What is an insider threat? 7 warning signs to watch for

Most data loss is done by internal threat actors. They give plenty of warning ahead of time if you know what to look for.

[Image: Two-faced businessman removes his mask in a binary world. Credit: Stockfinland / Getty Images]

Employees conducting attacks on their own employers – known as insider threats – are becoming increasingly common and costly. According to a CA report, over 50 percent of organizations suffered an insider threat-based attack in the previous 12 months, while a quarter say they are suffering attacks more frequently than in the previous year. Ninety percent of those organizations claimed to feel vulnerable to insider threats.

Insider threats can take the form of the accidental insider who inadvertently leaks information, the imposter who is really an outsider using stolen credentials, or the malicious insider who wants revenge or money. While spotting internal threats can be difficult, there are warning signs that can alert the organization to a potential incident before it occurs and before data has left the boundaries of the network.

These attacks can be costly. According to Ponemon, a successful malicious insider attack costs an average of $600,000. These attacks can come in all shapes and sizes, from all classes of employees.

The insider threat – who are they, what are they stealing and why?

A key part of creating a risk profile of potential insider threats is knowing who the likely perpetrators are, what data they may be targeting, and why. This will enable you to put greater restrictions on potential threat actors and more controls on vulnerable data.

An older study from 2013 by the Centre for the Protection of National Infrastructure found insider attacks were more likely to be committed by men aged 31 to 45. Attacks were more likely to be from permanent staff than contractors or partners, and the majority of insider attacks were committed by employees who had been at the company for less than five years. A study by Carnegie Mellon University found that insiders usually act alone, but when there is collusion, whether willingly or as a result of social engineering, attacks "will have a duration that is nearly four times as long as one that is committed solely by a single insider." 

Why do insiders attack? Usually it will be for financial gain: either someone is offering money for certain information, or they believe they can sell it online. Sometimes the motive will be revenge for a slight against them. It may be in retaliation for receiving a warning, disciplinary action or poor performance review, being passed over for a promotion or project, disagreements around salaries or bonuses, or being laid off. Sometimes it will be for a career benefit, for example taking contact details for customers or valuable intellectual property (IP) to a new employer.

“For a lot of people, it’s about the contacts they make and how that could be useful in their new job – they see this as ‘their information’, not the company's,” says Dr. Guy Bunker, senior vice president of products at Clearswift. “So, they will take copies of the information which could be useful: people’s names, emails, telephone numbers, information on deals done or opportunities.”

Common failures or issues that enable insider attacks to succeed include:

  • Excessive access privileges
  • A growing number of devices and locations with access to sensitive data – such as mobile devices and cloud-based offerings – that often exist beyond companies’ networks and are harder to track and control
  • A growing number of third parties touching network data
  • The use of external storage such as USB drives
  • Poor control over apps not approved by IT, such as Dropbox

Poor controls around access can also be a factor. A report from Varonis found that 21 percent of all folders inside organizations are open for everyone in the company to access, while at least a third of companies have 1,000 sensitive folders open to everyone.
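The "open to everyone" figure above is something you can measure on your own file servers. The following is an added example, not code from the article or from Varonis: it builds a small constructed directory tree in a temporary folder, then walks it and reports every folder whose POSIX mode grants read or write access to the "other" class, along with the percentage of folders that are open. The sample layout, the mode values and the use of POSIX bits as a stand-in for an "Everyone" ACL entry are assumptions of this example; on a Windows or NFSv4 share you would read the ACL instead.

```python
"""Audit a directory tree for folders that are open to everyone.

Added example (not from the article). On POSIX the 'other' mode bits stand
in for an 'Everyone' ACL entry; the sample tree below is constructed.
"""
import os
import stat
import tempfile


def open_to_everyone(path):
    """Return (world_readable, world_writable) for one directory.

    A directory is only browsable by 'other' when both the read and the
    execute (search) bit are set, so both are required for 'readable'.
    """
    mode = os.stat(path).st_mode
    readable = bool(mode & stat.S_IROTH) and bool(mode & stat.S_IXOTH)
    writable = bool(mode & stat.S_IWOTH)
    return readable, writable


def audit_tree(root):
    """Walk root (root itself included) and classify every directory.

    Returns counts, the offending paths relative to root, and the share of
    folders that are world readable, the metric the Varonis figure quotes.
    """
    total = 0
    world_readable = []
    world_writable = []
    for dirpath, _dirnames, _files in os.walk(root):
        total += 1
        readable, writable = open_to_everyone(dirpath)
        if readable:
            world_readable.append(os.path.relpath(dirpath, root))
        if writable:
            world_writable.append(os.path.relpath(dirpath, root))
    pct = (100.0 * len(world_readable) / total) if total else 0.0
    return {
        "folders": total,
        "world_readable": sorted(world_readable),
        "world_writable": sorted(world_writable),
        "percent_open": round(pct, 1),
    }


def build_sample_tree():
    """Constructed sample: five folders under a private root, two of them
    open to everyone. Modes are applied with chmod after creation because
    makedirs is subject to the process umask."""
    root = tempfile.mkdtemp(prefix="acl-audit-")
    layout = {
        "finance": 0o750,          # owner and group only
        "finance/payroll": 0o700,  # owner only
        "hr": 0o755,               # world readable: the bad case
        "shared": 0o777,           # world readable and writable
        "engineering": 0o750,
    }
    for rel in layout:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in layout.items():
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o750)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = audit_tree(sample_root)
    print(f"{report['folders']} folders scanned under {sample_root}")
    print(f"{report['percent_open']}% open to everyone")
    for rel in report["world_readable"]:
        tag = " (writable)" if rel in report["world_writable"] else ""
        print(f"  world readable: {rel}{tag}")
```

Point `audit_tree` at a real share root to get the same report; the world-writable list is the one to fix first, since those folders can be used to stage data as well as read it.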

Given the easy access to large amounts of storage and increasingly fast internet speeds, it can be trivial for an insider to move data off-site. A Cisco study of data exfiltration from the cloud found just 750 malicious users were able to exfiltrate 3.9 million documents from corporate cloud systems (an average of 5,200 each) during a six-week period.
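Volumes like 5,200 documents per user stand out sharply against what a typical employee pulls from cloud storage, which makes per-user download counts a simple first detection. The following is an added example, not from the article or from Cisco: it parses a handful of constructed cloud-storage access log lines (the line format, "timestamp user action path", is an assumption; real cloud audit logs have their own schema), counts document downloads per user, and flags anyone whose volume exceeds both an absolute ceiling and a multiple of their peers' median. The user names, paths and thresholds are all constructed for the example.

```python
"""Flag users whose bulk document downloads stand out from their peers.

Added example (not from the article). Log format and thresholds are
assumptions; the sample log is constructed.
"""
from collections import Counter
from statistics import median


def build_sample_log():
    """Constructed access log: a few normal users, plus one user who pulls
    a whole customer folder within a couple of minutes."""
    lines = [
        "2024-03-04T09:01:12Z alice download /finance/q1-forecast.xlsx",
        "2024-03-04T09:03:40Z alice download /finance/q1-actuals.xlsx",
        "2024-03-04T09:05:02Z bob download /eng/design-notes.docx",
        "2024-03-04T09:06:19Z carol upload /hr/onboarding.pdf",
        "2024-03-04T09:07:55Z carol download /hr/policy.pdf",
        "2024-03-04T09:09:30Z erin download /eng/roadmap.pptx",
    ]
    for i in range(80):
        lines.append(
            f"2024-03-04T17:{i // 60:02d}:{i % 60:02d}Z dave download "
            f"/sales/account-{i:03d}.csv"
        )
    return lines


def parse_line(line):
    """Split 'timestamp user action path'; return None for malformed lines
    so a corrupt record cannot abort the whole run."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, user, action, path = parts
    return {"ts": ts, "user": user, "action": action, "path": path}


def downloads_per_user(lines):
    """Count download events per user, ignoring uploads and bad lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "download":
            counts[rec["user"]] += 1
    return counts


def flag_bulk_downloaders(counts, absolute_min=50, ratio=10):
    """Flag users with at least absolute_min downloads AND at least ratio
    times the median of the other users' counts.

    Requiring both conditions avoids two false-positive cases: a single
    slightly busier user in a small sample (caught by absolute_min) and a
    team where everyone legitimately downloads a lot (caught by ratio).
    """
    flagged = {}
    for user, n in counts.items():
        others = [c for u, c in counts.items() if u != user]
        baseline = median(others) if others else 0
        if n >= absolute_min and n >= ratio * max(baseline, 1):
            flagged[user] = {"downloads": n, "peer_median": baseline}
    return flagged


if __name__ == "__main__":
    per_user = downloads_per_user(build_sample_log())
    for user, info in flag_bulk_downloaders(per_user).items():
        print(f"ALERT {user}: {info['downloads']} downloads "
              f"(peer median {info['peer_median']})")
```

In production the counts would be bucketed by day or hour and the median taken over a longer baseline window, but the shape of the check is the same: compare each user to their peers, not to a fixed number alone.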

All types of data can be at risk from insider threats. The CA report found that confidential business information such as financials and customer or employee data was the most vulnerable, followed by privileged account information such as passwords, personally identifiable and health information (both of which are heavily regulated), and then intellectual property.

Page 1 of 2