An insider threat arises when someone close to an organization, holding authorized access, misuses that access to harm the organization's critical information or systems. This person does not have to be an employee: third-party vendors, contractors, and partners can pose the same threat. Insider threats are either unintentional or malicious, depending on intent. An unintentional insider threat might be a negligent employee who falls for a phishing attack; a malicious one might involve deliberate data theft, corporate espionage, or data destruction.
Your biggest asset is also your biggest risk. The root cause of insider threats? People. Yet most security tools only analyze computer, network, or system data.
Threats can come from any level and from anyone with access to proprietary data; 25% of all security incidents involve insiders.
Recent insider threat statistics reveal that 69% of respondents say their organizations have experienced an attempted or successful theft or corruption of data in the last 12 months.
In practice, an insider is anyone the organization has placed in a position of trust, such as:
- A person given a badge or access device.
- A person to whom the organization has supplied a computer or network access.
- A person who develops the organization's products and services.
- A person who is knowledgeable about the organization's fundamentals.
- A person with access to protected information.
What Is a Malicious Insider?
An insider is any employee, vendor, executive, contractor, or other person who works directly with an organization. A malicious insider is one who intentionally misuses that access or data to harm the organization. Malicious insiders are harder to detect than external attackers because they know they must hide their tracks and steal or damage data without being caught, and because they usually hold legitimate access to that data as part of their job.
A malicious insider can be any employee or contractor, but most have high-privilege access to data. For example, a software engineer with database access to customer information might copy it and sell it to a competitor. That activity is difficult to distinguish from normal work, since the engineer's database access is legitimate.
Behavioral warning signs that often precede a malicious insider incident include:
- Frequent violations of data protection and compliance rules.
- Constant conflict with other employees.
- Consistently poor performance reviews.
- Lack of interest in projects or other job-related assignments.
- Misuse of travel and expense accounts.
- Interest in projects that do not involve them.
- Frequent use of sick leave.
Technical indicators include:
- Backdoors that provide open access to data, either from a remote location or internally.
- Installing hardware or software to remotely access their own system.
- Changing passwords on accounts they are not authorized to manage.
- Disabling antivirus tools or firewall settings without authorization.
- Installing malware.
- Installing unauthorized software.
- Attempts to access other users' devices or servers containing sensitive data.
The users who pose the greatest insider risk are:
- High-privilege users such as network administrators, executives, partners, and other users with permissions across sensitive data.
- Developers with access to production data through a development or staging environment.
- Resigned or terminated employees whose profiles and credentials are still enabled.
- Acquisition managers and employees.
- Vendors with internal access.
- Contractors with internal access.
- Partners with internal access.
Insider Threat Statistics
One-third of all organizations have faced an insider threat incident. The rest probably just don’t know it yet.
Incident categories reported: private or sensitive information unintentionally exposed; employee records compromised or stolen; customer records compromised or stolen; confidential records (trade secrets or intellectual property) compromised or stolen.
Insider Threat Examples
Because insider threats are harder to detect, they often go on for years. One example involved Desjardins, a Canadian financial services company. Staff routinely copied customer data to a shared drive so that everyone could use it. A malicious insider kept copying that data for two years before the company realized that 9.7 million customer records had been disclosed. Mitigating the breach cost Desjardins $108 million.
Technical employees can also damage data directly. A Cleveland-based organization suffered a denial of service, with servers crashing, after one of its developers deployed malicious code to the system. The code deleted user profiles and files, leaving the organization unable to work.
What Advantages Do Insider Threats Have Over Others?
Insider threats, meaning employees or other users with legitimate access to data, are difficult to detect. Their advantage is that legitimate access: they do not need to bypass firewalls, access policies, or other security infrastructure to reach data and steal it.
High-privilege users can be the most devastating in a malicious insider attack, because they can take data with little chance of detection. These users are not always employees; they can be vendors, contractors, partners, and other users with high-level access across all sensitive data.
What Is Not Considered an Insider Threat?
Corporations spend heavily on infrastructure to detect and block external threats. Those attackers are not considered insiders even if they bypass the controls and reach internal network data. Insider threats are specific trusted users with legitimate access to the internal network: they hold valid credentials, and administrators have granted them access policies for the data they need to do their jobs. They need no sophisticated malware or tools to reach data, because they are trusted employees, vendors, contractors, and executives.
Any attack that originates from an untrusted, external, unknown source is not an insider threat. Detecting insiders instead requires monitoring and logging tools capable of surfacing suspicious behavior. The older approach to managing users was to trust them blindly; a zero-trust network, combined with data loss prevention (DLP), is the current strategy, and it requires administrators and policy authors to treat every user and internal application as a potential threat.
What Are Characteristics of an Insider Threat?
An external threat usually has financial motives: stealing data, extorting money, and selling stolen data on darknet markets. An insider threat may share those goals, but more often it is an employee who accidentally falls for a sophisticated phishing or social engineering attack, or, in the malicious case, one who sets out to harm the organization through data theft.
Malicious insider threats involve fraud, corporate sabotage or espionage, or abuse of data access to pass trade secrets to a competitor. Not every insider threat is malicious, and the signs are hard to identify even with sophisticated systems. Because users generally have legitimate access to files and data, effective insider threat detection looks for unusual behavior and access requests and compares them against a benchmark of that user's normal activity.
- Tesla: A malicious insider, according to an Elon Musk memo, performed “quite extensive and damaging sabotage” to the Tesla system when the employee altered code to the Tesla Manufacturing Operating System and exported highly sensitive Tesla data to a third party.
- Facebook: In 2018, Facebook found that a security engineer was using internal tools and data to harass women.
- Coca Cola: An investigator found that a Coca Cola employee copied data of about 8000 employees to a personal external hard drive. After Coca Cola became aware of the data breach, the organization notified employees and offered free credit monitoring for a year.
- SunTrust Bank: A former SunTrust employee stole 1.5 million names, addresses, phone numbers and account balances for bank customers. Other sensitive data was not accessed, but it posed a risk to the bank and its customers.
Malicious insider activity generally falls into four categories:
- Sabotage: The goal is to damage a system or destroy data.
- Fraud: Data is stolen or altered in order to deceive, typically for gain and at the cost of corporate disruption.
- Theft of intellectual property: Proprietary information is valuable to an organization, and an attacker who steals it can cause long-term financial damage.
- Espionage: Sensitive trade secrets, files, and data are targets for an attacker who steals them to sell to competitors.
Unintentional insider threats stem from:
- Human error.
- Bad judgment.
- Unintentional aiding and abetting of an attacker.
- Stolen credentials.
Common insider threat indicators include:
- Large quantities of data saved or accessed by a single user.
- Emails containing sensitive data sent to a third party.
- Remote access to the network and data outside business hours or at irregular times.
- Multiple attempts to access blocked websites.
- Attempts to use USB ports and removable devices.
- Frequent requests for data unrelated to the employee's job function.
- Taking corporate machines home without permission.
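The baseline comparison described under "What Are Characteristics of an Insider Threat?" and the first three indicators in the list above can be turned into concrete detection logic. The following is an added example, not code from the original page or from Proofpoint's product. It assumes a constructed event log with the fields shown, a corporate mail domain of corp.example, business hours of 08:00 to 17:59 Monday to Friday, and a per-user benchmark built from that user's own daily read counts during a baseline period; all of these are assumptions for illustration.

```python
"""Score three insider-threat indicators over a constructed access log:
unusually large data access versus the user's own baseline, remote access
outside business hours, and sensitive data emailed to an external recipient.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

INTERNAL_DOMAINS = {"corp.example"}   # assumption: the organization's mail domain
BUSINESS_HOURS = range(8, 18)         # assumption: 08:00-17:59 counts as business hours
Z_THRESHOLD = 3.0                     # flag a day more than 3 std devs above baseline

# Constructed sample events (not real data). 'ts' is ISO-8601 local time.
# 2024-03-04..08 is a Monday..Friday baseline week; 2024-03-09 is a Saturday.
EVENTS = [
    {"user": "alice", "ts": "2024-03-04T10:12:00", "action": "read", "count": 40, "remote": False},
    {"user": "alice", "ts": "2024-03-05T11:02:00", "action": "read", "count": 45, "remote": False},
    {"user": "alice", "ts": "2024-03-06T09:40:00", "action": "read", "count": 38, "remote": False},
    {"user": "alice", "ts": "2024-03-07T14:15:00", "action": "read", "count": 42, "remote": False},
    {"user": "alice", "ts": "2024-03-08T16:30:00", "action": "read", "count": 41, "remote": False},
    # Bulk read on a Saturday night over VPN, then sensitive data mailed to a personal address.
    {"user": "alice", "ts": "2024-03-09T23:10:00", "action": "read", "count": 900, "remote": True},
    {"user": "alice", "ts": "2024-03-09T23:40:00", "action": "email", "sensitive": True,
     "recipient": "me@gmail.example"},
    {"user": "bob", "ts": "2024-03-04T09:00:00", "action": "read", "count": 10, "remote": False},
    {"user": "bob", "ts": "2024-03-05T09:00:00", "action": "read", "count": 12, "remote": False},
    {"user": "bob", "ts": "2024-03-06T09:00:00", "action": "read", "count": 11, "remote": False},
    {"user": "bob", "ts": "2024-03-07T09:00:00", "action": "read", "count": 9, "remote": False},
    {"user": "bob", "ts": "2024-03-08T09:00:00", "action": "read", "count": 10, "remote": False},
    # Normal Monday for bob: slightly above average, a non-sensitive external mail, internal sensitive mail.
    {"user": "bob", "ts": "2024-03-11T10:00:00", "action": "read", "count": 13, "remote": False},
    {"user": "bob", "ts": "2024-03-11T10:30:00", "action": "email", "sensitive": False,
     "recipient": "x@gmail.example"},
    {"user": "bob", "ts": "2024-03-11T10:45:00", "action": "email", "sensitive": True,
     "recipient": "hr@corp.example"},
]


def daily_read_counts(events):
    """Total 'read' counts per (user, ISO date)."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "read":
            totals[(e["user"], e["ts"][:10])] += e["count"]
    return totals


def build_baseline(events, baseline_end):
    """Per-user (mean, population stdev) of daily reads on days before baseline_end."""
    per_user = defaultdict(list)
    for (user, day), total in daily_read_counts(events).items():
        if day < baseline_end:
            per_user[user].append(total)
    # Need at least two baseline days for a meaningful spread.
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items() if len(v) >= 2}


def off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS."""
    dt = datetime.fromisoformat(ts)
    return dt.weekday() >= 5 or dt.hour not in BUSINESS_HOURS


def is_external(address):
    """True when the recipient's domain is not one of ours (case-insensitive)."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_indicators(events, baseline_end):
    """Return (user, date, indicator, detail) tuples for the three indicators."""
    baseline = build_baseline(events, baseline_end)
    findings = []
    # Indicator 1: volume of data accessed versus the user's own benchmark.
    for (user, day), total in daily_read_counts(events).items():
        if day < baseline_end or user not in baseline:
            continue
        mu, sigma = baseline[user]
        if sigma == 0:
            z = float("inf") if total > mu else 0.0   # flat baseline: any increase is anomalous
        else:
            z = (total - mu) / sigma
        if z > Z_THRESHOLD:
            findings.append((user, day, "volume", f"{total} reads vs baseline {mu:.1f}+/-{sigma:.1f}"))
    for e in events:
        # Indicator 2: remote access outside business hours.
        if e["action"] == "read" and e.get("remote") and off_hours(e["ts"]):
            findings.append((e["user"], e["ts"][:10], "off_hours_remote", e["ts"]))
        # Indicator 3: sensitive data emailed to a third party.
        if e["action"] == "email" and e.get("sensitive") and is_external(e["recipient"]):
            findings.append((e["user"], e["ts"][:10], "external_sensitive_email", e["recipient"]))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(EVENTS, "2024-03-09"):
        print(finding)
```

Running the script flags only alice, for all three indicators; bob's slightly busier Monday stays within three standard deviations of his own baseline and his external mail carried nothing sensitive. The benchmark is per user on purpose: a DBA's normal day would look like a data theft if compared to a support agent's.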
Baseline defenses against insider threats:
- Apply access policies based on employee roles and on the data each role actually needs to perform its job.
- Monitor access requests, both successful and unsuccessful.
- Use security and monitoring solutions that raise alerts and notifications when users display suspicious activity.
- Deploy tooling that specifically monitors user behavior for insider threats and malicious data access.
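The first two defenses above, role-based access limited to job need and logging of both allowed and denied requests, can be combined so that the audit trail itself feeds the "frequent requests for unrelated data" indicator. The following is an added example, not code from the original page or from Proofpoint's product. The role policy, data-set classifications, user names, and the alert threshold of three denials are all assumptions for illustration.

```python
"""Least-privilege role policy with full decision logging and a denial alert.

Every request, allowed or denied, is appended to an audit list; users who
accumulate DENIAL_ALERT_THRESHOLD denials are reported with the data sets
they tried to reach.
"""
from collections import defaultdict

# Assumed policy: each role lists only the data classifications its job requires.
ROLE_POLICY = {
    "support_agent": {"customer_contact"},
    "payroll_analyst": {"employee_records"},
    "developer": {"source_code"},  # deliberately no production customer data
    "dba": {"customer_contact", "customer_financial", "source_code"},
}

# Assumed classification of each data set.
DATASET_CLASS = {
    "crm.contacts": "customer_contact",
    "billing.cards": "customer_financial",
    "hr.payroll": "employee_records",
    "git.main": "source_code",
}

DENIAL_ALERT_THRESHOLD = 3  # assumption: three denials in the review window is worth a look


def authorize(user, role, dataset, audit):
    """Allow only what the role needs; record the decision whether allowed or denied.

    A user with no role (for example a terminated employee whose role was
    revoked but whose account still exists) is denied everything, and the
    attempt is still logged.
    """
    cls = DATASET_CLASS.get(dataset)            # unknown data sets are denied
    allowed = cls is not None and cls in ROLE_POLICY.get(role, set())
    audit.append({"user": user, "role": role, "dataset": dataset,
                  "class": cls, "allowed": allowed})
    return allowed


def denial_alerts(audit, threshold=DENIAL_ALERT_THRESHOLD):
    """Map user -> sorted data sets tried, for users at or above the denial threshold."""
    denied = defaultdict(list)
    for rec in audit:
        if not rec["allowed"]:
            denied[rec["user"]].append(rec["dataset"])
    return {u: sorted(set(ds)) for u, ds in denied.items() if len(ds) >= threshold}


def run_demo():
    """Replay a constructed request stream (not real data) and return (audit, alerts)."""
    audit = []
    requests = [
        ("carol", "support_agent", "crm.contacts"),
        ("dave", "developer", "git.main"),
        ("dave", "developer", "crm.contacts"),      # outside job function
        ("dave", "developer", "billing.cards"),     # outside job function
        ("dave", "developer", "hr.payroll"),        # outside job function
        ("erin", "payroll_analyst", "hr.payroll"),
        ("erin", "payroll_analyst", "billing.cards"),   # a single denial, below threshold
        ("frank", "dba", "billing.cards"),
        ("gina", None, "crm.contacts"),             # role revoked, account still live
    ]
    for user, role, dataset in requests:
        authorize(user, role, dataset, audit)
    return audit, denial_alerts(audit)


if __name__ == "__main__":
    audit_log, alerts = run_demo()
    for rec in audit_log:
        print("ALLOW" if rec["allowed"] else "DENY ", rec["user"], rec["dataset"])
    print("alerts:", alerts)
```

Only dave trips the alert: three denials across customer contact, card, and payroll data, none of which a developer role needs. erin's single denial and gina's denied attempt with a revoked role are logged but stay below the threshold, which is the point of recording unsuccessful requests: the denied attempts are often the first visible sign, long before any successful theft.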
How to Stop Insider Threats
To stop insider threats, both malicious and inadvertent, you must continuously monitor user activity and act when incidents arise.
The potential harms are numerous: malware installation, financial fraud, data corruption, and theft of valuable information. To counter all of these scenarios, organizations should implement an insider threat solution with six key capabilities:
- Detect insider threats: uncover risky user activity by identifying anomalous behavior.
- Investigate suspicious user activity in minutes, not days.
- Reduce risk with real-time user notifications and blocking.
- Protect user privacy: anonymize user data to protect employee and contractor privacy and meet regulations.
- Meet key compliance requirements regarding insider threats in a streamlined manner.
- Integrate insider threat management and detection with SIEMs and other security tools for greater insight.
Insider Threats FAQs
How Many Potential Insider Threat Indicators Are There?
Any user with internal access to your data could be an insider threat. Vendors, contractors, and employees are all potential insider threats. Suspicious events from specific insider threat indicators include:
- Recruitment: Employees and contractors can be convinced by outside attackers to send sensitive data to a third party.
- Voluntary: Disgruntled and dissatisfied employees can voluntarily send or sell data to a third party without any coercion.
- Unknowing: Due to phishing or social engineering, an individual may disclose sensitive information to a third party.
What Advantages Do Insider Threats Have Over Others?
Because insiders already have at least basic access to data, they hold an advantage over an external attacker who must get past firewalls and intrusion detection. How much they can reach depends on their permissions, so a high-privilege user can access the most sensitive information without bypassing any security rule at all.
What Is Not Considered a Potential Insider Threat?
External threats remain a concern for every organization, but insider threats require a distinct strategy that focuses on users who already have access rather than on users trying to bypass authorization. Attacks that originate from outsiders with no relationship to the organization and no access to its data are not considered insider threats. Note, however, that insiders can help external attackers gain access to data, either deliberately or unintentionally.