Insider threats: Examples and prevention

An insider is a person who is already operating within an organization: an employee in a company, for example, who has been given access to their internal networks. As such, they have privileged access to information or other resources that someone outside the company does not.

The term insider on its own does not suggest that a person is a threat, of course. Every individual within a company, charity, educational establishment, healthcare facility, or government agency is an insider.

An insider threat usually involves someone within an organization who uses their authorized access to cause harm to that organization. This could be an employee who leaks sensitive data for their own financial gain by selling intellectual property or trade secrets to a rival company.

We describe them as an insider threat because that kind of action can cause the company financial and reputational harm, as well as put consumers and service users at risk. In the case of the insider employee selling sensitive data to an outsider, the leaked information could be used to launch cyberattacks against the company or its customers.

Broadly speaking, an insider threat will fall into one of three categories.

1. Negligent insider threats

According to a 2020 study by the Ponemon Institute, the majority of insider threats are the result of human error and negligence. This kind of threat occurs when individuals forget to update their cybersecurity software, use weak passwords, or visit unsafe websites using their work devices.

An employee could accidentally infect their laptop with spyware, giving a hacker access to passwords and ultimately, internal corporate networks. A government agency worker might connect to unsecure Wi-Fi on public transport, exposing their data. These people aren’t acting maliciously, but they’re still an insider threat.

2. Malicious insider threats

A malicious insider threat is an individual who knowingly does something to threaten their organization. Perhaps they’re working alone, in the hopes of finding a buyer for stolen files later on. Alternatively, they might have been contacted by someone outside the company who has offered them money in exchange for access to sensitive data.

It’s not always about the money, though. Sometimes insiders are motivated by revenge (perhaps they’re about to be laid off) or ethics (for example, if they’re acting as a whistleblower, leaking information about their employers’ bad practices).

3. Compromised insider threats

A compromised insider threat is a device or account that has been hijacked or in some way accessed by a malicious entity outside the organization. Many negligent insider threats later evolve into compromised insider threats.

In the case of an employee with a spyware-infected laptop, their company email could be used by a hacker to launch spear phishing attacks on their coworkers or to gain access to private internal databases. The negligent insider threat gave the hacker access to an employee account, which has now become a compromised insider threat.

Being able to detect insider threats before they happen is vital. There’s no silver bullet when it comes to predicting insider attacks, but plenty of small indicators can be treated as red flags. These warning signs can be divided into two groups.

Behavioral

Be on the alert if an individual in your organization:

• repeatedly asks for access to systems or databases that don’t relate to their job function.
• regularly expresses resentment towards the organization, their superiors, and their peers.
• fails to maintain good cybersecurity practices.
• uses their work device for personal internet activity, or vice versa.
• mentions that their device or operating system is acting strangely.
• contacts other team members from a company account asking for unprecedented access or information.

Digital

It’s not always the behavior of individuals that gives away a potential threat. Keep a lookout for:

• large file downloads, especially on devices that aren’t linked to the organization.
• unexpected access requests for internal systems and networks.
• activity outside of normal working hours.
• devices and accounts operating from unusual locations or those with unfamiliar IPs.
• unexplained periods of time when cybersecurity tools like firewalls or VPNs are switched off.
• multiple failed password attempts, either from a recognized user or an unknown entity.

Again, it’s important to stress that none of these factors in isolation is a definitive indicator of an insider threat. Insider threat detection is not a perfect science, so if you notice some of these clues, you should follow them up with a more in-depth assessment to determine whether a risk factor is present.

Insider threats vary widely because the term can really cover any behavior by a member of an organization which could cause harm. Here are the most common types of insider threats.

Leaking data

Leaking data involves an individual accessing and sharing sensitive information without authorization. For example, an employee could share intellectual property with a competitor, sell user details to hackers, or share classified documents with journalists. Regardless of their motivation, the process is largely the same.

As we discussed previously, however, people don’t always leak data intentionally. An employee could send data to the wrong email address or make sensitive information (details of secret projects, for example, or customer information) public on a company website. These are examples of inadvertent insider threats, where no malicious intent exists.

Webpage defacement

Rather than causing a data breach, an insider with the right access privileges could alter the information or visuals of a company’s website, posting their own messages for the public to see. This is called “defacement” and is a popular strategy with hacktivists and politically motivated attackers. The agents of a nation state can even target the government websites of rival countries to post propaganda messages — as Russia may have done in Ukraine in early 2022.

Disruption

Rather than selling intellectual property or promoting political messages, an insider might just want to cause disruption and damage to the organization’s operations. For example, a disgruntled employee might delete essential data, take webpages offline, or use malware and viruses to make company systems or devices unusable.

That’s the problem with insider threats – by their nature, they come from people who already have legitimate access to the organization’s network, internal systems, and trade secrets. By the time they reveal themselves to be a threat, they might have already caused enormous damage.

Mitigating insider threats before they cause damage to a company or organization is essential. Here are three security measures that can lower (though not eliminate) the risks.

• Use a centralized monitoring solution. To improve your insider threat detection, you need to follow the best cyber threat monitoring practices — such as making sure that all employee devices are installed with software to track activity. A centralized monitoring solution doesn’t have to be invasive either; rather than viewing user activity directly, you can ban certain risky behaviors or prompt them to update software. Some AI-driven programs can learn about normal user behavior over time and then warn you if someone deviates from that.
• Raise awareness of threats and best practices. In most cases, an insider threat is more likely to be caused by human error than a malicious insider. Make sure that individuals within your organization are aware of the dangers posed by phishing attacks, malware, and other cyber threats. The more aware people are of what behavior is risky, the less likely they are to engage in it.
• Use a VPN. A VPN, or virtual private network, adds a layer of encryption to a person’s internet activity, even when they’re using unsecure public Wi-Fi. Rolling out VPNs across all of an organization’s devices will lower the risks posed by negligence and compromised devices. With services like NordLayer, you can enhance your security and make it safer for employees to access company resources.