8 Insider Threat Indicators to Watch out For
There are many kinds of cyber threats that companies have to watch out for. However, one of the biggest such threats—and the one that many organizations fail to account for—is the insider threat.
What are insider threats? Why are they so dangerous? Most importantly, what can you do about them? To help you increase your organization’s cyber awareness, here’s some information about insider threats:
What is an Insider Threat?
An insider threat is any security threat that comes from within the organization or system being targeted by the attack. These threats are launched by current or former employees, consultants, vendors, or others who have intimate knowledge of (or direct access to) the organization’s systems.
The motives behind an insider cyberattack may vary from one case to the next. Potential motives that may drive internal attackers include:
- Revenge. Some insider attacks are carried out as a type of revenge by a disgruntled employee. Here, the usual goal of the attack is to cause as much damage as possible. Not all disgruntled employees will do this—and some who do may be reacting to imagined slights rather than intended ones.
- Profit. A common motivation for insider attacks is personal profit. Here, the attacker is abusing their access and knowledge to gain extra money—typically by diverting funds or by taking and selling sensitive information for a profit.
- Espionage. Some insider attacks are conducted by agents from outside organizations (such as other countries or other companies). The goals of these agents may include disrupting operations, stealing intellectual property (IP), or gathering intelligence. These agents infiltrate your organization specifically to carry out insider attacks.
- Accidental. Not all insider threats come from malicious intent. There are occasions where an employee or vendor may cause a security breach unintentionally. Accidental insider attacks often involve mishaps like people sending emails to the wrong recipients, falling for phishing scams, or sharing their account credentials with others. In many cases, the employee may never realize the impact of their actions.
Regardless of motivation, insider threats are a major risk for any organization. There are numerous insider threat examples—both intentional and accidental—that could be used to highlight the dangers and impacts of these attacks.
In addition to these motives, the USA’s National Cybersecurity and Communications Integration Center cites several “risk characteristics” that can contribute to the decision to attack:
- General Deterrence Theory. The insider may attack if benefits outweigh expected costs/deterrents.
- Social Bond Theory. An insider may attack if their bonds of attachment, commitment, or involvement with the organization or their peers are weak.
- Social Learning Theory. An insider may become motivated to attack if they associate with delinquent peers (thus learning that delinquent behaviors are acceptable).
- Theory of Planned Behavior. The insider’s intentions (attitude, projected norms, and behavior control) towards crime can predict behavior.
- Situational Crime Prevention. The insider attacks because both motive and opportunity exist for the crime to occur.
Different internal threat actors may exhibit one or more of the above characteristics prior to carrying out an attack. Understanding these characteristics can be crucial for creating policies, procedures, and work environments that discourage malicious insider threats.
Insider Threat Statistics
To fully appreciate just how much of a threat insider attacks pose, it’s important to have some solid information. Here are a few insider threat statistics to consider:
- 34% of Data Breaches Are Caused by Insider Threats. According to data from the 2019 Verizon Data Breach report, 34% of data breaches involved “internal actors.”
- 21% of Breaches Are Caused by Errors. The Verizon report shows that 21% of all breaches had “errors” listed as the causal event.
- 43%. This is the percentage of breaches that affect small businesses (from all breach sources) according to the Verizon report.
- More Than Half of Attacks Are Motivated by Financial Gain. Though this statistic varies from one year to the next, the Verizon report shows that financial gain is the primary motivation in more than half of all cyberattacks. This includes malicious insider threats.
- $3.9 million. This is the average cost of a data breach according to data from an IBM/Ponemon Institute joint study. The IBM study also states that “The U.S. is the most expensive country” for data breaches.
- $370,000. Also according to the IBM/Ponemon study, this is how much extra a data breach will cost if it involves a third-party vendor.
The key takeaways from these statistics are that insider cyberattacks are all too common, and that they may have a significant impact on your organization. So, strong cyber awareness of insider attack risks is key for any robust cybersecurity strategy.
Insider Threat Indicators
One part of avoiding cyberattacks from inside sources is being able to identify key insider threat indicators. Knowing these key indicators is crucial for spotting potential threats and nullifying them before they can cause harm.
Part of this is knowing the different characteristics of a potential malicious actor that were outlined in the National Cybersecurity and Communications Integration document cited earlier. However, there are some specific behaviors that can be used for insider threat certification:
- Abnormal Access Requests. A malicious insider may start to try to access systems and data that they normally wouldn’t. For example, a customer service rep might start trying to access financial data, or an accountant might start prying into design document files. Users trying to access information not related to their job function is often an early warning sign of an impending attack (or one in progress).
- Self-Escalation of User Privileges. An impending insider threat actor may try to find ways to increase their access to sensitive systems and data prior to an attack. With increased access, the malicious insider can cause more damage, steal information more easily, or better cover their tracks.
- Using Unauthorized Storage Media. When trying to steal data, some insiders with direct access to your systems may transfer the files to a physical media rather than sending it to a remote server—especially when taking files from an isolated system. Bringing unauthorized storage media, such as USB drives or CD/DVD burners, could be an indicator of a premeditated attack.
- Sending Emails to Recipients Outside the Organization. If an employee is regularly sending emails from their company email to recipients outside the organization (who aren’t clients, vendors, or others with whom your company does business), that could be an indication of an insider threat. This is especially true if the emails contain sensitive information or file attachments. However, this could also be an indication of a hijacked user account.
- Accessing Information and Systems During Off Hours/Vacations. Another warning sign that someone may be planning an attack from the inside is if they are attempting to access sensitive information at periods of time where they should be off work—such as during after-hours or when the employee is on vacation. Of course, this could also be an indicator of a hijacked employee account—especially if the accessing IP address is from overseas.
- Sudden Changes in Behavior Towards Coworkers. Employees who are plotting (or have recently carried out) an insider attack may demonstrate sudden changes in behavior towards their coworkers. They may be more short-tempered and dismissive, or even suddenly elated and friendly. However, behavioral changes can be attributed to many other factors, so they shouldn’t be relied on as a primary form of insider threat certification.
- Unexplained Financial Gains. If an employee displays sudden financial affluence without real explanation, they may have committed an attack already. However, it can be hard to get wind of this directly from an employee, as they may not do something as drastic as upgrading their car from a beat-up Pinto to a Tesla Model X. However, an employee who previously complained about their financial woes (college debt, loan repayment, etc.) that is suddenly in the clear could either be very lucky with the Lotto, or be the culprit behind an insider cyberattack.
- Suddenly Quitting. Some insiders who carry out an attack may decide to do so right after deciding to quit. In some cases, they may feel that they don’t have much to lose, since they’re already leaving. An employee declaring that they’re quitting out of the blue may be planning a simple career upgrade—or an insider attack.
Note that all of the above insider threat indicators are for intentional threats—meaning the person in question intends to cause harm or steal money/information. It can be much harder to detect unintentional threats because, by definition, there is no malice to pick up on. Accidental threats happen because of a lack of diligence or simple, easy-to-make mistakes.
Whether you’re on the lookout for intentional or unintentional threats, it’s important to perform regular assessments to identify threat risks.
Performing an Insider Threat Assessment
An insider threat assessment is similar to any other cybersecurity risk assessment process—except it focuses on internal security threats. The basic framework for the assessment is:
- Define What You Need to Protect. Determine which databases, files, applications, and hardware in your organization are critical to maintaining operations. Additionally, try to identify which pieces of data would be valuable to those with a financial motivation—whether for immediate profit or resale to other organizations. This will help you create strategies to better protect that information.
- Create Impact Estimates. How much would any given asset being destroyed or stolen affect your organization? Create estimates of the impact so you can prioritize protection measures properly.
- Assess Your Current Security Measures. How well do your existing cybersecurity measures guard against insider threats? Assess your existing security measures to determine how well they protect the assets you identified in steps 1 and 2. Also, do your systems have defense-in-depth to block insiders from being able to compromise multiple systems quickly?
- Define Your Risk Tolerance. No defense is 100% proof against attacks—especially not against insider threats. So, it’s important to define your tolerance for risk. Notate how much impact your organization can withstand, and ensure that you have enough protections in place to keep an insider attack below that threshold.
Building an Insider Threat Program
Some organizations may want to establish a program to specifically deal with insider threats—both to limit the risk of these threats occurring and to minimize their impacts. Some key components of an insider threat program include:
- Policies of Least Privilege. One of the best ways to reduce the risk associated with insider threats is to limit the access any employee has to your organization’s systems, apps, and data. Applying a policy of least privilege, wherein people only have access to the resources they need for their primary job function, can significantly lower your risk of an insider attack by removing means and opportunity from a potential attacker.
- Security Information and Event Management (SIEM). Being able to track individual employee’s use behaviors can be critical for identifying patterns that indicate an impending insider attack. SIEM tools help to collate this data and, with co-managed monitoring and AI tools, identify problematic behaviors. They’re also highly useful for identifying culprits after the fact by recording forensic data.
- Employee Exit Processes. When an employee is leaving the organization—especially if they’re being fired or are quitting without notice—there should be policies in place to quickly revoke any system or database access that they may have. This helps to remove temptation and eliminate the chance for a disgruntled ex-employee to enact revenge.
- Defense in Depth. With insider attacks, it’s especially important to ensure that there are layers of security between assets on your network that keep attackers from jumping between assets. Defense in depth with per-asset firewalls and other security tools can help increase the chances of detecting an insider attack quickly and preventing the attacker from being able to compromise other assets on the network.
- Security Education, Training, and Awareness (SETA) Programs. One of the best tools for preventing accidental insider attacks is ensuring strong cybersecurity awareness throughout the organization. SETA programs help teach employees to recognize cyber threats that might lead to compromised user accounts (like phishing attacks). Such programs can also help to showcase the potential consequences of being caught—which helps to discourage insider attacks.
Need help building a framework for dealing with insider threats? Reach out to the Compuquip team today to get started!