Insider threats are threats that originate from within an organization, like a company or government department. While most cybersecurity experts are focused on limiting external risk factors, many hacks and leaks are caused by people who already have legitimate access to sensitive data. So how does an insider threat work, and can they be prevented?
An insider is a person who is already operating within an organization: an employee in a company, for example, who has been given access to their internal networks. As such, they have privileged access to information or other resources that someone outside the company does not.
The term insider on its own does not suggest that a person is a threat, of course. Every individual within a company, charity, educational establishment, healthcare facility, or government agency is an insider.
An insider threat, in the context of cybersecurity, usually involves someone within an organization who uses their privileged access to cause harm to said organization. The most obvious example is an employee who leaks sensitive data, perhaps for their own financial gain. For instance, they could steal intellectual property or trade secrets to sell to a rival company.
We describe them as an insider threat because that kind of action can cause the company financial and reputational harm, as well as put consumers and service users at risk. In the case of the insider employee selling sensitive data to an outsider, the leaked information could be used to launch cyberattacks against the company or its customers.
Broadly speaking, an insider threat will fall into one of three categories.
According to a 2020 study by the Ponemon Institute, the majority of insider threats are the result of human error and negligence. This kind of threat occurs when individuals forget to update their cybersecurity software, use weak passwords, or visit unsafe websites using their work devices.
An employee could accidentally infect their laptop with spyware, giving a hacker access to passwords and, ultimately, internal corporate networks. A government agency worker might connect to unsecured Wi-Fi on public transport, exposing their data. These people aren’t acting maliciously, but they’re still an insider threat.
A malicious insider threat is an individual who knowingly does something to threaten their organization. Perhaps they’re working alone, in the hopes of finding a buyer for stolen files later on. Alternatively, they might have been contacted by someone outside the company who has offered them money in exchange for access to sensitive data.
It’s not always about the money, though. Sometimes insiders are motivated by revenge (perhaps they’re about to be laid off) or ethics (for example, if they’re acting as a whistleblower, leaking information about their employers’ bad practices).
A compromised insider threat is a device or account that has been hijacked or in some way accessed by a malicious entity outside the organization. Many negligent insider threats later evolve into compromised insider threats.
In the case of an employee with a spyware-infected laptop, their company email could be used by a hacker to launch spear phishing attacks on their coworkers or to gain access to private internal databases. The negligent insider threat gave the hacker access to an employee account, which has now become a compromised insider threat.
Being able to spot insider threats before they turn into incidents is vital. There’s no silver bullet when it comes to predicting insider attacks, but plenty of small indicators can be treated as red flags. These warning signs can be divided into two groups.
Be on the alert if an individual in your organization:
It’s not always the behavior of individuals that gives away a potential threat. Keep a lookout for:
Again, it’s important to stress that none of these factors in isolation is a definitive indicator of an insider threat. Insider threat detection is not a perfect science, so if you notice some of these clues, you should follow them up with a more in-depth assessment to determine whether a risk factor is present.
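To illustrate the point that these clues only become meaningful in combination, here is an added example (not from the original article) that scores constructed audit events per user and only flags a user for follow-up once several weak signals add up. The indicator names, weights, volume limits and sample events are assumptions chosen for illustration, loosely based on the behaviours described in this article.

```python
from collections import defaultdict

# Constructed sample audit events, not real logs: (user, indicator, value).
# Indicator names are hypothetical, loosely mapped to behaviours the article
# mentions (unauthorised sharing, bulk deletion, web changes, unsecured Wi-Fi).
EVENTS = [
    ("alice", "sensitive_file_access", 40),        # files opened in one day
    ("alice", "external_share", "rival.example"),   # data sent outside the org
    ("alice", "untrusted_network", "cafe-wifi"),
    ("bob", "untrusted_network", "train-wifi"),
    ("carol", "bulk_delete", 150),                  # records deleted at once
    ("carol", "web_content_change", "out-of-hours"),
]

# Assumed weights: no single indicator reaches the review threshold on its own.
WEIGHTS = {
    "sensitive_file_access": 2,
    "external_share": 3,
    "untrusted_network": 1,
    "bulk_delete": 3,
    "web_content_change": 2,
}
# Assumed volume limits: these indicators only count once the volume is unusual.
VOLUME_LIMITS = {"sensitive_file_access": 20, "bulk_delete": 50}
REVIEW_THRESHOLD = 5


def score_events(events, weights=WEIGHTS, limits=VOLUME_LIMITS):
    """Return {user: (score, indicators)} by aggregating weak signals per user."""
    scores = defaultdict(lambda: [0, []])
    for user, indicator, value in events:
        if indicator in limits and not (isinstance(value, int) and value > limits[indicator]):
            continue  # ordinary volume: not a red flag
        weight = weights.get(indicator, 0)
        if weight == 0:
            continue  # unknown indicator: ignore rather than guess
        scores[user][0] += weight
        scores[user][1].append(indicator)
    return {u: (s, tuple(i)) for u, (s, i) in scores.items()}


def users_to_review(events, threshold=REVIEW_THRESHOLD):
    """Only users whose combined score crosses the threshold go to assessment."""
    return sorted(u for u, (s, _) in score_events(events).items() if s >= threshold)


if __name__ == "__main__":
    for user, (score, indicators) in score_events(EVENTS).items():
        print(f"{user}: score={score} indicators={indicators}")
    print("follow up with in-depth assessment:", users_to_review(EVENTS))
```

Bob's single public Wi-Fi connection scores 1 and is not flagged, while Alice and Carol each cross the threshold only through a combination of signals.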
Insider threats vary widely because the term can cover almost any behavior by a member of an organization that could cause it harm. Here are the most common types of insider threats.
Leaking data involves an individual accessing and sharing sensitive information without authorization. For example, an employee could share intellectual property with a competitor, sell user details to hackers, or share classified documents with journalists. Regardless of their motivation, the process is largely the same.
As we discussed previously, however, people don’t always leak data intentionally. An employee could send data to the wrong email address or make sensitive information (details of secret projects, for example, or customer information) public on a company website. These are examples of inadvertent insider threats, where no malicious intent exists.
Rather than causing a data breach, an insider with the right access privileges could alter the information or visuals of a company’s website, posting their own messages for the public to see. This is called “defacement” and is a popular strategy with hacktivists and politically motivated attackers. The agents of a nation state can even target the government websites of rival countries to post propaganda messages — as Russia may have done in Ukraine in early 2022.
Rather than selling intellectual property or promoting political messages, an insider might just want to cause disruption and damage to the organization’s operations. For example, a disgruntled employee might delete essential data, take webpages offline, or use malware and viruses to make company systems or devices unusable.
That’s the problem with insider threats – by their nature, they come from people who already have legitimate access to the organization’s network, internal systems, and trade secrets. By the time they reveal themselves to be a threat, they might have already caused enormous damage.
Mitigating insider threats before they cause damage to a company or organization is essential. Here are three security measures that can lower (though not eliminate) the risks.