7 warning signs of an insider threat

Most data loss is done by internal threat actors. They give plenty of warning ahead of time if you know what to look for.

Employees conducting attacks on their own employees – known as insider threats – are becoming increasingly common and costly. According to a CA report, over 50 percent of organizations suffered an insider threat-based attack in the previous 12 months, while a quarter say they are suffering attacks more frequently than in the previous year. Ninety percent of those organizations claimed to feel vulnerable to insider threats.

Insider threats can take the form of the accidental insider who inadvertently leaks information, the imposter who is really an outsider using stolen credentials, or the malicious insider to wants revenge or money. While spotting internal threats can be difficult, there are warning signs that can alert the organization of a potential incident before it occurs and data has left the boundaries of the network.

These attacks can be costly. According to Ponemon, a successful malicious insider attack costs an average of $600,000. These attacks can come in all shapes and sizes, from all classes of employees.

The insider threat – who are they, what are they stealing and why?

A key part of creating a risk profile of potential insider threats is knowing who the likely perpetrators are, what data they may be targeting, and why. This will enable you to put greater restrictions on potential threat actors and more controls on vulnerable data.

An older study from 2013 by the Centre for the Protection of National Infrastructure found insider attacks were more likely to be committed by men aged 31 to 45. Attacks were more likely to be from permanent staff than contractors or partners, and the majority of insider attacks were committed by employees who had been at the company for less than five years. A study by Carnegie Mellon University found that insiders usually act alone, but when there is collusion, whether willingly or as a result of social engineering, attacks "will have a duration that is nearly four times as long as one that is committed solely by a single insider." 

Why do insiders attack? Usually it will be for financial gain. Either someone is offering money for certain information, or they believe they can sell it online. Sometimes the motive will be revenge for a slight against them. It may be in retaliation for receiving a warning or disciplinary action or poor performance review, being passed up for a promotion or project, disagreements around salaries of bonuses, or being laid off. Sometimes it will be for a career benefit, for example taking contact details for customers or valuable intellectual property (IP) to a new employer.

“For a lot of people, it’s about the contacts they make and how that could be useful in their new job – they see this as ‘their information’, not the company's,” says Dr. Guy Bunker, senior vice president of products at Clearswift. “So, they will take copies of the information which could be useful: people’s names, emails, telephone numbers, information on deals done or opportunities.”

To continue reading this article register now

FREE Download: Get the Spring 2019 digital issue of CSO magazine today!