Insider Threat

What Is an Insider Threat?

An insider threat is one or more people within an organization who compromise – or have the potential to compromise – that organization on an internal level. It can also be anyone, including external contractors, whose access to internal systems puts them in a position to be a malicious or unintentional threat to that business.

Insider threats can affect one or both of an organization’s two types of security, physical or digital/cybersecurity.

If someone puts a company’s security in jeopardy, they are an insider threat regardless of whether they mean to do so. Most companies have many opportunities for this kind of compromise to develop. Examples include:

• An innocent employee who accidentally breaks a keycard reader is an unintentional insider threat on a physical security level.
• A fraudster posing as a legitimate contractor who intercepts sensitive information from their organization’s database is a malicious insider threat on a cybersecurity level.

The Goals of Insider Attacks

The goals of insider attacks are varied but chiefly tend to be related to financial gain, espionage, or sabotage. Methods include the pilfering of valuable, sensitive information, as well as theft and embezzlement. Some may even have the intention to compromise the entire target organization.

As is the case with many forms of crime, the fundamental motivation behind malicious insider attacks is not always financial. Criminal motivations could also be personal or ideological, with the goal of working towards:

• espionage
• terrorism
• sabotage
• retribution
• loss or degradation of departmental resources or capabilities

An example of an ideological attack might be an employee at an oil company who is concerned about the associated environmental dangers and decides to infiltrate and jeopardize the stability of that company.

Some insider threats believe that they aren’t acting in their own interest at all; rather, they feel that their goals are based on what they believe to be a noble cause.

How Do Insider Threats Work?

Insider threats require at least two elements: a vulnerability and an individual to (intentionally or unintentionally) exploit it. Malicious insider threats often work by the insider attackers infiltrating their target organization through evasion and/or deception.

These intentional insider threats are especially effective – and therefore compromising – when the attacker convinces an employer to give them a full-time, permanent, or senior role within that company. Employees at this level are often trusted with the most sensitive information, which gives them opportunities to attack their hiring organization.

However, individuals who cause unintentional damage to an organization are also considered insider threats. Even blameless, absent-minded employees can be a type of insider threat.

If they leave, say, company data on-screen in public, they inadvertently become a negligent insider threat. Such threats can lead to malicious individuals gaining access to company accounts or possibly even more parts of the physical or digital infrastructure.

Potential Insider Threat Indicators

Indicators of insider threats include antisocial or unusual behavior, as well as and red flags raised by the organization’s infrastructure – such as alerts generated when users access sensitive data. Here are some indicators:

• unusual queries or complaints from managers, peers, or clients e.g. about business expenses
• consistently turning up very early for work and staying late
• suspicious disappearances of company resources
• requests for unnecessary access e.g. to information that is not related to the person’s work
• staff accessing information and asking questions that are not reflected by their job remit
• the use of equipment that is either suspicious or should not be needed or useful for their duties
• frequent emails to recipients outside of the individual’s reasonable network of contacts
• moving, downloading, and/or sending files in contexts that are irrelevant to their role

Note that the word potential is crucial here. There are plenty of individuals who work alone and forget their passwords and keycards, for example, who are only guilty of human error. However, human error can also lead to unintentional insider threats.

What would an individual need to do to raise fair suspicions that their activity is questionable – and not just down to an honest mistake?

The answer is simpler than one might expect: It does not matter. Someone who increases the risk for the company unintentionally can be just as harmful as someone who intends to harm it. However, with an intentional threat, you are likely to see the same behavior repeating, while an honest mistake is not likely to happen frequently.

Generally, though, the idea is similar to the old cybersecurity adage: A company is as secure from threats as its weakest link. A frequently careless yet well-intentioned employee can provide an opportunity to an external malicious actor to attack the company, or even enable an internal threat who is more junior.

Types of Insider Threats

There are various types of internal threats, but at their core, they boil down to any combination or variation of data sabotage, data theft, unauthorized access and insider fraud.

While these are all separate approaches to compromising an organization’s security, they are not mutually exclusive. In fact, they are often used in conjunction with each other. They involve:

• Data sabotage, when an insider threat damages or eliminates an organization’s information and other resources.
  • removing company data accidentally or so that the business suffers organizational losses
  • doctoring company data accidentally or so that staff access misleading information
  • corrupting company data so that the organization’s public-facing infrastructure becomes malware
• Data theft, when an insider threat steals an organization’s information, documentation, and/or systems, especially sensitive or even classified data.
  • copying and pasting company data into a separate file or system, even if by accident
  • downloading company software to use for purposes unrelated to their intended designs
  • hacking staff profiles to steal personal information
• Unauthorized access, when a malicious insider threat gains entry to an organization’s premises, facilities, or resources.
  • breaking and entering
  • trickery or bribery, e.g. impersonating a member of staff or paying off security guards
  • finding log-in details on staff members’ desks and using them to access private documents
• Insider fraud, when a malicious insider threat abuses an organization’s resources in order to commit fraud.
  • embezzlement of any type
  • money laundering via company resources
  • fraudulent lending, which can happen when the insider works for a lending company.

Why Are Insider Threats Important to Stop?

Insider threats are important to stop because allowing them to continue would compromise the security of the organization and, by extension, the livelihoods of the various people unwittingly involved in the security breach.

Insider threats are also important to stop because doing so helps security researchers to understand what does and doesn’t work in the fight against fraudsters and other malicious entities.

While the above reasons to stop insider threats may seem obvious, it is important to note that organizations must not just stop these threats, but also learn how to stop them surreptitiously. This is because when an organization announces how it thwarted an insider threat, as well as more details about it, this may prepare fraudsters for their next attack.

In other words, every failed attempt by a would-be malicious insider threat could teach them another way to not infiltrate or threaten an organization.

A thwarted insider threat of today must also be considered ammunition against the further insider attacks of tomorrow. Some of the ways that business owners and other decision-makers can act on this are:

• communicate with your trusted employees how the insider threat was both discovered and ultimately stopped
• ensure that your infrastructure has been improved to combat similar attempts in the future
• tread carefully – while some staff should be notified of the risk of insider threats, it is often beneficial not to disclose too much about how such threats will be detected and thwarted, as this knowledge may be exploited by the next malicious individual

All in all, there is no understating how important it is to both stop insider threats as well as do so in the safest possible way. Organizations must therefore bear in mind that insider threat prevention should be treated with urgency and sensitivity.

How to Protect Against Insider Threats

To protect against insider threats, organizations must provide their systems, and employees with the right resources to detect, flag, and mitigate suspicious activity. Employees must also be kept aware of the potential for such threats and the associated protocols around them.

Where possible, focus on prevention as opposed to damage mitigation after the fact. Successfully keeping your domain fraud free relies on proactively addressing organizational vulnerabilities, minimizing them as much as possible.

A fraud risk assessment may evaluate indicators of insider threats – often missed due to poor staff training, a lack of fraud prevention resources, or flawed attitudes inherent in the company culture. They help determine the extent to which systems and overall infrastructures are safe from fraudulent activity. They help to detect potential vulnerabilities, including those open to insider threats, and potentially insider threats themselves.

Certain types of insider threats can also be addressed through the use of security and fraud prevention software. For example, an employee trying to access sensitive information can be flagged by the system, while a fraudster masquerading as a legitimate job candidate may be caught using reverse email lookup and similar tools.

Misconduct is also a significant factor in rendering an organization vulnerable to internal threats. It can stem from a lack of staff training and resources, but also a lack of – or even absence of – vigilance from individuals in the business. Whistleblowing policies are important in this regard. Give your employees the opportunity to flag anything and anyone suspicious.

Employee awareness and training go a long way. Consider how important it is that employees are trained to look out for suspicious colleagues in their company. In fact, it is not uncommon for some organizations such as government facilities to order their staff to not open the door to anyone who wishes to enter their workplace – even if they recognize them as their own coworkers!

Ultimately, the methods to combat insider threats vary from business to business and institution to institution. And while everyone should be cognizant of insider threats, it is important that the seriousness of their insider threat prevention measures is directly proportionate to the sensitivity of their data and operations.

Related Terms

Related Articles

Sources