Insider threats arise when an organization’s trusted users abuse or misuse their access to sensitive information and assets. These threats can be caused by intentional malicious actions, user negligence, or simple mistakes. But in all cases, these threats can pose serious risks to an organization’s most important data. In order to keep these key assets safe, it is important to understand exactly what insider threats are, how they work, and the keys to preventing them.
What is an insider?
An insider is anyone who has access to an organization’s sensitive information or systems. This can include:
- Employees
Typically the most common class of insider, employees naturally need access to sensitive data and systems in order to do their jobs. Additionally, employees may have access to assets that they do not need, or may have unauthorized data shared with them by other users.
- Former employees
In some cases former employees can retain access to an organization’s data and systems even after they have left the company. Additionally, former employees may have access to data or information that they took with them prior to leaving.
- Executives
Executives are employees, but deserve extra attention as they will typically have access to highly sensitive information due to their job role. This can include corporate secrets and intellectual property that would be highly damaging if lost.
- Board members
Like executives, board members will have access to highly privileged information including insight into organizational strategy and performance.
- Contractors and Services
Organizations routinely work with a wide range of external contractors and service providers who require access to the company’s systems. These privileges can be highly dynamic, particularly in the case of a service provider, which may have several different users servicing the account over time. As with employees, access and privileges for these users are often accidentally left in place even after the user’s contract is complete.
- Partners
Many organizations work with a variety of partners who need or share access to systems and data. Not only must partners be treated as trusted insiders, they have also been the source of many data breaches in recent years.
- Facility staff
Organizations must also be aware of anyone who has privileged access to their environments. This can include non-employees who may have badged access to a building to provide services such as custodial, HVAC, or other facility services.
What is an insider threat?
There are many forms of insider threats, but in all cases a trusted user or asset exposes or steals an organization’s sensitive information. This could be the direct theft of company data that is taken to a competitor, the public exposure of private data, or simply any data that is taken out of the organization where it is no longer under enterprise control. These threats can stem from the intentional actions of a malicious insider as well as unintentional data loss due to negligent users or simple end user errors. Regardless of the motivation, once an insider discloses or takes protected information outside the organization, it is considered an insider threat.
Examples of Insider Threats
Uber and the Long Tail of Insider Risks
The recent revelation of the Uber Files has been one of the biggest stories of the summer, and the ultimate fallout of the data leak will likely be felt for years as the company faces potential legal, financial, and brand impacts.
Apple Engineer Stole 24GB of Files via AirDrop
An Apple employee downloaded highly confidential design schematics for unreleased products, just as he was set to join a direct competitor, XPeng.
Yahoo Employee Stole Source Code & IP
According to a recent lawsuit, Yahoo’s alleged insider downloaded valuable source code, just as he was set to join a direct competitor.
What are the unique challenges of insider threats?
Insider threats can turn an organization’s security model on its head. While most traditional threat prevention focuses on keeping bad guys out or detecting indicators of threats, malicious insiders are already inside and typically can use valid access to get to the data that they need. This leads to several challenges:
- Bypasses traditional threat prevention
Unlike traditional external threats, insider threats typically don’t require exploits, malware, or vulnerabilities in order to access sensitive data. This removes many of the traditional opportunities to detect and prevent an attack. While many external threats must go through a complex multi-step attack chain in order to steal data, insider threats often begin at the very late phase of attempting exfiltration. This means that defenders often have far fewer opportunities to stop the threat, and many of the traditional threat prevention tools will not apply.
- Malicious insiders often have a first-mover advantage
Organizations are at high risk from insider threats when an employee is planning to leave the company. In most cases, users will know their plans before they officially inform the company. While many organizations will step up monitoring or restrict access for users who have given notice, a malicious insider can act before this phase. For example, a user may slowly acquire data or create accounts that they can use to access data after they leave.
- Theft of data via indirect access and sharing
Data often has a long life even after it is initially accessed. Users collaborate on projects, share data and files from user to user, copy/paste data from one file to another, and transform and share data in countless other ways. An insider threat may not be as simple as a user downloading large amounts of data from an application, then immediately trying to upload that data to the internet. However, organizations often struggle to follow the complex flows of data as it moves between users and applications.
- Blends in with normal user behavior
Organizations often look for malicious insiders based on abnormal or anomalous behaviors such as accessing data at unusual times or accessing large amounts of data. However, users can easily aggregate data over time, often in the course of their valid work activities. In the case of accidental insiders, their behavior is often almost identical to their normal work behavior.
- Many options for insider threats to hide
Insider threats have many ways to hide the data they are stealing from security tools. For example, many data loss tools rely on inspecting the content of data leaving the company. Insiders can hide this content by encrypting the data or burying it within compressed archives. Once again, this can even be done without malicious intent, as many applications use encryption and certificate pinning as a way of protecting user data. While this can benefit the user, it can also allow data exfiltration to fly under the radar.
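The slow-aggregation pattern from the "first-mover advantage" and "blends in with normal user behavior" points above (data taken a little at a time, every transfer below a per-day rule) can be surfaced by comparing each user's rolling egress volume with that user's own history. This is an added illustration, not code from the original article or from any product; the audit events, user names, thresholds and 28-day baseline are constructed assumptions, and because the check counts bytes rather than inspecting content it still works when the payload is an encrypted or compressed archive.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed audit events, not real telemetry: (user, day, MB copied to a personal
# destination). alice moves a modest amount weekly; bob did too, then from mid-June
# moves 90 MB every day, each day staying below a naive 200 MB/day rule.
EVENTS = [
    ("alice", date(2022, 6, 1), 40), ("alice", date(2022, 6, 8), 55),
    ("alice", date(2022, 6, 15), 35), ("alice", date(2022, 6, 22), 50),
    ("bob", date(2022, 6, 1), 30), ("bob", date(2022, 6, 8), 25),
] + [("bob", date(2022, 6, 14) + timedelta(days=i), 90) for i in range(10)]

PER_DAY_LIMIT_MB = 200  # the single-event threshold a patient insider stays under
BASELINE_DAYS = 28      # history used to learn each user's normal weekly volume
WINDOW_DAYS = 7         # rolling window compared against that baseline
RATIO = 4.0             # flag when the window holds RATIO x the baseline week

def daily_totals(events):
    """Sum transferred MB per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, mb in events:
        totals[user][day] += mb
    return totals

def weekly_baseline(days, end):
    """Median weekly volume over the BASELINE_DAYS that precede `end`."""
    start = end - timedelta(days=BASELINE_DAYS)
    weeks = []
    for w in range(BASELINE_DAYS // WINDOW_DAYS):
        lo = start + timedelta(days=w * WINDOW_DAYS)
        hi = lo + timedelta(days=WINDOW_DAYS)
        weeks.append(sum(mb for d, mb in days.items() if lo <= d < hi))
    return max(median(weeks), 1)  # floor of 1 MB so idle users still yield a ratio

def flag_slow_aggregation(events, as_of):
    """Return {user: reason} for users whose recent egress dwarfs their own history."""
    flagged = {}
    for user, days in daily_totals(events).items():
        if any(mb > PER_DAY_LIMIT_MB for mb in days.values()):
            flagged[user] = "exceeded single-day limit"
            continue
        lo = as_of - timedelta(days=WINDOW_DAYS)
        window = sum(mb for d, mb in days.items() if lo < d <= as_of)
        base = weekly_baseline(days, lo)
        if window >= RATIO * base:
            flagged[user] = f"{window} MB in {WINDOW_DAYS} days vs ~{base:.0f} MB/week baseline"
    return flagged
```

Run as of the last event day, alice stays unflagged while bob, whose every day is under the 200 MB rule, is flagged for 630 MB in a week against a baseline near 28 MB.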
What types of data are at risk from insider threats?
Virtually any sensitive form of enterprise data can be impacted by insider threats. Any data that would cause harm to the company if exposed publicly or accessed by a competitor should be considered in scope and protected from insider threats.
- Regulated data – All data types covered by industry regulations must also be protected from insider threats. This includes data such as payment card data covered by PCI-DSS as well as a wide range of user or employee personally identifiable information (PII) or personal health information (PHI).
- Customer data – Customer data comes in a variety of forms that are regularly accessed or worked on by trusted insiders. For example, professional services firms may need to handle highly sensitive financial or legal documents related to their customers. Customer data can be housed in SaaS vendor applications or in files shared between users.
- Intellectual property – Intellectual property is a prime target both for state-based and corporate espionage as well as employees transitioning to a competitive company. This can include many forms of information including product source code, design files, product formulas, manufacturing processes, product roadmaps, and more.
- Corporate and trade secrets – Organizations naturally have a wide range of sensitive information that needs to remain private in addition to intellectual property. This can include things like internal company financial data, business terms between partners, suppliers, and customers, corporate strategy, merger and acquisition plans, internal executive communications, and more. All of these forms of information could cause serious damage if publicly exposed either intentionally or due to an accident.
What industries are at risk from insider threats?
Insider threats can potentially affect any organization with information that needs to remain private. Needless to say this applies to the majority of enterprises. However, some organizations and industries are at higher risk than others.
- Professional Services
Legal, financial, and other professional services firms are entrusted with highly sensitive customer data that must remain protected. Any exposure of this information can have serious financial and reputational impacts on the firm. These forms of data are also often dynamic, with many team members contributing to and collaborating on a file or an account. In fact, the IBM X-Force Threat Intelligence Index 2022 found that professional services organizations had over 2.5 times the rate of insider threats compared to the industry average.
- Technology Firms
High-tech firms typically succeed based on their unique innovations. These companies are at pronounced risk of damage if engineers and key employees take proprietary information with them when they move to a competitive company. Once again, this data can come in many forms, which can make the data harder to control.
- Bio-Tech Firms
Much like technology firms, bio-tech firms succeed or fail based on the unique products that they develop. In the case of biotech companies this often translates to product formulas and processes tied to new pharmaceutical products. These products require very high investments in time, money, and talent, and it is critical for organizations to protect this substantial investment.
- Media and Entertainment
Media companies regularly deal with assets such as movies, music, and shows that are highly confidential before they are publicly released. However, fans and leak sites will do anything they can to get materials before the official release date, creating both a market for malicious insiders and a pool of external actors ready to pounce on any employee mistake.
- Any industry or organization with high turnover
Organizations are at pronounced risk of insider threats whenever an employee leaves a company. In recent years, most industries have experienced higher than normal rates of turnover both due to macroeconomic events such as the Great Resignation and a highly competitive employment market. These cases make it even more important for organizations to be able to clearly and continuously know and control what sensitive information is in a user’s possession.
Insider Threat Statistics
- 9.4% – Nearly one in ten employees exfiltrate data over a six-month period
- 44.6% of incidents involve customer data
- 13.8% of incidents involve source code
- 26.5% – Personal cloud storage is used to exfiltrate 26.5% of data
- 7.7% – The most prolific 1% of “super stealers” account for 7.7% of incidents
- 83.1% – Employees are 83.1% more likely to take data just before they quit
How to Detect and Mitigate Insider Threats
Protecting resources from insider threats requires a sustained and coordinated effort from the enterprise. Depending on the organization, this may require the participation of multiple groups, including the security team, HR team, and various business units. However, while an insider security program does require focus, it does not have to be complicated. Key steps include:
- Build Your Insider Threat Policies
- Find Your Insider Risk
- Know the Indicators of Insider Threats
- Prevent Insider Threats
- Train Your Users