
What Is an Insider Threat? How to Detect and Prevent It

March 24, 2022
by Mara Calvello

With each passing day, we grow more dependent on apps and devices to manage our lives, both inside and outside work.

Because of this, data is everywhere, and there are plenty of gaps through which it can leak and plenty of people in a position to misuse it. We're conditioned to think that data leaks come from strangers hacking into our systems, but that isn't always the case.

Sometimes the most damaging attacks on our data come from the inside, in the form of an insider threat. Companies use tools like security information and event management (SIEM) software to monitor user activity, and multi-factor authentication tools to strengthen account security so that a stolen or shared password alone is not enough to get in.

The insider doesn't have to be a current employee or stakeholder. It can be a former employee, a board member, a contractor, or anyone else who has, or once had, access to an organization's confidential and private information.

An insider threat occurs when someone with authorized access to an organization's systems or information uses that access, deliberately or carelessly, in a way that harms critical information or systems.

98% of organizations feel vulnerable to insider attacks. (Source: Cybersecurity Insiders)

Types of insider threats

There are three main types to watch out for when it comes to insider threats.

Malicious

A malicious insider threat comes from someone deliberately trying to sabotage an organization. The goals are typically espionage, fraud, and intellectual property theft.

An example would be a disgruntled employee who steals information after quitting or being fired. A related technique is the logic bomb: malicious code an insider plants on a system, often shortly before leaving, that lies dormant until a condition is met, such as a date passing or the planter's own account being removed, and then does its damage.

Inadvertent

An inadvertent insider threat comes from human error or poor judgment. This includes opening a phishing email, triggering malware, using unsanctioned tools and services (shadow IT), and otherwise unintentionally aiding a threat actor.

In 2020, a study conducted by Verizon found that 2% of employees targeted in a phishing campaign click on malicious links.

Mole

A mole is an outsider who has gained access to an organization's network: someone from outside the organization posing as an employee, contractor, or partner, or using a legitimate insider's credentials.

Multi-factor authentication restricts moles to some extent, because a password alone, whether guessed, stolen, or shared, is no longer enough to use an account.


How to detect insider threats

Insider threats are more challenging to identify and block than other attacks. Even if you're using Security Information and Event Management (SIEM) software, a former employee signing in with credentials that still work looks like ordinary, authorized activity; it won't raise the same alarms as an outside attacker breaking into your network.

The most effective approach is to continuously monitor user activity against each user's normal behavior and to act promptly when it deviates. Threat intelligence software can supplement this by correlating what you see internally with known attacker techniques and indicators.

What are some potential insider threat indicators?

It's essential to be aware of the warning signs of a potential insider threat.

  • Theft and corruption: Watch for user activity that deviates from the norm. Perhaps an account has been used for the first time in a while, a login has come from a new location, or a user is pulling far more data than they usually do.
  • Damaging mistakes: This is when employees act carelessly. It includes users creating personal accounts on enterprise servers, sharing VPN credentials, and handling work email through a third-party provider.
  • New openings for outsiders: These are signs that a cybercriminal may already have infiltrated the organization. Look out for an increased number of data transfers, a higher than expected number of logins, attempts to change the privileges or credentials of an existing account, or the creation of many new accounts.
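As an added example, not from the original article, here is a small Python script that turns the indicators above into detection rules and runs them over a handful of constructed log lines. The key=value log format, the user names, and the thresholds are assumptions chosen for the illustration, not any product's schema. It builds a per-user baseline from older activity and then flags a login from an unseen location, reactivation of a dormant account, a transfer far above the user's normal volume, any privilege change, and a burst of account creations.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a simple key=value format. The schema is
# hypothetical, not any real SIEM's. Lines before 2022-03-01 form each user's
# baseline; later lines are the activity being checked against it.
SAMPLE_LOG = """\
2022-02-01T09:00:00Z event=login user=alice geo=US
2022-02-01T09:05:00Z event=transfer user=alice bytes=20000000
2022-02-12T09:00:00Z event=login user=alice geo=US
2022-02-12T09:05:00Z event=transfer user=alice bytes=25000000
2022-02-25T09:00:00Z event=login user=alice geo=US
2022-02-25T09:05:00Z event=transfer user=alice bytes=18000000
2022-02-01T10:00:00Z event=login user=bob geo=US
2022-02-01T10:05:00Z event=transfer user=bob bytes=1000000
2022-03-20T02:13:00Z event=login user=alice geo=RO
2022-03-20T02:20:00Z event=transfer user=alice bytes=900000000
2022-03-20T02:25:00Z event=priv_change user=alice target=alice role=admin
2022-03-20T03:00:00Z event=login user=bob geo=US
2022-03-20T03:01:00Z event=account_create user=bob target=svc1
2022-03-20T03:02:00Z event=account_create user=bob target=svc2
2022-03-20T03:03:00Z event=account_create user=bob target=svc3
2022-03-20T03:04:00Z event=account_create user=bob target=svc4
"""

BASELINE_END = datetime(2022, 3, 1, tzinfo=timezone.utc)
DORMANT_DAYS = 30                  # a login after this many idle days is suspicious
SPIKE_FACTOR = 10                  # a transfer over 10x the user's baseline mean
BURST_COUNT = 3                    # this many account creations...
BURST_WINDOW = timedelta(hours=1)  # ...within this long, by one user


def parse_line(line):
    """Turn '2022-...Z event=login user=alice geo=US' into a dict with a datetime."""
    stamp, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def build_baseline(events):
    """Per-user normal: login locations seen, most recent login, transfer sizes."""
    base = defaultdict(lambda: {"geos": set(), "last_login": None, "transfers": []})
    for ev in events:
        b = base[ev["user"]]
        if ev["event"] == "login":
            b["geos"].add(ev["geo"])
            if b["last_login"] is None or ev["ts"] > b["last_login"]:
                b["last_login"] = ev["ts"]
        elif ev["event"] == "transfer":
            b["transfers"].append(int(ev["bytes"]))
    return base


def detect(log_text):
    """Return (timestamp, user, rule, detail) alerts for post-baseline activity."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    baseline = build_baseline(e for e in events if e["ts"] < BASELINE_END)
    alerts = []
    creations = defaultdict(list)  # user -> recent account_create timestamps

    for ev in (e for e in events if e["ts"] >= BASELINE_END):
        user, kind, ts = ev["user"], ev["event"], ev["ts"]
        b = baseline.get(user)     # .get() so unknown users don't get an empty baseline

        if kind == "login":
            if b is None:
                alerts.append((ts, user, "no_baseline", "no prior activity for this user"))
                continue
            if ev["geo"] not in b["geos"]:
                alerts.append((ts, user, "new_location",
                               f"login from {ev['geo']}; known {sorted(b['geos'])}"))
            idle = (ts - b["last_login"]).days if b["last_login"] else None
            if idle is not None and idle > DORMANT_DAYS:
                alerts.append((ts, user, "dormant_reactivation", f"{idle} idle days"))

        elif kind == "transfer":
            size, hist = int(ev["bytes"]), (b["transfers"] if b else [])
            if hist and size > SPIKE_FACTOR * sum(hist) / len(hist):
                alerts.append((ts, user, "transfer_spike",
                               f"{size} bytes vs baseline mean {sum(hist) // len(hist)}"))

        elif kind == "priv_change":   # always worth a look, baseline or not
            alerts.append((ts, user, "privilege_change", f"{ev['target']} -> {ev['role']}"))

        elif kind == "account_create":
            creations[user] = [t for t in creations[user] if ts - t <= BURST_WINDOW] + [ts]
            if len(creations[user]) == BURST_COUNT:   # fire once, when the threshold is crossed
                alerts.append((ts, user, "account_creation_burst",
                               f"{BURST_COUNT} accounts created within {BURST_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user:6} {rule:24} {detail}")
```

The thresholds are deliberately crude. In practice they are tuned per role and the rules are correlated rather than read in isolation, because an insider who exfiltrates slowly over months stays under any single volume rule, and a baseline built from a period in which the insider was already active will treat that activity as normal.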

How to prevent insider threats

Organizations can set policies and procedures to mitigate insider threats and control damages if an unfortunate incident occurs. Below are some best practices to help you protect yourself from insider threats.

Document and enforce policies and controls

Create policies around how employees interact with an organization's IT environment and enforce them. 

Below are some standard policies that companies should establish.

  • Data protection regulations
  • Third-party access policy
  • Password management policy
  • User monitoring policy
  • Account management policy
  • Incident response policy

Have your legal department review these policies, and have HR (or the IT department) communicate them clearly to everyone in the organization.

Perform organization-wide risk assessment

An organization-wide risk assessment will help you identify critical assets, vulnerabilities, and associated risks. You can prioritize mitigation measures and strengthen your IT infrastructure against any cyber attack or insider threat based on the nature of risks.

You can use IT risk management software to track and prioritize the risks associated with your software and hardware.

Implement strict account and access management practices

Users should be required to prove their identity with more than a password. Multi-factor authentication software adds further challenges, requiring users to authenticate through more than one mechanism, for example a one-time password (OTP) from an authenticator app or a biometric check in addition to their password. Just as important is revoking access promptly when employees, contractors, and vendors leave: a former insider's credentials are only dangerous while they still work.

Find risky actors and respond promptly to suspicious activity

Keep a close watch on security systems and respond to any suspicious activity according to your incident response plan. It's essential to monitor and control remote access to systems and ensure that you get alerts through multiple channels whenever any suspicious activity is detected.

Consider using user and entity behavior analytics (UEBA) software to identify patterns, monitor user or machine behaviors, and notify stakeholders in case of any abnormal activity.

Real-life examples of insider threats

For all you true-crime enthusiasts out there, let's look at some insider threat examples and the companies that paid the price.

General Electric: employee steals valuable data and trade secrets

In July 2020, details emerged of an eight-year-long insider scheme at General Electric (GE). Employee Jean Patrice Delia stole valuable proprietary data and trade secrets, intending to use them to start a rival company.

After being granted access to the files he had requested from an IT administrator, Delia emailed commercially-sensitive calculations to his co-conspirator. After pleading guilty to the charges, Delia faced up to 87 months in jail.

Cisco: Ex-employee sabotages user data

Sudhish Kasaba Ramesh of San Jose, California, received two years in prison for accessing Cisco's cloud infrastructure months after resigning and deploying code that deleted 456 virtual machines behind Cisco's WebEx Teams service, shutting down more than 16,000 user accounts and causing about $2.4 million in damage. The incident underscores the need to secure data from inside and outside threats.

It serves as a reminder that it's not just your current employees who pose a potential internal threat, but your ex-employees, too.

Anthem: employee data infiltration

Between 2014 and 2015, Anthem experienced an insider-theft data breach in which the personal data of over 18,000 Medicare members was stolen. It wasn't until April 2017, nearly three years later, that the Medicare insurance coordination services vendor.

The employee behind this insider threat had emailed a file containing Medicare ID numbers, Social Security numbers, health plan ID numbers, member names, and more to their personal email address.

39% of healthcare data breaches in 2020 were caused by insider threats. (Source: Verizon)

Target: third-party credential threat

In 2013, Target suffered a highly publicized payment card data breach that began with credentials issued to a third-party HVAC vendor being stolen and used far outside their intended purpose. With that access, attackers moved into Target's network, reached its payment systems and customer database, and installed malware on point-of-sale systems.

Doing so allowed them to steal information from Target's customers, including names, phone numbers, email addresses, and payment card details.

RSA: employees falling for a phishing attack

In March 2011, RSA fell victim to an insider threat of the inadvertent kind when an employee opened a targeted phishing (spear-phishing) email. The attackers went on to steal data related to RSA's SecurID two-factor authentication tokens, affecting roughly 40 million tokens in circulation.

The two hacker groups behind the attack crafted the phishing emails to look like they came from trusted coworkers and contacts within the organization. RSA is the security division of EMC, and this attack showed that no one, not even a security vendor, is safe from a breach that starts on the inside.

Rockwell and Boeing: employed a spy

Think spies are just for TV dramas and Hollywood films? Think again.

Spies come in all shapes and sizes; in this case, in the form of Dongfan "Greg" Chung, who spied for China while employed by Rockwell and then Boeing. Between 1979 and 2006, Chung took hundreds of boxes' worth of documents about U.S. military aircraft and space programs, including the Space Shuttle.

This nation-state-sponsored insider threat is one of the ways foreign governments gain access to valuable, highly classified secrets and intellectual property.

Protect yourself from the inside out

With insider threats posing such a tremendous financial risk, it's more important than ever to invest in awareness training and to be able to spot the signs of an insider threat before it does damage. Never stop monitoring user activity, because every insider threat ultimately comes down to the people using your systems.



Mara Calvello

Mara Calvello is a Content and Communications Manager at G2. She received her Bachelor of Arts degree from Elmhurst College (now Elmhurst University). Mara writes customer marketing content, while also focusing on social media and communications for G2. She previously wrote content to support our G2 Tea newsletter, as well as categories on artificial intelligence, natural language understanding (NLU), AI code generation, synthetic data, and more. In her spare time, she's out exploring with her rescue dog Zeke or enjoying a good book.