December 9, 2022

Threats from insiders — employees, contractors, and business partners — pose a great risk to the enterprise because of the trust organizations put in their access to the network, systems, and data. Whether they’re acting negligently, unwittingly, or maliciously, they don’t have to break in through a firewall or other safeguards. That means identifying insider threat indicators and mitigating insider threats require different kinds of controls than organizations use for perimeter defenses. 

What Is an Insider Threat?

Insiders are individuals who have or had authorized access to organizational resources or knowledge of its operations. In the context of cybersecurity, this includes the IT landscape — networks, computing systems, devices, data, etc. — as well as other aspects that impact security. 

Employees, contingency workers, contractors, vendors, service providers, consultants, and board members are all considered insiders who may have authorized access to sensitive resources and information about the enterprise. An insider threat is the potential for an insider to use that knowledge or access to compromise cyber or data security. 

Insider threats fall into two main categories: unintentional and intentional. 

Unintentional Insider Threats

Insiders don’t have to intend harm to pose a risk. Employees, especially, are more likely to act carelessly or negligently — or simply make a mistake — than to deliberately try to harm their employers. In fact, error is the third most common type of action involved in a data breach (following hacking and social engineering).

External actors frequently take advantage of unwitting insiders, whether it’s to steal login credentials or trick them into infecting systems with malware. For example, it’s much more effective for cyberattackers to gain access to a network by logging in than by hacking in. And, unless organizations have certain controls in place, attackers who behave as much like a legitimate user as possible are likely to fly under the radar longer.

Intentional Insider Threats

After ransomware and social engineering, malicious insiders are the top threat for organizations. Actors such as disgruntled former (or soon-to-be-former) employees or financially motivated business partners can misuse their authorized access for personal benefit or gain.

Since they are deliberately trying to compromise the confidentiality, integrity, or availability of information systems or data, malicious insiders can cause tremendous harm.

A data breach involving malicious insiders is the third most expensive type of breach; only breaches due to business email compromise and phishing are more costly. 

How Do Insider Threats Affect Organizations?

The potential implications of insider threats are many, including: 

  • Data privacy and confidentiality violations (or data breaches) when sensitive information is disclosed to an unauthorized party 
  • Disclosure of intellectual property and other proprietary information for the purposes of corporate espionage 
  • Sabotage or disruptions of operations due to systems downtime, ransomware, etc. 

Many major cybersecurity incidents that have been in the news in the past few years were due to insiders. The consequences have ranged from data breaches affecting millions of consumers to disruption of essential services. Other potential outcomes include malware infections, financial losses, reputational damage, loss of customers, and criminal activity such as financial fraud. 

Insider Threat Indicators 

Indicators of insider threats generally center around information collection and transmission activities, as well as generally suspicious behavior. 

Unusual Logins and Out-of-the-Ordinary Access Requests

Warning signs of unusual activity include users logging in outside of their typical work hours or IP location, repeated failed login attempts, and access to systems or data that is uncommon for the user’s specific role. While some of these activities may have legitimate reasons, organizations often flag these requests and investigate or apply additional controls.

Use of Unauthorized Applications within Systems

Diving deeper into unusual requests, application access may be another red flag. For example, a marketing employee shouldn’t need access to a human resources application, while a human resources specialist shouldn’t need to use a customer relationship management (CRM) app.

Increase in Admin Access

Administrators have broad access to systems and accounts, and privilege escalation for themselves or for other unauthorized users may indicate an attempt to gain access to sensitive areas. Admin access can be increased by means such as exploiting vulnerabilities (e.g., programming errors), circumventing weak security controls, or taking advantage of weak policies.

Downloading Excessive Amounts of Data

Some functions require downloads of large sets of data. Examples include finance or compliance teams running regular reports, or the payroll department preparing annual tax documents for employees. But any activity that’s unusual or outside of the user’s role should be investigated. 
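The login, application-access, and data-volume indicators described in the four sections above can all be checked with simple rules run over authentication and access logs. The script below is an added illustration, not code from the original article or from SailPoint: it defines a handful of constructed audit events (one line per event, in a made-up space-separated format), an assumed role-to-application entitlement table, assumed working hours, a corporate IP prefix, and per-role download baselines, and emits indicators for a human to review. Every threshold and name here is an assumption chosen for the example; a real deployment would take them from the organization's own access model and baselines.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not taken from any real system):
# "<timestamp> <user> <event> <source_ip> <app> <bytes>"
EVENTS = [
    "2022-12-05T09:12:00 alice login_ok 10.0.5.21 crm 0",
    "2022-12-05T09:15:00 alice download 10.0.5.21 crm 120000",
    "2022-12-05T22:40:00 alice login_ok 203.0.113.9 crm 0",
    "2022-12-05T22:41:00 alice download 203.0.113.9 crm 4800000000",
    "2022-12-05T08:02:00 bob login_fail 10.0.7.3 hr 0",
    "2022-12-05T08:02:30 bob login_fail 10.0.7.3 hr 0",
    "2022-12-05T08:03:00 bob login_fail 10.0.7.3 hr 0",
    "2022-12-05T08:03:30 bob login_fail 10.0.7.3 hr 0",
    "2022-12-05T08:04:00 bob login_ok 10.0.7.3 hr 0",
    "2022-12-05T10:30:00 bob app_access 10.0.7.3 crm 0",
    "2022-12-05T11:00:00 carol login_ok 10.0.9.4 finance 0",
    "2022-12-05T11:05:00 carol download 10.0.9.4 finance 900000000",
]

# Assumed entitlements: which applications each role is expected to use.
ROLE_APPS = {"sales": {"crm"}, "hr": {"hr"}, "finance": {"finance", "crm"}}
USER_ROLE = {"alice": "sales", "bob": "hr", "carol": "finance"}
CORP_PREFIX = "10.0."            # assumed corporate address space
WORK_HOURS = range(7, 20)        # assumed 07:00-19:59 local working window
FAIL_THRESHOLD = 3               # consecutive failures before flagging
# Assumed per-role download baselines in bytes; finance legitimately pulls large reports.
DOWNLOAD_BASELINE = {"sales": 50_000_000, "hr": 50_000_000, "finance": 2_000_000_000}


def parse(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, user, event, ip, app, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "ip": ip, "app": app, "bytes": int(nbytes)}


def detect(lines):
    """Return (user, indicator, detail) tuples. These are leads for an analyst, not verdicts."""
    findings = []
    consecutive_fails = Counter()
    downloaded = defaultdict(int)
    volume_flagged = set()
    for rec in map(parse, lines):
        user = rec["user"]
        role = USER_ROLE.get(user, "unknown")
        if rec["event"] == "login_fail":
            consecutive_fails[user] += 1
            if consecutive_fails[user] == FAIL_THRESHOLD:
                findings.append((user, "repeated_failed_logins",
                                 f"{FAIL_THRESHOLD} consecutive failures from {rec['ip']}"))
            continue
        if rec["event"] == "login_ok":
            consecutive_fails[user] = 0
            if rec["ts"].hour not in WORK_HOURS:
                findings.append((user, "off_hours_login", rec["ts"].isoformat()))
            if not rec["ip"].startswith(CORP_PREFIX):
                findings.append((user, "unusual_source_ip", rec["ip"]))
        # Application outside the role's entitlements (the marketing/HR example in the text).
        if rec["app"] not in ROLE_APPS.get(role, set()):
            findings.append((user, "app_outside_role",
                             f"{rec['app']} is not entitled for role {role}"))
        # Cumulative download volume compared against the role's baseline, flagged once.
        if rec["event"] == "download":
            downloaded[user] += rec["bytes"]
            if downloaded[user] > DOWNLOAD_BASELINE.get(role, 0) and user not in volume_flagged:
                volume_flagged.add(user)
                findings.append((user, "excessive_download",
                                 f"{downloaded[user]} bytes exceeds role baseline"))
    return findings


def indicators_by_user(lines):
    """Group indicator names per user, which is the shape a review queue would consume."""
    grouped = defaultdict(set)
    for user, indicator, _ in detect(lines):
        grouped[user].add(indicator)
    return {user: sorted(inds) for user, inds in grouped.items()}


if __name__ == "__main__":
    for user, indicator, detail in detect(EVENTS):
        print(f"{user:6} {indicator:24} {detail}")
```

Run against the constructed events, the script flags alice for an off-hours login from a non-corporate address followed by a download far above her role's baseline, and bob for a burst of failed logins and use of an application outside his role, while carol's large finance report stays under her role's baseline and produces nothing. The role-aware baseline is the point: the same download volume is an indicator for one role and routine work for another.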

Unusual or Suspicious Employee Behavior

Other types of suspicious behaviors include repeated security violations, frequent work activities outside of regular hours or typical requirements, escalating conflicts with peers and superiors, decline in work performance, and financial or other stress. Many of these activities can’t be observed through technology use, but could be identified by other team members if properly trained. 

How to Respond to an Insider Threat 

Once an insider threat is detected, organizations must act quickly to mitigate it. As noted earlier, insiders can quickly cause a great deal of damage because they have trusted access to systems. Fast response will help minimize the impact. 

Insider Threat Detection Plans

As with any incident, cybersecurity or otherwise, all organizations must make a plan for responding to insider threats. A plan achieves a variety of goals, such as: 

  • Ensuring the organizational response is consistent and complies with all company, regulatory, and other requirements. With employees in particular, there may be other factors at play, such as human resource policies. 
  • Providing a documented strategy that organizational leaders can review and approve. This documentation may also be necessary for regulatory compliance. 
  • Enabling the response team to act quickly to investigate the incident and contain the threat. 

Seek Out Trusted, Validated Information Regarding the Threat

Avoid immediately jumping to conclusions. A red flag is not proof of wrongdoing or error — it’s simply an indication that something may be amiss. Whether the threat was observed by other personnel or identified through a technical means such as SIEM logs, there may be a reason for the suspicious activity. Investigate it by gathering and analyzing evidence, and follow response plan protocols. 

Temporarily Limit User Access While Investigating

Limiting user access helps ensure the incident doesn’t escalate while it is being investigated. Let’s say, for example, that a user is downloading large amounts of data. An investigation shows that an employee clicked on a malicious link, enabling an attacker to steal the employee’s login credentials.

By limiting the user access during the investigation, the organization will prevent the attacker from using those logins in the meantime. Once the root cause is determined, appropriate steps can be taken to remediate while limiting the potential damage. 
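The containment step described above, as an added example that is not part of the original article and does not use any SailPoint product API: a small in-memory identity store with an "investigation hold" that blocks new authentication, revokes the account's live sessions so stolen credentials cannot be reused, records every action against a case identifier, and can only be lifted by the case that placed it. All class names, the `must_reset_password` flag, and the case and session identifiers are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Account:
    username: str
    enabled: bool = True
    hold_case: Optional[str] = None          # case id of the active investigation hold, if any
    must_reset_password: bool = False        # forced rotation after a credential-theft finding
    sessions: set = field(default_factory=set)


class IdentityStore:
    """Hypothetical identity store used to illustrate reversible, audited containment."""

    def __init__(self):
        self.accounts = {}
        self.audit = []   # append-only list of dicts; never cleared by the hold workflow

    def _log(self, action, username, actor, case_id, **extra):
        entry = {"at": datetime.now(timezone.utc).isoformat(), "action": action,
                 "user": username, "actor": actor, "case": case_id, **extra}
        self.audit.append(entry)

    def add_account(self, username, sessions=()):
        self.accounts[username] = Account(username, sessions=set(sessions))

    def place_hold(self, username, case_id, actor):
        """Block logins and revoke live sessions; returns the session ids revoked."""
        acct = self.accounts[username]
        revoked = sorted(acct.sessions)
        acct.sessions.clear()        # existing tokens stop working, not just new logins
        acct.hold_case = case_id
        self._log("hold_placed", username, actor, case_id, revoked=revoked)
        return revoked

    def can_authenticate(self, username):
        """Authentication gate: account must exist, be enabled, and carry no hold."""
        acct = self.accounts.get(username)
        return bool(acct and acct.enabled and acct.hold_case is None)

    def lift_hold(self, username, case_id, actor, disposition):
        """Restore access once the root cause is known; the lifting case must match."""
        acct = self.accounts[username]
        if acct.hold_case != case_id:
            raise ValueError("hold belongs to a different case or no hold is active")
        if disposition == "credentials_stolen":
            acct.must_reset_password = True   # the stolen password must not come back into use
        acct.hold_case = None
        self._log("hold_lifted", username, actor, case_id, disposition=disposition)
        return acct.must_reset_password


def contain_and_release(store, username, case_id, disposition):
    """Walk one account through the full hold lifecycle and report the observable states."""
    revoked = store.place_hold(username, case_id, actor="soc-analyst")
    blocked_during_hold = not store.can_authenticate(username)
    reset_required = store.lift_hold(username, case_id, actor="soc-analyst",
                                     disposition=disposition)
    return {"revoked": revoked, "blocked_during_hold": blocked_during_hold,
            "reset_required": reset_required, "open_after": store.can_authenticate(username)}


if __name__ == "__main__":
    store = IdentityStore()
    store.add_account("alice", sessions={"sess-1", "sess-2"})   # constructed session ids
    print(contain_and_release(store, "alice", "CASE-0001", "credentials_stolen"))
    for entry in store.audit:
        print(entry)
```

Two design points matter here. Revoking sessions at the moment the hold is placed closes the window in which an attacker holding the employee's credentials could keep using an already-established session, and tying the lift to the same case id keeps the hold from being removed casually before the investigation has reached a disposition.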

Apply the Lessons Learned from Each Investigation

Once the investigation is concluded, findings can be used to continuously improve insider threat detection and response, as well as to identify gaps in organizational defenses. This could include revising policies, updating playbooks, and implementing additional technology solutions that can help the company prevent those threats. 

Securing Digital Identities 

One of the most effective ways to prevent insider threats is through controls that ensure only the right people have access to sensitive resources. By following best practices for securing digital identities, organizations can limit unauthorized access to critical data and systems and act quickly to mitigate threats. This approach is especially important as organizations digitize more areas of the business and expand their footprints into the cloud. 

SailPoint’s Identity Security solution delivers a variety of capabilities to help enterprises monitor for insider threat indicators. Learn about Identity Security and contact us to learn how your company can benefit. 
