October 6, 2023 | Cybersecurity education
What is an insider threat in cybersecurity?
By Field Effect
Last updated: January 19, 2024
Cyberattack stories often focus on the remote hacker using complex code to access your organization’s systems. There are always images of a dark basement, a few bright screens, and the silhouette of a hooded figure. However, the attacker isn’t always on the outside.
An insider threat originates from within an organization. It may be a current or former employee, intern, contractor, consultant, or stakeholder—basically, members of the organization with significant access or knowledge of its infrastructure and data.
When their internal privilege is abused, either through deliberate action or unintended error, it can cause serious harm to business operations, reputation, customers, and assets.
What organizations are affected by insider threats?
The UK’s Cyber Security Breaches Survey 2022 found that larger organizations are more likely to report unauthorized use of computers or networks by insiders compared to smaller businesses. That said, insider threats can happen to any business—regardless of size.
Other studies confirm that specific industries are more vulnerable to insider threats than others. Healthcare, social assistance, and public administration all report the most damage, and healthcare is the only sector to experience more insider threats than external ones.
Organizations of every size and in every industry should keep insider threats on their radar, and there are a few reasons why.
The big problem with insider threats
Insider threats are a critical cybersecurity concern because they evade traditional defence measures. Most policies, technologies, and systems focus on preventing and eradicating external threats, leaving the organization more vulnerable to attack from an insider.
How do you determine if an employee accessed confidential files to complete a task for work or to sell the data to a competitor? How do you stop a contractor from intentionally launching ransomware as part of a bribe from an external threat actor? It’s tough to distinguish between normal, abnormal, and malicious insider behaviours.
Insider threats can also—intentionally or unintentionally—cause significantly more damage than an external party because of their familiarity with the organization’s processes, data, and vulnerabilities.
It’s disappointing to think a trusted member of your organization could use their status or intel to act maliciously. However, it has been known to happen.
LAPSUS$ takes advantage of insiders
LAPSUS$, a ransomware group, has stolen from massive enterprises by social engineering employees. They also post on social media, encouraging potential malicious insiders to help facilitate an attack in exchange for payment.
Microsoft released a statement on this:
“Unlike most activity groups that stay under the radar, [LAPSUS$] doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations.”
They added that the group offers to pay insiders—employees, suppliers, and business partners—for access to corporate credentials and multi-factor authentication (MFA) approval.
Types of insider threats
Insider threats may be negligent, unknowingly causing damage to the organization, or malicious.
Negligent insider threat examples
Many insider threats may be causing harm unintentionally—consider the following:
- Falling victim to a phishing email
- Sending confidential data to the wrong person
- Leaving corporate devices unattended
- Downloading malicious applications or plugins
- Sharing login credentials with others
Not everyone is familiar with cybersecurity best practices or knows the corporate policies put in place to protect the company, which is why it’s so important that they’re clearly communicated.
In 2021, an IT professional in Dallas deleted a significant volume of confidential data on three separate occasions. Millions of files were destroyed, including:
- 13 terabytes of Dallas police data
- 2 terabytes of secretarial materials
- 7.5 terabytes of case notes, images, etc.
The investigation found that this employee’s actions were not malicious in nature. Instead, they did not follow the organization’s data backup process and accidentally deleted both the original and backup files.
Malicious insider threat examples
If an insider threat isn’t negligent, it’s malicious. There are a few reasons why a trusted member of an organization would intentionally try to cause harm.
Verizon sums up several motivations behind insider threats in their report:
- Financial: An insider facing financial problems shares confidential credentials in exchange for a monetary reward.
- Espionage: An opportunistic insider collects trade secrets to build a competing business or uses them as leverage when applying for a job at a competitor.
- Ideology: An insider who opposes the organization’s mission, goals, or values intentionally causes harm.
- Grudge: A former employee seeking revenge against their past employer purposefully launches ransomware on the network.
- Fear: An external hacker threatens or blackmails an insider to inflict damage on the organization.
Malicious insider threats aren’t overly common but, like an external threat, can cause significant harm to the victim organization.
What are some potential insider threat indicators?
As discussed earlier, detecting an insider threat can be difficult. However, there are still indicators that something is amiss and worth investigating.
From a digital standpoint, look for internal individuals logging on at unusual times, accessing unnecessary files, or requesting access to unnecessary files. Monitor traffic volume as well—unless there's a legitimate business reason, large volumes of data should not be leaving your network.
Insider threat prevention: 4 steps
Due to their nature, organizations cannot eliminate the risk of insider threats entirely. Instead, you should focus on creating a layered strategy. With proper training, corporate procedures, access policies, and threat monitoring and detection solutions, organizations can significantly reduce their risk of insider threats.
Conduct internal training and education
Cybersecurity training can help to prevent errors and mistakes—in other words, the leading causes of negligent insider threats.
The primary goal of awareness training is to help those in the organization make better decisions to limit accidental or unintentional exposure. Provide training to anyone who uses the company's IT infrastructure and resources such as company laptops or email.
Recognize phishing emails
For training, educate employees on technical and behavioural indicators of a social engineering scam. For example, technical indicators of a malicious email may include:
- Suspicious links
- Suspicious attachments
Behavioural indicators, on the other hand, may include:
- Urgent requests
- Changes to financial details or transactions
- Unusual or unexpected senders
- Changes in behaviour
Follow password best practices
Passwords are the first and sometimes only line of defence stopping attackers from accessing corporate accounts and compromising data. Far too many choose weak credentials, such as “password”, “123456”, and “qwerty” for corporate email or cloud services.
The truth is that simple passwords are easy to remember but also easy for others—including insider threats—to guess.
Train all members of your organization on the elements that constitute a strong password. They should be long and complex with a mix of upper and lowercase letters, numbers, and symbols and only shared with others if absolutely necessary.
Don't forget about physical security
Remind employees and other members of the organization that corporate devices need to be physically secured as well. Insider threats may use an unattended device as an opportunity to access confidential data or files.
You don’t know who in your office could see something they’re not authorized to, whether it’s a colleague in another department or a new candidate walking past for an interview.
How to detect and report potential incidents
All employees should be trained on the digital and behavioural indicators of an insider attack. Further, they should know what to do if they suspect an insider attack is happening and the reporting mechanisms in place.
Implement policies that combat insider threats
Another step you can take to reduce the risk of insider threats in your organization is to establish proper policies and procedures. For example, the Human Resources department can mitigate risk proactively by properly vetting candidates via interviews, background checks, and more.
Establish formal processes to disable user accounts (including remote access and email accounts) after an employee has left the organization so they cannot continue to log in and access data or other sensitive files. There should be processes to retrieve corporate property after an employee leaves the company, too.
Here’s why. Block—formerly known as payment company Square—experienced a data breach affecting more than eight million users in late 2021. The breach occurred when a former employee accessed confidential reports containing sensitive customer information, including full names, brokerage account numbers, portfolio values, holdings, activities, and more.
According to the victim organization, “this employee had regular access to these reports as part of their past job responsibilities, in this instance, these reports were accessed without permission after their employment ended.”
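The offboarding process described above can be checked mechanically. The following is an added example (not Field Effect's or Block's code) that reconciles a constructed HR leaver feed against a constructed directory export and reports two things a practitioner would want after an incident like Block's: accounts of former employees that are still enabled, and any logon recorded after the person's termination date. The record layouts, names, systems and dates are all assumptions made for the illustration.

```python
"""Offboarding reconciliation: HR leaver records vs. account status.

Added example, not the page's or any vendor's code. Record layouts,
user names, system names and dates are constructed for illustration.
"""
from datetime import date

# Constructed HR feed: who left the organization and on what date.
HR_LEAVERS = {
    "bob": date(2023, 11, 30),
    "carol": date(2023, 12, 15),
    "dave": date(2024, 1, 5),
}

# Constructed export from the directory / identity provider, one row per
# (account, system). In practice `enabled` and `last_logon` come from the
# real system (directory, VPN concentrator, reporting portal, mail).
ACCOUNTS = [
    {"user": "bob",   "system": "email",   "enabled": False, "last_logon": date(2023, 11, 29)},
    {"user": "bob",   "system": "vpn",     "enabled": True,  "last_logon": date(2023, 12, 20)},
    {"user": "carol", "system": "email",   "enabled": True,  "last_logon": date(2023, 12, 14)},
    {"user": "carol", "system": "reports", "enabled": True,  "last_logon": date(2024, 1, 3)},
    {"user": "dave",  "system": "email",   "enabled": False, "last_logon": date(2024, 1, 4)},
    {"user": "erin",  "system": "email",   "enabled": True,  "last_logon": date(2024, 1, 10)},
]

# Constructed "today" so the example is deterministic.
TODAY = date(2024, 1, 12)


def reconcile(leavers, accounts, today):
    """Return (still_enabled, post_termination_logons).

    still_enabled: (user, system, days since termination) for accounts of
    leavers that are still enabled.
    post_termination_logons: (user, system, last_logon) where the last
    recorded logon is later than the termination date, i.e. the account
    was used after the person left.
    """
    still_enabled, post_termination_logons = [], []
    for acct in accounts:
        left = leavers.get(acct["user"])
        if left is None or left > today:
            continue  # current employee, or a leave date still in the future
        if acct["enabled"]:
            still_enabled.append((acct["user"], acct["system"], (today - left).days))
        if acct["last_logon"] is not None and acct["last_logon"] > left:
            post_termination_logons.append((acct["user"], acct["system"], acct["last_logon"]))
    return still_enabled, post_termination_logons


def missing_from_export(leavers, accounts):
    """Leavers with no directory rows at all: usually an incomplete export
    rather than a clean offboarding, so worth a second look."""
    seen = {a["user"] for a in accounts}
    return sorted(u for u in leavers if u not in seen)


def run():
    enabled, used_after = reconcile(HR_LEAVERS, ACCOUNTS, TODAY)
    return {"still_enabled": enabled,
            "post_termination_logons": used_after,
            "missing": missing_from_export(HR_LEAVERS, ACCOUNTS)}


if __name__ == "__main__":
    report = run()
    for user, system, days in report["still_enabled"]:
        print(f"STILL ENABLED  {user}@{system}  {days} days after leaving")
    for user, system, when in report["post_termination_logons"]:
        print(f"USED AFTER EXIT {user}@{system}  last logon {when}")
    for user in report["missing"]:
        print(f"NOT IN EXPORT  {user}")
```

Running this against a real directory export is a useful recurring check, because a single missed system (here, a VPN account and a reporting portal) is enough to leave the kind of access described in the Block incident.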
Set and manage access permissions to reduce risk
Limiting a user's access to networks, systems, and data can help prevent intentional and unintentional actions that could lead to a breach. Most people in an organization won't require administrative privileges, and those with unnecessarily high access can present a significant threat. Strict access controls are more important than ever with the rise in hybrid work environments.
The principle of least privilege, where a user only has access to the files and tools needed to do their job, limits unauthorized access and potentially damaging mistakes. In certain circumstances, an employee will need temporary access to specific files or data; make sure such access is granted only when needed and revoked once it is no longer required for their role.
Limiting access control is essential not only to mitigate the risk of internal threats but external ones as well. In late 2021, Microsoft said that NOBELIUM, a threat actor engaged in nation-state activity, had been “targeting privileged accounts of service providers” and that “these attacks have highlighted the need for administrators to adopt strict account security practices.”
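The least-privilege model above, with standing access tied to a role and anything beyond it issued as a temporary grant that expires, can be expressed as a small access-decision component. This is an added example and not Field Effect's code; the role names, resource paths, the ticket reference used as a grant reason, and the four-hour grant duration are assumptions for the illustration. Every decision, including denials for expired grants, is written to an audit list so that stale access shows up in review rather than silently persisting.

```python
"""Time-bounded ("just-in-time") access on top of role-based standing access.

Added example, not the page's code. Roles, resources, the ticket reference
and the grant duration are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    resource: str
    reason: str
    expires: datetime
    revoked: bool = False


class AccessPolicy:
    """Standing entitlements come from a user's role; anything else must be a
    temporary grant with an expiry, and the expiry is checked on every access."""

    def __init__(self, role_access, role_of):
        self.role_access = role_access   # role -> set of resources
        self.role_of = role_of           # user -> role
        self.grants = []
        self.audit = []                  # (time, user, resource, decision, why)

    def grant_temporary(self, user, resource, reason, now, ttl):
        """Issue a grant that is valid from `now` for `ttl`, tied to a reason."""
        g = Grant(user, resource, reason, now + ttl)
        self.grants.append(g)
        return g

    def revoke(self, user, resource):
        """Explicit early revocation, e.g. when the task finishes ahead of time."""
        for g in self.grants:
            if g.user == user and g.resource == resource and not g.revoked:
                g.revoked = True

    def allowed(self, user, resource, now):
        role = self.role_of.get(user)
        if resource in self.role_access.get(role, set()):
            self.audit.append((now, user, resource, "allow", f"role:{role}"))
            return True
        for g in self.grants:
            if g.user == user and g.resource == resource and not g.revoked:
                if now <= g.expires:
                    self.audit.append((now, user, resource, "allow", f"grant:{g.reason}"))
                    return True
                self.audit.append((now, user, resource, "deny", "grant expired"))
                return False
        self.audit.append((now, user, resource, "deny", "no entitlement"))
        return False

    def expire_stale(self, now):
        """Housekeeping: mark expired grants as revoked; returns how many."""
        count = 0
        for g in self.grants:
            if not g.revoked and now > g.expires:
                g.revoked = True
                count += 1
        return count


def demo():
    """Walk one user through standing access, a temporary grant and its expiry."""
    t0 = datetime(2024, 1, 15, 9, 0)
    policy = AccessPolicy(
        role_access={"analyst": {"reports/sales"},
                     "admin": {"reports/sales", "hr/payroll"}},
        role_of={"alice": "analyst"},
    )
    results = {}
    results["standing"] = policy.allowed("alice", "reports/sales", t0)        # role grants this
    results["no_grant"] = policy.allowed("alice", "hr/payroll", t0)           # outside her role
    policy.grant_temporary("alice", "hr/payroll", "ticket-1234 audit support",
                           t0, timedelta(hours=4))                            # constructed reason
    results["within_ttl"] = policy.allowed("alice", "hr/payroll", t0 + timedelta(hours=1))
    results["after_ttl"] = policy.allowed("alice", "hr/payroll", t0 + timedelta(hours=5))
    results["expired_now"] = policy.expire_stale(t0 + timedelta(hours=5))
    results["denies"] = [a for a in policy.audit if a[3] == "deny"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `expire_stale` is that revocation should not depend on someone remembering to remove the access: the grant carries its own end time, and the review job turns any grant past that time into a revoked record.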
Monitor for signs of an insider threat
Another way to mitigate the risk of insider threats is to achieve rich visibility to accurately detect anomalous behaviour and activities that may indicate a threat. You need a solution that can create a baseline of normal user and device behaviour, and then flag deviations.
Ideally, this monitoring would extend to endpoints, cloud services, and network traffic. Having visibility into all of these increases your chances of identifying a threat.
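The two passages above, the digital indicators (unusual logon times, access to files outside a user's normal set, large outbound volumes) and the baseline-then-deviation approach, fit together in one piece of detection logic. The following is an added example and not Field Effect's code: it builds a per-user baseline from a constructed history of access-log lines and then flags new events that deviate from it. The log format, user name, file paths, byte counts, the three-standard-deviation threshold and the one-hour slack on login times are all assumptions for the illustration; a real deployment would feed it from authentication, file-access and proxy logs.

```python
"""Per-user baseline and deviation detection over constructed access logs.

Added example, not the page's code. Log format, names, paths, volumes and
thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: "<timestamp> <user> <action> <object> <bytes>".
HISTORY = """\
2024-01-08T09:02:11 alice login workstation 0
2024-01-08T09:15:40 alice read finance/q4-budget.xlsx 120000
2024-01-08T17:30:05 alice upload cloud-share 800000
2024-01-09T08:55:02 alice login workstation 0
2024-01-09T10:02:19 alice read finance/q4-budget.xlsx 118000
2024-01-09T16:45:51 alice upload cloud-share 650000
2024-01-10T09:10:33 alice login workstation 0
2024-01-10T11:22:07 alice read finance/forecast.xlsx 90000
2024-01-10T17:01:12 alice upload cloud-share 700000
"""

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = """\
2024-01-14T02:13:44 alice login vpn 0
2024-01-14T02:20:09 alice read hr/salaries.xlsx 450000
2024-01-14T02:41:37 alice upload cloud-share 9000000
2024-01-15T09:05:00 alice read finance/q4-budget.xlsx 121000
"""


def parse(text):
    """Parse one event per non-blank line into a dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "obj": obj, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per user: login hours seen, objects read, and upload bytes per day."""
    base = defaultdict(lambda: {"hours": set(), "objects": set(),
                                "daily_out": defaultdict(int)})
    for e in events:
        b = base[e["user"]]
        if e["action"] == "login":
            b["hours"].add(e["ts"].hour)
        elif e["action"] == "read":
            b["objects"].add(e["obj"])
        elif e["action"] == "upload":
            b["daily_out"][e["ts"].date()] += e["bytes"]
    return base


def detect(baseline, events, sigma=3.0, hour_slack=1):
    """Return (event, reason) pairs that deviate from the user's baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings.append((e, "no baseline for user"))
            continue
        if e["action"] == "login":
            # Login hour not within `hour_slack` of any hour previously seen.
            if not any(abs(e["ts"].hour - h) <= hour_slack for h in b["hours"]):
                findings.append((e, "login outside usual hours"))
        elif e["action"] == "read" and e["obj"] not in b["objects"]:
            findings.append((e, "access to object not in user's history"))
        elif e["action"] == "upload":
            # Outbound volume above mean + sigma * stddev of the user's daily totals.
            daily = list(b["daily_out"].values())
            if len(daily) >= 2:
                threshold = mean(daily) + sigma * pstdev(daily)
            else:
                threshold = 2 * max(daily, default=0)  # too little history: crude fallback
            if e["bytes"] > threshold:
                findings.append((e, f"outbound volume {e['bytes']} exceeds "
                                    f"baseline threshold {int(threshold)}"))
    return findings


def run():
    """Build the baseline from HISTORY and evaluate NEW_EVENTS against it."""
    baseline = build_baseline(parse(HISTORY))
    return [(e["ts"].isoformat(), reason) for e, reason in detect(baseline, parse(NEW_EVENTS))]


if __name__ == "__main__":
    for ts, reason in run():
        print(ts, reason)
```

On the constructed data the 02:00 VPN login, the read of a file the user has never touched, and the upload roughly ten times the user's daily norm are each flagged, while the next morning's read of a familiar file is not. The baseline is deliberately per user: the same 9 GB upload could be routine for a backup operator and anomalous for an analyst, which is why a single global threshold produces both noise and misses.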
To learn more about choosing a cybersecurity solution that adequately defends against a wide range of cyber threats, download the Choosing a Cyber Security Solution: Your Guide to Getting it Right eBook.