Insider Threat: Examples, Countermeasures & Cybersecurity Tips

As the name suggests, an insider threat is a security risk that originates inside an organization. More specifically, the term insider threat refers to persons who cause harm to the organization they work for, although not necessarily on purpose. Typical examples of insider threats are employees or ex-employees as well as contractors or business partners.

What makes insider threats so devious is not just the fact that, as colleagues and members of staff, the people responsible have easy access to sensitive data, but that they are able to hide in plain sight by abusing the trust placed in them by their employees. In fact, many organizations ignore the risk of insider attacks entirely.

Most companies center their cybersecurity strategy on external attacks, such as targeted hacks or malicious programs like ransomware. They fail to acknowledge the risks and vulnerabilities that exist within, often until it is too late.

According to Verizon’s Data Breach Investigations Report of 2019, 36% of data breaches were caused by insiders. Internal offenders are responsible for 34% of incidents in the public sector and no less than 54% of incidents in the health care sector. The latter figure is particularly alarming and illustrates an issue that is often picked up on by the media:

An incident that occurred in The Hague perfectly reflects the problem: in this case, hospital staff gained access to a prominent patient‘s personal and confidential data, which led to the hospital to being fined € 460,000 for violating the GDPR.

Individuals who may turn into insider threats usually have access to confidential business information. The data is then obstructed due to reckless or negligent behavior. There are three types of internal perpetrators:

A person with malicious intent who deliberately exploits their level of access to steal information. Malicious insiders often have a financial motivation, though they could also be trying to settle a score. This could be an ex-employee with a grudge against their former boss, or someone looking to sell internal data to competitors. Insiders have an advantage over external attackers (e.g. hackers) because they are familiar with safety procedures and internal policies. This knowledge gives them insight into possible weaknesses they can exploit.

Moles are scammers who gain access to your network or protected systems by posing as a trusted insider such as a contractor or business partner. Their intent is to abuse this level of access to steal and sell data or use it for other malicious purposes, such as threatening to leak confidential information in order to blackmail a business.

In theory, moles could go so far as to join your company by interviewing for job openings in order to gain physical access to your premises. However, the level of risk and effort associated with this form of corporate espionage makes it quite rare.

It is far more common for moles to exploit the existing business relationships of a company, since most organizations work with a variety of freelancers and contractors. Using stolen credentials or social engineering, moles aim to gain access to this extended network and the company data that legitimate business partners work with.

The most common type of insider threat is the person you least expect: an innocent employee, possibly even your most loyal worker, who jeopardizes cybersecurity by accident. This unintentional threat to security can come in many forms: clicking on a link or opening the attachment of a phishing email, entering their password into a fake website designed to imitate a real one, installing unauthorized software on their PC (a.k.a. shadow IT) etc.

However it happens: This brief moment of carelessness can be enough to infect your entire network with malware or ransomware, putting company data at risk and potentially damaging IT resources and hardware.

Data breaches that are caused by insiders are notoriously hard to detect. Insiders not only have access to sensitive data, they also know your security program well enough to be able to cover their tracks. That’s why it can take months until these events are discovered. Likewise, predicting whether someone in your organization intends to cause harm can be tricky: obsessing over employee activity or accusing them of hidden agenda can lead to fear and paranoia in the workplace, which cause enormous damage to company culture.

Given these obstacles, the most effective safety measure recommended by cybersecurity experts in order to protect yourself from the loss of critical data is to practice an abundance of caution at all times. You may know this concept as Zero Trust Security, an approach to network protection that can be summarized by the phrase “never trust, always verify“. In other words, under the Zero Trust approach, even devices within the company network require authentication in order to access IT resources. This offers an additional layer of protection compared to traditional perimeter security (i.e. firewalls and malware blockers), which has external threats as the center of its attention.

However, the Zero Trust philosophy is not just about verifying access, but also about limiting access. Your company network contains a huge amount of data, spread out across different folders, systems and applications. But each employee only really uses a small subset of these resources for their work. Allowing employees to access resources that are beyond their intended role is a needless risk that only increases the likelihood and potential scope of employee data theft. That’s why a key step towards implementing Zero Trust security is the so-called Principle of Least Privilege, which means everyone should have the minimum level of access required to do their job.

Now that we’ve established what insider threats are and which precautions you can take to help prevent them, let’s examine at a few common scenarios that can put your company at risk. These are general examples designed to showcase typical risks and what to look out for. Keep in mind that every organization is unique and optimal IT security is always based on your specific circumstances.

Scenario: In times of COVID, many companies are either implementing a remote work program for the first time, or rapidly scaling up their existing remote/home office setup. The problem: The risk of being caught stealing data is much lower when you are using remote access rather than being physically present at the office.

Tip: Tighten security controls for certain functions and system access. Review your system configurations and assess which settings can improve your management, reporting, and security. Solid file and file server privileges are just as important as maintaining protocol on operating systems and applications.

Attacks are likely to occur outside of business hours. It is therefore advisable to consider limiting the hours during which remote system access is permitted (i.e. no access after hours and on weekends).

Scenario: Many organizations “stockpile” access privileges to essential systems and data and even pass them on to contractors, freelancers, clients, vendors and/or service providers. Although this might be convenient in the moment, it puts your sensitive data at serious risk.

Tip: Use identity & access management software to enforce appropriate access based on the need-to-know and least-privilege-principle. A dedicated IAM solution makes permission management quick and painless by automating the background processes involved in tracking and updating user privileges. This ensures that all accounts and permissions are kept up to date, no one has access to data they do not need and access rights are fully documented for audits and incident reviews.

Furthermore, you should regularly review third-party accounts to ensure that permissions are withdrawn once they have served their purpose. An access management platform such as tenfold allows you to automate these so-called user access reviews.

Scenario: An employee shares confidential information via email or an IM app, causing the information to fall into the wrong hands.

Tip: One of the most effective measures to intercept confidential information leaving the network is to set up a network analyzer that filters keywords, attachments, etc. Client-based or server-based content filters are able to intercept and block outgoing confidential information.

Another threat that comes through emails and messaging apps are phishing scams and other social engineering schemes. Ensure that your staff are sufficiently educated on the subject of IT security and invest in the appropriate trainings. This will help to further reduce the risk of your workers becoming insider threats due to ignorance or negligence.

Scenario: While file sharing software such as Dropbox or Google Drive are very practical, they unfortunately also open the floodgates to data abuse. The tools themselves are not the issue here, but the way they are being used. One wrong configuration and your confidential data could easily fall into the wrong hands.

Tip: Steer clear of unsafe file-sharing services and instead opt for secure tools like Teams, OneDrive or SharePoint, which give you more control over shared data. Unfortunately, even these services can expose data to more accounts than originally intended!

In addition to controlling who in the organization has access to files and folders located on shared resources (e.g. by setting share and/or NTFS permissions), you should also enable access-based enumeration. This prevents users from seeing folders they cannot access. Even seeing the folder name (“NY-Office-Restructuring”, for instance) could clue them in to confidential information.

Remember: Internal perpetrators can only compromise data they have access to. Consequently, the best way to mitigate the risks posed by insiders is to restrict access to company data as much as possible using an identity & access management solution.

Make sure you are in control over who has access to what information in your organization. Apply the principle of least privilege to reduce privileges to a minimum – and don’t forget to review them regularly.

Organizations past a certain size are well advised to find ways that automate processes involved in the management of access rights. For this purpose, tenfold has standardized such processes and uses a so-called profile system, which must be defined only once upon implementation. The software then assigns default rights to users automatically, based on user attributes such as department or job title. It does this for all connected systems (e.g. Active Directory®, SAP ERP®, etc.).

tenfold further compares existing privileges with the profiles you have set up and takes away any unnecessary privileges. If you would like to learn more about tenfold or witness the software in action, you can download our product info or request a free trial.