The first thing we need to consider in a modern data-focused insider threat program is right there in the name: the insider. Insiders can be employees, contractors or third-party vendors who have authorized access to internal data or computing systems. A good security plan will already restrict access to data on an as-needed basis. For instance, those in Engineering probably shouldn't have access to Human Resources data.
But it's not so much who the insiders are as what they're doing. Not all insider threats are malicious. Most are accidental. Technology has made it easy for employees to share files via personal email and the cloud legitimately. One wrong click, though, and an organization could be on the hook for millions of dollars in lost revenue, fines for non-compliance, a loss of intellectual property, and damage to the brand.
Malicious insiders have all the classic motivations, ranging from financial gain to wanting to harm an organization in a specific way. Hackers are sometimes forgotten as an insider threat, but once they gain access to a system inside, they qualify as an insider threat.
But more recently, workforce turnover has accounted for more than half of all insider threat incidents. According to the US Bureau of Labor Statistics, job turnover in the US is at an all-time high, and that turnover creates risk. The simple act of changing jobs can tempt employees to take company data. Roughly 2/3 of employees admit to taking data when they leave. Some are merely trying to make their next job easier. Others believe the files belong to them because, after all, it's their work. More nefarious employees might use sensitive data as leverage when negotiating a new job offer.
Insider threat isn't limited to data leaving your organization. What about the data coming into your organization? What if a new employee successfully exfiltrated data from their previous job, a competitor, for example, and brought that data into yours? Yeah, pretty sure your legal team is very interested in avoiding the impending lawsuit.
Whether they're employees, contractors, or third-party vendors, it's not the people that are a threat, it's their actions, malicious or accidental. Most insider threats are accidental. For those that are not, in addition to the classic motivations, employees are changing jobs at a record pace. And more often than not, when they leave, they take data with them.
Of course, the insider isn't the only thing we need to consider. Check out our other videos to learn more about the whys and whats before we tackle the hows of building a modern insider threat program.