Employees conducting attacks on their own employers – known as insider threats – are becoming increasingly common and costly. According to a CA report, over 50 percent of organizations suffered an insider threat-based attack in the previous 12 months, while a quarter say they are suffering attacks more frequently than in the previous year. Ninety percent of those organizations claimed to feel vulnerable to insider threats.

Insider threats can take the form of the accidental insider who inadvertently leaks information, the imposter who is really an outsider using stolen credentials, or the malicious insider who wants revenge or money. While spotting internal threats can be difficult, there are warning signs that can alert the organization to a potential incident before it occurs and data has left the boundaries of the network.

These attacks can be costly. According to Ponemon, a successful malicious insider attack costs an average of $600,000. These attacks can come in all shapes and sizes, from all classes of employees.

The insider threat – who are they, what are they stealing and why?

A key part of creating a risk profile of potential insider threats is knowing who the likely perpetrators are, what data they may be targeting, and why. This will enable you to put greater restrictions on potential threat actors and more controls on vulnerable data.

An older study from 2013 by the Centre for the Protection of National Infrastructure found insider attacks were more likely to be committed by men aged 31 to 45. Attacks were more likely to be from permanent staff than contractors or partners, and the majority of insider attacks were committed by employees who had been at the company for less than five years.
A study by Carnegie Mellon University found that insiders usually act alone, but when there is collusion, whether willingly or as a result of social engineering, attacks "will have a duration that is nearly four times as long as one that is committed solely by a single insider."

Why do insiders attack? Usually it will be for financial gain. Either someone is offering money for certain information, or they believe they can sell it online. Sometimes the motive will be revenge for a slight against them. It may be in retaliation for receiving a warning, disciplinary action or a poor performance review, being passed up for a promotion or project, disagreements around salaries or bonuses, or being laid off. Sometimes it will be for a career benefit, for example taking contact details for customers or valuable intellectual property (IP) to a new employer.

“For a lot of people, it’s about the contacts they make and how that could be useful in their new job – they see this as ‘their information’, not the company's,” says Dr. Guy Bunker, senior vice president of products at Clearswift. “So, they will take copies of the information which could be useful: people’s names, emails, telephone numbers, information on deals done or opportunities.”

Common failures or issues that enable insider attacks to succeed include:

- Excessive access privileges
- A growing number of devices and locations with access to sensitive data – such as mobile devices and cloud-based offerings – that often exist beyond companies’ networks and are harder to track and control
- A growing number of third parties touching network data
- The use of external storage such as USBs
- Poor control over non-IT approved apps such as Dropbox

Poor controls around access can also be a factor.
A report from Varonis found that 21 percent of all folders inside organizations are open for everyone in the company to access, while at least a third of companies have 1,000 sensitive folders open to everyone.

Given the easy access to large amounts of storage and increasingly fast internet speeds, it can be trivial for an insider to move data off-site. A Cisco study of data exfiltration from the cloud found just 750 malicious users were able to download 3.9 million documents from corporate cloud systems (an average of 5,200 each) during a six-week period.

All types of data can be at risk from insider threats. The CA report found that confidential business information such as financials and customer or employee data was the most vulnerable, followed by privileged account information such as passwords, personally identifiable and health information (both of which are heavily regulated), and then intellectual property.

Insider threat examples

Perhaps the most well-known insider attack was by Edward Snowden, a contractor who leaked thousands of documents revealing how the National Security Agency (NSA) and other intelligence agencies operate. Another famous insider, Chelsea Manning, leaked a large cache of military documents to WikiLeaks.

This year Tesla CEO Elon Musk said an insider was found making “direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive data to unknown third parties.”

Another example from the car world is Anthony Levandowski. The Otto Motors founder reportedly stole 14,000 files from Google’s Waymo autonomous car project to start his own company. The move cost Otto’s acquirer, Uber, heavily, and resulted in the company giving a stake in its business over to Google.

However, not all insider threats involve such big names or hit the headlines.
Stephan Jou, CTO at security analytics company Interset, saw one customer suffer a raft of insider threats. “An employee (who was on a termination list) took dozens of screenshots of proprietary source code and other IP and subsequently emailed those screenshots to their personal account,” he said. “At the same firm, a disgruntled employee emailed 500 MB of sensitive data to personal email accounts and tried to hide the data exfiltration by spreading the activity across three different personal email accounts. In a third instance, a different employee copied more than 2 GB of data onto a USB drive and emailed additional data to a personal email account.”

Dr. Giovanni Vigna, co-founder and CTO at Lastline, told CSO of an incident with a fashion designer where the company detected a connection to a host in China, which was unusual. After investigation, this connection was found to be part of a plan to steal proprietary designs and create knock-offs in China.

These are the warning signs that an insider might become a threat.

1. Major changes at the organization

While potential insider threats leave many digital clues, there are almost always more obvious physical warning signs before that. “It's incredibly rare for someone just to blow up and go and steal everything, stuff all the hard-disks in their pockets and run out of there,” says Dr. Jamie Graves, vice president of product management, security analytics at ZoneFox, a behavioral analytics company acquired by Fortinet earlier this year. “Usually, there is some sort of organizational change or event that precedes an attack. The most common are if, as an organization, you go through great change -- you're going to be acquired or you're going through redundancies.”

“If you dig into it, there'll be a reason why in there.
There could be an indicating factor, and then when you talk to people in your organization they say, 'Oh yes, Bob, he's coming up for redundancy, or he's failed a review, etc.' You need to have your ducks in a row when it comes to monitoring for that sort of [malicious] behavior,” says Graves.

2. Personality and behavioral changes

Personality and behavioral changes will be the first sign of a potential insider threat. Perhaps they are clearly and vocally unhappy at work or lacking motivation, or talking about money troubles, or openly disagreeing with superiors in the office. Working longer hours, over the weekend, or increasingly from home or remote locations could also be indicators.

Openly speaking ill of the company or talking about hunting for new jobs – whether in the office, in company chat systems, or on social media – should be noted as a warning sign. “If you use LinkedIn Recruiter, you can see if your employees are searching for new roles when they opt in to the option of ‘Looking for New Opportunities’,” says Tom Huckle, lead cyber security consultant and head of training and development at cyber security training firm Crucial Academy. “If you do not have access to this, other tell-tale signs could include them engaging with suspicious parties [on social media] through likes and comments.”

3. Employees leaving the company

Those leaving the company – whether by their own volition or not – are likely thinking about taking data with them. Most IP theft by insiders happens within 30 days of an employee leaving an organization. It’s also worth noting that those with a history of ignoring security protocol need closer monitoring. Another Deloitte study found half of employees known to have been involved in insider attacks had a previous history of violating IT security policies.

4.
Insiders accessing large amounts of data

If the behavioral warning signs are missed, there will be digital clues that someone may be considering a malicious act, as well as clear warnings that an insider is conducting an attack. “Insiders no longer have to photocopy, photograph, or remove large swaths of physical documents from an office space,” says Tom Tahany, intelligence analyst at Blackstone Consultancy. “Rather, the downloading of several terabytes of data from an online reservoir can be done within minutes from a remote location and distributed rapidly.”

This accessing and download of large amounts of data is less of a warning sign than a smoking gun that you are suffering an insider threat. Usually before we reach the actual exfiltration there will be digital warnings that something may be about to happen.

5. Unauthorized insider attempts to access servers and data

Many insiders will go through a reconnaissance stage first, where they explore what data and systems they have access to. “Warning signs include attempts by authorized users to access servers or data they shouldn’t be, authorized users accessing or requesting access to information that is unrelated to their roles or job duties, and theft of authorized user credentials,” says Carolyn Crandall, chief deception officer at Attivo Networks.

“Whether the activity is from an authorized employee just poking around where they shouldn’t be out of curiosity, an authorized employee with malicious intentions accessing servers or data to cause damage or steal information, or an external attacker that has obtained valid credentials of an authorized user, if any of these activities are detected it is cause for alarm,” says Crandall.

6.
Authorized but unusual insider access to servers and data

Other clues may include accessing areas of the network or files they have the required permissions for but would never normally access during their day-to-day functions, modifying large numbers of files in a short period of time, staying later or arriving earlier than they have previously or accessing systems remotely at weekends, or repeatedly trying (and failing) to access areas they do not have permission for. Establishing normal behaviors and flagging abnormal ones is important in these situations.

7. Attempts to move data offsite

The final stage is the actual attempt to exfiltrate data. This includes any large download to external storage such as a USB stick, large uploads to personal cloud apps such as Dropbox when your company doesn’t use that service, or large numbers of attachment-heavy emails sent outside the company.

While USBs remain a viable option for removing large data sets and leaving less of a digital footprint, remote late-night downloads are not uncommon. Cisco’s cloud data exfiltration study found 62 percent of suspicious downloads occurred outside of normal work hours, with 40 percent taking place on weekends. While gigabytes or terabytes of data are a smoking gun for suspicious activity, it’s worth remembering sensitive information can be contained in a small amount of data.

“A credit card is 12 digits from 0 to 9, easily stored in 6 bytes,” says Jeff Williams, CTO and co-founder at Contrast Security. “That means 100,000 credit cards fit into 60KB, a million is only .6 megabytes. You could easily hide that data in a picture or document and nobody would ever detect it.”

Maintaining employee trust

However, it’s important to remember there should be an element of trust between the business and its employees.
One anomalous action does not necessarily make one guilty; an employee may only need to access a certain file or folder once a month or even once a quarter, for example, and regularly accusing employees of malicious actions could impact morale. A deadline for a project may be coming up, causing people to work more hours or over the weekend.

“One of these warning signs alone may not be indicative of a malicious internal actor,” says Nathan Little, lead investigator and partner of Gillware Digital Forensics. “But when you diligently monitor these warning signs simultaneously, the patterns and behaviors become more apparent.”

Visibility and monitoring are key

While no single technology is likely to completely protect against insider threats, a combination of technologies such as data loss prevention (DLP), encryption at rest, identity and access management (IAM), behavioral analytics, tailored log and event management, and maybe even honeypot files will reduce the chance of data making it beyond your network. “It's essential for organizations to implement robust, well-known reporting procedures for potential insider threats, and parallel human-side defenses with technical ones,” says Justin Sherman, cybersecurity policy fellow at U.S. think tank New America. “Employees should be accessing what they need in order to effectively function in their job, and that's about it.”

Prevention is better than the cure, however, and one of the best ways to prevent data escaping your network is to create risk profiles on the people who may be a risk within your organization. Cooperation, collaboration and communication between departments is key to an effective insider threat management program.

“There's always going to be a dislocation between what HR know about individuals and telling,” says Matt Lock, director of sales engineers at Varonis.
“You need to get HR to start thinking about how they can tell security that there is this person leaving, or we have a round of redundancies coming up. And if this is the case, then you can add this extra level of risk to these particular users and groups by putting them into a watch list.”

“It's also important a SOC analyst can go back to a manager and fire off an email to individuals within the company to get confirmation that this is something that they shouldn't be doing, or something that should put them on the radar because they may be looking to steal information,” Lock adds.
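
The approach described under warning signs 6 and 7 and in the watch-list advice above (baseline normal behavior, weigh several signals together, add risk for users HR has flagged) can be sketched as follows. This is an added example, not code from the article or any vendor quoted in it; the log format, host names, user names, thresholds and watch list are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

APPROVED = {"sharepoint.corp.example"}  # assumed sanctioned destination
WATCH_LIST = {"bob"}                    # assumed HR feed: leavers, redundancies
MIN_HISTORY = 5                         # events needed before volume is judged

def _baseline(user):
    # Constructed normal activity: Mon-Fri 4-8 March 2024, mid-morning, ~5 MB
    return [(f"2024-03-{d:02d}T10:00", user, "sharepoint.corp.example",
             5_000_000 + d * 100_000) for d in range(4, 9)]

# Constructed sample log: (timestamp, user, destination, bytes sent out)
EVENTS = _baseline("alice") + _baseline("bob") + _baseline("carol") + [
    ("2024-03-09T02:15", "alice", "dropbox.com", 500_000_000),
    ("2024-03-11T21:30", "carol", "sharepoint.corp.example", 5_500_000),
    ("2024-03-12T11:00", "bob", "mail.personal.example", 5_200_000),
]

def behavioural_signals(ts, dest, nbytes, history):
    """Return the warning signs one transfer shows against the user's history."""
    found = []
    when = datetime.fromisoformat(ts)
    if when.weekday() >= 5 or not 7 <= when.hour < 19:
        found.append("off_hours")
    if dest not in APPROVED:
        found.append("unapproved_destination")
    if len(history) >= MIN_HISTORY:
        avg = mean(history)
        # Floor the spread so a very regular user is not flagged on noise
        if nbytes > avg + 3 * max(pstdev(history), 0.1 * avg):
            found.append("volume_above_baseline")
    return found

def triage(events):
    """Alert only when signals coincide; one anomaly alone is not enough."""
    history, alerts = defaultdict(list), []
    for ts, user, dest, nbytes in sorted(events):
        found = behavioural_signals(ts, dest, nbytes, history[user])
        # Watch-list membership adds weight only alongside observed behaviour
        score = len(found) + (1 if found and user in WATCH_LIST else 0)
        if score >= 2:
            alerts.append((ts, user, found))
        else:
            history[user].append(nbytes)  # keep alerted events out of baseline
    return alerts

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Carol's single late-evening upload to a sanctioned destination produces one signal and no alert, while Bob's ordinary-sized transfer to a personal mail host alerts only because he is on the watch list.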