Data Loss Prevention

How to Recognize Malicious Insider Threat Motivations

According to the Forrester Best Practices: Mitigating Insider Threat Report “All data theft is an inside job – and it will cost your business”. 

Insider threats are complex and come in all shapes and sizes – that’s why traditional cybersecurity tools aren’t set up to stop insiders, which have sneaked under the radar. And as the world rapidly moved to a work-from-anywhere environment, the number of new unsanctioned endpoints dramatically increased, making it even easier to hide. It’s little surprise, then, that the frequency of insider threats has increased by 47% from 2018 to 2020. 

There seem to be regular updates in the news about the latest organization to suffer a data leak as a result of accidental misuse of data. 

But malicious insider threats are different. Unlike accidental misuse by well-meaning insiders, malicious insiders make a conscious choice to act. As we’ve seen in multiple news stories, the motivations may vary, but the underlying reasons seem to revolve around financial fraud, brand damage and/or revenge.

So how can you recognize malicious insider threat motivations and keep your organization and data safe? It starts by understanding the motivations of those malicious insiders.

Primary Motivations for Malicious Insiders

According to Forrester’s “Best Practices: Mitigating Insider Threat” report, there are eight primary motivations for malicious insiders to take action. These include: 

  • Financial distress: an employee is looking for a quick financial gain.
  • Disgruntled employee: an angry employee is seeking revenge for some reason.
  • Entitlement: an employee may feel entitled to having access to sensitive information.
  • Announcement or fear of layoff: an employee may feel entitled to sensitive information after a layoff announcement, or they want to hurt the organization. 
  • Revenge: an employee may feel mistreated and want to get even. 
  • Work conflict: disagreements with other employees. 
  • Ideology: political or religious beliefs can be a powerful motivator. 
  • Outside influence: criminal organizations or state-sponsored espionage agencies may recruit insiders. 

Gaining awareness of the external factors that can inspire malicious insiders to engage in nefarious activity can give you a better understanding of who your high-risk insiders could be and what could motivate them to act maliciously. 

This knowledge also illustrates the importance of building a cross-functional security team that extends beyond traditional cybersecurity to address employee-facing situations. In Forrester’s report, they suggest making technology part of your broader Insider Threat Management (ITM) program. Having an expanded team — including HR, legal, and management — in place can help you spot external factors and intervene in a delicate situation before it becomes a full-blown insider incident.

Early Indicators of Insider Threats

Once you’re aware of common motivations for malicious insiders, it’s important to recognize the behaviors that imply the malicious insiders are ready to take action (if they haven’t already). 

Forrester outlined eight examples of behavior that could indicate malicious insiders are at work. These include: 

  • Leaving the company
  • Poor performance appraisals
  • Voicing disagreements with policies
  • Disagreement with coworkers
  • Financial distress
  • Unexplained financial gain
  • Odd working hours 
  • Unusual overseas travel

Some of these behaviors may seem obvious, like leaving the company, financial distress or unexplained gain, or working odd hours, but others require a bit more thought or analysis. 

This is why having an ITM program — and technology that can spot suspicious user behavior early — plays such a vital role in ensuring a malicious insider can be stopped before damage can be done. 

Partnering with a company like Proofpoint to implement an ITM program driven by people-centric security solutions can elevate your awareness to detect and prevent potential malicious activity before it gets out of control. By not only monitoring data movement but also understanding the context around that data usage, you gain greater insight into user behavior and greater control over your data, enabling you to keep the organization safe from the ramifications of a malicious insider threat before it becomes a cost to your business.

To learn more, download the Forrester “Best Practices: Mitigating Insider Threat” report now.

Subscribe to the Proofpoint Blog