What is an insider threat?
An insider threat is a cyber security risk introduced by an individual with access to a company’s systems and data. Insider threats can arise from anyone with authorized access to a company’s underlying network and applications, such as employees, partners, vendors, interns, suppliers, or contractors.
Not all insider threats are necessarily malicious. Some occur due to human error and some occur because an employee is just trying to work more efficiently with tech or apps they prefer.
In today’s relentless cyber threat landscape, it’s easy for companies to spend an excessive amount of time, money, and effort protecting themselves from external attacks. But with the shift to remote and hybrid work environments, the worst threats might be sitting right in front of you, operating from the inside and risking the exposure of trade secrets, HR information, customer data, and more.
Because so many individuals have legitimate access to company systems, it’s easy for malicious or even unintentional leaks to happen under your company’s radar.
In this blog, you’ll discover how to identify insider threats, how they occur, and tips for defending your organization against them.
Types of insider threats
While insider threats are tough to detect and prevent, you can start to mitigate them by understanding the different forms they take.
Here’s a closer look at five typical types of insider threats:
Malicious insiders use their privileged access to commit fraud, intellectual property (IP) theft, sabotage, or espionage. These insiders are motivated by money, personal reasons, or other negative factors, and may operate in a team or on their own.
One specific type of malicious insider, the lone wolf, operates alone, often having proximity to a company’s sensitive systems like networks or databases. This allows them to expose HR records, passwords, and more.
Not all insider threats stem from spiteful intent or from a desire to get a leg up in the next job. Sometimes employees fail to recognize threats or unintentionally expose data simply through error, using options that are more efficient or unwittingly participating in hackers’ scams.
Some negligent workers are goofs: employees who purposely disregard a company’s security procedures but harbor no malicious intent. They may be careless and lose a work device that gets compromised, accidentally download malware, or even let a family member use their machine, a much more common incident in hybrid work, where employees use their computers at all hours, not just in the office.
It’s not only employee negligence you need to watch out for, but third-party contractors and interns as well. Many companies’ third-party partners, suppliers, or consultants have permission to use company platforms, and 72% of the time, these workers have elevated permissions.
Unfortunately, this means that third-party players pose the same risks as employees with the same level of access, whether they’re being malicious or not. Something as simple as emailing a client’s files to a personal computer means that an organization can no longer track how someone uses that file or who has access to it—making the risk that it falls into the wrong hands very challenging to mitigate.
Modern companies have security policies designed to safeguard their data, customers’ data, and employees. However, workers can find these protections inconvenient, leading them to create workarounds that increase the chances of a cyberattack. Even transferring company files to a personal laptop can relinquish some of an organization’s control over that data, opening the doors to theft.
For example, an employee could bypass restrictions on data sharing by saving files to a personal cloud drive, a practice known as shadow IT. This workaround can destroy an organization’s visibility and control over its data and leave it open to compromise (intentional or otherwise).
Inside agents are employees or partners who work on behalf of an external group to carry out a data breach or other attack. These types of insider threats can be a pawn or a mole.
Pawns are not aware they’re acting as insider agents because they’ve fallen victim to a phishing or social engineering scheme. With the data that this inside agent provides, an external actor can then wreak havoc with the proper credentials, banking information, or classified information.
A mole is an imposter who has gained access to internal systems, posing as an employee, partner, vendor, or contractor. Sometimes moles offer insiders compensation for letting them into the network to steal trade secrets, customer data and more, or they coerce them through blackmail.
Some employees don’t leave on good terms, and even when they do, it’s natural to stockpile data during uncertain times or to take materials you’re proud of to get a leg up in your next job.
Departing employees might send a list of prospects, strategy slides, or lines of code they’ve written to personal email addresses, or commit a branch of code to their personal code repository via Git. They’ll likely do this in the 90 days before submitting their notice. Hence, paying particular attention to a departing employee once you know they’re leaving is only helpful in the case of layoffs, furloughs, and organizational change.
Additionally, disgruntled former employees who can still log into applications or know how to circumvent company security might steal and expose sensitive data out of revenge.
Want to learn more about how workforce volatility has affected data exposure? Download the Code42 Annual Data Exposure Report.
Technical indicators of insider threats
With so many ways for insider threats to arise, the best way to detect and ultimately deflect them is to look for consistent data movement and digital signals.
Insider threat actors can leave a trail of activities or characteristics that suggest corporate data is at a higher risk of exposure or exfiltration. While each of the below indicators may be benign on its own, a combination of them can increase the priority of data loss events—making it clearer that there’s an insider threat occurring:
- Zip file exfiltration
- Attachment sent via ProtonMail
- Corporate data movement to personal versions of approved applications
- Accessing information that isn’t relevant to their job function
- Spikes in outbound data exfiltration attempts
- Airdrop transfers
- Renaming files where the file extension doesn’t match the content
- Installing hardware, software, or malware
Keeping an eye on these signals can help security teams spot unusual activity and stop insider threats before they turn into a breach.
Some cyber security vendors might suggest monitoring employee behavior—particularly for actions showing that they’re disgruntled or dissatisfied—to detect an insider threat, but this is often unproductive.
Why monitoring behavioral indicators alone is ineffective
Looking at employee behavior approaches the problem from the wrong angle. If you check for employees doing something different or strange and then look for something terrible that happened to data, your position of inherent distrust often delivers false positives and breeds resentment among employees. When security and employees are adversaries, building a more secure culture becomes an uphill battle.
Instead, if you monitor all data, see when it moves to untrusted locations, and then respond appropriately to the event’s severity and data type that someone moved, you take employee intention out of the equation. You won’t harass employees who might be doing their job perfectly well—just later at night because of a sick kid. And, just as significantly, you’re following up on a few actual risk signals instead of every anomalous behavior.
How to protect against insider threats
While upper management and security teams can certainly watch out for digital and behavioral indicators, that shouldn’t be a company’s only protection method. Instead, they should approach their insider threat program from three perspectives: establishing normal user behavior, identifying and protecting critical assets, and mitigating risk.
Additionally, providing continual training to employees will keep security top of mind and create a culture around security.
Create a baseline of trusted activity
You need to know what trusted activities are before you can spot risky data access movement. Your optimal cyber security software will have built-in features that establish and infer a baseline of trusted data access activity to use as a comparison when tracking everyday data movement.
The activity of interest might be authentication methods, access times and VPN logs. Your cyber security system should alert security teams when anomalies appear so they can review and determine whether the irregularities are, in fact, potential insider threats.
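The indicator list above and the baseline approach just described can be combined into one scoring pass over data-movement events: each event earns a point per tripped indicator (untrusted destination such as a ProtonMail or personal cloud account, zip archive, file extension that disagrees with the content) and a further point when the user’s outbound volume for the day spikes above their own history. This is an added illustration, not Code42 or Incydr code; the event fields, the untrusted-destination list, the magic bytes, and the sample users and events are all constructed.

```python
import statistics
# Constructed: personal/unsanctioned destinations from the indicator list above.
UNTRUSTED = {"protonmail.com", "drive.google.com/personal", "airdrop"}
# Leading bytes of a few content types, to catch extension/content mismatches.
MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x89PNG": "png"}

def content_type(header: bytes) -> str:
    """Real content type from the first bytes, or 'unknown'."""
    return next((k for m, k in MAGIC.items() if header.startswith(m)), "unknown")

def event_indicators(ev: dict) -> list:
    """Indicators from the list above that one data-movement event trips."""
    hits = []
    if ev["destination"] in UNTRUSTED:
        hits.append("untrusted_destination")
    kind = content_type(ev["header"])
    if kind == "zip":
        hits.append("zip_archive")
    if kind != "unknown" and ev["filename"].rsplit(".", 1)[-1].lower() != kind:
        hits.append("extension_mismatch")  # e.g. a zip renamed to .txt
    return hits

def is_spike(total: int, history: list, k: float = 3.0) -> bool:
    """True when today's outbound bytes exceed mean + k*stdev of the user's own baseline."""
    return len(history) >= 2 and total > statistics.mean(history) + k * statistics.pstdev(history)

def prioritise(events: list, baseline: dict) -> list:
    """One point per indicator plus one for a volume spike; (score, user, file, hits), highest first."""
    today = {}
    for ev in events:
        today[ev["user"]] = today.get(ev["user"], 0) + ev["bytes"]
    scored = []
    for ev in events:
        hits = event_indicators(ev)
        if is_spike(today[ev["user"]], baseline.get(ev["user"], [])):
            hits.append("volume_spike")
        scored.append((len(hits), ev["user"], ev["filename"], hits))
    return sorted(scored, key=lambda s: s[0], reverse=True)

# Constructed sample: 30 days of outbound bytes per user, then today's events.
BASELINE = {"alice": [5_000_000] * 29 + [6_000_000], "bob": [2_000_000] * 30}
EVENTS = [
    {"user": "alice", "filename": "q3-deck.pdf", "destination": "sharepoint.corp.example",
     "bytes": 4_000_000, "header": b"%PDF-1.7"},
    {"user": "bob", "filename": "notes.txt", "destination": "protonmail.com",
     "bytes": 900_000_000, "header": b"PK\x03\x04\x14\x00"},
    {"user": "bob", "filename": "photo.png", "destination": "drive.google.com/personal",
     "bytes": 3_000_000, "header": b"\x89PNG\r\n"},
]
```

Running `prioritise(EVENTS, BASELINE)` ranks bob’s renamed zip sent to ProtonMail first with four indicators, his personal-drive upload second, and alice’s routine SharePoint upload last with none, which is the point of scoring combinations rather than alerting on each signal alone.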
Gain visibility of all your data and its movement
You may have heard of protecting your most critical assets, but it’s easier and more efficient to treat all data as essential and monitor its movement accordingly.
Inadvertent data exposure occurs up to 34 times per user every day, so protecting all data as if it’s critical helps minimize the risk of accidentally moving sensitive information and creating a situation for IP theft.
Ensure employees know that monitoring data movement to untrusted locations isn’t the same as surveillance. Instead of tracking keystrokes, taking pictures of screens, watching performance or other invasive activities, a company monitoring the data it owns is in the interest of employees and the company since it protects innovation and competitive edge.
Manage insider threat by addressing risk
The 2023 Data Exposure Report by Code42 found that CISOs rank insider risk as the most difficult threat to detect within their organizations. Insider risk is data exposure that jeopardizes the well-being of an organization and its employees, customers, or partners.
Instead of looking for a needle in a haystack and that one person who’s an insider threat, consider implementing a modern data protection strategy by monitoring activities that place sensitive information at risk. This approach prepares you to respond to any potential data breach, regardless of the intent behind it.
Executing data protection isn’t about surveilling employees or waiting for them to slip up. It’s about monitoring data changes and movement, looking for risk indicators and prioritizing that risk. Based on the priority, you can take action quickly to contain damage and prevent a breach.
The quickest way to discover insider risks is with the assistance of intelligent software. Unlike humans, AI-based tools can continuously monitor a company’s systems and bring risks that you may not even notice to light. The best platforms scan all systems for vulnerabilities, empowering security teams to patch them quickly.
Train employees and create a culture of security
Another component of data protection is providing continuous training to employees. Training that focuses on security best practices and the “why” behind policies can benefit a team. Reminding employees of why policies are in place can cut down on security evasion. Keeping best practices top of mind fights negligence and encourages employees to establish good behaviors that follow a company’s protocols.
By emphasizing the importance of cyber security company-wide, businesses create a culture that places value on security and risk management, which can ultimately lead to fewer insider threats.
Examples of insider threats
Insider threats might seem alarming in theory, but they’re even more dangerous in real life. Here are a few examples of insider threats:
- In 2022, Yahoo sued a former research scientist who stole proprietary source code about their AdLearn product. Minutes after receiving a job offer from a competitor, the employee downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job. In the lawsuit, Yahoo claimed the stolen data would give competitors an immense advantage.
- In 2020, Stradis Healthcare let go of employee Christopher Dobbins who then, acting in revenge, penetrated the company’s network. Once he was in, he gave himself admin access and edited or deleted over 120,000 records, delaying PPE shipments for months.
- In 2020, former Google executive Anthony Scott Levandowski stole trade secrets from the company’s self-driving car department and took them to his new job at Uber. Levandowski admitted that Google may have lost up to $1,500,000 due to his theft.
These are just three examples of real insider threats that happen every year, causing severe financial and reputational damage.
Protect against insider threats with Code42 Incydr
From harming a company’s reputation with customers to stripping them of funding to exposing proprietary innovations, insider threats can have devastating consequences. Part of the reason safeguarding against insider threats is challenging is because legacy DLP software has a siloed view of data movement, missing dozens of threatening exfiltrations. Instead of guessing at which exfiltration is a threat, consider a modern approach to data protection.
Code42 Incydr is an intelligent data protection solution that identifies risky data movement, not just the exfiltrations that security has classified, helping you see and stop potential insider threats. Incydr automatically detects data leaks to untrusted cloud apps, blocks unacceptable exfiltrations, and tailors security’s response based on the offender and the offense. Employees who make security mistakes are automatically sent educational training to correct user behavior and reduce insider threat risk over time.
Take action against insider threats
Data has never been more vulnerable to employee leak and theft. Discover how Incydr helps security teams focus on tackling only the most critical insider threats.