Do you actually understand what insider risk really is?

Dec 01, 2015 | 4 mins
Data and Information Security | IT Leadership | Technology Industry

The increasing focus on insider risk frequently overlooks the changing nature of our data, environments, and threat landscape

[Image: wolf sheep. Credit: Thinkstock]

Are you worried about insider risk?

Most of the organizations that are concerned are acting on an outdated definition of insider threat. That leads to solutions that no longer address the real nature and risk of the insider threat. 

A lot has changed in the last few decades. It’s time to step back to consider what changed. Explore the real nature of the risk. And with it, the opportunities for better solutions.  

The nature of the information we capture expanded. Our systems, environments, and methods of work changed, too. These changes made insiders more valuable. Consider how the threat shifts with the changes.  

The first insiders had limited data and access

The data that organizations gather, process, and store is valuable. Realizing the value of information means granting people access to the information. An insider is an employee, contractor, or anyone “authorized” to access the information. 

Do you remember using a mainframe? Limited data storage. Accounts for only those who needed them. In most cases, strict controls. 

Looking back, the mainframe days can feel restrictive. For most organizations, though, they were an upgrade from the manual processes they had relied on. 

Limited access and strict controls created the sense that insider threat was minimal.  

Handling distribution requires privileged accounts

The progression to client-server solutions introduced a different model. Now we needed to protect the data, the servers, the network, and the clients used for access. 

The need for more people with more access to more data created new opportunities. We created “front ends” to interface with the systems housing the data. We started to provide limited access to some information over the Internet.  

The increase in complexity required dedicated administration: accounts with higher levels of access to maintain the solutions. Those administrators also created accounts for others and handled the controls. That level of access created the need to “watch the watchers.”

Most organizations continue to struggle with this today.

We maintained an illusion of control. The bulk of the data remained on servers we owned. It traveled on networks we controlled. People accessed and processed the data with devices we approved. 

Apps with access to everything for everyone

Modern applications are the window to our data. And why not?

Applications have the power to transform business. That creates a push for more flexibility, more power, and ease of use. Sometimes the rush for progress makes it easier to bypass traditional controls, or to gain access to data in unintended ways. 

And now more people — insiders — have access to more data. They have more pathways than ever before. Not just more devices, but more ways to access the information, too. 

We’re a long way from mainframes with hardwired terminals. Have you stopped to consider the access authorized users have through your applications?

Attackers have.  

And they realized that they had two options. They could work through layers of traditional protection. Or they could get what they want by compromising an authorized account. 

For many attackers, insiders — without malicious intent — are the path of least resistance. 

Is that what you consider to be the insider threat?

Why the definition of insider risk needs to evolve with the actual threat

Most definitions of insider threat (CERT, FBI, Wikipedia) focus on the malicious element: an emphasis on the intention of someone to exceed their authorized access. 

This definition made sense when we controlled the system, the data, and the means of access. It painted a clear picture of the risk of insiders. In most cases, the risk of malicious use was small in comparison to the need to give people access to do their jobs. 

Our current environments challenge the focus on intention and malice. The attacker is malicious. They hijack the authorized account of an individual with good intentions. The account, not the person, is what the attacker uses as an insider.

The common definition of insider risk places its emphasis on the individual. The environment that definition described has changed. And that means one of two things: 

  • We didn’t realize that the risk shifted
  • We recognized the change, but struggle to articulate and communicate the risk

Our environments changed. Attackers adapted their tactics. That means both the definition of insider threat and the risk changed, too. 

How many organizations accept the risk based on an outdated perception? How many focus on solutions and actions that overlook the real threat? 

The risk associated with insiders changed. 

It’s time to update our understanding and actions. Then we can find solutions that protect people and improve security. 


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.