Insider threats are a particularly difficult type of cybersecurity challenge, because insider threat indicators can be hard to catch. Since insiders are authorized users who have been legitimately granted certain access privileges, they are inherently trusted. Knowing what insider threat indicators are is crucial to identifying and stopping individuals who are doing harm to an organization intentionally or accidentally.
What is an insider threat?
An insider threat is a security compromise that originates from within an organization. When insider threat indicators go unnoticed, damage is caused by malicious, negligent, or unintentional acts by insiders who have authorized access privileges and knowledge of an organization’s processes and procedures.
Failure to heed insider threat indicators can compromise the confidentiality, integrity, and availability of an organization’s vital resources, such as data, equipment, facilities, finances, networks, operations, personnel, and systems.
| Understanding insider threat indicators by knowing who and what is considered an insider |
| “An insider is any person who has or has authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. Examples of an insider may include: -A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information and access. -A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person). -A person to whom the organization has supplied a computer and/or network access. -A person who develops the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization. -A person who is knowledgeable about the organization’s fundamentals, including pricing, costs, and organizational strengths and weaknesses. -A person who is knowledgeable about the organization’s business strategy and goals, entrusted with future plans, or the means to sustain the organization and provide for the welfare of its people. -In the context of government functions, the insider can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.” Source: CISA (Cybersecurity & Infrastructure Security Agency), a Division of the U.S. Department of Homeland Security |
Insider threat indicators provide warnings about a number of potential risks to an organization, including:
- Corruption
- Degradation of an organization’s resources or capabilities
- Espionage (e.g., corporate, criminal, or nation-state)
- Sabotage
- Terrorism (e.g., state, religious, or political)
- Unauthorized access and disclosure of information
- Workplace violence
Types of insider threats
Inside threat indicators, when followed, can identify the various types of insider threats. These fall into two main categories—intentional and unintentional.
Intentional insider threats
An intentional insider threat is caused by a malicious insider who takes advantage of the access privileges and knowledge of the organization to deliberately commit or facilitate misdeeds, such as data theft or leakage, disrupting operations fraud, revenge, sabotage spying, or stealing money or other assets. Among the many motivations for malicious insiders’ nefarious acts are a desire for financial gain or vengeance.
Intentional insiders who use their positions and access to commit malicious acts include:
- Collusive insiders—one or more insiders collaborate with someone or a group outside of the organization
- Third-parties—trusted third parties (e.g., contractors or vendors) who have insider access
- Lone wolves—individuals inside an organization who act alone
Unintentional insider threats
An unintentional insider threat is caused by an insider who inadvertently compromises an organization with no intention of committing malicious acts.
Although unintentional insider threat actors have no ill intent, they can pose a more significant risk than malicious insiders.
Studies have shown that unintentional insiders are responsible for far more compromises than intentional insiders. While much is made of the malicious insider, detecting insider threat indicators should also focus on the various types of unintentional insiders and their mistakes, including:
- Accidental insiders who make honest mistakes such as:
- Being manipulated into opening an attachment in a phishing email that contains a virus
- Improperly disposing of sensitive documents
- Mistyping an email address and accidentally sending sensitive information to an unauthorized recipient
- Careless insiders do not pay attention to security procedures and unwittingly:
- Allow someone to “piggyback” through a secure entrance point
- Misplace or lose a portable storage device containing sensitive information
- Ignore messages to install new updates and security patches or change their passwords
- Store confidential information on their personal devices
- Third-party insiders who are either careless or make honest mistakes that give a malicious actor access to an organization’s systems and resources
Insider threat indicators
Insider threat indicators are behavioral patterns or activities that identify a person or other entity as a potential security risk. The wide range of insider threat indicators that can indicate a problem are grouped into two categories—behavioral and digital.
Digital insider threat indicators
Regardless of the type of insider (e.g., malicious or accidental), digital insider threat indicators can provide clear alerts that inappropriate activities are occurring. Examples of digital insider threat indicators include:
- Data accessed by users who do not need it for their job function
- Files renamed in a way that does not match the content
- Network crawling and searches for sensitive information
- Repeated requests for escalated privileges or permissions to access system resources that are not associated with the job function
- Resources accessed without authorization
- Sensitive information emailed outside the organization
- Logins to an organization’s applications and networks at unusual times
- Surges in the volume of network traffic that could indicate large downloads or volumes being copied
- Unsanctioned software and hardware in use
- Use of unauthorized devices, such as USB drives
Behavioral insider threat indicators
Both malicious and accidental insiders can be identified by being vigilant about behavioral insider threat indicators. Less quantitative than digital insider threat indicators, behavioral insider threat indicators still effectively surface potential risks. Behavioral insider risk indicators include:
- Actions associated with disgruntled employees, such as:
- Arriving late and leaving early
- Conflicts with managers and coworkers
- Decline in work performance and quality
- Unexplained absences
- Attempts to circumvent security controls
- Discussing resignation and potential new opportunities
- Displaying resentment, disappointment, or dissatisfaction toward management, coworkers, or the organization at large
- Drastic changes in personality
- Engineering situations to compromise managers or coworkers
- Routine violation of organizational policies
Insider threat prevention
Administrative, technical, and physical threat detection can minimize the risks associated with intentional and unintentional insider threats. Tools and strategies that can be used as part of insider threat indicator monitoring and identification include:
- Conducting cybersecurity awareness training with a focus on insider threats regularly
- Developing and enforcing policies for data and network security
- Establishing baselines for users’ normal activities
- Following a zero trust approach to security
- Implementing robust access controls
- Monitoring logins, logs, and physical activities
- Protecting and backing up all data
Avoiding complacency when it comes to insider threat indicators
For many people, it is difficult to believe that a coworker or partner would hurt an organization, but it happens every day. The stakes are high, too.
Compliance rules consider a breach a breach, whether it was intentional or unintentional. And with many data breaches resulting from unintentional insider missteps, staying vigilant about insider threat indicators is imperative.
Savvy organizations utilize the right technology and encourage team members to pay attention to particular activities and behaviors and look for possible risks. Using all available resources and staying alert to insider threat indicators is the best way to mitigate these risks.
