Insider threats are a serious risk to any organization. They come from
employees, contractors, or partners who have been granted legitimate
access to an organization's systems and data, which is what makes them
hard to stop with perimeter controls alone. Whether intentional or
unintentional, they can cause significant damage to an organization.
To protect against insider threats, organizations need to have a
comprehensive security strategy that includes insider threat awareness.
This means educating employees about the risks of insider threats and
providing them with the tools and resources they need to identify and
report suspicious activity.
How to Detect an Insider Threat
Insider threats are hard to detect because malicious insiders already hold
valid credentials, are often aware of the security measures in place, and
know how to work around them. Their activity can look much like a normal
work routine. Organizations therefore need both preventive controls (least
privilege, separation of duties, data-loss prevention) and monitoring for
specific indicators of misuse, in behaviour and in the logs.
Some of the most common indicators of an insider threat include:
Behavioral Indicators
- Expressed dissatisfaction by an employee, contractor, vendor, or partner
- Resentment towards co-workers or management
- Attempts to bypass security controls
- Working unusual hours without a business reason
- Repeated violations of organizational policy
- Talk of leaving the organization or of new opportunities elsewhere
Digital Indicators
- Attempting to access resources that are not part of their role or that they are not authorized to use
- Logging into business applications and networks at unusual times
- Accessing information, including sensitive information, that is unrelated to their work
- Copying or transferring large amounts of data over the network
- Repeated requests for access to systems or data unrelated to their job duties
- Sending confidential information outside the organization (personal email, cloud storage, removable media)
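The digital indicators above are the ones most readily checked in authentication and file-access logs. The following is an added example, not code from the original page: a small Python detector that reads constructed log lines and flags three of the indicators, off-hours logins, access to resources outside a user's role, and bulk data access aggregated per user per day. The log format, the role-to-resource mapping, the business-hours window and the egress threshold are all assumptions chosen for illustration; a real deployment would take these from the identity provider and a baseline of each user's normal behaviour.

```python
"""Flag common digital insider-threat indicators in access logs.

Added example for illustration only. The log format, thresholds and
role-to-resource mapping below are assumptions, not real-world values.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed whitespace-separated format):
# ISO-8601 timestamp, user, action, resource, bytes transferred
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice login vpn 0
2024-03-04T09:30:00 alice read hr-share 20480
2024-03-04T23:45:00 bob login vpn 0
2024-03-04T23:50:00 bob read finance-share 5242880
2024-03-04T23:55:00 bob read finance-share 7340032
2024-03-04T14:10:00 carol read source-repo 4096
2024-03-04T14:12:00 carol read hr-share 8192
"""

# Assumed role model: the resources each user's job normally touches.
ALLOWED_RESOURCES = {
    "alice": {"vpn", "hr-share"},
    "bob": {"vpn", "finance-share"},
    "carol": {"vpn", "source-repo"},
}

BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 local time (assumed)
EGRESS_THRESHOLD_BYTES = 10 * 1024 * 1024  # 10 MiB per user per day (assumed)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "resource": resource,
            "bytes": int(nbytes),
        })
    return events


def detect_indicators(events):
    """Return a list of (user, indicator, detail) tuples."""
    findings = []
    egress = defaultdict(int)  # (user, date) -> bytes read that day
    for ev in events:
        user, res = ev["user"], ev["resource"]
        # Indicator: logging in at unusual times
        if ev["action"] == "login" and ev["ts"].hour not in BUSINESS_HOURS:
            findings.append((user, "off-hours login", ev["ts"].isoformat()))
        # Indicator: accessing resources unrelated to the job role
        if res not in ALLOWED_RESOURCES.get(user, set()):
            findings.append((user, "out-of-role access", res))
        if ev["action"] == "read":
            egress[(user, ev["ts"].date())] += ev["bytes"]
    # Indicator: copying large amounts of data. Aggregated per day so that
    # many medium-sized reads are caught, not only a single huge transfer.
    for (user, day), total in egress.items():
        if total > EGRESS_THRESHOLD_BYTES:
            findings.append((user, "bulk data access", f"{total} bytes on {day}"))
    return findings


if __name__ == "__main__":
    for user, indicator, detail in detect_indicators(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {indicator:20} {detail}")
```

On the sample data, bob is flagged twice (a late-night login and 12 MiB read from the finance share in one day) and carol once (reading an HR share outside her role); alice generates no findings. A single finding is rarely proof of malice, so in practice these would feed a review queue or a risk score rather than trigger an automatic response.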
Types of Insider Threats
Negligent Insider -
An employee who exposes the organization to risk through carelessness rather
than intent. Negligent insiders are typically aware of the security policies
that apply to them but fail to follow them, whether through inattention,
convenience, or a belief that the rules do not matter in their case.
Negligent employees might:
- Leave their laptop unattended or unlocked
- Send an email containing personal or confidential information to the wrong recipient
- Discard sensitive records without shredding them
Malicious Insider -
An employee who knowingly seeks to steal information or disrupt operations,
usually for personal gain, revenge, or on behalf of an outside party. Malicious
insiders often wait for the right opportunity to take valuable information they
can sell or use to harm the organization. An employee with malicious intent might:
- Sell sensitive information to a competitor, for example after being dismissed
- Be recruited by external parties to steal, tamper with, or delete valuable data
- Expose trade secrets to the public
Compromised Insider -
An employee whose account or device has been taken over by an external threat
actor, typically after falling for a phishing attempt or following a link that
led to a malware download. Most of the time the employee does not realize they
have been compromised. The attacker then uses the stolen credentials or the
infected machine to pose as an authorized user and access sensitive data, which
is why their activity surfaces as the same digital indicators as a malicious insider.
Resources
- CISA Insider Threat Mitigation Guide
- CSDE Insider Threat Awareness Course