What is a Cyber Security Insider Threat? Definition and Examples

Insider security threats are a major problem that all organisations face. According to the 2021 Verizon Data Breach Investigations Report, insiders are responsible for 22% of all security incidents.

Meanwhile, a Ponemon Institute report found that the average global cost of an insider incident increased by almost a third between 2018 and 2020 – making them almost twice as costly as the average data breach.

In this blog, we explain what insider threats are, how they occur and what you can do to prevent them.

What are insider threats in cyber security?

An insider threat is someone within your organisation who jeopardises the confidentiality, integrity or availability of sensitive information.

They might do this by inadvertently leaking sensitive information, falling for a scam, damaging physical assets, misplacing company devices or deliberately sabotaging systems.

Anyone with access to sensitive information or assets is a potential insider threat. This includes employees, contractors and partners. Former employees can be insider threats if they still have access to sensitive information after they leave the organisation.

Types of insider threats

There are, broadly speaking, two types of insider threat: malicious actors and negligent employees. In this section, we explain the difference between them and the reasons they are a threat.

Malicious insiders

A malicious insider is someone who deliberately steals sensitive data or sabotages an organisation. They typically do this for financial gain, using the stolen information to commit fraud or to sell to a third party, such as a competitor or criminal hacking group.

Another motivation for malicious insiders is revenge. This is most commonly the case for recently departed employees who hold a grudge against their former employer.

If the person still has access to sensitive systems – whether that’s because their company login credentials remain active or they have a key to the building – they are liable to cause disruption.

Existing employees can also be motivated by revenge. This often happens when they have been passed up for a promotion or otherwise feel unvalued. They can use their access to the organisation’s systems to cause disruption or steal sensitive information.

Negligent insiders

Negligent insider threats occur when employees make mistakes, such as losing a company device or falling for a phishing scam.

These types of incidents fall into two sub-categories. First, there are employees who generally exhibit good judgement but cause a data breach because of extenuating circumstances. For example, they might have made the mistake because they were overworked or distracted.

By contrast, some negligent insiders repeatedly flout the rules and are unresponsive to staff awareness training. They often justify their actions by claiming that the organisation’s policies and processes are unnecessarily bureaucratic or too inconvenient.

They may even use the fact that they haven’t yet caused a data breach as proof of their position. If this is the case, it’s more likely good fortune than judgement, and a data breach will almost certainly occur at some point.

These types of employees are often senior executives, which can make it difficult for organisations to address the issue. More worryingly, such employees are often those most likely to be targeted by sophisticated scams, such as BEC (business email compromise) schemes.

How common are insider threats?

Insider threats are an ever-present cyber security risk. According to Cybersecurity Insiders’ 2021 Insider Threat Report, almost all organisations (98%) said they felt vulnerable to insider attacks.

As common as these incidents are, they are difficult to analyse. In many cases, the exact source of the data breach is unknown, and the damage is hard to quantify. Cybersecurity Insiders found that only 51% of organisations were able to detect insider threats or could only do so after the information had been breached.

Meanwhile, 82% of respondents said they found it difficult to determine the actual damage of an attack, and 89% didn’t believe that their ability to monitor, detect and respond to insider threats was effective.

Examples of insider threats

1. Theft of trade secrets

The US multinational company General Electric learned in July 2022 that an employee had stolen more than 8,000 sensitive files in a breach that spanned more than eight years. 

An engineer at the firm, Jean Patrice Delia, had persuaded an IT administrator to grant him access to sensitive information, which he siphoned off with the intention of starting a rival company. 

The FBI investigated the incident and learned that Delia emailed commercially sensitive information to a co-conspirator. He eventually pleaded guilty to the charges and was sentenced to up to 87 months in prison. 

2. Phishing

Phishing is perhaps the biggest cyber security risk that organisations face, affecting organisations of all sizes and in all sectors.

The NHS learned that to its cost this year, after more than 130 email accounts were compromised in a prolonged phishing campaign. 

The Cloud security firm Inky found that scammers sent 1,157 phishing emails originating from NHS mail between October 2021 and March 2022. 

The emails contained a link that directed recipients to a bogus Microsoft 365 login page, asking them to provide their login details.

Inky reported that at least 139 NHS emails were compromised in the attack, but the true scope of the campaign was likely much larger, because the organisation only analysed phishing attacks made against its own customers. 

3. Sabotage

A system administrator who lost his job at a paper mill served 34 months in prison after tampering with the control systems of his former employer and causing $1.1 million (about £900,000) in damages.

Brian Johnson, who had been made redundant by the paper manufacturer Georgia-Pacific after 15 years’ service, was able to use login credentials that remained valid. He accessed servers via a VPN from his home, installing his own software and altering the industrial control systems.

In a two-week-long attack on the firm’s factory in Port Hudson, Louisiana, Johnson created a series of delays that cost his former employer huge sums in missed deadlines. 

4. Financially motivated

In June 2022, a Taco Bell employee was caught stealing customers’ credit card details and using the numbers to buy items for herself. 

Police were called after a victim reported that someone had tried to use their credit card at a nearby Pizza Hut. 

The investigation soon led to 36-year-old Laquawanda Hawkins, who worked in Taco Bell’s drive-thru. CCTV footage revealed that she had taken photographs of customers’ bank cards and used the information to make a series of purchases locally and online.

5. Internal error

Pegasus Airline accidentally left 23 million files containing personal data exposed online after an employee improperly configured a database. The incident was reported in June 2022 after the Turkish airline discovered the error. 

Organisations often use third-party services to store sensitive information, because it saves them money and resources. With a Cloud service provider, the data is stored on a central server that can be accessed online. 

Because the information is stored online, organisations must adopt appropriate controls to ensure that only authorised people can access the information. 

In this case, an employee misconfigured the security settings, exposing valuable information such as flight charts, navigation materials and personal data of flight crew.

The database also contained up to 400 files with plaintext passwords and secret keys, as well as the source code for the software. 

How to detect insider threats

Whether you’re trying to spot malicious or negligent behaviour, the best way to detect insider threats is to keep an eye out for employees acting abnormally.

For example, if an employee appears to be dissatisfied at work, they might act less professionally in person and in correspondence. Likewise, the quality of their work might decline and they may show other signs of insubordination, such as turning up to work late or leaving early.

Suspicious behaviour can also include working at unusual times. If an employee logs in to their systems in the middle of the night, it suggests they are doing something that they don’t want their employer to know about.

Similarly, if there is a large volume of traffic, it might indicate that the employee is copying sensitive information to a personal hard drive, which they can use for fraudulent purposes.

Most telling, however, is if the employee accesses resources that they wouldn’t ordinarily need for their job. This suggests that they are using information for illegitimate purposes, whether that’s to commit fraud or to share with a third party.

Other signs of insider threat include:

  • Using unauthorised storage devices (such as USB drives and the Cloud);
  • Network crawling and searching for sensitive data;
  • Data hoarding;
  • Copying files from sensitive folders;
  • Emailing sensitive data to non-work affiliated accounts;
  • Attempting to bypass security mechanisms;
  • Violating the organisation’s security policies; and
  • Speaking to colleagues about resigning or looking for other jobs.
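As an added illustration, not from the original post, the behavioural indicators above expressed as simple detection rules run over constructed audit-log lines; the log format, the role-to-resource map, the working-hours window and the bulk-transfer threshold are all assumptions:

```python
# Added example: rule-based triage of constructed audit-log lines for the
# indicators listed above. Not the post's own tooling; thresholds are assumed.
import csv
from datetime import datetime
from io import StringIO

# Constructed sample log, not real data: timestamp,user,role,action,resource,bytes
SAMPLE_LOG = """\
2022-06-01T09:12:00,alice,engineering,login,vpn,0
2022-06-01T09:30:00,alice,engineering,read,/eng/designs,120000
2022-06-01T02:47:00,bob,engineering,login,vpn,0
2022-06-01T02:55:00,bob,engineering,read,/finance/payroll,3500000
2022-06-01T03:10:00,bob,engineering,copy,usb:E:,900000000
2022-06-01T14:00:00,carol,finance,read,/finance/payroll,40000
"""
FIELDS = ["ts", "user", "role", "action", "resource", "bytes"]

# Assumed least-privilege map: which resources each role actually needs
ROLE_RESOURCES = {
    "engineering": {"vpn", "/eng/designs"},
    "finance": {"vpn", "/finance/payroll"},
}
WORK_HOURS = range(7, 20)     # 07:00-19:59 is a normal working day here
BULK_BYTES = 500_000_000      # a single 500 MB+ action counts as bulk


def flag_events(log_text, role_resources=ROLE_RESOURCES):
    """Return (user, reason) tuples, one per indicator hit, in log order."""
    findings = []
    for row in csv.DictReader(StringIO(log_text), fieldnames=FIELDS):
        ts = datetime.fromisoformat(row["ts"])
        user, role, resource = row["user"], row["role"], row["resource"]
        if row["action"] == "login" and ts.hour not in WORK_HOURS:
            findings.append((user, f"off-hours login at {ts:%H:%M}"))
        if resource.startswith("usb:"):
            findings.append((user, f"copy to unauthorised storage {resource}"))
        elif resource not in role_resources.get(role, set()):
            findings.append((user, f"{role} role accessed out-of-scope {resource}"))
        if int(row["bytes"]) >= BULK_BYTES:
            findings.append((user, f"bulk transfer of {row['bytes']} bytes"))
    return findings


def users_by_hit_count(findings):
    """Rank users by number of indicators hit, most first, for analyst review."""
    counts = {}
    for user, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Each hit is a prompt for review rather than proof of wrongdoing: an on-call engineer legitimately logs in at night, so the value is in a user accumulating several unrelated indicators.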

How to protect against insider threats

Insider threats can occur in any number of ways, which means there’s no single solution you can use to mitigate the risk. You must instead take a holistic approach, with an overarching security mechanism to address your vulnerabilities.

You should start with technical controls to protect critical assets. This should include network monitoring so you can see when users are active, as well as the documents that they view.

Alongside this, you should implement access controls to ensure that employees can only view information that’s relevant to their job. This will take time to configure, as the requirements for each job role will differ.

However, you can cut down on the work by identifying information that’s suitable for everyone in the organisation to view as well as highly classified information that only senior personnel can access.

From there, access to information can be controlled based on its purpose and who in the organisation uses it.

In addition to technical controls, you should adopt cyber security policies that outline employees’ requirements when handling sensitive information.

Likewise, you should take steps to promote the organisation’s security culture. This will give staff a greater understanding of insider threats and mitigate the risk of accidental data breaches.

Demonstrating a company-wide commitment to information security will also dissuade malicious action, as potential wrongdoers learn about the measures the organisation has in place to detect and identify the source of data breaches.

The best place to start when developing a security culture is staff awareness training. An effective course will promote the importance of cyber security and demonstrate the technical and organisational measures that are in place to mitigate the risk.

You can give employees all the information they need with our Complete Staff Awareness E-learning Suite.

This online course offers a quick, affordable and comprehensive solution to your training needs.

It contains all eight of our e-learning courses, covering essential topics such as the GDPR, ISO 27001 and phishing. All you need to do is purchase a licence for the number of staff taking the courses.

The suite is available on a one-year, easily renewable licence, and the courses can be taken as many times as you like.
