Insider Threat Management

The Primary Factors Motivating Insider Threats


(Updated 02/17/2021)

There was once a time when the risk of an “insider threat” incident was relatively unknown, or simply not considered likely, within an organization. That time has quickly come and gone.

With the rise in publicly-disclosed systems breaches and data leaks, along with the steady stream of studies and reports covering topics like the high average cost of insider threats, and the increasing reliance on vast volumes of data for business, understanding the insider has become a high-level concern.

In 2007, a KPMG study found that just 4% of all reported cyberattacks were caused by malicious insiders, and by 2017 that number had risen to a whopping 89%. That’s a pretty substantial increase, highlighting the fact that the risk of insider threats is very real, and a very big deal.

Despite the wealth of data talking about insider threat incident outcomes, organizations want to know: what motivates the people behind insider threats, and what can be done to obtain visibility and mitigate the risk of incidents, all while preserving the privacy of the individual?

We get asked this a lot. The answer involves finding a holistic balance between people, process and technology. (And yes, they are in priority order!)

Factors Motivating Insider Threats

People are driven by special, sometimes secret, motivating factors. The same goes for potential insider threats in your organization. If you can understand that motivation or intent, you’re well on your way to mitigating the risk of an incident!

There are two main types of insider threat: malicious, and unintentional. Perhaps surprisingly, unintentional insider threats are the more common of the two.

Both types can be direct employees, or contractors or vendors with special access. While we can’t claim to know them all, here are some of the more common motivations associated with each:

  1. Malicious Insider Threat

    1. Emotions-based: If an insider is bored, depressed, frustrated or angry based on a situation involving an organization or workplace, there is a high likelihood that they may act out maliciously. Some examples include: when an employee undergoes a performance review, and it doesn’t go well; when an employee is fired, etc.
    2. Financially-based: This shouldn’t come as a big surprise, but money is a huge motivator for a lot of people. If an employee is suffering from financial hardship, or is looking to improve their situation, there is an opportunity to exploit their insider position for monetary gain. Some examples include: when an employee doesn’t feel they are paid fairly; when an employee owes money to another party, etc.
    3. Politically-based: While not as likely, there have been several published incidents of state-sponsored insider threat attacks, and corporate espionage. The primary drivers for these individuals may be national pride or political in nature, or even a mix of the other two types of malicious insider threat motivation: emotional backlash and financial benefit.


  2. Unintentional Insider Threat

    1. Lack of knowledge or understanding: If an insider isn’t necessarily tech savvy or used to considering security implications of their actions, they may be a risk for becoming an unintentional threat. This is especially the case if your cybersecurity policies are robust and overly technical in nature. Some examples include: sharing sensitive data and information on less secure channels (like cloud storage apps); accessing critical systems on insecure public Wi-Fi; requiring users to tag regularly used content with metadata, etc.
    2. Convenience: In the modern age, convenience unfortunately overpowers almost all else. If your cybersecurity policies, tools, etc. make it difficult for insiders to do their work in a quick and efficient manner, they will likely look to circumvent the in-place systems. Some examples include: pushing files to cloud storage apps when removable storage is banned; forwarding work emails to personal accounts to work remotely, etc.
    3. Misplaced technology: Work on-the-go is increasingly common each and every year. As such, offices have become more mobile (as devices have gotten smaller). Besides the increased threat of prying eyes trying to get into these protected devices, there is an opportunity for insiders to accidentally misplace their equipment, making them a huge risk. Some examples include: leaving a laptop on a table at the local coffee shop; copying files to removable storage devices and then misplacing them, etc.

Final Thoughts

By knowing what types of insider security threats are within your organization, along with their potential motivations, it becomes easier to identify if and when your organization has become a victim of an insider data breach or incident.

In other words, visibility is essential to mitigating risk! And this is just one step into fully understanding who within your organization may be a factor.

You’ll also want to know:

  1. What can they access?
  2. What actions are they taking?
  3. Are they breaching policy?
  4. If so, how, and how frequently?
  5. Why are they breaching policy?

Once you uncover risky or policy-breaching user activities, you’ll want to be able to rapidly investigate incidents, determine whether any data has been lost, and put changes into action to prevent the situation from occurring again in the future.