March 20, 2024
XX Minute Read

Understanding Insider Threats: Definitions, Types, and Categories

In today's digital landscape, insider threats pose a significant and often underestimated risk to organizations. These threats come not only from malicious employees but also from those who unintentionally cause harm. These threats come not from distant hackers and cybercriminals but from those within an organization's walls – trusted employees, contractors, or business partners. The implications of such threats are profound, as they can potentially compromise the foundation of an organization's security infrastructure. Therefore, understanding the different types and categories of insider threats is crucial for effective cybersecurity strategies.

What is an Insider Threat? - A Detailed Definition

At its core, an insider threat in cybersecurity refers to internal threats posed by individuals with access to sensitive information and systems. This can include employees, former employees, contractors, or business partners. What makes insider threats particularly daunting is their inherent level of authorized access, which can be leveraged to inflict damage, intentionally or unintentionally. The risk from insider threats can manifest in various forms, ranging from data breaches to intellectual property theft.

{{ promo }}

Types of Insider Threats: An Overview

Insider threats come in many forms with different underlying causes and motivations. The common denominator is a trusted insider, often an employee, taking or exposing an organization’s sensitive information. Insider threat examples include direct theft of company data brought to a competitor, the public exposure of private data, or simply any data taken out of the organization where it is no longer under enterprise control. At a high level, there are several types of insider threats. The five most common insider threats include:

  • Malicious Insider Threats. Malicious insiders are the people who abuse company data and assets on purpose with deliberate malicious intent. These insiders could be disgruntled employees who are motivated to sell company data for financial gain or leak sensitive data in order to cause damage to the organization. Departing employees may take data to a new company for their professional gain. Additionally, malicious insiders are increasingly recruited, bribed, or extorted by outside actors such as nation-states or ransomware groups.
  • Opportunistic Insider Threats. Opportunistic insiders are very common and can be thought of as malicious insiders without premeditated intent. An opportunistic insider may collect sensitive information over time without initially intending to misuse the data. At a later time, the user may decide to misuse that data, such as after moving to a new company or after being fired. Both opportunistic and malicious insiders intentionally misuse data. However, the opportunistic insider is an important distinction because the user abuses data that the organization has already lost control of.
  • Negligent Insider Threats. Negligent insiders expose data or assets by consciously breaking security policy. The intention may not be to cause harm but rather simply to perform a task in a way the user perceives as faster or easier. For example, a user who intentionally sends an important file to their personal webmail in order to work remotely without going through the company VPN and remote authentication process is negligent. Once again, the damage of such behavior can be the same regardless of the user’s motivation.
  • Accidental Insider Threats. Many users will expose data purely by accident. Modern applications make it very easy to share data, and a busy, distracted user can easily make mistakes that can take data out of the company’s control. For example, a user may accidentally upload an important file to a personal Dropbox account with public permissions instead of privately in a corporate account. Or a user may inadvertently share a file with the wrong person in the company’s Google Drive when they type in the recipient’s name and, in a rush, send it without noticing the browser autocompleted the recipient to someone else with the same first name.
  • Compromised Insider Threats. The compromised end user can blur the lines between an insider threat and a more traditional external threat. A compromised user occurs when a threat actor or malware is able to take control of a user’s machine and/or credentials to steal data and other critical assets. In many cases, this is still considered an external threat. However, many of the underlying behaviors in which the attacker attempts to aggregate and exfiltrate sensitive data can mimic that of an insider threat. As a result, insider threat security tools can be highly valuable in preventing the loss of data and even in the ability to detect external threats.

Real-World Examples of Insider Threats

Examining real-world cases provides valuable insights into the nature and impact of insider threats. It also highlights the importance of proactive measures in mitigating these risks.

Apple’s autonomous vehicle division experienced multiple exfiltration attempts within a two-year time frame

In just three years, Apple's autonomous vehicle project faced several significant insider threat incidents, each distinct yet underlining the same crucial concern: the vulnerability of sensitive corporate data to insider exfiltration. These incidents, involving Xiaolang Zhang, Jizhong Chen, and Weibao Wang, though similar in their association with Apple's secretive automotive division, each reveal different aspects of how insider threats can manifest in high-stakes technology sectors.

Xiaolang Zhang's case, which came to light in 2018, is particularly illustrative of the classic insider threat scenario. Zhang, who worked on circuit boards to analyze sensor data, utilized his authorized access to download a substantial volume of confidential data, including technical manuals and reports, during a period of leave. His intent to join a Chinese electric vehicle startup immediately raised suspicions, leading to his eventual arrest on trade secret theft charges. This incident underscores the risks posed by employees transitioning to competitors and the necessity of monitoring data access patterns, especially during significant career transitions.

In contrast, the 2019 arrest of Jizhong Chen paints a slightly different picture. Chen was apprehended after co-workers observed him taking unauthorized photographs in sensitive work areas when he discovered he had a large cache of Apple’s intellectual property on his computer.

Lastly, the case involving Weibao Wang, though less publicized, adds another layer to the insider threat narrative at Apple. While specific details are scarce, Wang's implication in potential intellectual property theft points to a broader pattern within Apple's autonomous vehicle project. It highlights the need for consistent vigilance with regard to protecting IP.

Yahoo loses 570,000 pages of source code to an employee departing to a competitor

Yahoo alleges that former employee Qian Sang exfiltrated intellectual property to a personal device after getting a job offer from a direct competitor to Yahoo’s advertising business unit, The Trade Desk.

Sang was one of the most senior leaders of Yahoo’s AdLearn research team. Specifically, he was the head of their budget spend pacing control system, which is the core engine behind constantly adjusting bid pricing and frequency in the demand-side platform (DSP). He received a job offer from The Trade Desk for a Staff Data Scientist position, which included a raise on his base salary, a six-figure signing bonus, and a stock plan totaling almost $1m vesting over several years.

Upon receiving Sang’s physical devices, Yahoo ran a forensic analysis, which revealed the full measure of his downloaded content, which allegedly included:

  • 570,000 pages of source code (including budget spend pacing control algorithms and source code of AdLearn, aka Yahoo’s engine for the company’s DSP (a digital marketplace for real-time ad buying).
  • Files titled “Bidding Research.”
  • Strategy documents (including competitive analysis of The Trade Desk)

In addition, it was found that Sang had communicated previously via WeChat with someone unidentifiable about using a Western Digital cloud system for file backup functionality.

An Uber hacker access multiple critical systems due to leaked credentials

In September of 2022, a hacker acquired employee credentials through social engineering and bypassed Uber's multifactor authentication in order to access the company VPN. On the network, the hacker discovered admin credentials within Powershell scripts used by administrators, some of which accessed critical company systems, like the company’s privileged access manager, which contained credentials to other core systems.

Understanding the most common insider threat: Unintentional insider threats

While malicious actors often capture headlines, the most pervasive form of insider threat is actually the negligent insider, who typically has legitimate access to the data they’re inadvertently leaking. These individuals unintentionally cause harm due to carelessness, lack of awareness, or failure to follow established security protocols. Unlike malicious insiders, who are motivated by personal gain, negligent insiders’ actions are not driven by harmful intent; the consequences can be just as severe. Incidents involving negligent insiders typically arise from everyday activities, such as misdirected emails, improper handling of sensitive data, weak password practices, or falling prey to phishing emails and other scams. The ubiquity of these scenarios makes mitigation particularly challenging, as they are deeply intertwined with the human elements of the workplace.

The impact of negligence-driven insider threats is often underestimated. Still, it can lead to significant data breaches, loss of intellectual property, and substantial financial and reputational damage to the organization. Even in cases where unintentional insider threats don’t immediately result in a data breach, they weaken your overall security posture, as illustrated in the Uber incident where a hacker was able to find sensitive credentials once on the company’s network. 

The challenge of unintentional insider threat lies in the fact that these risks are rooted in human error and oversight, making them less predictable and harder to detect using traditional security measures. Therefore, security teams wanting to address this challenge require a multifaceted approach. It involves fostering a solid security culture, regular and engaging cybersecurity training tailored to different roles, and implementing user-friendly security tools that minimize the risk of errors. Additionally, continuous monitoring and alerting systems that can detect unusual patterns of behavior or access can serve as effective safeguards against such threats. Organizations can significantly mitigate the risks of negligent insiders by focusing on education, culture, and smart security practices.

Research report
Insider Risk Report Q1 2024: The Cubicle Culprits
Download now
Web page
Read our Cyberhaven for insider risk management overview
Learn more