Over the past few months, their job performance has been declining, and they have received several poor performance reviews from their supervisor. The employee has been missing deadlines, making mistakes on projects, and showing a lack of attention to detail. These poor performance reviews could indicate that the employee is disengaged, unhappy, or struggling with their job, which could make them more susceptible.
- Employee engagement programs: Provide employees with engagement programs to help keep them motivated and engaged in their work. This can include things like training and development opportunities, recognition programs, or wellness initiatives.
- Exit interviews: When an employee leaves the company, an exit interview should be conducted to determine the reason for their departure. This can help identify any potential issues or concerns that need to be addressed to prevent future threats.
- Implement regular feedback mechanisms to assess employee satisfaction and identify any concerns that may be impacting job performance.
- Consider offering flexible work arrangements, such as telecommuting or flexible schedules, to help employees better manage work-life balance and reduce stress. According to a survey by IBM, 54% of US employees would prefer to switch to remote working. Increasingly, employees want their organizations to be more flexible and to facilitate remote work. So where an organization is rigid, over half of the company's workforce is likely to slide into poor performance.
- Provide opportunities for development to help employees acquire new skills and knowledge.
- Establish a clear and transparent performance evaluation process to help employees understand what is expected of them and how they can improve.
- Provide adequate resources to avoid frustration due to under-resourcing.
- Address poor performance in a timely and constructive manner. Delaying feedback and corrective action can create frustration and disengagement, making employees more vulnerable.
5. Disgruntled employees
Disgruntled employees are workers who are dissatisfied with their job, employer, or working conditions. They may feel unhappy, frustrated, or resentful towards their employer, their coworkers, their job responsibilities or their managers. A report by Udemy on employee experience found that 60% of the surveyed employees feel that managers need more management training. This alone is a huge testament to disgruntlement, considering that managers are key in the daily routine of ordinary employees.
Disgruntled employees may exhibit negative behaviors, such as complaining, or gossiping, which can impact the productivity and morale of the workplace. In some cases, they may resort to more extreme actions, such as sabotage, vandalism, theft, or workplace violence.
- Act on complaints: Listen to grievances from employees, and take action to address them.
- Open communication: Create an environment where employees feel comfortable approaching their managers or HR with any concerns. This can include regular feedback sessions, town hall meetings, and employee satisfaction surveys. A study by Qualtrics found that employees are fond of giving feedback, with 77% of the surveyed group saying they prefer to give feedback more than once annually.
- Employee support programs: Programs such as counseling, wellness initiatives, or financial planning services can go a long way to help employees manage stress and other issues that may contribute to disgruntlement.
One of the riskiest actions a disgruntled employee can commit is sabotage. For example, a disgruntled developer working for an organization can cleverly add malicious code to an app they are working on. The code can trigger vicious activities such as deleting some data at a given date when certain conditions are met. This kind of harm is known as a logic bomb.
6. Sudden departure
If an employee leaves the company abruptly or resigns without notice, it could be a sign that they have taken sensitive data with them or they plan to.
Sudden departure can also indicate that the employee has been suddenly terminated or laid off and may seek revenge against the organization.
- Implement a zero trust model: A zero trust model assumes that all users and devices accessing the network are untrusted until they can be verified. Any access to sensitive data is limited based on the user's role, location, and device. In this case an employee who has suddenly departed will not be able to log in again, as they are not likely to pass some of the verification checks, for example those that check their location or devices.
- Implement behavioral analytics: Behavioral analytics is all about analyzing user behavior to detect anomalies and potential threats. If for example an employee shows signs that indicate they may be leaving the company soon, the security team can take measures to start restricting their access. The employee support team can also take steps to talk to the employee.
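The zero trust model just described, combined with the earlier tips to revoke access once it is no longer needed and to restrict privileges on sensitive data outside normal hours, can be expressed as an ordered set of checks. The following is an added illustration, not code from the article or from any product; the users, devices, role entitlements and business hours are constructed.

```python
"""Added example: a minimal zero-trust style access decision for the
sudden-departure scenario. Every request is checked against employment
status, enrolled device, role entitlement and working hours before any
sensitive data is released. All directory data below is constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class User:
    name: str
    role: str
    active: bool          # False as soon as HR records the departure


# Constructed directory: dave resigned without notice and was deactivated.
USERS = {
    "alice": User("alice", "analyst", True),
    "dave": User("dave", "analyst", False),
}
# Constructed device inventory: only enrolled, managed devices may connect.
ENROLLED_DEVICES = {"alice": {"LT-0451"}, "dave": {"LT-0320"}}
# Constructed least-privilege entitlements per role.
ROLE_ENTITLEMENTS = {
    "analyst": {"crm/customers": {"read"}},
    "finance-admin": {"finance/ledger": {"read", "write"}},
}
SENSITIVE_PREFIXES = ("crm/", "finance/")
BUSINESS_HOURS = range(8, 19)       # 08:00-18:59


def decide(user_name, device_id, resource, action, when):
    """Return (allowed, reason). The first failing check denies, and the
    reason string is intended for the access log so that a departed user's
    retry shows up as 'identity not active' rather than a silent failure."""
    user = USERS.get(user_name)
    if user is None or not user.active:
        return False, "identity not active"            # departed staff fail here
    if device_id not in ENROLLED_DEVICES.get(user_name, set()):
        return False, "device not enrolled"             # stolen credentials on a personal laptop
    allowed_actions = ROLE_ENTITLEMENTS.get(user.role, {}).get(resource, set())
    if action not in allowed_actions:
        return False, "role not entitled"
    if resource.startswith(SENSITIVE_PREFIXES) and when.hour not in BUSINESS_HOURS:
        return False, "sensitive resource outside working hours"
    return True, "ok"


if __name__ == "__main__":
    requests = [
        ("dave", "LT-0320", "crm/customers", "read", datetime(2024, 3, 6, 10, 0)),
        ("alice", "PERSONAL-1", "crm/customers", "read", datetime(2024, 3, 6, 10, 0)),
        ("alice", "LT-0451", "crm/customers", "write", datetime(2024, 3, 6, 10, 0)),
        ("alice", "LT-0451", "crm/customers", "read", datetime(2024, 3, 6, 23, 0)),
        ("alice", "LT-0451", "crm/customers", "read", datetime(2024, 3, 6, 10, 0)),
    ]
    for req in requests:
        print(req[:4], "->", decide(*req))
```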
7. Shadow IT
Shadow IT is the use of unauthorized technology (software or hardware) by employees, contractors, or partners without approval from the organization's IT department. This could be a sign of an insider threat, as the unauthorized use of IT resources can compromise the security of the organization's systems and data.
Insiders who use shadow IT may be unknowingly exposing sensitive data to unauthorized third parties, bypassing security protocols, and creating dangerous vulnerabilities.
- Training: Educate employees and partners on the risks of shadow IT. Make sure they understand the potential consequences of their actions and the impact it can have on the organization's security.
- Policies: Establish clear policies and guidelines around IT usage and security. Make sure employees and partners understand what is and isn't allowed plus the consequences for violating these policies.
- Alternative solutions: Insiders may turn to shadow IT because they feel the tools provided by the organization are insufficient. Sanctioning alternative solutions that meet their needs can curb this.
- Use shadow IT prevention tools: There are quite a number of tools in the market that are specifically designed to detect shadow IT and alert the relevant teams to act on it. We have an elaborate resource on this, please check this article on tools for combating shadow IT.
8. Conflict of interest
A conflict of interest occurs when an individual or entity has competing interests that could compromise their ability to act in the best interest of the organization. This could be a sign of an insider threat, as a person or organization with a conflict of interest may prioritize their own interests over the interests of the organization.
Conflict of interest can create a situation where insiders may make decisions or take actions that benefit themselves instead of the organization, potentially causing harm or loss to the organization.
A practical example of this is when an employee works for a company that provides a particular service, but they also own a competing business. In such a situation, the employee may be inclined to use their access to confidential information to gain an unfair advantage over the company they work for.
- Code of ethics: Establish and communicate a code of ethics that outlines acceptable behaviors and what constitutes a conflict of interest. This should include clear guidelines on financial and personal relationships that may create a conflict of interest.
- Reporting mechanism: Establish a clear and confidential reporting mechanism for insiders to report any conflicts of interest or suspected misconduct.
- Review processes: Conduct regular reviews of employee activities and financial transactions to detect any potential conflicts of interest. This will help to identify any conflicts early and prevent them from escalating.
- Separation of duties: Separate responsibilities among different employees and partners to reduce the likelihood of a single party having complete control over a process.
9. Violation of policies and procedures
Insiders who repeatedly violate the organization's policies and procedures, particularly those related to information security, are a threat. This could include employees or partners who ignore security protocols, insist on using personal email for business purposes, or mishandle sensitive data.
For instance, a vendor may intentionally transfer sensitive data to their personal device in violation of the organization's policy on data transfer. This data can then be compromised or stolen, resulting in a significant security breach.
- Clearly communicate policies and procedures: Ensure that all employees and non-employee insiders are aware of the policies and procedures that are in place to safeguard the organization's assets. This can be done through regular training and awareness programs.
- Regular reviews: Regularly review and update policies to ensure that they are current and effective in addressing the evolving threat landscape.
- Consider implementing tools such as data loss prevention (DLP) solutions, which can automatically identify and prevent sensitive data from being downloaded or shared in violation of policies.
10. Personal issues
Insiders who are dealing with personal issues such as financial problems, addiction, or relationship troubles may be more susceptible. These personal issues can lead to stress, desperation, or other emotional states that may compromise their judgment and increase the risk potential.
- Establish a culture that prioritizes employee well-being.
- Provide support and resources for employees who are struggling with personal issues. This can include providing access to counseling services, financial wellness programs, and substance abuse treatment programs.
11. Weary workers
When workers become fatigued or burnt out, they may be more likely to engage in risky behavior, such as violating policies or sharing sensitive information with unauthorized parties. They may also become more susceptible to social engineering attacks, where attackers use psychological manipulation to trick them into divulging confidential information or performing harmful actions.
Furthermore, employees who are exhausted or overwhelmed may be more likely to make mistakes, overlook security protocols, or fail to detect and report suspicious activity.
Weary workers may also be more susceptible to coercion or bribery by external actors seeking to exploit their vulnerabilities. For instance, they may be more willing to accept monetary incentives or other benefits in exchange for providing access to confidential material.
General protection mechanisms for insider threat
While we have provided prevention tips for each of the warning signs, we acknowledge that you can encounter many other warning signs that aren't in the list. In this case, these general prevention techniques will come in handy:
If you could have 100% visibility into all the activities in the workplace, we could safely say that your organization would never suffer from insider threat. But complete visibility is practically impossible. Still, the more visibility you have, the lower your insider threat risk.
There are many tools you can use for visibility into various parts of your network, whether it’s people logging in to core company systems or contractors working on site. One tool may not be enough. So the best approach is to use a combination of visibility tools, prioritized according to which part of your ecosystem is most critical for you.
For example, a packet sniffer can capture and analyze traffic as it flows across a network. It can intercept and log the data packets that are sent and received over a network, making it possible to analyze the content of the packets, including the source and destination addresses, protocols used, and payload data.
Examples of packet sniffer tools include ManageEngine's Network Sniffer and SolarWinds' Network Performance Monitor which performs deep packet inspection.
Everyone with any form of contact with the organization, from employees to contractors, should have a clear understanding of what is acceptable behavior, and what behavior is not acceptable.
Don’t let people guess or assume things. Instead, everyone should have access to a very simple document that spells out behavioral expectations and consequences. This policy document should always be included in the agreement that employees and other third parties sign before being officially welcomed to work with or for the organization.
Nurture prudent culture
Frankly speaking, the root cause of insider threat has almost everything to do with culture. If everyone had the right culture set, then we would not be talking about insider cyber dangers. If every employee made an effort to ensure they don’t commit a careless mistake here and there, if every contractor came to just do their work, if every board member just focused on their role and nothing more, then it’s difficult to imagine where insider threats will possibly come from. But because of poor culture, we end up here.
So what can you do to inculcate a culture that increasingly thwarts both intentional and unintentional insider threats?
- Instill the value of being attentive to detail and precise in one's work
- Lead by example (for top leadership and departmental heads)
- Encourage accountability, meaning individuals should be ready to take ownership of their work and are responsible for their mistakes
- Recognize and reward those who demonstrate carefulness in their work. According to TINYpulse's Employee Engagement Report, 24% of employees who felt they had not been recognized enough in the last two weeks were likely to interview for another job or may have already interviewed for one.
Insider threat detection solutions
Not many tools have been developed precisely for insider threat. But there are a couple of solutions that you can incorporate into your security stack to enhance your watch against insiders who may cause harm.
Generally, any tool that can be classified in any of the following categories can be used as an insider threat detection solution for various purposes:
- User behavior analytics (UBA) tools: Can detect anomalies in user behavior, such as accessing sensitive data outside of normal business hours or using unauthorized applications.
- Data loss prevention (DLP): Designed to prevent the unauthorized transmission of sensitive data outside of the organization. They can detect and block attempts to exfiltrate data, such as sending files to personal email accounts or cloud storage services.
- Identity and access management (IAM): Used to manage user access to systems and applications. They can detect and prevent unauthorized access to sensitive data and systems.
- Endpoint detection and response (EDR): Used to monitor and respond to threats on individual devices, such as laptops or mobile phones. They can detect and isolate threats such as malware infections and unauthorized access attempts.
- Security information and event management (SIEM): Used to collect and analyze security event data from systems and applications. They can help detect insider threats by identifying unusual patterns of activity.
Popular examples of insider threat at corporate level
As you can expect, there is no shortage of insider threat in the corporate world.
Here are some notable cases which serve to show that this is indeed a worrying danger that is right here with us and growing fast.
In May 2022, Microsoft confirmed that several of its employees inadvertently leaked login credentials for its Azure cloud service on GitHub. The exposed credentials were in plain text, making them easily accessible.
As a precaution, Microsoft revoked the exposed credentials and urged its customers to reset their passwords.
A former Cisco engineer intentionally accessed the company's Amazon Web Services (AWS) account and deleted 16,000 Webex Teams accounts, including those of critical healthcare providers during the COVID-19 pandemic. Sudhish Kasaba Ramesh, who had resigned from Cisco in 2018, retained access to the AWS accounts and deployed code that caused Cisco $2.4 million in losses.
Ramesh was sentenced to 24 months in prison and ordered to pay $1.5 million in restitution after pleading guilty to intentionally accessing a protected computer without authorization and recklessly causing damage. The judge noted that Ramesh had used his knowledge and skills maliciously and that the act was particularly heinous as it occurred during a time when the healthcare system was heavily reliant on platforms like Webex Teams for communication.
In 2022, Yahoo sued a former employee, accusing them of stealing trade secrets upon receiving a job offer from The Trade Desk, a rival online advertising company. The employee allegedly downloaded confidential information from Yahoo’s database and copied it onto an external hard drive, intending to use it to benefit The Trade Desk.
According to the lawsuit, the employee did not disclose the job offer to Yahoo and violated a nondisclosure agreement that prohibited the sharing of confidential information.
In 2022, Proofpoint, a cybersecurity firm, filed a lawsuit against a former executive who allegedly took trade secrets to a competing company, Abnormal Security. The lawsuit claimed that the former executive downloaded sensitive information, such as customer lists, product information, and confidential financial data onto a personal device before leaving the company.
Proofpoint claimed that the executive violated the terms of a confidentiality agreement and company policies by taking the sensitive information to a competitor.
In May 2022, Apple filed a lawsuit against Rivos, a startup, alleging that the company had poached its engineers to steal trade secrets. The lawsuit claimed that Rivos had hired several former Apple engineers who had access to confidential information and had worked on projects related to autonomous vehicle technology.
According to the lawsuit, Rivos used the stolen information to develop its own autonomous vehicle technology, which it then planned to sell or license to other companies. The alleged theft was carried out through the use of a cloud storage account that was accessed by the former employee, which contained confidential information related to Apple's autonomous vehicle project.
The rise of insider threats has become a significant concern for organizations worldwide. With the rapid advancements in technology and the increasing amount of sensitive data stored in digital format, the potential for an insider to cause harm has grown exponentially. Whether through malicious intent, carelessness, or lack of knowledge, insiders can wreak havoc on an organization's reputation, financial stability, and overall security. Therefore, it is essential to recognize and address this growing threat.
As we mentioned at the beginning, it’s not just employees that you need to monitor. The entire ecosystem that makes up your organization ought to be monitored. From vendors to board members and all different types of partners, these too can pose insider risk.
Insider Threat FAQ:
What is an insider threat?
Insider threat is the potential risk or danger posed to an organization by people who have authorized access to its systems, such as employees, contractors, or business partners. These individuals may be motivated by financial gain, revenge, ideology, curiosity, or other factors that lead them to abuse their access privileges or misuse sensitive information in their possession.
Can insider threats be completely eliminated?
No, insider threats cannot be completely eliminated. However, organizations can implement strategies and policies to minimize the risk of insider threats and detect them early on.
How can an organization create a culture of security to prevent insider threats?
Prioritize security in your policies and procedures, provide ongoing training to employees on security best practices, encourage reporting of suspicious activity, promote transparency and communication around security risks.
How can my organization balance security with employee privacy?
Implement security policies that are clear and transparent, using technology that respects privacy. It’s also important to involve employees in the development of security policies.
What are the legal implications of an insider threat incident?
Civil liability, criminal charges, and regulatory penalties are some of the major legal implications. Make a point of involving legal professionals in the incident response process to ensure compliance with applicable laws.
What is the most common insider threat?
The most common insider threat is employee negligence or accidental actions, such as clicking on a phishing link, misconfiguring security settings, or sharing sensitive information with unauthorized individuals. These actions can inadvertently put an organization at risk, and they often occur due to a lack of security awareness and training.