Insider Threat
What is an insider threat?
An insider threat is the risk that a person with authorized access to an organization’s systems or sensitive information (an employee, business associate, contractor or similar) uses that access to harm it, whether deliberately or through negligence. Deliberate cases range from espionage (the theft of critical information) to unauthorized disclosure (for example, someone making confidential data available to others).
Insider threats are among the most challenging security risks because the people involved know your systems and processes and may be able to circumvent existing controls. An insider who uses that knowledge to commit a crime is far harder to detect than an outside attacker, because their activity looks like legitimate use.
The difference between insiders and outsiders
The difference between insiders and outsiders is about access rather than intent. In many cases insiders are not aware that their actions violate policy or law. Those who do act deliberately are often going through a change in circumstances: leaving the company, going on a leave of absence or facing a significant personal issue.
Either way, they hold legitimate access to systems and information that would let them take data if they were determined to, which gives them time to plan while evading detection. Insider threat is one of the most critical challenges facing businesses today, regardless of size or sector.
Why insiders become malicious
There are many reasons an employee might engage in harmful behavior: financial pressure, job dissatisfaction, workplace hostility and interpersonal disputes. The behavior is not always obvious and is not confined to any particular time: some act after hours or on weekends and holidays, others during the working day, with the activity mixed in among legitimate work. This makes it hard to tell when someone is contemplating a crime.
What can an organization do
Prevention alone will not stop insider threats, because the insider already has access; detection and response matter just as much. Organizations need effective controls to monitor for and detect suspicious activity while still giving authorized employees the access they need to do their jobs.
Unfortunately, there is no “silver bullet” for preventing insider threats; different organizations will require different solutions depending on their size, number of employees, security budget and many other factors. However, some key elements are essential:
- visibility into what sensitive data exists and, more importantly, who has access to it, across the whole organization
- an analytics approach that establishes what normal activity looks like for each user and flags deviations from it, rather than waiting for a known signature of criminal behavior
- the ability to act quickly when anomalies are detected
- improved collaboration among security teams, HR, legal/compliance teams and senior management.
How to identify an insider threat in your organization
While there is no single type of insider threat, most fall into one of three categories:
- Transient – employees who take advantage of opportunities they encounter inside the organization to steal company data, sometimes using readily available tooling such as malware, password stealers and remote access tools (RATs).
- Determined – employees who go out of their way to reach critical systems; for example, installing a custom-built RAT or keylogger on a target system to harvest credentials and sensitive information.
- Disgruntled – employees who feel they have been treated unfairly by their employer, which can lead to deliberate damage to system assets and/or theft of valuable company information such as customer lists, source code and technical documentation.
Once you understand when an insider is most likely to become a threat, you can put the right controls in place.
Who should be responsible for identifying and preventing insider threats
This responsibility typically falls on the organization’s security team; however, other departments such as HR and Legal/Compliance play important roles as well. Security teams need visibility into company data and systems, including who has access to them and when, so they can detect suspicious activity. HR professionals are often the first to know about internal disputes, sudden changes in an employee’s behavior or signs that someone is looking for a new job (all potential warning signs that an insider might begin taking information), and HR knows when people are leaving, which is what drives timely revocation of their access. Finally, legal/compliance professionals help keep monitoring within the bounds of acceptable-use terms and the law, and provide guidance on data retention policies.
The top insider threats
- Financial gain – employees stealing intellectual property, competitive secrets or personally identifiable information (PII) for personal financial gain. This can include copying files and email attachments, taking screenshots of critical system data and sometimes even video recording their own screen to prove to a buyer what they have.
- Identity theft – individuals selling or trading social security numbers, bank account information and other personally identifiable data.
- Insider threat actors – employees who have access to critical systems and use their position to facilitate other types of cybercrime, such as exchanging sensitive information for money or a job; working with a third party to sell products or services the company has developed; preventing the organization from competing; or enabling phishing attacks that open the door to further criminal activity.
How can organizations reduce their risk
Organizations need a multi-layered approach to detecting and preventing insider threats that covers both prevention before an incident and a plan for recovery after one. Prevention activities include background checks for new hires, a clear record of who has access to what company data (and removal of access nobody needs) and appropriate security training. Post-incident recovery includes identifying the extent of the damage, reviewing the user’s behavior before and after the incident, prioritizing the actions needed immediately to limit lasting impact and developing an action plan for how your organization will handle similar incidents in the future.
Insiders who steal company secrets
This category is made up of employees, business partners and contractors with access to an organization’s most sensitive data. Once they understand what your proprietary information or intellectual property is and how it might be used, the threat ranges from stealing a few documents to handing your entire product line to a competitor.
Insiders may attempt to gain financial reward through theft, espionage or bribery by selling data internally or externally. They could also be breaching legal, regulatory or contractual obligations by sharing confidential knowledge with others not authorized to receive it. This includes executives looking for an edge in contract negotiations, business partners selling your trade secrets or employees taking company-sensitive data to their new job.
The impact of insider threats
For organizations – this could range from delaying milestones to allowing criminals entry into corporate and personal networks and stealing sensitive information. For individuals – the impacts could range from losing a job to identity theft and fraud.
Insider threats originate inside the organization and can go unnoticed for long periods, causing extensive damage before they are discovered. The motives behind insider attacks vary widely, but every one of them abuses physical or remote access to systems and data: either access the insider was legitimately granted but uses for a purpose it was never granted for, or access they have extended beyond what they were given. Once in position, attackers search for any valuable data they can take, such as financial information, intellectual property, customer lists and other confidential business plans. They may also attempt sabotage, rendering computer equipment useless by deleting files or corrupting software.
Insider threats also include ex-employees and business partners whose credentials were never revoked and who use them to get back into company systems, set up command and control infrastructure or provide remote support for other attackers. Activity under a leaver’s credentials is easy to miss precisely because the account looks legitimate; unless offboarding revokes access promptly and accounts are watched for use after the leaving date, your security team may never know it happened.
Types of data leakage
Data leakage by an insider generally takes one of two forms: removing physical items or copying files. Physical theft covers the attacker removing printed documents, laptops holding sensitive information, USB sticks containing company records, and so on.
The second method is file copying: the attacker moves sensitive files out of the organization over email, cloud storage, social media, instant messaging platforms and similar channels, or onto removable media. Copied files that hold credentials (configuration files, password stores, saved sessions) are especially dangerous because they let the attacker move deeper into the network. Files are often first staged in a temporary folder on the endpoint to be collected later, so an unusual pile of sensitive documents in an unexpected location is itself a sign worth looking for.
Every company should have an action plan in place so that when incidents do occur you know exactly what to do, from contacting law enforcement to notifying regulatory bodies. By ensuring you have the right protections in place (such as web proxy filtering and content inspection), monitoring user activity, restricting USB use and enforcing security policies, your organization can dramatically reduce insider threats occurring through file copying and physical document theft.
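The detection side of all this (the visibility, baseline-and-anomaly and act-quickly elements listed under “What can an organization do”, the leaver’s credentials problem from the section above, and the USB and file-copying channels just described) can be exercised with a small rule-based triage pass over activity logs. The following is an added example written for this page, not code from the original article or from Netacea; the event format, the sensitive-path prefixes, the HR roster and every threshold are assumptions, and the events are constructed sample data.

```python
"""Rule-based triage of user activity for insider-threat indicators.

Added illustration, not code from the original page or from Netacea.
The event fields, the HR roster, the sensitive-path prefixes and every
threshold below are assumptions; in practice the events would come from
EDR/DLP/proxy/authentication logs and the roster from the HR system.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SENSITIVE_PREFIXES = ("/crm/", "/src/", "/finance/")   # assumed data classification
POLICY = {                                              # assumed thresholds
    "business_hours": (7, 19),      # local hours treated as normal
    "volume_multiplier": 5.0,       # a day's bytes vs. the user's median day
    "min_baseline_days": 2,         # no spike verdict without some history
    "mass_access_threshold": 20,    # distinct sensitive files in one day
    "removable_media_allowed": False,
}
HR_ROSTER = {"bob": {"left_on": "2024-03-08"}}          # constructed HR feed


def _event(ts, user, action, path="", nbytes=0):
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "bytes": nbytes}


def build_sample_events():
    """Constructed sample telemetry, not real data."""
    ev = []
    # alice: three ordinary working days of a few small source reads ...
    for day in ("2024-03-04", "2024-03-05", "2024-03-06"):
        for i in range(3):
            ev.append(_event(f"{day}T10:{i:02d}:00", "alice", "file_read",
                             f"/src/module{i}.py", 100_000))
    # ... then a late-night sweep of the whole source tree on the 7th
    for i in range(25):
        ev.append(_event(f"2024-03-07T22:{i:02d}:00", "alice", "file_read",
                         f"/src/module{i}.py", 2_000_000))
    # bob: account used after the leaving date recorded by HR
    ev.append(_event("2024-03-11T08:05:00", "bob", "login"))
    ev.append(_event("2024-03-11T08:07:00", "bob", "file_read", "/crm/customers.csv", 500_000))
    # carol: copies a finance file to removable media, which policy forbids
    ev.append(_event("2024-03-05T14:30:00", "carol", "usb_write", "/finance/q1_forecast.xlsx", 300_000))
    # dave: ordinary activity, should produce no alert
    ev.append(_event("2024-03-05T11:00:00", "dave", "file_read", "/crm/report.pdf", 50_000))
    return ev


def triage(events, roster=HR_ROSTER, policy=POLICY):
    """Return (rule, user, detail) alerts; per-user/day aggregation keeps noise down."""
    start, end = policy["business_hours"]
    alerts = []
    days = defaultdict(lambda: {"bytes": 0, "files": set(), "off_hours": 0, "post_departure": 0})
    for e in events:
        user, ts = e["user"], e["ts"]
        day = ts.date().isoformat()
        agg = days[(user, day)]
        agg["bytes"] += e["bytes"]
        left = roster.get(user, {}).get("left_on")
        if left and day >= left:                        # ISO dates compare correctly as strings
            agg["post_departure"] += 1
        if e["action"] == "usb_write" and not policy["removable_media_allowed"]:
            alerts.append(("removable_media_write", user, f"{e['path']} at {ts.isoformat()}"))
        if e["path"].startswith(SENSITIVE_PREFIXES):
            agg["files"].add(e["path"])
            if ts.weekday() >= 5 or not start <= ts.hour < end:
                agg["off_hours"] += 1
    for (user, day), agg in sorted(days.items()):
        if agg["post_departure"]:
            alerts.append(("terminated_user_activity", user,
                           f"{agg['post_departure']} events on {day}, left {roster[user]['left_on']}"))
        if agg["off_hours"]:
            alerts.append(("off_hours_sensitive_access", user,
                           f"{agg['off_hours']} sensitive accesses outside {start:02d}:00-{end:02d}:00 on {day}"))
        if len(agg["files"]) >= policy["mass_access_threshold"]:
            alerts.append(("mass_sensitive_access", user,
                           f"{len(agg['files'])} distinct sensitive files on {day}"))
        # baseline = this user's other days; one busy day with no history is not a spike
        others = [d["bytes"] for (u, dd), d in days.items() if u == user and dd != day]
        if len(others) >= policy["min_baseline_days"]:
            base = median(others)
            if base > 0 and agg["bytes"] > policy["volume_multiplier"] * base:
                alerts.append(("volume_spike", user, f"{agg['bytes']:,} bytes on {day} vs median {base:,.0f}"))
    return alerts


def rules_by_user(alerts):
    """Collapse alerts to {user: set of rule names}, handy for tests and dashboards."""
    out = defaultdict(set)
    for rule, user, _ in alerts:
        out[user].add(rule)
    return dict(out)


if __name__ == "__main__":
    for rule, user, detail in triage(build_sample_events()):
        print(f"{rule:28s} {user:6s} {detail}")
```

Two things in the example are the point. The volume and mass-access rules compare each user with their own history rather than a fixed company-wide number, which is what lets alice’s 25-file sweep at 22:00 stand out against her usual three files a day without flagging someone whose job is bulk data handling. And bob is only suspicious because HR’s leaving date was joined into the security data; the activity itself looks like a normal Monday morning, which is the security/HR collaboration the article calls for. In production the dictionaries become SIEM queries and the thresholds need tuning per team, but the shape of the logic is the same.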
Frequently asked questions about insider threats
How do I know if I have been attacked by an insider?
Because the insider is using legitimate credentials, there is usually no exploit or malware signature to catch; the way to tell is by monitoring user behavior and activity, which means having the right sources in place: authentication, endpoint and file-access logs, plus content inspection at the web proxy and mail gateway. If you have reason to believe there has been a breach, invoke your incident response plan, preserve the relevant logs and devices as evidence, and, with advice from legal counsel, contact law enforcement promptly so they can start investigating what happened.
What steps could my organization take to prevent future attacks from insiders?
The same measures that limit the damage of a first incident reduce the chance of a second: an action plan that covers contacting law enforcement and notifying regulatory bodies, protections such as web proxy filtering, monitoring of user activity, restrictions on USB use and consistently enforced security policies. After an incident, feed the findings of the post-incident review back in: close the specific gap the insider used, remove access that turned out to be unnecessary, and make sure leavers’ credentials are revoked on their last day rather than discovered months later.
What steps should I take if my organization becomes aware of a data breach?
If your business suspects a data leak has occurred, follow your incident response plan: contain it first (for example by suspending the suspect account and preserving its logs and devices as evidence), establish what data was involved and how far it went, and contact law enforcement where a crime is suspected. You should also notify affected customers and partners, and any regulators whose rules apply, so those affected can take the necessary steps to protect themselves against identity theft and fraud.
What are the most common types of insider threats?
There are two main types of insider threats: employees or contractors who deliberately steal information, and those who accidentally expose sensitive data through error. Most organizations already have controls in place to protect their data, including security policies, network monitoring and access control lists on servers and networks. It is important that these measures are not so cumbersome that users work around them; a control that is routinely bypassed creates exactly the accidental exposure it was meant to prevent.
When is physical document theft an example of an insider threat?
Physical document theft is an insider threat when the person removing the material already had legitimate access to it: an employee, contractor or partner who walks out with printed documents, a laptop holding sensitive information, a USB stick of company records, and so on. It is distinct from the other main method, file copying, where the insider copies sensitive files (which may include credentials) to external channels, or plants malware such as keyloggers or remote access Trojans to move deeper into the network.
How does file copying affect my business?
File copying poses a significant threat because it lets an insider (or an intruder using an insider’s credentials) walk away with your sensitive data: customer records including payment card details, or any number of other documents containing personal or financial data that can be sold or abused. To combat this, companies should implement security solutions that give comprehensive visibility into network and endpoint activity, so user behavior can be monitored in real time and incidents are noticed as they occur rather than months later.
What are the most commonly used forms of attack?
Phishing is one of the most common ways of attacking a business today: mass emails carrying malicious attachments or links that deliver malware or harvest login credentials. Social engineering more broadly is another popular method, where the attacker tricks employees into revealing their credentials or installing malware on their devices through phone calls, text messages and other fraudulent communications.
What steps can I take to mitigate these threats?
The first step is to put in place security solutions that give full visibility into what is happening on your network and endpoints at any given moment, so you can identify suspicious activity, respond quickly when incidents occur and stop many breaches before data leaves. You also need to restrict USB use, enforce security policies across all devices, make users aware of the dangers of social engineering and ensure all staff members receive adequate security training.
How can I reduce insider threats caused by employees or contractors?
A large share of insider incidents come down to human error: staff members unintentionally leaking sensitive information that would pose a serious risk if it fell into the wrong hands. The most effective way to reduce this is to make the secure path the easy one: secure file sharing across the whole organization so employees can collaborate without resorting to personal email or USB sticks, combined with controls that restrict printing documents containing sensitive information or removing confidential papers from the office, and training so people recognize what counts as sensitive.
What are some of the most common causes of insider threats?
There are several different factors that can cause an employee to become an insider threat – including mistakes due to lack of training, being unaware of security policies or simply being disgruntled at their employer. It can also be caused by employees deliberately leaking information about a company’s operations if they have strong political views or because they’ve been asked to perform unethical tasks on behalf of their employers.
How does an insider threat differ from a regular threat?
An insider threat differs from an external one in how the access is obtained. An outside attacker has to break in by exploiting vulnerabilities in the company’s infrastructure, whereas an insider, usually an employee or contractor, already holds legitimate credentials and often physical access to the network, so controls aimed at keeping outsiders out do little to stop them. That is why the damage can be so large if data ends up in the wrong hands, and why it does not have to be deliberate to pose a significant security risk: the access is already there.