(Updated on 02/17/2021)
According to the recent Verizon Insider Threat Report, “Regular users have access to sensitive and monetizable data and are behind most internal data breaches.” Insider threats can be defined as anyone who misuses their authorized access to sensitive data or systems to negatively impact the organization.
While the headlines often sensationalize accounts of espionage or intricate schemes, the most common types of insider threat may surprise you. Since insiders fly under the radar of many traditional security defenses, their small actions can often be difficult to detect for many organizations -- until it’s too late.
The good news is, if you know enough about the types of insider threats, you can make a solid plan for how to stop them. Here are three common focus areas to keep in mind:
1. Accidental Leaks
According to insider threat statistics, two in three insider threat incidents are caused by employee or contractor mistakes. Often these accidents can happen out of carelessness, or if there are no effective guardrails put into place by the organization.
From phishing attacks to emails sent to the wrong person, employees make mistakes that risk confidential data loss and reputational damage for the organization. Often, the best defense for accidental leaks is cybersecurity awareness. Providing users with the knowledge they need to avoid common mistakes could prove invaluable to an organization.
Even with the best training in place, it’s also critical to have clear and understandable cybersecurity policies and procedures that protect the organization from common, yet risky, user activities. For example, if employees are regularly using a variety of file-sharing sites, offering a sanctioned alternative can help support that workflow while keeping the organization safe. Striking the balance between ironclad policies and employee productivity is often one of the biggest challenges for security teams.
Unlike its more careless cousin the accidental leak, misuse indicates that someone attempted to circumvent a policy or procedure put into place by the organization. Sometimes, people unintentionally go around security controls when they’re too restrictive or difficult to follow. Other times, these actions may be more intentional.
For example, an employee may start using unsanctioned software to work with a third-party contractor who’s requesting access to locked-down data. Or an employee may be using corporate systems in off-hours for their own monetary gain. Both of these scenarios are examples of misuse, and could be considered illegal depending on the policies put into place by the organization.
Having the right policies can help prevent misuse, but it’s difficult to enforce a policy without knowing more about user and data activity across the organization. Having an insider threat management solution like Proofpoint ITM can help security teams find out who’s doing what, when and why, which can speed the investigation process in the event of system misuse.
3. Data Theft
Users steal an organization’s data for many different reasons. Some of the most common motives for malicious insider threats are financial, emotional, or political. For example, an employee may be in financial distress, and decide that selling sensitive corporate data may ease some of the pressure. Or, an employee who was recently terminated may decide to retaliate against the organization.
There are many ways users steal company data, from personal emails, to hard copies, to cloud applications. In fact, hard copies are one of the most common causes of data breach in the healthcare sector, responsible for 65% of all incidents. Any single user action doesn’t necessarily indicate data theft. Just as with other types of insider threats, visibility is key to mitigating risk. It’s important to know the facts around:
- What data the user can access
- What actions they’re taking
- Whether these actions violate policy
- If so, how frequently they are taking place
- And why a policy breach may be occurring in the first place.
Once security teams have the context they need from talking to managers or HR and consulting insider threat management tools, they can quickly investigate the incident and determine whether further action is required.