An insider threat is a security risk that originates within an organization and involves employees, former employees, or third parties. While commonly associated with malicious intent, an insider threat can also result from innocent accidents. The term usually refers to cyber events in which legitimate user access privileges are used to gain unauthorized access to sensitive data, networks, and systems.
An insider is “any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.”
-Cybersecurity & Infrastructure Security Agency (CISA)
An insider threat with malicious intent is most often for financial gain, seeking to perpetrate a data breach, fraud, or ransomware attack. However, some malicious insider threats are aimed at disrupting operations for terrorism or revenge.
An accidental or unintentional insider threat can be triggered in many ways, such as by clicking a phishing link or succumbing to a social engineering ploy. Innocent users can also become an insider threat by accidentally accessing sensitive data without authorization or emailing it outside of the organization.
Types of insider threats
An insider threat is typically categorized as malicious or accidental. A malicious insider is a person (e.g., an employee or third party) who uses their access privileges to steal from or harm an organization. This type of insider threat is also referred to as an intentional insider threat; a typical case is an employee stealing corporate data to sell to hackers, third-party organizations, or rival companies. An accidental insider threat can arise in many ways, including lax organizational security policies, a lack of employee training, and careless team members.
Within these two categories are nuanced subcategories worth noting, including the following.
Departing employees
When an employee leaves an organization voluntarily or involuntarily, they often become an insider threat. Sometimes this is accidental as an employee mistakenly takes internal information when gathering their personal effects and files. Other times, it is malicious, with departing employees stealing information for personal gain (e.g., trade secrets, customer lists) or exposing sensitive data for revenge.
Inside agents
Similar to embedded spies, inside agents target organizations and attain positions as employees or third parties to gain access to sensitive data and information. Inside agents often work on behalf of an external group.
Former employees
Former employees can retain access to systems in organizations with lax offboarding processes. Some former employees become an insider threat, using their access to cause damage or steal data, or share their access with a malicious individual or group.
Moles
Moles are actually external threat actors who manipulate an authorized employee or third party to gain access to systems and data. Social engineering tactics are commonly used by moles.
Security evaders
A type of hybrid insider threat, security evaders put organizations at risk by willfully, sometimes maliciously, ignoring, circumventing, or overriding security safeguards.
Third party non-employees
While not employees, third party non-employees can be insider threats. A non-employee is a partner, contractor, vendor, affiliate, contingent worker, volunteer, student, or service provider with access to an organization’s systems, data, and applications.
Third-party risk can be as dangerous, or in some cases more dangerous, than other insider threats, because many third parties do not have the same level of security controls as the organizations that engage them.
Unintentional insiders
An unintentional insider threat, also called a negligent insider threat, is often considered more dangerous than a malicious insider threat, because the person is often unaware that they have been compromised. This can occur in a number of ways, including when a user:
- leaves an unencrypted work device unattended
- uses non-secure communication channels
- falls for a phishing scam
- succumbs to social engineering tactics
While serious, an insider threat is easier to combat than other cyber threats as risk can be significantly reduced by following security best practices.
Detecting an insider threat
Although they are generally stealthy, there are several cyber-related warning signs that could indicate an insider threat. Understanding how an insider threat can occur and being able to identify behavior patterns and activities that can signify a threat are the best ways to proactively protect sensitive data, networks, and systems.
How insider threats occur
An insider threat occurs when legitimate credentials are used to gain “authorized” access to an organization’s systems, data, or networks. Whether it is accidental or malicious, an insider threat occurrence involves the misuse of user credentials to an organization’s detriment.
Insider threat behavior patterns
An insider threat can often be detected by paying attention to behavioral warning signs. In many cases, changes in a user’s behavior or unusual behaviors can be an indication of a threat. Although any single example below may not be indicative of a threat, a person should be considered a potential insider threat when multiple factors are applicable.
- Accessing information that is not related to their job
- Attempts to bypass security protocols
- Sudden increase in purchases of high-end items (e.g., vacations, jewelry, cars, houses)
- Conflict with coworkers
- Copying data to personal devices
- Creating unauthorized accounts
- Disgruntled behavior displayed toward coworkers
- Downloading unusually large amounts of data
- Expressing interest in sensitive projects not related to their job
- Frequent use of sick leave
- Frequent violations of data protection and compliance rules
- Frequent visits to the office outside of normal working hours
- Increased stress level
- Job dissatisfaction
- Lack of interest in job-related projects and assignments
- Logging into the network at odd hours
- Low ratings on performance reports
- Misuse of travel and expenses
- Sudden changes in lifestyle
- Discussions of new job opportunities or thoughts of resigning
- Violations of corporate policies
Insider threat indicators
Other insider threat indicators include evidence of a user attempting to, or a tool being used to:
- Access or download large amounts of data
- Change passwords for unauthorized accounts
- Circumvent access controls
- Connect outside technology or personal devices to organizational systems
- Hoard data or copy files from sensitive folders
- Dismantle, turn off, or neglect security controls (e.g., encryption, antivirus tools, firewall settings)
- Email sensitive data outside the organization
- Gain access to data or applications that are not associated with the individual’s role or responsibilities
- Install hardware or software to access organizational systems remotely
- Install unauthorized software or malware
- Move corporate data to personal versions of approved applications
- Crawl networks and conduct other searches for sensitive data
- Override blocks on attempts to exfiltrate data
- Escalate access privileges
- Rename files so the file extension does not match the content
- Search and scan for security vulnerabilities
- Send attachments using an unsanctioned encrypted email service
- Transmit data outside the organization
- Use unauthorized storage devices (e.g., USB drives, external hard drives)
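The behavioral and technical indicators above only become useful for detection when they are scored together against a baseline of what is normal for each user, as the text notes. The following is an added example (not code from the original article or from any product it describes) that builds a per-user download baseline from a constructed week of activity and then scores a constructed day of events for off-hours logins, unusually large downloads, USB storage use, and external email. The log format, user names, indicator weights, and alert threshold are all assumptions chosen for the example.

```python
"""Score constructed user-activity events against insider-threat indicators.

Added example. The log format ("<ISO timestamp> <user> <action> [size]"),
the users, the weights and the thresholds are assumptions, not a real
product's schema or tuning.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a week of known-good activity used to build a baseline.
BASELINE_LOG = [
    "2024-03-04T09:05:00 alice login",
    "2024-03-04T11:20:00 alice download 12000000",
    "2024-03-05T08:55:00 alice login",
    "2024-03-05T15:10:00 alice download 15000000",
    "2024-03-06T09:10:00 alice login",
    "2024-03-06T10:00:00 alice download 9000000",
    "2024-03-07T09:00:00 alice login",
    "2024-03-07T14:30:00 alice download 14000000",
    "2024-03-08T08:50:00 alice login",
    "2024-03-08T13:00:00 alice download 11000000",
    "2024-03-04T09:30:00 bob login",
    "2024-03-04T12:00:00 bob download 7000000",
    "2024-03-05T13:00:00 bob download 9000000",
]

# Constructed sample: the day under review.
REVIEW_LOG = [
    "2024-03-11T02:40:00 alice login",
    "2024-03-11T02:45:00 alice download 900000000",
    "2024-03-11T02:50:00 alice usb_mount",
    "2024-03-11T03:05:00 alice email_external 45000000",
    "2024-03-11T09:02:00 bob login",
    "2024-03-11T10:15:00 bob download 8000000",
]

WORK_HOURS = range(7, 20)      # 07:00-19:59 is treated as normal (assumption)
SIGMA_MULTIPLIER = 3.0         # downloads above mean + 3*stdev are unusual
INDICATOR_WEIGHTS = {          # assumed weights; several weak signals add up
    "off_hours_login": 1,
    "large_download": 3,
    "usb_storage": 2,
    "external_email": 3,
}
ALERT_THRESHOLD = 5            # a single indicator alone does not alert


def parse(line):
    """Split one log line into (timestamp, user, action, size_bytes)."""
    ts, user, action, *rest = line.split()
    size = int(rest[0]) if rest else 0
    return datetime.fromisoformat(ts), user, action, size


def build_baseline(lines):
    """Per-user (mean, population stdev) of download sizes from good activity."""
    sizes = defaultdict(list)
    for _, user, action, size in map(parse, lines):
        if action == "download":
            sizes[user].append(size)
    return {u: (mean(s), pstdev(s)) for u, s in sizes.items()}


def score_user_day(lines, baseline):
    """Return {user: (score, sorted list of distinct indicators)} for `lines`."""
    hits = defaultdict(list)
    for ts, user, action, size in map(parse, lines):
        if action == "login" and ts.hour not in WORK_HOURS:
            hits[user].append("off_hours_login")
        elif action == "download":
            mu, sd = baseline.get(user, (0.0, 0.0))
            # A user with no baseline is treated as anomalous on any download.
            if user not in baseline or size > mu + SIGMA_MULTIPLIER * sd:
                hits[user].append("large_download")
        elif action == "usb_mount":
            hits[user].append("usb_storage")
        elif action == "email_external":
            hits[user].append("external_email")
    result = {}
    for user, inds in hits.items():
        distinct = sorted(set(inds))
        result[user] = (sum(INDICATOR_WEIGHTS[i] for i in distinct), distinct)
    return result


def alerts(lines, baseline):
    """Only users whose combined indicator score meets ALERT_THRESHOLD."""
    return {u: v for u, v in score_user_day(lines, baseline).items()
            if v[0] >= ALERT_THRESHOLD}


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for user, (score, inds) in alerts(REVIEW_LOG, base).items():
        print(f"{user}: score={score} indicators={inds}")
```

Running the block flags only alice, who triggers four indicators in one night; bob, whose 8 MB download sits inside his own baseline, produces no findings. The weighting is the point: as the article says, no single item on the list is conclusive, so the alert fires on the combination rather than on any one event.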
Insider threat examples
A compromised employee
Hackers compromised multiple high-profile Twitter accounts using a phone-based spear phishing campaign and gained access to account support tools that helped them break into more than 100 Twitter accounts.
A departing employee
In this insider threat example, an employee stole proprietary product information after receiving a job offer from a competitor. The employee downloaded more than half a million pages of his employer’s intellectual property (IP) to his personal devices, knowing that the information would be helpful at the new job.
An employee error
An innocent municipal employee deleted more than 20TB (terabytes) of data. Among the destroyed files were more than 10TB of videos, photos, and case notes.
A former employee
A former employee became an insider threat when, disillusioned with his employer, he used a secret account he had created during his tenure to access the company’s shipping system and deleted critical shipping data, delaying vital product deliveries.
A security-evading employee
An employee emailed a confidential spreadsheet to his wife to get her help in resolving formatting issues. The spreadsheet contained tens of thousands of employees’ personal information in hidden columns. Bypassing security protocols and sending the spreadsheet to an unsecured device and a non-employee resulted in employee identification numbers, places of birth, and social security numbers being compromised.
A terminated employee
This example of an insider threat occurred when an employee who had been terminated stole confidential sales enablement data, evading data loss prevention (DLP) controls, downloading high-value documents to a USB drive, and sharing them.
A third party non-employee
Cyber attackers exploited the credentials of third-party employees to hack an application used by thousands of companies. The attackers stole millions of records with individuals’ personally identifiable information (PII), resulting in a fine of almost $20 million.
Protecting the enterprise from insider threats
Although there is no way to eliminate the risk of an insider threat occurring, there are steps that can be taken to mitigate it. To combat insider threats:
- Remember that they are a human problem
- Keep security solutions and processes up to date
- Be aware of where sensitive data and resources are and who has access to them
- Be mindful of what access you provide to your third-party non-employees
- Monitor user and network activity continuously
- Take action immediately when a security incident is identified
- Maintain granular visibility into all systems’ activities
- Set systems to trigger alerts when anomalous activity is detected
- Investigate the root cause of security incidents
- Establish baselines for normal user behavior
- Segment networks to contain incidents
- Enforce the principle of least privilege
- Use virtual private networks (VPNs) to encrypt data and enable users to keep their browsing activity anonymous
- Develop and enforce robust security policies and programs
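Several of the steps above (knowing who has access to what, enforcing least privilege, keeping processes up to date) and the earlier point that lax offboarding lets former employees retain access come down to one recurring control: reconciling the account directory against the HR roster and a role-based access policy. The following is an added example, not code from the original article or any product it describes, that performs that reconciliation on constructed data. The roster and directory field names, the users, and the role-to-group policy are assumptions chosen for the example.

```python
"""Reconcile an HR roster with an account directory to catch lingering or
over-privileged access.

Added example with constructed data. Field names, users and the role-to-group
policy are assumptions, not any identity product's schema.
"""
from datetime import date

# Constructed HR roster: who is employed and until when (None = still active).
HR_ROSTER = [
    {"user": "alice", "role": "engineer", "end_date": None},
    {"user": "bob", "role": "finance", "end_date": None},
    {"user": "carol", "role": "engineer", "end_date": date(2024, 2, 29)},
    {"user": "dave", "role": "contractor", "end_date": date(2024, 6, 30)},
]

# Constructed account directory export (what an IdP or AD dump might contain).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": {"engineering", "vpn"}},
    {"user": "bob", "enabled": True, "groups": {"finance", "vpn", "domain-admins"}},
    {"user": "carol", "enabled": True, "groups": {"engineering", "vpn"}},
    {"user": "dave", "enabled": True, "groups": {"contractors"}},
    {"user": "svc-backup2", "enabled": True, "groups": {"domain-admins"}},
]

# Assumed least-privilege policy: the maximum group set each role may hold.
ROLE_POLICY = {
    "engineer": {"engineering", "vpn"},
    "finance": {"finance", "vpn"},
    "contractor": {"contractors"},
}

# Constructed review date; in practice this would be date.today().
REVIEW_DATE = date(2024, 3, 15)


def reconcile(roster, accounts, today):
    """Return findings as (user, finding, detail) tuples, in directory order.

    Findings:
      no_hr_record         account with no matching person (orphaned/unauthorized)
      departed_but_enabled person's end date has passed but the account is enabled
      excess_groups        groups beyond what the person's role allows
    """
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in accounts:
        user = acct["user"]
        rec = by_user.get(user)
        if rec is None:
            findings.append((user, "no_hr_record", sorted(acct["groups"])))
            continue
        departed = rec["end_date"] is not None and rec["end_date"] < today
        if departed and acct["enabled"]:
            findings.append((user, "departed_but_enabled", rec["end_date"].isoformat()))
        allowed = ROLE_POLICY.get(rec["role"], set())
        excess = acct["groups"] - allowed
        if excess:
            findings.append((user, "excess_groups", sorted(excess)))
    return findings


def run_review():
    """Run the reconciliation on the constructed data as of REVIEW_DATE."""
    return reconcile(HR_ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding, detail in run_review():
        print(f"{user}: {finding} {detail}")
```

On the constructed data the review surfaces three distinct problems: carol left at the end of February but still has an enabled account (the lax-offboarding case), bob holds a domain-admins membership his finance role does not justify, and svc-backup2 has no owner on the roster at all. Scheduling this comparison and treating each finding as a ticket closes the gap between HR events and directory state that departing and former employees exploit.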
Which organizations are at risk of insider threats?
Organizations of all types are at risk for insider threats due to the wide-ranging motivations for the perpetrator in the case of malicious insiders and the fact that any user at any organization can become an accidental insider. However, those most susceptible to data breach attacks are those that gather and store sensitive information.
Types of information commonly targeted by insider threats include:
- Federal tax information (FTI)
- Government-sensitive data
- Intellectual property (IP)
- Payment card information (PCI)
- Personally identifiable information (PII)
- Protected health information (PHI)
- Student data and student education records, which are protected by the Family Educational Rights and Privacy Act (FERPA)
Insider threat FAQ
How can insider threats be prevented?
While insider threats cannot be prevented entirely, the risk can be reduced by continuously monitoring users’ physical and digital activity and behavior, network activity, and system logs, as well as through ongoing security training.
What risks are associated with insider threats?
The list of risks from an insider threat is long; commonly cited risks include data corruption, data theft, financial fraud, and ransomware attacks.
Where do insider threats originate?
An insider threat arises from a user who has legitimate access to an organization’s resources, including:
- A malicious employee who uses their access to steal sensitive information
- A negligent third party who compromises security by not implementing and following security best practices
- An employee or third-party non-employee who
  - has been provided a computer and/or network access
  - has been provided with a badge or access device
  - has privileged access to sensitive information and resources
  - has some knowledge about an organization’s operations
  - unintentionally or willfully fails to follow cybersecurity rules
- An employee who has been terminated or resigned, but retains and uses active credentials or enabled profiles
- Anyone with knowledge about the organization’s fundamentals, including pricing, future plans, product development, as well as organizational strengths and weaknesses
What are three categories of insider threats?
- Compromised—A cybercriminal uses credentials stolen from a legitimate employee and poses as an authorized user to steal sensitive information, often without the user’s knowledge.
- Negligent—A legitimate employee accidentally misuses or exposes sensitive information, often as a result of social engineering, lost or stolen devices, or sending emails or files without authorization.
- Malicious—An authorized user (e.g., current or former employees, third parties, or partners) deliberately misuses privileged access to steal sensitive information for nefarious purposes, such as fraud, sabotage, ransom, or blackmail.
What are two types of insider threat individuals?
Insider threat individuals include pawns and turncloaks. Pawns are employees who are tricked into facilitating a cyberattack (e.g., falling for a social engineering ploy and disclosing their credentials, or being enticed into downloading malware).
Usually, turncloaks are employees who intentionally exploit their employer for financial gain or harm to the organization. In some cases, the turncloak profile is not malicious, as in the case of a whistleblower.
Combating the stealthy insider threat
Organizations spend vast amounts of resources combating external threats. While these pose serious concerns, the stealthy insider threat must not be overlooked. Often hiding in plain sight, an insider threat can be as damaging, or more so, than an external threat.
The good news is that an insider threat is, in most cases, easier to detect and stop than external threats. With proper monitoring and training, the insider threat challenge can be addressed. In most cases, many of the tools used to combat external threats can be used to stop an insider threat before it results in an incident.