The Anatomy of an Insider Threat

Insider threats are on the rise. The World Economic Forum named malicious insider activity one of the top three concerns for cyber leaders. This supports what many cybersecurity and information governance experts have long expressed – that internal threats are just as critical as external ones. Unfortunately, organizations are often less prepared to mitigate insider threats than they are for the more prominent, publicized external variety.  

What is an Insider Threat?

Insider threats occur from within the enterprise, either through unintentional mistakes or due to malicious insiders looking to steal or leak corporate data for a personal agenda. 

Inadvertent threats can occur when, for example, employees make a mistake such as sending an email to the wrong recipient, misconfiguring a system, or otherwise failing to keep up with a company’s security requirements. Insider threat incidents rose 44% between 2020 and 2022 and reportedly cost more than US$15 million per incident.

In contrast, malicious insiders deliberately create threats. For example, our teams encountered a recent case at a fund management organization where an employee was caught stealing intellectual property. In this case, the employee wasn’t sending data to a personal account or device but rather sharing and leveraging the organization’s proprietary trading strategies to secure a position at a competing firm. 

The organization had comprehensive security controls in place; as such, the malicious activity was detected when the employee triggered an internal warning system by printing a sensitive document. A lengthy investigation followed to uncover the full extent of the employee’s activities and the scale of exposed IP. This was particularly challenging because investigators were not looking for a specific file or document. Ultimately, the investigation successfully recovered the information from the employee’s systems, personal devices and the competitor’s systems. 

How to Spot an Insider Threat

The frequency of malicious internal attacks is increasing – 67% of organizations reported between 21 and 40 incidents per year in 2022, a 60% increase over the frequency reported the previous year. Fortunately, there are behavioral and contextual warning signs that security, governance and legal teams can watch for. These include:

  • A noticeable change in the employee. Employees who pose an insider threat may exhibit lower morale or begin working longer or unusual hours, including over the weekend. They may be possessive over certain matters or files. They may start disagreeing more often or indicate they are looking for another job.
  • Attempting to access and download large amounts of data. Even if authorized, and especially if the attempts are unauthorized, retrieving and moving data to a personal thumb drive, device, email or personal cloud storage should be viewed as a red flag.
  • The organization is going through a major change. This might include a merger, restructuring, divestments or other major business events. Whether an employee is leaving voluntarily or fears they may be let go, threats are more likely leading up to and after significant changes.
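The warning signs above, together with the printing trigger in the earlier case, can be turned into a simple review score over file-activity logs. The following is an added illustration, not code from this article or any product; the event format, the destination markers, the working-hours window and the weights and threshold are all assumptions to be tuned against an organization's own baseline.

```python
# Added illustration for this article (not its code): scores the warning signs
# the list above describes over constructed file-activity events.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, action, destination, bytes, sensitive)
EVENTS = [
    ("alice", "2023-03-14T10:05:00", "download", "corp-share", 2_000_000, False),
    ("alice", "2023-03-14T11:30:00", "email", "alice@corp.example", 50_000, False),
    ("bob", "2023-03-18T22:40:00", "download", "corp-share", 1_500_000_000, True),  # Saturday night
    ("bob", "2023-03-18T23:10:00", "copy", "usb:E:", 1_400_000_000, True),
    ("bob", "2023-03-19T09:00:00", "email", "bob.home@gmail.example", 30_000_000, True),
    ("bob", "2023-03-20T08:15:00", "print", "printer-3", 0, True),
]

# Assumed thresholds and weights; tune to the organization's own baseline.
BULK_BYTES = 500_000_000
PERSONAL_DESTINATIONS = ("usb:", "gmail.example", "personal-cloud")
WEIGHTS = {"bulk download": 2, "transfer to personal destination": 3,
           "off-hours activity": 1, "printed sensitive document": 2}

def is_off_hours(ts: str) -> bool:
    """Weekend, or before 07:00 / after 20:00 on a weekday (assumed working hours)."""
    when = datetime.fromisoformat(ts)
    return when.weekday() >= 5 or when.hour < 7 or when.hour >= 20

def score_user_events(events):
    """Return ({user: score}, {user: [reasons]}) for the listed warning signs."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for user, ts, action, dest, size, sensitive in events:
        scores[user] += 0  # make sure quiet users still appear with a zero score
        hits = []
        if action == "download" and size >= BULK_BYTES:
            hits.append("bulk download")
        if any(marker in dest for marker in PERSONAL_DESTINATIONS):
            hits.append("transfer to personal destination")
        if is_off_hours(ts):
            hits.append("off-hours activity")
        if action == "print" and sensitive:
            hits.append("printed sensitive document")
        for hit in hits:
            scores[user] += WEIGHTS[hit]
            reasons[user].append(f"{ts} {hit} ({action} -> {dest})")
    return dict(scores), dict(reasons)

def flagged_users(events, threshold=4):
    """Users whose accumulated score reaches the (assumed) review threshold."""
    scores, reasons = score_user_events(events)
    return {u: reasons[u] for u, s in scores.items() if s >= threshold}

if __name__ == "__main__":
    for user, why in flagged_users(EVENTS).items():
        print(user, *why, sep="\n  ")
```

A score like this is a prompt for a human review by the stakeholders named later in the article, not a verdict; the contextual signs (morale, organizational change) still need people to interpret them.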

Mitigating Insider Threats

So, how can an organization best address this reality? Organizations should begin with robust information governance, privacy and security programs supported by executive leadership and the board. Programs must be grounded in a risk-based approach and built into the foundation of systems and workflows. Companies should train employees to understand the potential risk in their actions, as well as implement monitoring and response capabilities so data breach and incident response procedures are established and maintained regularly. 

Additional questions organizations should ask to determine their resilience against insider threats include:

  • Has the board discussed insider threat risk and identified who owns it? Every employee and department is responsible for mitigating different risk areas, but clear owners must be assigned to manage and monitor programs. 
  • Are HR and other key departments involved? Stakeholders from across critical functions, including legal, compliance, HR, IT, security, etc., should collaborate to invest in insider threat risk management and establish processes regarding monitoring for warning signs.  
  • Is the organization prepared to manage an incident? For example, has the organization developed an incident response plan which sets out roles, responsibilities and processes? Internal and external resources must be in place so that when an incident does occur, investigation and remediation can proceed as quickly and efficiently as possible.
  • Has the organization practiced for incidents? For example, has the organization conducted an incident response simulation using the incident response plan, walking through a real-world situation and identifying any gaps in the response?

It’s impossible for prevention mechanisms to perform at 100% – that’s why it is critical to put systems in place that identify threats and that can be activated immediately once a breach, data loss or IP theft incident has occurred. Everyone within the organization has a role to play and, therefore, must be equipped with the training, tools and resources needed to help keep company information safe. People are an organization’s greatest insider threat risk, but with proper guidance and investment, they can also become an integral defense mechanism.
