Insider threats come in many forms with different underlying causes and motivations. The common denominator is a trusted insider, often an employee, taking or exposing an organization’s sensitive information. Examples of insider threats include direct theft of company data that is taken to a competitor, the public exposure of private data, or simply any data that is taken out of the organization to where it is no longer under enterprise control. At a high level, there are several types of insider threats, including:
- Malicious Threats. Malicious insiders are the people who abuse company data and assets on purpose. These insiders could be motivated to sell company data for personal financial gain or may leak sensitive data in order to cause damage to the organization. Departing employees may take data to a new company for their own professional gain. Additionally, malicious insiders are increasingly recruited, bribed, or extorted by outside actors such as nation states or ransomware groups.
- Opportunistic Threats. Opportunistic insiders are very common and can be thought of as malicious insiders without premeditated intent. An opportunistic insider may collect sensitive information over time without initially intending to misuse the data. At a later time, the user may decide to misuse that data, such as after moving to a new company or after being fired. Both opportunistic and malicious insiders intentionally misuse data. However, the opportunistic insider is an important category to distinguish because the user abuses data that the organization has already lost control of.
- Negligent Threats. Negligent insiders expose data or assets by consciously breaking company policy. The intention may not be to cause harm, but rather simply to perform a task in a way the user perceives as faster or easier. For example, a user who intentionally sends an important file to their personal webmail in order to work remotely without going through the company VPN and remote authentication process is negligent. Once again, the damage of such behavior can be the same regardless of the user’s motivation.
- Accidental Threats. Many users will expose data purely by accident. Modern applications make it very easy to share data, and a busy, distracted user can easily make mistakes that take data out of the company’s control. For example, a user may accidentally upload an important file to a personal Dropbox account instead of the corporate account. Or a user may inadvertently share a file with the wrong person in the company’s Google Drive: they type in the recipient’s name and, in a rush, send it without noticing that the browser autocompleted the recipient to someone else with the same first name.
- Compromised Threats. The compromised end user can blur the lines between an insider threat and a more traditional external threat. A user is compromised when an attacker or malware is able to take control of the user’s machine and/or credentials in order to steal data. In many cases, this is still considered an external threat. However, many of the underlying behaviors by which the attacker attempts to aggregate and exfiltrate sensitive data can mimic those of an insider threat. As a result, insider threat security tools can be highly valuable in preventing the loss of data and even in detecting external threats.