According to the Voice of the CISO report, Insider threats are a top concern for CISOs globally. And it's easy to understand why: the shift to remote work, accelerated digital transformation, and the Great Resignation has increased the risk of data loss (also referred to as unprecedented employee turnover or the Great Shuffle) for organizations trying to protect their most strategic data. You only need to read daily headlines to see the impact and prevalence of insider threats—for instance, the LastPass data breach, which affected 25 million users.
No organization is immune to insider threats due to a shared characteristic: people. After all, data doesn't lose itself; people take or mishandle data. As a result, tackling insider threats and increasing awareness requires a people-centric approach that goes beyond content to understand context. But what does that really mean and how can organizations manage insider threats effectively while minimizing disruption for their organization? Let's dig deeper and start by defining insider threats.
Insider Threat vs. Insider Risk
The definition of an insider is a current or former employee, contractor, or business partner who has or had authorized access to the organization's network, systems, or data. In other words, an insider is in a position of trust; when an insider uses that position for their personal gain or benefit, whether knowingly or mistakenly, they become a threat to the organization.
The terms' insider risk' and 'insider threat' are sometimes used interchangeably, but they are not the same. Insider threats are a subset of insider risk: all insiders pose risk to an organization, given their access to an organization's data and systems. However, not all insiders will become an insider threat. This is an important distinction that requires a strategic and tactical approach to manage effectively.
Types of Insider Threats
There are three primary types of insider threats:
- Careless users are well-intentioned but make bad decisions, such as accidentally sharing customer data externally or transferring sensitive strategy documents to a USB. Careless users account for 56% of insider incidents, according to the 2022 Ponemon Cost of Insider Threat Report.
- Malicious users are motivated by personal gain and intend to harm the organization. Examples include exfiltrating trade secrets or taking intellectual property when leaving the company. Although malicious users account for about a quarter of all insider incidents, incidents involving malicious users can be widely publicized given the potential for financial and brand impact.
- Compromised users have their credentials stolen by threat actors looking for access to an organization's data and systems. These users typically have privileged access to information, which makes them the target of external threat actors. Compromised users account for 18% of insider incidents.
Understanding the type of insider threat and the context is critical to determining the best response.
What Running a Red Light Teaches Us About Context
The best way to understand the context's role is to consider the analogy of a driver running a red light.
Imagine that you are a police officer who just arrived at a large intersection. As you approach, you see a driver go through a red light. At first glance, this may seem straightforward: the driver has clearly violated the rules of the road and should be issued a ticket. However, should all red light infractions be treated the same way?
Now consider if you had more context. What if you learned that this driver had been sitting at the intersection for 10 minutes and decided that the light was broken, so proceeded to go. In that case, given more context and information, you may not issue a ticket. This driver is analogous to the careless user: their intentions are good, but they may have acted carelessly.
What if the driver ran the red light to follow and confront another driver? Maybe they were driving on a recently suspended license, and right before the red light, there was a heated exchange back and forth. In this case, the driver may be trying to cause harm to the other driver, and you need to respond as quickly as possible to minimize the damage of this malicious driver.
Next, what if the driver was driving a stolen car after robbing a bank? The more you investigate and gather evidence, it may become apparent that the driver is not who you think they are, and you need to involve other law enforcement agencies. This would require a completely different response than the careless or malicious driver.
As you can see from this example, context plays a crucial role in understanding the broader situation and determining the best response. In the absence of other information, you would have to respond the same to each driver. However, visibility changes everything. With visibility, you can see the entire situation, determine the risk, assess the impact, and determine the best response.
Proofpoint believes that managing insider threats efficiently and effectively requires context. Responding to a malicious user the same way as a careless user could have dire, unintended consequences. That's why our approach provides visibility and contextualized insights. With this information, you can understand the who, what, when, and where to respond appropriately.
During Insider Threat Awareness Month, learn more about best practices in managing insider threats by joining an upcoming webinar. Listen to Forrester share their insights and advice and attend a fireside chat with Pfizer on approaches to mitigate risk from insider threats. Dive deeper into understanding insider threats and how to raise awareness with the Insider Threat Starter Pack.
Lastly, hear more about how to protect your organization from risky users in our latest Protecting People podcast episode.