You’ve heard tales of insider threats and how they can leak valuable trade secrets, HR information, customer data and more — intentionally or not. But what’s the best way to vanquish them? You don’t always get banshees & grims as warnings, sometimes you have to look closer for insider threat indicators.
1. Eerie data movement
Excessive spikes in data downloads, sending large amounts of data outside the company, and using Airdrop to transfer files can all be signs of an insider threat. You may have tried labeling specific company data as sensitive or critical to catch these suspicious data movements. However, even with the most robust data labeling policies and tools, intellectual property can slip through the cracks – especially if that risky data movement is kept under wraps by insiders. It’s more effective to treat all data as potentially sensitive and monitor file movements to untrusted devices and locations.
2. Use of unsanctioned software and hardware
Negligent and malicious insiders may use dark magic like unapproved tools to streamline work or simplify data exfiltration. For instance, a project manager could sign up for an unauthorized application and use it to track the progress of an internal project. Villainous actors might install the ProtonMail extension to encrypt files they send to their personal email. Regardless of intention, shadow IT may indicate an insider threat because unsanctioned software and hardware produce a gap in data security that could allow your most protected data to *poof*, disappear.
3. Increased requests for escalated privileges or permissions
It’s not unusual for employees, vendors, or contractors to need permission to view sensitive information. It becomes a concern when an increasing number of people want access to it. The more complex the web of access, the more potential risks to sensitive data. For example, a malicious insider may want to harvest data they previously didn’t have access to so they could sell it on the dark web. In another situation, a negligent insider who accessed it from an unsecured network may accidentally leak the information and cause a data breach. The more people with access to sensitive information, the more inherent insider threats you have on your hands.
4. Access to information that’s not core to their job function
Another potential signal of an insider threat is when someone views data not pertinent to their role. For instance, it would be suspicious if a marketing employee attempted to access their colleagues’ social security numbers since they don’t need this information to do their job. While that example is explicit, other situations may not be so obvious. If an employee is working on a highly cross-functional project, accessing specific data that isn’t core to their job function may seem okay, even if they still don’t truly need it. These situations, paired with other indicators, can help security teams uncover insider threats.
5. Renamed files where the file extension doesn’t match the content
Malicious insiders, like magicians, may try to mask their data exfiltration by working spells to rename files. For example, a magician who renames a PowerPoint file of a product roadmap to “2022 support tickets” is trying to hide its actual contents. Transforming zip files to a JPEG extension is another example of concerning activity. A data security tool that can find these mismatched files and extensions can help you detect potentially suspicious activity.
6. Dearly departing employees
Whether an employee exits a company voluntarily or involuntarily, both scenarios can trigger insider threat activity. Employees may forward strategic plans or templates with them to the afterlife using personal devices or storage systems to get a leg up on the other side. Others with more hostile intent may steal data and give it to competitors. Departing employees are another reason why observing file movement from high-risk users, instead of relying on data classification, can help detect data leaks.