What is an Insider Threat in Cyber Security?

Insider security threats are a major problem that organisations must address. According to the 2021 Verizon Data Breach Investigations Report, insiders are responsible for 22% of all security incidents.

Meanwhile, a Ponemon Institute report found that the average global cost of an insider incident increased by almost a third between 2018 and 2020 – making them almost twice as costly as the average breach.

In this blog, we explain what insider threats are, how they occur and what you can do to prevent them.

What is an insider threat?

An insider threat is someone within your organisation who can jeopardise the confidentiality, integrity or availability of sensitive information.

This might be by inadvertently leaking sensitive information, falling for a scam, damaging physical assets, misplacing company devices or deliberately sabotaging systems.

Anyone with access to sensitive information or assets is a potential insider threat. This includes employees, contractors and partners. Former employees can be insider threats if they still have access to sensitive information after they leave the organisation.

Types of insider threat

There are two types of insider threat: malicious actors and negligent employees. Let’s take a look at the difference between the two.

  • Malicious insiders

A malicious insider is someone who deliberately steals sensitive data or sabotages an organisation. They typically do this for financial gain, using the stolen information to commit fraud or selling it to a third party, such as a competitor or criminal hacking group.

Another significant motivator for malicious insiders is revenge. This is most commonly the case for recently departed employees who hold a grudge against their former employer.

If the person still has access to sensitive systems – whether that’s because their company login credentials remain active or they have a key to the building – they are liable to cause disruption.

Existing employees can also be motivated by revenge. This often happens when they have been passed up for a promotion or otherwise feel unvalued. They can use their access to the organisation’s systems to disrupt them or steal sensitive information.

  • Negligent insiders

Negligent insider threats are the result of employees making mistakes, such as losing a company device or falling for a phishing scam.

These types of incidents fall into two sub-categories. The first are employees who exhibit good judgement but commit a data breach due to mitigating circumstances. For example, they might have made the mistake because they were overworked or distracted.

The second are employees who repeatedly flout the rules and are unresponsive to staff awareness training. They often justify their actions by claiming that the organisation’s policies and processes are unnecessarily bureaucratic or too inconvenient.

They may even use the fact that they haven’t yet caused a data breach as proof of their position. If this is the case, it’s more likely good fortune than good judgement, and a data breach will almost certainly occur at some point.

These types of employees are often senior executives, which can make it difficult for organisations to address the issue. More worryingly, such employees are often those most likely to be targeted by sophisticated scams, such as BEC (business email compromise) schemes.

How to detect insider threats

Whether you’re looking for malicious or negligent behaviour, the best way to detect insider threats is to keep an eye out for employees acting abnormally.

For example, if an employee appears to be dissatisfied at work, they might act less professionally in person and in correspondence. Likewise, the quality of their work might decline and they may show other signs of insubordination, such as turning up to work late or leaving early.

Anomalous activity can also include working at unusual times. If an employee logs in to their systems in the middle of the night, it suggests they are doing something that they don’t want their employer to know about.

Similarly, if there is a large volume of traffic, it might indicate that the employee is copying sensitive information to a personal hard drive, which they can use for fraudulent purposes.

Most telling, however, is if the employee accesses resources that they wouldn’t ordinarily need for their job. This suggests that they are using information for illegitimate purposes, whether that’s to commit fraud or to share with a third party.

Other signs of insider threats include:

  • Using unauthorised storage devices or services (such as USB drives and personal cloud storage);
  • Network crawling and searching for sensitive data;
  • Data hoarding;
  • Copying files from sensitive folders;
  • Emailing sensitive data to non-work affiliated accounts;
  • Attempting to bypass security mechanisms;
  • Violating the organisation’s security policies; and
  • Speaking to colleagues about resigning or looking for other jobs.
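The technical indicators above (off-hours activity, unusually large transfers and access to resources outside the employee's normal job role) can be checked automatically against activity logs. The script below is an added example written for this post, not code from the original article or from any named product; the log records, role-to-resource mapping, working-hours window and bulk-transfer threshold are all constructed assumptions and would need to be replaced by an organisation's own baselines.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample activity records (not real data): one record per user action.
SAMPLE_EVENTS = [
    {"user": "alice", "role": "finance", "ts": "2021-06-01T09:12:00",
     "action": "login", "resource": "finance-share", "bytes_out": 0},
    {"user": "alice", "role": "finance", "ts": "2021-06-01T09:30:00",
     "action": "read", "resource": "finance-share", "bytes_out": 12_000},
    {"user": "bob", "role": "engineering", "ts": "2021-06-02T02:41:00",
     "action": "login", "resource": "vpn", "bytes_out": 0},
    {"user": "bob", "role": "engineering", "ts": "2021-06-02T02:50:00",
     "action": "read", "resource": "hr-records", "bytes_out": 900_000_000},
    {"user": "carol", "role": "hr", "ts": "2021-06-02T14:05:00",
     "action": "read", "resource": "hr-records", "bytes_out": 2_000_000},
]

# Assumed mapping of job role to the resources that role ordinarily needs.
# In practice this comes from the access-control configuration described later in the post.
ROLE_RESOURCES = {
    "finance": {"finance-share", "vpn"},
    "engineering": {"source-repo", "build-server", "vpn"},
    "hr": {"hr-records", "vpn"},
}

WORK_HOURS = (time(7, 0), time(19, 0))   # assumed normal working window
BULK_BYTES = 500 * 1024 * 1024           # assumed "large volume" threshold (500 MiB)


def flag_event(event):
    """Return the list of indicator names that a single record triggers."""
    reasons = []
    ts = datetime.fromisoformat(event["ts"])
    # Indicator 1: activity at unusual times.
    if not (WORK_HOURS[0] <= ts.time() <= WORK_HOURS[1]):
        reasons.append("off-hours")
    # Indicator 2: large outbound volume, consistent with bulk copying.
    if event["bytes_out"] >= BULK_BYTES:
        reasons.append("bulk-transfer")
    # Indicator 3: resource the role would not ordinarily need (deny-by-default for unknown roles).
    if event["resource"] not in ROLE_RESOURCES.get(event["role"], set()):
        reasons.append("out-of-role-resource")
    return reasons


def triage(events):
    """Group triggered indicators by user: {user: [(timestamp, reason), ...]}."""
    findings = defaultdict(list)
    for event in events:
        for reason in flag_event(event):
            findings[event["user"]].append((event["ts"], reason))
    return dict(findings)


def rank_users(events):
    """Users ordered by number of triggered indicators, most suspicious first."""
    findings = triage(events)
    return sorted(((u, len(f)) for u, f in findings.items()), key=lambda x: -x[1])


if __name__ == "__main__":
    for user, count in rank_users(SAMPLE_EVENTS):
        print(f"{user}: {count} indicator(s)")
        for ts, reason in triage(SAMPLE_EVENTS)[user]:
            print(f"  {ts}  {reason}")
```

Each indicator on its own is weak (a night-shift login or a legitimate large backup will trip them), so the output is meant as a prioritised list for a human reviewer to look at alongside the behavioural signs described above, not as an automatic verdict; a single user accumulating several independent indicators in a short window is the pattern worth escalating.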

How to prevent insider threats

Insider threats can occur in any number of ways, which means there’s no single solution you can use to mitigate the risk. You instead need to take a holistic approach, combining technical, organisational and cultural measures that together address your vulnerabilities.

You can start with technical controls to protect critical assets. This should include network monitoring so you can see when users are active, as well as the documents that they view.

Alongside this, you should implement access controls to ensure that employees can only view information that’s relevant to their job. This will take time to configure, as the requirements for each job role will differ.

However, you can cut down on the work by identifying information that’s suitable for everyone in the organisation to view as well as highly classified information that only senior personnel can access. From there, access to information can be controlled based on its purpose and who in the organisation uses it.
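The three-tier scheme just described (information everyone may see, highly classified information limited to senior personnel, and everything else restricted by job role) maps directly onto a small access-control policy. The code below is an added example for this post and not part of the original article or any product it mentions; the document catalogue, users and role names are constructed, and the rule that a former employee's account is deactivated rather than merely forgotten is an assumption that follows from the post's point about leavers retaining access.

```python
from dataclasses import dataclass

PUBLIC = "public"                   # suitable for everyone in the organisation
ROLE_RESTRICTED = "role-restricted"  # controlled by purpose and who uses it
CLASSIFIED = "classified"           # senior personnel only


@dataclass(frozen=True)
class Document:
    name: str
    level: str
    roles: frozenset = frozenset()   # only consulted for ROLE_RESTRICTED documents


@dataclass(frozen=True)
class User:
    name: str
    role: str
    senior: bool = False
    active: bool = True              # False once the person has left the organisation


def can_access(user, doc):
    """Least-privilege decision: deny unless a rule explicitly allows."""
    if not user.active:
        return False                 # leavers lose all access, whatever the document
    if doc.level == PUBLIC:
        return True
    if doc.level == CLASSIFIED:
        return user.senior
    if doc.level == ROLE_RESTRICTED:
        return user.role in doc.roles
    return False                     # unknown classification: deny by default


def visible_documents(user, catalogue):
    """Names of the documents a user is allowed to view, sorted for stable output."""
    return sorted(d.name for d in catalogue if can_access(user, d))


# Constructed catalogue and users (not real data).
CATALOGUE = [
    Document("employee-handbook", PUBLIC),
    Document("payroll-q2", ROLE_RESTRICTED, frozenset({"finance", "hr"})),
    Document("customer-contracts", ROLE_RESTRICTED, frozenset({"sales", "legal"})),
    Document("board-minutes", CLASSIFIED),
]

USERS = [
    User("alice", "finance"),
    User("dave", "finance", active=False),   # former employee, account deactivated
    User("erin", "exec", senior=True),
]


if __name__ == "__main__":
    for u in USERS:
        print(f"{u.name:6} -> {visible_documents(u, CATALOGUE)}")
```

Because the only two special cases are "public" and "classified", most of the configuration effort goes into the role sets on the role-restricted documents, which is exactly where the post says the per-role work lies; starting with the two easy tiers means the bulk of the catalogue can be protected before every role mapping is finished.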

In addition to technical controls, you should adopt cyber security policies that outline employees’ requirements when handling sensitive information.

Likewise, you should take steps to promote the organisation’s security culture. This will give staff a greater understanding of insider threats and mitigate the risk of accidental breaches.

Demonstrating a company-wide commitment to information security will also dissuade malicious action, as potential wrongdoers learn about the measures the organisation has in place to detect and identify the source of data breaches.

The best place to start when developing a security culture is staff awareness training. An effective course will promote the importance of cyber security and demonstrate the technical and organisational measures that are in place to mitigate the risk.

You can give employees all the information they need with GRC eLearning’s Compliance Staff Awareness E-learning Suite.

These four courses and a game educate employees on their security responsibilities – from GDPR (General Data Protection Regulation) compliance to the dangers of email misuse – and ensure that everyone receives the same level and quality of training.