The 3 types of insider threat
While the motivations are usually the same, there are three distinct types of insiders that can pose a threat to your organization's security. Jeffrey Jones and Ryan Averbeck detail what to look for to avoid unpleasant surprises.
By Jeffrey R. Jones and Ryan Averbeck
May 12, 2011 — CSO —
Why does your competitor have your latest research or financial figures? It must be an insider — or is it?
Before the digital revolution, security professionals were kept awake at night worrying about the potential threat posed by an untrustworthy member of their organization. Commonly referred to as the "insider threat," this person possibly had privileged access to classified, sensitive or proprietary data, which gave the insider a unique opportunity, given his or her capabilities, to remove information, predominantly in paper form, from the facility and transfer it to whomever he or she desired.
Over the years, extensive knowledge has been accumulated on ways to identify and counter the insider. Centuries of experience indicate that insiders are mainly motivated to steal information for money, ideology or ego, or because of coercion. Through understanding these motivations, personnel security programs were established to help identify employees who may be potential insider threats. For instance, if an employee in serious financial debt is determined to be vulnerable to one of these motivations, then the security professional may deem it best, with the commander's approval, to temporarily suspend that employee's access to sensitive information.
The insider in previous days could do great harm to an organization. However, research and tools were developed to help mitigate the threat. Primary controls revolved around the previously mentioned personnel security measures, physical security measures such as storing the information in a safe, and procedural mechanisms such as granting access to information on a "need-to-know" basis. These safeguards helped make it more difficult for an insider to steal documents.
While protecting sensitive information in paper form is still a daunting task for security professionals, today is different, as the previously one-dimensional insider threat now has three dimensions. Though there are many areas to consider when discussing the insider threat (e.g., mergers, acquisitions, supply chain interaction, globalization), there are three classes of insiders: the trusted unwitting insider, the trusted witting insider and the untrusted insider.
We now live in the digital world, where the binary 1s and 0s of information travel at the speed of light. As such, the insider has a greater ability to pass the information we protect to outsiders with a lesser chance of being detected. The trusted unwitting insider threat is predominantly a person with legitimate access to a computer system or network, but who errs in judgment. For instance, this insider may find a USB thumb drive in the company's restroom and, in an effort to be a good employee, plug it into his or her company computer to determine the owner. Unbeknownst to this user, the drive was strategically placed in the restroom by an outsider with the hope that an employee would find it and use it on a company computer system. Once the drive is accessed, it installs malicious software, which leads to the compromise of that computer system and potentially the overall network. An innocent effort to help a fellow employee, who may have misplaced a USB drive, turns out to be a classic case of the trusted unwitting insider.