What Is an Insider Threat?
An insider threat is a person within an organization who poses a cyber security risk. This person uses their credentials and trusted status to compromise a network or leak data to unauthorized people outside the organization.
Insider threats can happen intentionally or by accident. And they’re a complex challenge to organizations since employees inherently have access to sensitive data and networks. Rather than having to bypass a firewall, for example, an insider threat is already behind an organization’s security.
To fully understand insider threats, it's important to understand who counts as an insider. Some examples include:
Employees
Contractors and vendors
Executives
Former employees
Partners
Any person with privileged access to sensitive information or networks is capable of being an insider threat.
Learn about different types of insider threats, common examples, indicators of an inside threat, and which threats carry the most risk.
Types of Insider Threats
The CISA defines two types of insider threats: intentional and unintentional. They can both cause significant harm to a network despite their differences in intent and execution.
Intentional Insider Threats
A cyberattack with malicious intent from an insider (like an employee) is an intentional insider threat. The motivation behind malicious insiders may be for personal gain like money, or to get revenge for a perceived grudge.
According to the CISA, hostile insiders "use technical means to disrupt or halt an organization’s regular business operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to IT systems."
Unintentional Insider Threats
An unintentional threat usually happens by accident or negligence. An inadvertent incident can occur when an insider doesn't follow cybersecurity policies, falls victim to a phishing email, or ignores notifications to update software.
Insiders don't intend to harm the organization, but their actions result in some form of compromise, like a data breach. An IBM report on insider threats found that 63% of insider threat incidents were due to negligence.
Third-party Threats
While third-party persons like vendors and contractors aren’t formal insiders of your organization, they may have access to other employees, proprietary data, and sensitive materials.
They’ve also established themselves as a legitimate source. Working with vendors means you have built trusted relationships with them which can be exploited by criminals. Third-party threats may happen accidentally or intentionally, and they can involve collusion with an outsider actor.
Supply chain attacks are an example of a third-party threat. Consider this scenario: an account takeover compromises a vendor, and criminals use the account to trick employees into paying an invoice, downloading malware, or sharing sensitive data. These types of attacks are particularly insidious because they are difficult to detect.
Insider Threat Examples
There are many examples of insider threats in recent years. Some of these incidents include:
HackerOne: HackerOne had an employee who improperly accessed security reports for personal financial gain.
OpenSea: The NFT company had its entire email list stolen by an employee at a vendor company and then shared with an unauthorized external party.
Cisco: A former engineer deleted 456 virtual machines and 16,000 Webex accounts, costing Cisco $2.4 million to repair.
Organizations should also prepare for attackers to solicit employees to take part in insider schemes. Abnormal recently detected emails asking a company’s employees to intentionally deploy DemonWare on a company's server or computer. In exchange, the employee would receive $1 million in bitcoin from the ransom money.
As attackers adapt to new cybersecurity policies, organizations must protect themselves from new tactics and identify new insider threats quickly. The DemonWare attacker first sought to send phishing emails to compromise accounts, but email security blocked such attempts. So he adapted by directly soliciting employees to download ransomware.
What Are Potential Indicators of an Insider Threat?
Insider threats are difficult to detect and prevent, but there are still some indicators of compromise. These employee activities can indicate a potential insider threat:
Downloading unusually large amounts of data
Accessing data unrelated to their job
Using external storage devices
Downloading files with private information
Emailing outside emails with sensitive data attached
Unusual user geography changes
Turning off encryption
Violating cybersecurity policies
While this isn't always an insider threat blossoming, it's important to note if employees are accessing or using data in a way that's unnecessary for their job. Even if it is part of their job duties, behavioral analysis can help detect if unusual incidents are taking place.
How To Prevent Insider Threats
Detection, mitigation, and prevention of insider threats is a tall task. The insidious nature means traditional cybersecurity measures aren’t enough.
This disconnect has compounded with the growth of remote work. The lack of security visibility, growth in cloud application use, and decentralization of both employees and server traffic complicates external and internal threat monitoring.
Security teams need applications that create baseline models of standard employee activity. Using these baselines, they can automatically highlight anomalies in user behavior that indicate an insider threat or an account compromise. Red flags can include geographic irregularities and unusual login hours.
Behavioral baselining helps detect unusual behavior, but it doesn’t necessarily prevent it. Organizations need to enact basic security measures, including:
Restricting sensitive data to privileged accounts.
Strict credential monitoring, with strong password requirements and multifactor authentication.
Stringent data security and sanitization.
Universal offboarding procedures for departing employees.
Preventing insider threats (or any cyberattack, really) is a journey, not a destination.
To learn more about how Abnormal can improve your email security, request a demo.