What is an insider threat?
90% of security budgets today are dedicated to technology and resources to deal with external threats, but 60% of data breaches originate from employees. Most organizations focus on potential cyber threats originating from outside of their networks. However, this isn’t the only potential source of risk to a company. Insider threats are users with legitimate access to an organization’s network and other resources that pose a risk to the company’s cybersecurity. These can include employees, contractors, vendors, and anyone else that has a network logon or can access a company’s files.
How are insider threats and Insider Risks different?
Insider threats and Insider Risks are two different ways of looking at the same problem. Insider threats are a type of Insider Risks. Both of them deal with the potential that a trusted insider causes damage to the organization through a data breach or similar incident, but they focus on different aspects of this.
Insider threat is a user-focused view of the problem. The difference between “internal” and “external” threats is based on where the threat actor is located. In an insider threat, the focus is on the user and how their actions resulted in a breach or other harm to the organization. Insider threat management attempts to identify potential threat actors and mitigate the risk that they pose.
Insider Risk, on the other hand, is a data-focused perspective. Instead of attempting to manage the human side of risk, Insider Risk Management looks at the data that could be breached and implements monitoring and protections that make it difficult for any threat actor to successfully perform a data breach.
What are examples of insider threats?
Insider threats are any users that pose a risk to an organization and its data. Most organizations focus insider threat management efforts on users who are actively working to harm the organization. Examples of malicious insider threats include:
- Non-Voluntary Departures: Employees that have been terminated or fear leaving a company due to re-orgs or mergers and acquisitions (M&As) may take sensitive data with them to their next position.
- Regular Departures: Even employees that have left voluntarily can be an insider threat. The most common scenario and highest risk of insider threat is when an employee leaves to join a competitor. Not always malicious in nature, most users simply take the data without thinking about who owns it or the harmful, unintended consequences.
- Privileged Users: Employees with the highest levels of access and privileges regarding sensitive data or systems pose the most risk to an organization if they choose to abuse this access.
However, malicious intent is not necessary for an insider threat. In fact, 60% of data breaches performed by insiders are unintentional. These unintentional breaches are caused by employee negligence. Examples of negligent activities that place data at risk include:
- Unauthorized Cloud Storage: The cloud is convenient for storing and sharing data, but many personal cloud drives are improperly secured. This may allow an attacker to access company data on publicly-accessible cloud storage.
- Unencrypted Removable Media: Removable media like USB drives and external hard drives used to transport data while traveling may be a source of data leakage if lost or stolen.
With insider threats, motivation is immaterial. The issue is that trusted parties have the ability to cause a data breach or similar incident through their actions (whether malicious or negligent).
Why are insider threats so dangerous?
Insider threats are dangerous because they involve an internal actor that is taking actions that can cause damage to the company. These actions could be inspired by malice, laziness, or other negligence. With the legitimate access that this person has, they have the potential to cause significant harm before the threat is detected and remediated.
However, most of this danger comes from the Insider Risk, not the insider threat. Insider Risk – when data is insufficiently protected – creates the danger of unintentional compromise via employee negligence. In contrast, effective data monitoring renders even malicious insiders impotent or dramatically decreases the damage that they can do.
Mitigating the impact of insider threats requires effectively managing Insider Risk.
How can we prevent insider threats?
Insider threat prevention is a complicated issue. One of the main enablers of an insider threat is the legitimate access that they have to an organization’s systems and data. Take that access away, and the threat is effectively neutralized.
However, taking that access away isn’t really an option for most organizations. The access that insider threats abuse is the same access that they need to do their jobs. This makes insider threat “prevention” difficult because blocking all potentially risky activities leaves employees unable to do their jobs.
A better approach to insider threat management is Insider Risk mitigation. For an insider threat to cause damage to an organization, it needs to be able to access and exfiltrate the data without detection. While an organization may wish to allow insiders access to data – in order to do their jobs – they often have a window between the initial access and the breach to respond.
With visibility into Insider Risk, an organization can respond appropriately to potential breaches without negatively impacting employee productivity.