What the Biggest and Boldest Insider Threat Incidents Can Teach Us

Most organizations spend significant time and resources on education around external threats and implementing solutions to mitigate them effectively. But it’s rare to see this type of investment around learning about internal threats. This leads to a lack of knowledge and understanding around insider threats—what they look like, the risks and consequences of these threats, and how to combat them.

First, it’s important to note that not all insider threats are malicious. In fact, 62% of insider threats are the result of negligent insiders. Negligent insiders are often well-meaning people who accidentally leak confidential or sensitive data. 

Another type of insider threat is a compromised user who may unknowingly fall victim to credential compromise or malware that infects and takes control of their devices. Compromised insiders are typically responsible for 14% of insider threat incidents, which can cost an organization $871,000 per incident, on average. 

It’s worth noting that compromised users are not always unknowing victims. In fact, in a recently detected campaign, cyber criminals were emailing employees within their target organization to solicit their help in installing ransomware.

Though not all insider threats are the same, the risks and outcomes are frequently rooted in brand damage and financial loss. 

We reviewed some of the biggest and boldest insider threats over the past two years to determine where greater education about insider threat risks could have played a valuable role. After all, the more your organization understands insider threats and the consequences associated with them, the better you can defend against them. 

Here is a look at five of the insider threat incidents we identified that offer some great lessons.

Fraudulent invoices at ConocoPhillips

What happened: A ConocoPhillips employee created fraudulent invoices to trick the oil company into paying a friend’s business more than $3 million. But this was just the start; these actions were part of a larger embezzlement scheme that totaled nearly $7.3 million.

Lesson learned: A robust insider threat management (ITM) platform can help detect and prevent supply chain risks by recognizing fraudulent invoices and requests before it’s too late.

Customer record exposure at Microsoft

What happened: Microsoft stored customer information on unsecured servers, which led to the exposure of 250 million customer records over 14 years.

Lesson learned: Whether intentional or negligent, data loss can create significant problems for any organization, ranging from financial loss to reputation and brand damage. In this case, security and privacy practices were called into question for not only Microsoft but other large organizations, as well. 

Unauthorized access in Ellsworth County

What happened: A former employee of the Ellsworth County Rural Water District No. 1 in Kansas remotely accessed the water district’s computer system. He intentionally tampered with the disinfecting and cleaning process, risking the safety of the drinking water for the 1,500 retail customers and 10 wholesale customers across eight Kansas counties.

Lesson learned: Monitoring remote access to any network is an essential part of a robust cybersecurity plan, and it should ensure that only currently authorized users can log in. Any unauthorized login, including one from an account that should have been disabled when an employee left, should be flagged and blocked before it can be used to cause damage.
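The Ellsworth County case is a detection problem as much as an access-control one: a departed employee's remote access should have been revoked, and any later use of that account should have stood out immediately. The following script is an added example written for this post, not code from Proofpoint or from any ITM product. It assumes a simple, constructed remote-access log format and a toy offboarding list (account name and last authorized day), and it flags two things: any attempt, successful or not, by an offboarded account after its cutoff date, and any successful login by an account that is not on the remote-access allow list.

```python
"""Flag remote-access events that an offboarding process should have made impossible.

Added example, not part of the original post. The log format, the account
names and the offboarding dates below are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
import re

# Constructed sample log lines (not real data) in an assumed "vpn login" format.
SAMPLE_LOG = """\
2021-03-27T08:02:11Z vpn login user=operator1 src=198.51.100.7 result=success
2021-03-27T22:14:05Z vpn login user=jdoe src=203.0.113.5 result=success
2021-03-27T22:16:40Z vpn login user=contractor9 src=203.0.113.9 result=success
2021-03-28T03:30:00Z vpn login user=jdoe src=203.0.113.5 result=failure
"""

# Constructed offboarding records: account -> last day the account was authorized.
OFFBOARDED = {"jdoe": "2021-03-20"}

# Constructed allow list of accounts permitted to use remote access at all.
REMOTE_ALLOWED = {"operator1", "jdoe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_unauthorized_access(log_text, offboarded=OFFBOARDED, allowed=REMOTE_ALLOWED):
    """Return a list of Findings for events that contradict the offboarding or allow-list state."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these separately
        event_day = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        user = rec["user"]

        # Any attempt by an offboarded account after its cutoff means the account
        # was never disabled (or was re-enabled); both successes and failures matter.
        if user in offboarded:
            last_authorized = date.fromisoformat(offboarded[user])
            if event_day > last_authorized:
                outcome = "logged in" if rec["result"] == "success" else "attempted login"
                findings.append(Finding(rec["ts"], user, rec["src"], f"offboarded account {outcome}"))
                continue

        # A successful login by an account outside the allow list is a gap in access control.
        if rec["result"] == "success" and user not in allowed:
            findings.append(Finding(rec["ts"], user, rec["src"], "account not on remote-access allow list"))
    return findings


if __name__ == "__main__":
    for f in flag_unauthorized_access(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} from {f.src}: {f.reason}")
```

Run against the constructed sample, the script reports three findings: two attempts by the offboarded `jdoe` account (one successful, one failed) and a successful login by `contractor9`, who is not on the allow list; `operator1` produces nothing. The design choice worth noting is that a failed login by an offboarded account is still a finding, because the account should no longer exist to fail against.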

U.S. military leaks nuclear weapons security protocols

What happened: U.S. military personnel trying to memorize the security protocols around nuclear weapons protections unknowingly leaked a significant amount of sensitive information by using an unencrypted flashcard learning app. The information was publicly visible for eight years.

Lesson learned: Even the most well-intentioned employee can inadvertently leak sensitive information, putting the business—or, in this case, national security—at risk. Every employee should be educated and regularly reminded about cybersecurity best practices to minimize the risk of an accidental insider incident.

Database exposure leads to a class-action lawsuit for Vertafore

What happened: Negligent employees at insurance software maker Vertafore exposed a Texas Department of Motor Vehicles database after storing files on an unsecured external storage service. The incident led to a class-action lawsuit.

Lesson learned: Training employees on proper cybersecurity processes and protocols is critical for any organization. In this case, the lack of training or guidance on how to store sensitive information correctly resulted in a class-action lawsuit after sensitive personal information was exposed.

The big takeaway: a robust ITM program is a must

Understanding insider threats plays a major role in an organization’s ability to detect, respond to and prevent them effectively. As each of these five examples shows, it’s not always a malicious insider who causes brand damage or financial loss for an organization. 

The reality is that even well-intentioned employees can make mistakes. 

That’s why it’s critical for organizations to have a robust ITM program that allows them to monitor how data moves so they can prevent data loss. After all, data doesn’t move by itself; people move data. And people are the greatest risk to any organization. 

For more real-world examples of insider threats and additional valuable lessons learned, read the Proofpoint e-book, The Top 10 Biggest and Boldest Insider Threat Incidents of 2020-2021.