Insider Threats 101: How To Detect and Minimize Risks from Within

by Javvad Malik

This article is the first in a two-part series. Read the second part here.

According to a 2015 Grand Theft Data report from Intel, internal actors were responsible for 43 percent of data loss; half of this was intentional, while the other half was accidental. Insider threats are not new, but ever since Edward Snowden publicly showcased the immense amount of damage that a maliciously-motivated insider can cause, they have become a much more serious concern for many companies.

The corporate world has historically been consumed with guarding against cybercriminals, hackers and other malicious attackers from the outside world. And though organizations of all sizes are starting to take the time to understand the nature of insider threats and prioritize efforts to prevent, detect and respond to them, there is still a lot of educating left to do about the serious risks insiders can pose, as well as the best ways to defend against them.

What Is An Insider Threat?
Many professionals mistakenly limit their view of “insiders” to a company’s permanent or temporary employees, but the term’s definition is actually much broader. An insider is any individual with legitimate access to information within the corporate perimeter – physical or virtual. In addition to employees, this inner circle can include third-party contractors, third-party support companies, partners and outsourced service providers.

A threat can be defined as something or someone that exploits a vulnerability in a specific target. In the case of insiders, this can be reframed as someone abusing the trust of a company with which they are closely associated. Put another way, an insider threat is someone who misuses the legitimate access granted to them in ways that could potentially harm their organization, and their actions are usually driven by a self-serving purpose.

So far, these definitions are simple enough, but here’s where the lines begin to blur. While some insiders can and do maliciously set out to harm their company, many do so unknowingly through user error and honest mistakes. For this reason, it’s important to break down insider threats into three broad categories:

  • Non-malicious insiders – Users who perform actions with no ill intent that can nevertheless cause harm to an organization. User error (e.g., entering confidential data into the wrong system or unsuspectingly clicking a phishing link) and accidents (e.g., losing a laptop) fall into this bucket. This category also includes users who use non-approved IT tools to do their job. For example, an employee may use a cloud-based file-sharing app to increase his or her productivity, inadvertently exposing company data.
  • Malicious insiders – Individuals who are aware of the negative implications their actions will have on the target organization, yet still pursue that course of action. This category ranges from users who take information when leaving an organization for personal use in future jobs, to angry insiders seeking to damage company assets or steal data, to, at the highest level, maliciously-motivated employees engaged in corporate espionage.
  • Compromised insiders – Often overlooked, this group of insiders have had their credentials exposed, compromised or captured as part of a targeted attack. Although the actor behind the account is not actually an insider, the use of legitimate credentials makes them appear to be.

Javvad Malik is a security advocate at AlienVault.


WWPI – Covering the best in IT since 1980