Mitigating insider threats from a people perspective

May 05, 2016
Data and Information Security | Data Breach | Investigation and Forensics


Cyber threats come in various forms. A diverse threat actor landscape consisting of criminals, espionage actors, hacktivists, and more has demonstrated how successful these actors can be at launching remote attacks. Gaining unauthorized access to networks, stealing sensitive intellectual property, financial data, and personally identifiable information, and conducting defacements and denial-of-service attacks are just some of the ways these hostile elements target organizations in both the public and private sectors.

One class of actor that often gets overlooked is the insider threat, largely because the insider is a hybrid type of actor who capitalizes on his physical access to conduct malfeasance, often leveraging some cyber aspect in the fulfillment of his goals.


Insiders can be either witting or unwitting. The unwitting or careless insider is an individual with legitimate access who, through poor judgment, commits a security infraction that results in potential consequences for his organization (e.g., inserting a USB key into a machine on the organization’s network).

The witting or malicious insider is an individual who makes the conscious decision to abuse his access in order to obtain sensitive and/or financial information for personal gain or with purposeful malicious intent (e.g., an individual like Chelsea Manning or Edward Snowden fits this category).

A third type of insider is the remote actor or masquerading insider who has compromised legitimate credentials in order to gain access as a trusted individual on an organization’s network. One thing that all of these three types have in common: once inside, perimeter security can do little to deter their actions.

Recent reports have found that insiders still constitute the biggest threat to most organizations.

  • According to a 2015 PricewaterhouseCoopers report, current employees were the biggest cause of security incidents, surpassing hackers, contractors, and organized crime.
  • According to a 2015 Vormetric report, 89 percent of global respondents (800 senior managers and IT professionals) believed that their companies were at risk from the insider threat.
  • Negligent and malicious insiders constituted approximately 61 percent of security breaches, according to respondents (3,500 IT and IT security practitioners in eight countries) of a 2013 Ponemon Institute report.

One thing is certain: protecting, mitigating, and remediating against the insider threat is a complex and cross-functional matter. Technology alone cannot help mitigate the insider threat; human involvement is critical to helping identify and reduce the risk of this threat. For the purposes of this article, I would like to focus on the human aspects of mitigating the insider threat.

  • More robust screening process for employees: Mitigating the potential insider threat starts at the hiring table, which is the first opportunity an organization has to review and evaluate prospective candidates. All prospective applicants should undergo an extensive interview process as well as a background check that includes contacting professional references to help identify potential “red flag” areas. Early alerting can allow an organization to engage in more specific discourse with the applicant providing more opportunity to better evaluate the individual.
  • Limit/monitor employee access: Employees do not necessarily need authorized access to every network, database, and process. Organizations need to understand that limiting access to only what employees need to fulfill their work responsibilities will ultimately reduce the chance of information spillover or leakage as a result of a security incident. While some organizations may balk at monitoring employees’ activities on the network, it is a proactive way to obtain early indications of potential malfeasance, particularly if an employee is trying to access an area to which he doesn’t have privileges.
  • Employee education: Employees need frequent and updated security awareness training to inform them of the latest tactics, techniques, and procedures used by hostile actors, including spearphishing, spoofing, and social engineering. Training should be specialized so that employees understand not only the threat but also how to better secure the information and access that they have. Instilling the sense that security is everyone’s responsibility, and not just the IT department’s, is critical if individuals are to be more vigilant in how they handle information. A recent survey by CoSoSys revealed that 35 percent of employees didn’t believe data security was their responsibility, which shows that more needs to be done to keep the work staff current on security matters.
  • Employee behavior: It may be difficult to identify anomalies in employee behavior without having set baselines of “normal” behavior for that individual. Absent such baselines, there are still some behaviors that may seem out of place or uncharacteristic and that warrant attention. Activities such as (increased or first-time) use of removable media, increased printing, working outside customary work hours, or increased remote log-ins are the types of indicators that warrant closer inspection.

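The behavioral indicators named above (removable media use, printing volume, off-hours activity, remote log-ins) only become actionable once a per-employee baseline exists to compare against. The following is an added example, not code from the article or from any product, showing one way to build such a baseline from an activity log and flag both first-time activity and statistically unusual volumes. The log format, the working-hours window, the two-standard-deviation threshold and the sample records are all constructed assumptions.

```python
"""Per-user behavioural baseline for insider-threat indicators.

Added example (not from the article). The log schema, working-hours window and
thresholds are assumptions chosen for illustration, not any product's real format.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample activity log. Fields: timestamp,user,event,detail
#   login -> detail is "local" or "remote"
#   print -> detail is the page count
#   usb   -> detail is a (constructed) device identifier
SAMPLE_LOG = """\
2016-04-04T09:02:00,alice,login,local
2016-04-04T09:40:00,alice,print,8
2016-04-05T08:55:00,alice,login,local
2016-04-05T14:10:00,alice,print,10
2016-04-06T09:10:00,alice,login,local
2016-04-06T11:30:00,alice,print,9
2016-04-07T09:00:00,alice,login,local
2016-04-07T15:45:00,alice,print,11
2016-04-04T08:30:00,bob,login,local
2016-04-04T10:00:00,bob,print,20
2016-04-05T08:35:00,bob,login,local
2016-04-05T10:05:00,bob,print,18
2016-04-06T08:40:00,bob,login,local
2016-04-06T10:10:00,bob,print,22
2016-04-07T08:32:00,bob,login,local
2016-04-07T10:02:00,bob,print,20
2016-04-11T09:05:00,alice,login,local
2016-04-11T10:00:00,alice,print,9
2016-04-11T23:15:00,bob,login,remote
2016-04-11T23:20:00,bob,usb,DEV-CONSTRUCTED-01
2016-04-11T23:40:00,bob,print,240
"""

WORK_HOURS = (7, 19)                 # assumed normal hours: 07:00 inclusive to 19:00 exclusive
BASELINE_END = datetime(2016, 4, 10)  # events before this date form the baseline period
METRICS = ("pages_printed", "usb_events", "remote_logins", "off_hours_events")


def parse(log_text):
    """Turn the CSV-style log into (timestamp, user, event, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def daily_metrics(events):
    """Aggregate events into {user: {day: Counter(metric -> value)}}."""
    out = defaultdict(lambda: defaultdict(Counter))
    for ts, user, event, detail in events:
        m = out[user][ts.date()]
        if event == "print":
            m["pages_printed"] += int(detail)
        elif event == "usb":
            m["usb_events"] += 1
        elif event == "login" and detail == "remote":
            m["remote_logins"] += 1
        if not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
            m["off_hours_events"] += 1
    return out


def build_baseline(events):
    """Per user and metric, the mean and population std-dev of daily values in the baseline period."""
    per_user = daily_metrics([e for e in events if e[0] < BASELINE_END])
    baseline = {}
    for user, days in per_user.items():
        baseline[user] = {}
        for metric in METRICS:
            values = [days[d][metric] for d in days]   # zero on days the metric did not occur
            baseline[user][metric] = (mean(values), pstdev(values))
    return baseline


def flag_anomalies(events, baseline, sigma=2.0):
    """Compare observation-period days to the baseline.

    Returns (user, day, metric, observed, reason) tuples for first-time activity,
    volumes above mean + sigma * std-dev, and users with no baseline at all.
    """
    findings = []
    per_user = daily_metrics([e for e in events if e[0] >= BASELINE_END])
    for user, days in per_user.items():
        for day, m in sorted(days.items()):
            for metric in METRICS:
                observed = m[metric]
                if observed == 0:
                    continue
                if user not in baseline:
                    findings.append((user, day, metric, observed, "no baseline for user"))
                elif baseline[user][metric][0] == 0:
                    findings.append((user, day, metric, observed, "first-time activity"))
                else:
                    avg, sd = baseline[user][metric]
                    if observed > avg + sigma * sd:
                        findings.append((user, day, metric, observed,
                                         f"exceeds baseline ({avg:.1f} +/- {sd:.1f})"))
    return findings


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for finding in flag_anomalies(evts, build_baseline(evts)):
        print(*finding)
```

With the constructed log, alice's observation day looks like her baseline and produces nothing, while bob's single late-night session produces four findings: a print volume far above his 20-page norm, plus first-time removable-media use, remote log-in and off-hours activity. A real deployment would feed these findings to an analyst rather than act on them automatically, since each indicator on its own has benign explanations.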
Mitigating insider threats is an ongoing effort that requires a holistic approach encompassing technological as well as human solutions. Additionally, organizational and situational factors, such as familiarizing staff with security policies and promoting a security-conscious culture, can help mitigate the threat posed by these individuals.


To address the motivating factors typically associated with insider threat activity, there are some initiatives an organization can undertake. For example, organizations can provide resources for employees to voice complaints, concerns, and/or frustrations, which helps combat dissatisfaction and resentment.

For those driven by ego or reward, employee recognition programs that reward employee achievements financially and/or with praise may help neutralize negativity. While not exhaustive, these people-perspective endeavors can proactively stop potential insiders from emerging in your workforce.


Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.