
How to Prevent Insider Threat Incidents: A SunTrust Case Study


Insider threats are on the rise, with criminal or malicious insiders serving as one of the top causes of security incidents at organisations worldwide. According to a recent report from The Ponemon Institute, malicious insider threats can cost an organisation $2.8 million per year, or an average of $604,092 per incident. As if those numbers weren’t enough of an eye-opener, just this week regional banking giant SunTrust disclosed a major potential malicious-insider breach, resulting in the loss of personal data on 1.5 million customers.

Unfortunately, insider threat incidents like the one experienced at SunTrust are becoming far too common. Security teams can take steps to avoid this outcome by taking a proactive, people-centric approach to insider threat management.


This week, Atlanta-based financial institution SunTrust disclosed to 1.5 million clients that it had become aware of a potential theft of some of its contact lists by a former employee. The data exposed includes names, phone numbers, addresses, and certain account balances. The company states that the contact lists did not include personally identifying information such as social security numbers, driver’s licence numbers, account numbers, passwords, or PINs.

To show its customers it takes data privacy seriously, SunTrust has offered identity monitoring through Experian IDNotify, and is working with authorities to perform a thorough investigation. In the disclosure, CEO and Chairman Bill Rogers promised users that the company has “heightened our monitoring of accounts and increased other security measures.”

According to The Ponemon Report, the financial services industry incurs the highest annualised cost of insider threats, at $12.03 million. It’s critical for organisations to implement the proper preventative measures to detect insider threats, and develop response plans to contain them quickly.


Insiders with privileged access are often the most trusted employees, and can be some of the most technical users in an organisation.

Here are some recommendations on how to gain greater visibility and prevent the exfiltration of sensitive data, whether intentional or accidental:


  1. Gain visibility into risky or malicious behaviour
    There are myriad ways that data leaves an organisation, so security teams should keep a close eye out for risky or suspicious behaviour.

    For example, if users are sending documents to printers at odd hours or logging into unauthorised file-sharing sites, they could be exhibiting the behavioural patterns of malicious insiders. Alternatively, users could be breaking policy innocently, without knowing or understanding the potential repercussions.
  2. Maintain tight offboarding practices
    Whether former employees are careless or potentially disgruntled, organisations can prevent them from exfiltrating data by maintaining tight offboarding policies.

    For example, be sure to revoke access to key systems and cloud services immediately after employees leave the organisation.
  3. Keep an eye on technical users
    Malicious insiders are often sophisticated technical users, as in the infamous state-sponsored insider case of Greg Chung at Boeing. They may exhibit behaviours such as tapping into sensitive admin tools or configurations, deleting users or information from directories, hiding their tracks by tampering with log files or passwords, or attempting to gain higher access privileges. User activity monitoring is the best way to catch these indicators before it’s too late.

To learn more about the causes and costs of insider threats in the financial services industry and beyond, check out The Ponemon Institute’s 2018 Cost of Insider Threats report.