What is an Insider Threat?

Updated: Aug 13

In 2020 about 60% of data breaches were caused by an insider, with an average annual cost of $11.5 million. An insider threat is any threat to an organization that comes from people within the company itself. Insider threats can be malicious (someone who wants to do the company harm) or non-malicious (someone who unintentionally causes harm to the company). Insider threats pose a significant risk because they are already inside the company and aren’t subject to the same security controls that an attacker from outside the company would need to get through. They also have access to company data and the internal network, and have insider knowledge of the company that could be used to cause harm.

Common Types of Insider Threats

Malicious Insiders (Infiltrators): These are threat actors who have managed to obtain legitimate credentials within the organization. This can be through compromising a legitimate account or even getting a job within the company.

Employees: While employees may not intentionally cause the company any harm, their lack of awareness can cause security issues for the company through things like phishing, weak passwords, allowing people to tailgate them, etc. This is an example of a non-malicious insider that accidentally causes damage.

Disgruntled Employees: These are employees who have an issue with the company: maybe they were fired, or denied a promotion or a raise, which has led to animosity towards the company. Often they will sabotage the company in some way as a form of revenge.

APTs: Advanced persistent threats are threat actors that sit on a company’s network for a long time, exfiltrating information, planting malware, or performing some other type of malicious activity. They can sit on a network undetected for weeks or months at a time. On average it takes about 197 days for a company to detect a data breach and 67 days to contain it.

Source @ Sophos News

Third Parties: This can be anything from an independent contractor to a third-party service provider. These entities tend to have access to company information or the company network, so any compromise of the third party can lead to issues for the company that is using their services.

How to defend against insider threats

Security Awareness Training: The first thing you should invest in is security awareness training. This limits the possibility that one of your employees will accidentally fall prey to a phishing email or social engineering trick, or perform any other type of activity that may be harmful to the business.

Onboarding and Offboarding procedures: By having proper onboarding procedures for employees and third-party vendors you can make sure that you audit any business relationship you have, to ensure that it meets the required security standards of your business. You can also establish what needs to be done if a data breach does occur, such as notifying you in a timely manner. This way, if a third-party vendor does suffer a data breach, they will know exactly what they should do to prevent it from affecting your company. The offboarding aspect reduces the likelihood of a disgruntled employee or business partner being able to sabotage your business, by promptly removing their access following termination.
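As an added illustration of the offboarding check this section calls for (example code written here, not code from the original article), the following Python reconciles a constructed HR roster against a constructed account export and lists enabled accounts whose owner has already left, ranking accounts that were actually used after the termination date first; it also flags enabled accounts with no HR owner at all, since nobody's departure will ever trigger their removal. The roster and account field names are assumptions, not any particular product's schema.

```python
from datetime import date

# Constructed sample HR roster: employee id -> termination date (None = still employed)
HR_ROSTER = {
    "e1001": None,
    "e1002": date(2023, 3, 31),
    "e1003": date(2023, 6, 15),
}

# Constructed sample account export (field names are assumed, not a real product's)
ACCOUNTS = [
    {"user": "alice", "owner": "e1001", "enabled": True, "last_login": date(2023, 7, 1)},
    {"user": "bob", "owner": "e1002", "enabled": True, "last_login": date(2023, 4, 20)},
    {"user": "carol", "owner": "e1003", "enabled": False, "last_login": date(2023, 6, 14)},
    {"user": "svc-backup", "owner": "e1002", "enabled": True, "last_login": None},
    {"user": "dan", "owner": "e9999", "enabled": True, "last_login": None},
]

AUDIT_DATE = date(2023, 7, 10)  # constructed "today" for the audit run


def offboarding_gaps(roster, accounts, today):
    """Return enabled accounts that offboarding should already have disabled.

    A finding is raised when the owner's termination date is on or before
    `today`, or when no HR record owns the account at all. Findings are
    ordered so accounts used after termination come first, then by how long
    the account has stayed open.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        owner = acct["owner"]
        if owner not in roster:
            findings.append({"user": acct["user"], "owner": owner, "reason": "no HR record",
                             "days_open": None, "used_after_termination": None})
            continue
        term = roster[owner]
        if term is None or term > today:
            continue  # owner still employed (or not yet left)
        used_after = acct["last_login"] is not None and acct["last_login"] > term
        findings.append({"user": acct["user"], "owner": owner, "reason": "terminated",
                         "days_open": (today - term).days,
                         "used_after_termination": used_after})
    findings.sort(key=lambda f: (f["used_after_termination"] is not True,
                                 -(f["days_open"] or 0)))
    return findings


if __name__ == "__main__":
    for finding in offboarding_gaps(HR_ROSTER, ACCOUNTS, AUDIT_DATE):
        print(finding)
```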

Threat Hunting: This is your main defense against any type of APT. Threat hunting is proactively looking at your environment for any signs of threat actors on the network. It’s really the only way to find someone who is sitting on your network, short of them making a mistake that reveals them.

Model of Least Privilege: The least privilege model simply means that employees should only be given the access that they need to do their job and nothing more. This way, whether they are malicious or not, they are limited in the number of actions they can perform that may harm the company. This helps to mitigate the damage in the event of an insider threat.

Zero Trust Principles: Adopting a zero trust model simply means requiring all users to authenticate no matter where they are on the network. This way even insiders can be prevented from accessing resources, because the system doesn't give them any access by default. In this model trust is seen as a vulnerability, and therefore it strives to remove it wherever possible.

How to get more free content

If you like this article and would like to read more of our content for cybersecurity insights, tips and tricks feel free to follow us on our social media. If you’re a struggling business owner who needs help in assessing their business’s cybersecurity posture feel free to take advantage of our free introductory assessment and we’ll help you figure out a game plan for keeping your company safe.