An insider threat is a category of risk posed by those who have access to an organization’s physical or digital assets. These insiders can be current employees, former employees, contractors, vendors, or business partners who all have — or had — authorized access to an organization’s network and computer systems.
While external threats are more common and grab the biggest cyberattack headlines, insider threats—whether malicious or the result of negligence—can be more costly and dangerous. According to IBM’s Cost of a Data Breach Report 2023, data breaches initiated by malicious insiders were the most costly—USD 4.90 million on average. This is 9.5% higher than the USD 4.45 million cost of the average data breach.
Also, a recent report from Verizon revealed that while the average external threat compromises about 200 million records, incidents involving an inside threat actor have resulted in the exposure of 1 billion records or more.
Understanding insider threats
An insider threat is a security risk that originates from within the targeted organization. It typically involves a current or former employee or business associate who has access to sensitive information or privileged accounts within the network of an organization, and who misuses this access.
Typically, an insider threat in cybersecurity refers to an individual using their authorized access to an organization’s data and resources to harm the company’s equipment, information, networks, and systems. It includes corruption, espionage, degradation of resources, sabotage, terrorism, and unauthorized information disclosure. It can also be a starting point for cybercriminals to launch malware or ransomware attacks.
Insider threats are increasingly costly for organizations. The Ponemon Institute’s 2020 Cost of Insider Threats research found that this form of attack cost an average of $11.45 million and that 63% of insider threats result from employee negligence.
Traditional security measures tend to focus on external threats and are not always capable of identifying an internal threat emanating from inside the organization.
Insider threat individuals
Insider threat individuals are typically split into two types of actors:
- Pawns. These are company employees manipulated into carrying out malicious activity, such as disclosing their user credentials or downloading malware. Pawns are often targeted by attackers through social engineering or spear-phishing campaigns.
- Turncloaks. A turncloak is an employee who actively turns on their employer. Turncloaks often act to gain financially or to cause harm to an organization. However, turncloaks also include whistleblowers, who serve to bring public attention to the failings of their employers.
Additional insider threat individuals include:
- Collaborators. This is an employee who collaborates with a cyber criminal and uses their authorized access to steal sensitive data, such as customer information or intellectual property. Collaborators are typically financially motivated or reveal information to disrupt business operations.
- Goofs. A goof is an employee who believes they are exempt from their organization’s security policies and bypasses them. Whether through convenience or incompetence, goofs’ actions result in data and resources going unsecured, which gives attackers easy access.
- Lone wolf. These are attackers who work alone to hack organizations or seek out vulnerabilities in code and software. They often seek to gain elevated levels of privilege, such as database or system administrator account passwords, that enable them to gain access to more sensitive information.
Types of insider threat
Types of insider threats include:
Malicious insider
Also known as a turncloak, a malicious insider is someone who intentionally abuses legitimate credentials, typically to steal information for financial or personal gain. Examples include an individual who holds a grudge against a former employer, or an opportunistic employee who sells secret information to a competitor.
Malicious insiders are usually disgruntled current employees—or disgruntled former employees whose access credentials have not been retired—who intentionally misuse their access for revenge, financial gain, or both. Some malicious insiders ‘work’ for a malicious outsider, such as a hacker, competitor, or nation-state actor—to disrupt business operations (plant malware or tamper files or applications) or to leak customer information, intellectual property, trade secrets, or other sensitive data.
Turncloaks have an advantage over other attackers because they are familiar with the security policies and procedures of an organization, as well as its vulnerabilities.
Careless insider
This is an innocent pawn who unknowingly exposes the system to outside threats. This is the most common type of insider threat, resulting from mistakes, such as leaving a device exposed or falling victim to a scam. For example, an employee who intends no harm may click on an insecure link, infecting the system with malware.
Careless insiders do not have malicious intent but create security threats through ignorance or carelessness. This includes falling for a phishing attack, bypassing security controls to save time, losing a laptop that a cybercriminal can use to access the organization’s network, or emailing the wrong files (e.g., files containing sensitive information) to individuals outside the organization.
A mole
A mole is an imposter who is technically an outsider but has managed to gain insider access to a privileged network: someone from outside the organization who poses as an employee or partner.
Insider threat warning signs
To build awareness and improve the detection of insider threats, the following common signs could indicate the presence of inappropriate insider activity in an organization:
- disgruntled employee behavior, such as displays of anger, exhibiting a negative attitude or talking about quitting;
- evidence of a user trying to circumvent access controls;
- dismantling, turning off or neglecting security controls, such as encryption or maintenance patches;
- frequently working late or in the office during off-hours when few others are present;
- violation of other corporate policies that may not be related to computer use;
- accessing or downloading large amounts of data;
- accessing — or attempting to access — data or applications that are not associated with an individual’s role or responsibilities;
- connecting outside technology or personal devices to organizational systems or attempting to transmit data outside the organization; and
- searching and scanning for security vulnerabilities.
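Several of the warning signs above (off-hours activity, bulk downloads, access to data outside a person's role, repeated attempts to get past access controls) can be screened for mechanically in access logs. The following is an added example, not code from the original article: it parses a handful of constructed log lines and reports which indicators each user tripped. The log format, the role-to-resource table and the thresholds are assumptions chosen for the illustration; in practice they are tuned to the environment, and a hit is a prompt for an analyst to look, not proof of misconduct.

```python
"""Rule-based screening of access logs for common insider-threat warning
signs. Added example with constructed data: the log format, the ROLE_SCOPE
table and the thresholds are assumptions, not taken from any real product."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp user action resource bytes result
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice read hr/payroll.xlsx 20480 allow
2024-03-04T23:41:00 bob read eng/source-repo 734003200 allow
2024-03-04T23:47:00 bob read eng/source-repo 812000000 allow
2024-03-05T10:05:00 carol read finance/ledger.db 4096 deny
2024-03-05T10:06:00 carol read finance/ledger.db 4096 deny
2024-03-05T10:07:00 carol read finance/ledger.db 4096 deny
2024-03-05T14:30:00 dave read eng/source-repo 51200 allow
"""

# Constructed role table: resource prefixes each user's role is expected to touch
ROLE_SCOPE = {
    "alice": ("hr/",),
    "bob": ("eng/",),
    "carol": ("eng/",),
    "dave": ("eng/",),
}

# Assumed thresholds; a real deployment tunes these per environment
WORK_HOURS = range(7, 20)          # 07:00-19:59 counts as normal working hours
BULK_BYTES = 500 * 1024 * 1024     # a single read of 500 MiB or more
DENY_LIMIT = 3                     # this many denials looks like circumvention


def parse_log(text):
    """Turn the space-separated sample format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource, size, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user, "action": action, "resource": resource,
            "bytes": int(size), "result": result,
        })
    return events


def screen(events):
    """Return {user: sorted indicator names} for every user that tripped a rule."""
    findings = defaultdict(set)
    denials = Counter()
    for e in events:
        user = e["user"]
        if e["time"].hour not in WORK_HOURS:
            findings[user].add("off_hours_activity")
        if e["bytes"] >= BULK_BYTES:
            findings[user].add("bulk_download")
        # An unknown user has no expected scope, so anything they touch is flagged
        if not e["resource"].startswith(ROLE_SCOPE.get(user, ())):
            findings[user].add("outside_role_scope")
        if e["result"] == "deny":
            denials[user] += 1
            if denials[user] >= DENY_LIMIT:
                findings[user].add("repeated_access_denied")
    return {u: sorted(f) for u, f in findings.items()}


if __name__ == "__main__":
    for user, indicators in screen(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(indicators)}")
```

Run as written, the sample data flags bob for late-night bulk reads of the source repository and carol for repeatedly being denied access to a finance database outside her engineering role; alice and dave produce nothing. Each rule is deliberately simple so that an analyst can explain why an alert fired.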
How to defend against insider threats
Because insider threats are executed in part or in full by fully credentialed users—and sometimes by privileged users—it can be especially difficult to separate careless or malicious insider threat indicators or behaviors from regular user actions and behaviors. According to one study, it takes security teams an average of 85 days to detect and contain an insider threat, but some insider threats have gone undetected for years.
To better detect, contain, and prevent insider threats, security teams rely on a combination of practices and technologies.
Offensive security
Offensive security (or OffSec) uses adversarial tactics, the same tactics bad actors use in real-world attacks, to strengthen network security rather than compromise it. It is typically conducted by ethical hackers, cybersecurity professionals who use hacking skills to detect and fix not only flaws in IT systems but also the security risks and vulnerabilities in how users respond to attacks.
Offensive security measures that can help strengthen insider threat programs include phishing simulations and red teaming. In a red team exercise, a team of ethical hackers launches a simulated, goal-oriented cyberattack on the organization.
Identity and access management
Identity and access management (IAM) focuses on managing user identities, authentication and access permissions in a way that ensures the right users and devices can access the right resources, for the right reasons, at the right time. (Privileged access management, a sub-discipline of IAM, focuses on finer-grained control over the access privileges granted to users, applications, administrative accounts and devices.)
A key IAM function for preventing insider attacks is identity lifecycle management. Limiting the permissions of a departing disgruntled employee or immediately decommissioning accounts of users who have left the company are examples of identity lifecycle management actions that can reduce the risk of insider threats.
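The lifecycle actions just described (reducing a departing employee's privileges, decommissioning accounts of people who have left, catching accounts nobody owns) come down to reconciling the HR roster against the directory. The following is an added example, not the article's or any IAM product's code: it takes a constructed roster and a constructed directory export and produces the list of actions an operator should take. The field names, statuses and the set of privileged groups are assumptions for the illustration.

```python
"""Identity-lifecycle reconciliation: compare the HR roster against directory
accounts and decide which accounts to disable or strip of privileges.
Added example with constructed data; the roster and account schemas and the
PRIVILEGED_GROUPS set are assumptions, not a real IAM product's format."""
from datetime import date

# Constructed HR roster: status is 'active', 'notice' (resignation given) or 'terminated'
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "notice", "end_date": date(2024, 3, 29)},
    "carol": {"status": "terminated", "end_date": date(2024, 2, 16)},
}

# Constructed directory export: login -> enabled flag and group memberships
DIRECTORY = {
    "alice": {"enabled": True, "groups": ["staff"]},
    "bob": {"enabled": True, "groups": ["staff", "prod-admins"]},
    "carol": {"enabled": True, "groups": ["staff", "finance-db"]},
    "svc-legacy": {"enabled": True, "groups": ["prod-admins"]},  # no HR owner
}

PRIVILEGED_GROUPS = {"prod-admins", "finance-db"}  # assumed set of sensitive groups


def reconcile(roster, directory, today):
    """Return (login, action, reason) tuples, in directory order.

    - terminated, or past the recorded end date  -> disable the account
    - in notice period and holding privileged groups -> remove those groups
    - enabled account with no HR record           -> flag for review (orphan)
    """
    actions = []
    for login, acct in directory.items():
        if not acct["enabled"]:
            continue  # already decommissioned, nothing to do
        rec = roster.get(login)
        if rec is None:
            actions.append((login, "review", "orphan account with no HR record"))
            continue
        past_end = rec["end_date"] is not None and rec["end_date"] <= today
        if rec["status"] == "terminated" or past_end:
            actions.append((login, "disable", "employment ended"))
        elif rec["status"] == "notice":
            priv = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
            if priv:
                actions.append((login, "remove_groups:" + ",".join(priv),
                                "notice period"))
    return actions


if __name__ == "__main__":
    for login, action, reason in reconcile(HR_ROSTER, DIRECTORY, date(2024, 3, 10)):
        print(f"{login:12} {action:28} {reason}")
```

Run against the constructed data on 2024-03-10, the function asks for bob's production-admin membership to be removed while he serves his notice, for carol's account to be disabled, and for the ownerless service account to be reviewed. Checking the end date as well as the status matters: a leaver whose HR status is updated late still loses access on the recorded day.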
Protect critical assets
Critical assets can be physical or logical, including systems, technology, facilities, and people. Intellectual property, including customer data held for vendors, proprietary software, schematics, and internal manufacturing processes, is also a critical asset.
Form a comprehensive understanding of your critical assets. Ask questions such as: What critical assets do we possess? Can we prioritize our assets? And what do we understand about the current state of each asset?
Employee and user training
Continuously training all authorized users on security policy (e.g., password hygiene, proper handling of sensitive data, reporting lost devices) and security awareness (e.g., how to recognize a phishing scam, how to properly route requests for system access or sensitive data) can help lower the risk of negligent insider threats. Training can also blunt the impact of threats overall.
For example, according to Cost of a Data Breach Report 2023, the average cost of a data breach at companies with employee training was USD 232,867 less—or 5.2% less—than the overall average cost of a breach.
User behavior analytics
User behavior analytics (UBA) applies advanced data analytics and artificial intelligence (AI) to model baseline user behaviors and detect abnormalities that can indicate an emerging or ongoing cyber threat, including a potential insider threat. A closely related technology, user and entity behavior analytics (UEBA), expands these capabilities to detect abnormal behaviors in IoT sensors and other endpoint devices.
UBA is frequently used together with security information and event management (SIEM), which collects, correlates and analyzes security-related data from across the enterprise.
Insider threat detection solutions
Insider threats can be harder to identify or prevent than outside attacks, and they are invisible to traditional security solutions like firewalls and intrusion detection systems, which focus on external threats. If an attacker exploits an authorized login, the security mechanisms in place may not identify the abnormal behavior.
Moreover, malicious insiders can more easily avoid detection if they are familiar with the security measures of an organization.
To protect all your assets, you should diversify your insider threat detection strategy, instead of relying on a single solution. An effective insider threat detection system combines several tools to not only monitor insider behavior, but also filter through the large number of alerts and eliminate false positives.
Tools such as machine learning (ML) applications can help analyze the data stream and prioritize the most relevant alerts. Digital forensics and analytics tools such as user and entity behavior analytics (UEBA) can help detect, analyze, and alert the security team to potential insider threats.
User behavior analytics can establish a baseline for normal data access activity. Also, database activity monitoring can help identify policy violations.
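The "baseline for normal data access activity" that the UBA passages above and here describe is, at its simplest, a per-user statistical profile against which new activity is scored. The following is an added example, not the article's or any UBA product's code: it learns each user's typical daily count of records accessed from constructed history and flags a day that deviates sharply. It uses a plain z-score, which is an assumption for the illustration; commercial products use richer models. It also handles two edge cases that cause noisy deployments: users with too little history are not scored (otherwise every new joiner alerts), and a floor on the standard deviation keeps a very regular user from being flagged by trivial drift.

```python
"""Per-user behavioural baseline with z-score anomaly detection.
Added example with constructed data; the z-score model, thresholds and the
record format are assumptions, not the statistics of a particular product."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, day, records_accessed)
HISTORY = [
    ("alice", "d1", 120), ("alice", "d2", 130), ("alice", "d3", 115),
    ("alice", "d4", 125), ("alice", "d5", 118),
    ("bob", "d1", 40), ("bob", "d2", 45), ("bob", "d3", 38),
    ("bob", "d4", 42), ("bob", "d5", 44),
]

# Constructed new observations to score; erin has no history at all
TODAY = [("alice", "d6", 128), ("bob", "d6", 900), ("erin", "d6", 5000)]


def build_baselines(history):
    """Return {user: (mean, population std dev, days_of_history)}."""
    per_user = defaultdict(list)
    for user, _day, count in history:
        per_user[user].append(count)
    return {u: (mean(v), pstdev(v), len(v)) for u, v in per_user.items()}


def score(observations, baselines, z_threshold=3.0, min_days=5, min_std=1.0):
    """Return {user: z} for observations at or beyond z_threshold.

    Users with fewer than min_days of history are skipped rather than scored
    against an unreliable baseline; min_std stops a near-constant user's
    tiny std dev from turning ordinary variation into a huge z-score.
    """
    alerts = {}
    for user, _day, count in observations:
        if user not in baselines:
            continue  # no baseline yet: handled by onboarding rules, not UBA
        mu, sd, n = baselines[user]
        if n < min_days:
            continue
        z = (count - mu) / max(sd, min_std)
        if z >= z_threshold:
            alerts[user] = round(z, 1)
    return alerts


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for user, z in score(TODAY, baselines).items():
        print(f"{user}: {z} standard deviations above baseline")
```

On the constructed data, alice's 128 records sit well within her usual range and produce nothing, bob's jump from roughly 40 records a day to 900 is hundreds of standard deviations out and is reported, and erin is silently skipped because there is nothing to compare her against. Feeding alerts like bob's into a SIEM, alongside the rule-based indicators discussed earlier, is the combination of tools the text recommends.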