Here is all you need to know about insider threats – what they are, how they operate, the common types – and how to protect your organization.
The human factor is often the most difficult to control and predict when it comes to data security and protection. This means that internal threats are a major (and increasing) problem for organizations. With digitization, the amount of digital data is growing exponentially, and together with this, the number of interactions with the data is increasing too. Taking it one step further, more interaction involves exposing the data to more security vulnerabilities.
The potential risks of internal threats are numerous, including financial fraud, data corruption, theft of valuable information, and installing malware. These incidents can lead to data breaches that expose sensitive information such as Personally Identifiable Information (PII) or Intellectual Property (IP) and can result in high fines.
What are internal threats in cybersecurity?
Insider threats are cybersecurity risks originating within the organization itself. They can be caused by users with legitimate access to the company’s assets – including current or former employees, contractors, business partners, third-party vendors, etc. Insiders can vary significantly in awareness, motivation, intent, and access level.
Traditional security measures such as firewalls or antivirus systems focus on external threats and are not always capable of identifying threats emanating from inside the organization. Besides being invisible to traditional security solutions, insider attacks can be harder to detect or prevent than outside attacks and go unnoticed for months or years.
Insider threat facts and figures: how big is the problem?
The 2020 Cost of Insider Threats Global Report from Ponemon Institute reveals a worrying trend in the rise of insider threats both in terms of overall cost and number of incidents. According to the study, the number of cybersecurity incidents caused by insiders increased by 47% since 2018. At the same time, the cost of these incidents has surged 31%, from $8.76 million in 2018 to $11.45 million in 2020.
In a Wall Street Journal Pro Research Survey of cybersecurity executives at nearly 400 companies, 67% said they were concerned about malicious employees. Published in June 2020, the results of the survey show a correlation between the size of the company and the concern about insider threats: the bigger the company, the greater the concern. Additionally, according to the survey, the concern about insiders grows to a higher degree than concern about other cybersecurity threats.
As the insider threat landscape continues to evolve, and the number of incidents is rising, it’s time for companies to become more alert about these threats. Insiders usually know where the sensitive data lives within the organization and often have elevated levels of access. Thus, distinguishing between a user’s normal activity and potentially malicious activity is a challenge.
Let’s have an overview of the types, detection, and mitigation of insider threats.
Types of insider threats
Malicious insider or Turncloak:
This is someone who uses their access privilege to exfiltrate or steal data and use it with the goal of personal or financial gain. Malicious insider threats include accessing and disclosing confidential information without authorization, carrying out fraudulent transactions, and sabotaging the organization’s systems, network, or data. Departing and disgruntled employees, as well as those with high-level access, can cause these types of incidents.
Negligent insider or Pawn:
A negligent or careless insider has no malicious intent but mistakenly gives away sensitive data or inadvertently puts company data at risk. These threats include misusing assets, mishandling data, and installing unauthorized applications (shadow IT). Negligent insiders may be well-intentioned, but they can become victims of phishing attacks or social engineering.
This type will collaborate with malicious external threat actors to compromise the organization. These cases usually involve fraud, data theft, or a combination of the two. Although it is the rarest form of criminal insider risk, it can still come with high costs.
The Ponemon Institute identified the most common type of insider threat as a negligent employee or contractor, while credential thefts were the least reported and the most expensive incidents.
Insider threat motivations
Motivations can vary – malicious insiders might act out of a grudge towards their employer, might simply want money, or it could be an act of corporate or nation-state espionage. Unintentional internal threats could happen due to a lack of knowledge, out of curiosity, or convenience as well as misplaced technology. By understanding the motivations, security teams can be more proactive in their approach to insider threat defense.
Insider threats in the era of work from home
The coronavirus pandemic has set the remote work revolution on a fast track, and many companies have been forced to shift to work from home policies and enabling remote staff overnight.
Remote work is opening up new insider security threats, and companies are scrambling to keep up with these unprecedented risks. The new norm of remote work means no face-to-face supervision and little to no training for handling new security risks. Employees can also face more distractions in their home settings, coupled with the overlying stress of the pandemic and regular work pressure. Accidental disclosures can easily happen, as the lines between work and home, professional and family are more blurred than ever.
Working remotely can also open up data theft opportunities. These include the loss or unlawful appropriation of physical devices, the possibility of sharing passwords, encryption keys, and company laptops with unknown third parties.
The insider threat is very present when using workstream collaboration (WSC) platforms like Slack or Mattermost. Employees can accidentally share a customer database, intentionally disclose a trade secret or share Social Security numbers in the public cloud. The increased data portability is another threat factor, posing a high risk of data loss or theft. Employees working from home can easily transfer, share or remove data, and cause the organization to lose revenue, get a penalty for non-compliance or damage the reputation.
Thus working remotely, especially for organizations with no solid remote work plans, means that their assets and confidential data are more vulnerable during the global pandemic. Implementing the right tools and technologies and paying closer attention to company data can decrease the risk of cyber incidents.
Common types of insider attacks
We have collected the most prevalent internal incidents and practices that represent a threat to a company’s data security.
1. Social engineering
Recognized as one of the biggest security threats facing companies, social engineering is a malicious threat that implies human interaction. Usually, it involves tricking someone inside the organization to make a security mistake or reveal sensitive information. Social engineering attacks have different forms, including phishing and baiting. Malicious actors who engage in social engineering manipulate human feelings, such as curiosity or fear, and compromise their targets’ information.
2. Data sharing outside the company
Employees sharing confidential data, either publicly or with unauthorized third parties, can cause serious problems. This type of incident usually happens out of carelessness: information is sent to the wrong email address, a reply all button is hit instead of a simple reply, confidential data is accidentally posted publically.
3. Shadow IT
The use of unauthorized devices, software, applications, and services in the workplace is often hard to trace by IT departments and this is where the term shadow IT comes from. While it can improve productivity and drive innovation, shadow IT also poses a serious threat to data security. It can lead to data leaks, compliance violations, and more.
4. Use of unauthorized devices
With the rise of Bring-Your-Own-Device (BYOD) policies and the proliferation of mobile devices, organizations encounter many internal security problems. These include the risk of losing data due to employee negligence or malicious intentions. Portable devices and USBs, in particular, although convenient to use, are easy to lose or steal. Thus negligence can easily lead to disastrous data breaches, such as the infamous Heathrow Airport security incident in which a careless employee lost a USB device with over 1,000 confidential files.
5. Physical theft of company devices
Nowadays, it is becoming increasingly common that employees take their work computers or portable devices out of the office. This can happen for several reasons, including remote work, attending an industry event, or visiting a client. By leaving the security of company networks, work devices become more vulnerable to physical theft and outside tampering.
Insider threat mitigation best practices
Organizations should start developing guidelines and implementing comprehensive insider threat programs to reduce risks while ensuring that they have the right balance between people, processes, and technology. Being proactive may allow organizations to catch malicious insiders and avoid data breaches caused by employee negligence, thus protecting their assets and reputation.
1. Security awareness
Organizations must ensure that all employees are aware of the critical asset they are dealing with and how they need to manage it securely. Information security technology continues to progress, but human behavior changes much more slowly.
Educating entire teams with little to no technical background can be difficult. Still, everybody should know the importance and best practices of cybersecurity within the company. Employees need to be prepared to recognize phishing and other social media threat vectors, as well as how outside attackers might approach them.
2. Security policies
Clearly documented organizational policies are another critical aspect when looking to prevent insider threats. By enforcing these, it can also help to avoid misunderstandings. Policies should include procedures to prevent and detect malicious activity, as well as an incident response policy. A third-party access policy, account management, and password management policy are also extremely useful.
When developing cybersecurity policies and procedures, companies should also consider locating where their sensitive data resides, monitoring data flows, and determine who can have access to confidential data.
3. Cybersecurity tools
Implementing robust technical controls are also an essential step in mitigating insider threats. To efficiently protect all assets, companies shouldn’t rely on a single solution. For a successful insider threat detection strategy, it is advised to combine several security tools that increase visibility and keep track of employee actions. Insider threat management tools include User Activity Monitoring (UAM), Secure Information and Event Management Systems (SIEM), User Behavior Analytics (UBA) software, and Data Loss Prevention (DLP) solutions.
DLP software is intended to discover sensitive data, address data loss across multiple channels, detect data use policy violations, and offer remediation actions. User Activity Monitoring tools are user-centric rather than data-centric. Unlike DLP solutions that manage data activity, UAM does not limit or reject any action.
UBA software promises to identify potential insider threats before they happen, based on previous behaviors. However, usually doesn’t provide any action outside of an alert when an insider threat risk has been detected. SIEM tools can track anomalies across an entire network and flag up dangerous events to the security teams. However, these tools are typically focused on spotting external threats, not internal ones.
When looking for solutions that help mitigate insider threats, organizations should consider the following:
- the performance impact,
- the ease of management and deployment,
- the stability and flexibility of the solution.
Insider threats can be challenging to identify and even can be even harder to stop them from causing harm to the company. However, by implementing preventive measures and best practices, organizations can mitigate common insider threats. By combining training, organizational alignment, and technology, the risk of these threats can be significantly reduced.
How does Endpoint Protector help to mitigate insider threats?
Endpoint Protector is an advanced Data Loss Prevention (DLP) solution that minimizes the risk of cyberattacks carried out by insiders. By deploying it, enterprises can ensure the security of their sensitive data and reach compliance with regulations such as the GDPR, PCI DSS, HIPAA, or CCPA. Our DLP software comes with the following features and benefits:
- Offers a data-centric approach to protecting sensitive information;
- Keeps track of sensitive data and ensures that its transfer, whether by email or other internet services, is limited or blocked altogether;
- Protects data regardless if it is stored in a physical or virtual environment;
- Offers cross-platform protection for sensitive data, being compatible with Windows, macOS, and Linux operating systems;
- Discovers sensitive data stored on computers, laptops, etc. and provides remediation actions;
- Is easy-to-use and does not require advanced technical knowledge to run;
- It provides the option to easily create granular security policies for users, computers, and groups.
- Monitors and controls USB ports and portable storage devices;
- Offers real-time retailed reports of user activity and gives valuable insights about what sensitive data is being transferred where and by whom;
- It is easy to scale and has several deployment options depending on the existing infrastructure of the organization;
- It provides seamless integration with Active Directory (AD) and SIEM technology.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.