Insider threats are one of the most difficult security challenges that organisations face. Staying safe isn’t simply about stopping criminal hackers from breaking into your systems, because the vulnerabilities already inside your organisation.
A malicious threat can be an employee, contractor or business partner who is liable to leak sensitive information. Preventing this from happening requires a nuanced approach to information security, and it’s one that organisations are increasingly struggling with.
According to the 2022 Verizon Data Breach Investigations Report, insider threats account for 18% of all security incident.
Meanwhile, a Ponemon Institute report found that data breaches caused by insiders increased by 14% between 2018 and 2022.
But who exactly is causing these incidents and why? We explain everything you need to know in this blog.
Who are insider threats?
An insider threat is someone who works for, or with, an organisation and uses their legitimate access to company data to breach sensitive information or damage systems.
Insider threats fall into two categories: malicious or negligent. Malicious insiders act deliberately, and they often use the same techniques as criminal hackers, such as planting malware or exploiting an unprotected database.
By contrast, negligent insiders act carelessly but have no intent to harm the organisation. They can cause data breaches and other forms of disruption by mistakenly damaging the organisation’s systems or by enabling a cyber criminal to act.
Within this dyad, insider threats can be further divided into three types.
- Financially motivated malicious insiders
Security experts often say that ‘personal data is the new currency’. That’s a slight exaggeration (good luck trying to pay rent with your email address), but the point remains: legitimate organisations and cyber criminals alike are trying to get their hands on personal data.
Indeed, many business activities are designed with information-gathering potential in mind, while cyber criminals want personal information to commit fraud.
Personal data is therefore abundant within organisations and extremely valuable to cyber criminals. An employee hoping to make some extra cash is liable to take that information and sell it on the dark web.
As with crime generally, the two biggest obstacles that prevent people from doing this are their moral compass and their fear of being caught. These factors don’t go away just because you’re dealing with virtual loot and a faceless buyer over the Internet.
But things can change if you put someone in the wrong circumstance. There are countless examples of people who have turned to crime when they need money or they want more.
They might know their actions are wrong but tell themselves that there’s no other option and what they’re doing isn’t that bad. Or that it’s a one-time thing, or a victimless crime.
These motivations are much easier to reconcile with one’s sense of right and wrong when it comes to cyber crime, because the culprit isn’t causing any damage directly. They are, in effect, a middleman, and the knock-on effects of their actions aren’t immediately obvious.
- Vengeful malicious insiders
Business is full of tough decisions, and that sometimes means employees feel hard done by. Perhaps they have been turned down for a promotion or a pay rise, or they feel as though they have been treated poorly by their boss.
Or, in the most common instance of vengeful malicious insiders, they have been fired or forced out. This kind of insider is particularly dangerous if they can log in to their work account remotely and the organisation doesn’t remove their access rights immediately.
That’s because the employee will be acting on emotion, recklessly sabotaging the organisation without considering the consequences of their actions.
A more subtle form of this occurs when perpetrators are unhappy with their employer but are otherwise getting on with their work.
These types of attacks will usually be more thought out and harder to detect. The perpetrator will take a more deliberate approach and could involve personal gain, such as embezzling money or stealing information to sell on the dark web.
However, they might simply want the organisation to suffer, for example by shutting down business processes or redirecting information.
- Negligent insider
Negligent insiders don’t set out to cause damage, but that doesn’t make them any less dangerous.
They pose a problem because they make mistakes while performing normal work duties. This might be because they don’t understand the rules or the organisation doesn’t have properly defined processes and policies in place.
Alternatively, they might simply be tired or slip-up due to a lapse in concentration.
Their actions might result directly in a data breach, such as emailing sensitive files to the wrong person. Or they can make an error that creates opportunities for malicious actors to pounce, such as inadvertently allowing an unauthorised person into the building.
Why do they pose a threat?
Insider threats can result in a range of negative outcomes, from the theft of sensitive data and unauthorised access to the sabotage of their systems and equipment.
In every case, insider threats can jeopardise the confidentiality, integrity and availability of sensitive information and systems.
Confidentiality refers to an organisation’s ability to keep sensitive information private and secure. Whether they’re acting maliciously or negligently, an insider is liable to leak information to a third party. They might hand the information to a cyber criminal or a rival firm, or leak it publicly online.
Integrity refers to the completeness and accuracy of data, as well as the organisation’s ability to protect it from corruption. Insiders could deliberately or inadvertently tamper with information in order to disrupt its operations.
Availability refers to an organisation’s ability to access information when needed. For example, this could happen if an insider damages the organisation’s server or deletes information from its Cloud systems.
The risks presented by negligent insiders are, by definition, harder to define. They aren’t operating with malicious intent, so it’s impossible to say exactly what outcome their actions will have.
The best-case scenario is that the vulnerability caused by their negligence is spotted before any adverse consequences occur. However, in organisations where information security practices are lacking, continuous mistakes could result in long-running and extensive-ranging breaches.
Examples of insider threats
1. Theft of trade secrets
The US multinational company General Electric learned in July 2022 that an employee had stolen more than 8,000 sensitive files in a breach that spanned more than eight years.
An engineer at the firm, Jean Patrice Delia, had persuaded an IT administrator to grant him access to sensitive information, which he siphoned off with the intention of starting a rival company.
The FBI investigated the incident and learned that Delia emailed commercially sensitive information to a co-conspirator. He eventually pleaded guilty to the charges and was sentenced to up to 87 months in prison.
Phishing is perhaps the biggest cyber security risk that organisations face, with organisations of all sizes and in all sectors being at risk.
The NHS learned that to its cost this year, after more than 130 email accounts were compromised in a prolonged phishing campaign.
The Cloud security firm Inky found that scammers sent 1,157 phishing emails originating from NHS mail between October 2021 and March 2022.
The emails contained a link that directed to a bogus Microsoft 365 login page, asking them to provide their login details.
Inky reported that at least 139 NHS emails were compromised in the attack, but the true scope of the campaign was likely much larger, because the organisation only analysed phishing attacks made against its own customers.
A system administrator who lost his job at a paper mill served 34 months in prison after tampering with the control systems of his former employer and causing $1.1 million (about £900,000) in damages.
Brian Johnson, who had been made redundant by the paper manufacturer Georgia-Pacific after 15 years’ service, was able to use login credentials that remained valid. He accessed servers via a VPN in his home, installing his own software and altering the industrial control systems.
In a two-week-long attack on the firm’s factory in Port Hudson, Louisiana, Johnson created a series of delays that cost his former employer huge sums in missed deadlines.
4. Financially motivated
In June 2022, a Taco Bell employee was caught stealing customers’ credit card details and using the numbers to buy items for herself.
Police were called after a victim reported that someone had tried to use their credit card at a nearby Pizza Hut.
The investigation soon led to 36-year-old Laquawanda Hawkins, who worked in Taco Bell’s drive-thru. CCTV footage revealed that she had taken photographs of customers bank cards and used the information to make a series of purchases locally and online.
5. Internal error
Pegasus Airline accidentally left 23 million files containing personal data exposed online after an employee improperly configured a database. The incident was reported in June 2022 after the Turkish airline discovered the error.
Organisations often use third-party services to store sensitive information, because it saves them money and resources. With a Cloud service provider, the data is stored on a central server that can be accessed online.
Because the information is stored online, organisations must adopt appropriate controls to ensure that only authorised people can access the information.
In this case, an employee misconfigured the security settings, exposing valuable information such as fight charts, navigation materials and information data of flight crew.
The database also contained up to 400 files with plaintext passwords and secret keys, as well as the source code for the software.
How to detect an insider threat
Whether you’re trying to spot malicious or negligent behaviour, the best way to detect insider threats is to keep an eye out for employees acting abnormally.
If an employee appears to be dissatisfied at work, they might act less professionally in person and in correspondences. Likewise, the quality of their work might decline and they may show other signs of insubordination, such as turning up to work late or leaving early.
Suspicious behaviour can also include working at unusual times. If an employee logs in to their systems in the middle of the night, it suggests they are doing something that they don’t want their employer to know about.
They might also take a more cavalier attitude towards work and their professional standards. An insider threat might talk often about how much they dislike their job and make reference to the fact they are planning or hoping to quit.
If there is a large volume of traffic, it might indicate that the employee is copying sensitive information to a personal hard drive, which they can use for fraudulent purposes.
Most telling, however, is if the employee accesses resources that they wouldn’t ordinarily need for their job. This suggests that they are using information for illegitimate purposes, whether that’s to commit fraud or to share with a third party.
Other signs of insider threat include using unauthorised storage devices (such as USB drives and the Cloud), network crawling and searching for sensitive data and data hoarding.
They might also copy files from sensitive folders, email sensitive data to non-work affiliated accounts or attempt to bypass security mechanisms.
How to protect against insider threats
Insider threats can occur in any number of ways, which means there’s no single solution you can use to mitigate the risk. You must instead take a holistic approach, with an overarching security mechanism to address your vulnerabilities.
You should start with technical controls to protect critical assets. This should include network monitoring so you can see when users are active, as well as the documents that they view.
Alongside this, you should implement access controls to ensure that employees can only view information that’s relevant to their job. This will take time to configure, as the requirements for each job role will differ.
However, you can cut down on the work by identifying information that’s suitable for everyone in the organisation to view as well as highly classified information that only senior personnel can access.
From there, access to information can be controlled based on its purpose and who in the organisation uses it.
In addition to technical controls, you should adopt cyber security policies that outline employees’ requirements when handling sensitive information.
Likewise, you should take steps to promote the organisation’s security culture. This will give staff a greater understanding of insider threats and mitigate the risk of accidental data breaches.
Demonstrating a company-wide commitment to information security will also dissuade malicious action, as potential wrongdoers learn about the measures the organisation has in place to detect and identify the source of data breaches.
The best place to start when developing a security culture is staff awareness training. An effective course will promote the importance of cyber security and demonstrate the technical and organisational measures that are in place to mitigate the risk.
You can give employees all the information they need with our Complete Staff Awareness E-learning Suite.
This online course offers a quick, affordable and comprehensive solution to your training needs.
It contains all eight of our e-learning courses, covering essential topics such as the GDPR, ISO 27001 and phishing.
All you need to do is purchase a licence for the number of staff taking the courses.
The suite is available on a one-year, easily renewable licence, and the courses can be taken as many times as you like.