- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: In this article, we’ll take a look at insider threats in cyber security and the dangers they pose. You’ll learn the insider threat definition, who the insiders are, the types of insider threats to be aware of, and how to detect threats. By the end of this article, you’ll have a clearer understanding of the entire insider threat ecosystem and the best practices you can use to protect your organization, data, and systems.
What Is an Insider Threat?
An insider threat is a threat to an organization that occurs when a person with authorized access—such as an employee, contractor, or business partner—compromises an organization’s data security, whether intentionally or accidentally.
Through negligence, ignorance, or malice, insiders can cause damage to your organization’s data, systems, networks, equipment, intellectual property, personnel, and facilities. In the process, they can do serious harm to your organization’s integrity and operations.
Who are the insiders?
Insiders are individuals with legitimate access to the organization’s buildings or computer networks. In addition to having authorized access to private resources, they often have knowledge of the organization’s finances, pricing and business strategies, IT infrastructure, or business goals.
Common examples of insiders include:
- Business partners or investors
Brief History of Insider Threats
Insider threats have existed throughout history—in religions, ideological groups, nations, government and financial institutions, and more. Those with special knowledge or access to ideas, information, money, and even other people often used their advantageous positions to block opposition, or to gain power, money, and influence for themselves. Espionage is a classic example of an insider threat.
Over time, the nature of insider threats has evolved and expanded. In today’s digital age, insider threats frequently involve a cyberattack or IT incident. These attacks occur across industries and institutions and are growing more prevalent as organizations shift to a remote work approach. In fact, 75% of insider threat criminal prosecutions in 2021 were the result of remote workers.
The Danger of Insider Threats
Today’s businesses are so reliant on information technology and systems to operate that any threat—whether malicious or not—opens up your organization to major financial, compliance, and legal fallout.
An insider data breach costs companies an average of $15.38 million and takes 85 days to contain.
Data breaches can expose a trove of sensitive and confidential information about your company and customers, seriously hurting your organization’s trust and credibility. Once trust is lost, customers take their business elsewhere, leading to lost revenue. If a law or regulation was violated during the data breach or its containment, your organization could face fines, penalties, and lawsuits.
Insider Threat Categories
There are two categories of insider threats: intentional and accidental.
An intentional threat is caused by a malicious insider—someone who aims to cause harm to or negatively impact the organization. This could be a recently terminated employee or someone gathering data for a competitor. A common technique a malicious insider might use is to sell sensitive or secret information.
An unintentional insider threat occurs when someone accidentally causes harm to an organization or exposes it to future risk. Common examples are employees or contractors who haven’t been given adequate security training, don’t know how to use a piece of technology correctly, or simply made an honest mistake.
What are the 3 motivators for insider threats?
Malicious insiders are often motivated by these reasons:
- Financial: Insiders are seeking personal financial gain or may owe money to another person or group.
- Emotional: Insiders are angry or disgruntled about work conditions or disciplinary actions, depressed or bored, or in open conflict with other people at the organization.
- Political: Insiders are working with or spying for a state-sponsored group or another corporation to seek a competitive advantage.
Types of Insider Threats
There are several different types of people who are included as insider threats. It’s helpful for your organization to recognize these types to know how breaches happen and who could be responsible for one within your ranks.
Accidental Insider Threat Types
- An unwitting person who is manipulated into performing a malicious activity and doesn’t realize they’re doing it—such as a phishing incident.
- A careless person who bypasses organizational security policies in an effort to cut corners.
Intentional Insider Threat Types
- An independent person who acts without outside help and usually has a privileged level of access to your organization’s most sensitive information.
- A collaborator who works with outside organizations, such as a competitor or a state-sponsored group, to steal information or commit some other crime.
Examples of Insider Threats
Insider threats can manifest in many different forms—from the innocent and accidental, such as falling for phishing scams, downloading malware, or inadvertently revealing sensitive data, to the more nefarious, such as committing financial fraud.
The following case summaries detail just a couple of accidental and malicious insider threat examples that some organizations have had to deal with:
- Accidental database leak: A police department employee without enough training improperly moved files from cloud storage, and in the process deleted over 8 million police files, or around 23 terabytes of data. The data loss impacted 17,500 cases.
- Malicious data breach: A former software engineer at a cloud hosting company hacked into and accessed more than 100 million customer accounts and credit card applications from a large bank that was using the hosting company’s services. The bank predicts the data breach will end up costing them around $150 million.
Insider Threat vs. Other Risks
Insider threat vs. insider risk
While an insider threat is characterized by the user’s actions, an insider risk is about the data itself. A lack of internal data governance within your organization exposes employees, customers, partners, products and services, and operations to risk.
Insider threat vs. outsider threat
An outsider threat comes from outside your organization and isn’t affiliated with it in any way, such as a cybercriminal or hacktivist. But they can appear to be an insider if they steal an authorized user’s credentials, for example, and use them to gain entry to a computer network.
Who Is at Risk of Insider Threats?
Any organization can fall prey to insider threats, especially if it deals with sensitive data. But while small and large organizations alike can both experience threats, the nature of the insider threat risk is different for each.
Small organizations tend to have fewer IT resources and smaller budgets, which limits how much they can devote to insider threat user activity monitoring and securing networks, infrastructure, and personnel. On the other hand, large organizations have a larger attack surface—with hundreds if not thousands of employees spread out across multiple locations.
How to Detect Insider Threats
Your organization’s cyber security team needs to have insider threat monitoring tools to flag unusual activity. The right technology will enable your team to easily monitor access, authentication, account logs, virtual private networks (VPNs), and endpoint logs across the organization to detect information system insider threats.
Adopting a privileged access management (PAM) solution enables your security team to centralize data, track infrastructure, understand user behavior, and assess levels of risk that are tied to specific events and users. Using the access management solution, the team can establish normal user behavior or the normal operating state of any particular system and detect notable changes—such as an irregular login time or multiple failed password attempts.
Insider Threat Detection Best Practices
Data loss prevention (DLP) includes the methods and tools that organizations use to safeguard their data from both insider- and outsider threats, and prevent that data from being lost or stolen by unauthorized users. In addition to other insider threat solutions, such as a PAM solution, your cyber security team should develop standard patterns of use, activity, and frequency statistics so deviations can be detected and investigated. The team can also monitor user connections and all endpoints for suspicious applications, such as malware.
Due to the prevalence of accidental insider threats, organizations should prioritize educating employees, contractors, and other insiders on evolving security practices and new detected threats, such as recent phishing scams, as well as insider threat prevention.
How StrongDM Simplifies Insider Threat Protection
StrongDM’s Infrastructure Access Platform enables authentication, authorization, networking, and observability to help protect your organization against insider threats.
Your team gets centralized access to user accounts while automated access workflows eliminate time-consuming manual tasks. Role- and attribute-based access control restricts network access to authorized users, and the system’s auditing capabilities provide a clear audit trail of privileged session activities.
The StrongDM platform also keeps your organization compliant with multiple regulations. Overall, StrongDM’s insider threat software helps your organization secure its infrastructure without disrupting ordinary workflows.
Insider Threats: Frequently Asked Questions
What causes insider threats?
Many accidental insider threats in cyber security tend to happen when employees are rushed and end up making mistakes or lack proper security training. In many cases, employees don’t realize that their actions breached data governance policies—such as employees who feel they have a right to share data they helped create. This exposes the need for ongoing education about what employees can and cannot do with data, as well as insider threat training.
What industries are more at risk of insider threats?
While some industries may experience more insider threat security incidents and data breaches than others, reporting practices can vary widely by industry, so it’s not always easy to know who is actually targeted more than others or just reports more than others. In general, the industries with the greatest risk are those that deal with large quantities of valuable data, including:
- Finance and insurance
- Information technology
- Federal government
What advantages do insider threats have over others?
Insider threats come from within the organization with insider knowledge of company practices. They may appear to be normal, everyday activities by authorized individuals—making them difficult to detect, especially if organizations don’t have threat detection tools in place.
What is an early indicator of a potential insider threat?
There are many potential insider threat indicators, and most are identifiable at a personal and organizational level. For example, a change in an employee’s general demeanor at work could indicate a potential insider threat. Some directly observable behaviors that should raise red flags include bullying, intimidation, or harassment. On an organizational level, changes in culture or workplace policies can create the opportunity for insider threats, especially if they’re met with resistance by some individuals.
Who do you report an insider threat to?
An insider threat management team can help mitigate threats by investigating reports of suspicious activity. If the threat is determined to be accidental, the team can recommend training to help the person understand best practices for safeguarding company data. If the threat is malicious, termination may be in order—and law enforcement may need to be involved if a crime was committed.
Minimize Insider Threats with Threat Detection Tools
Insider threats can come from anywhere, no matter the size or makeup of your organization. Employees and contractors who lack proper security training or insider threat awareness, or don’t know how to use technology tools appropriately, can inadvertently cause damage to your organization. Worse, malicious actors can use their privileged access to your data and systems to steal data, threaten your critical infrastructure, risk your company’s reputation, and cost your organization millions in damages.
By following insider threat detection best practices and using a secure access and auditing tool, you can gain broad visibility into your networks and infrastructure. You can lock down entry and endpoints, and create more secure access for privileged users—all from a centralized system that makes it easy to track normal activities and anomalies.
Want to learn how StrongDM can help safeguard your organization from insider threats? Get a demo of StrongDM today.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.