The cyber threat landscape is as alive as ever, and a constant reminder that every organization should have a robust cybersecurity strategy at hand. Organizations that handle highly sensitive data can be at a disadvantage when it comes to identifying, detecting, and responding to attacks, especially if their security program has gaps or lacks foundational measures. According to a 2020 study, most organizations are only able to detect insider threats after the “act” occurs, such as the exposure of information or the exfiltration of data.
The types of insider threats have certainly changed over time, with many organizations focused purely on the malicious insider. Historically, organizations and the industry for that matter characterized insider threats as:
- Malicious Insider: an insider who intentionally steals intellectual property or is otherwise up to no good
- Negligent Insider: the unintentional or accidental user
- Third Parties / Attackers: third parties, such as contractors who have legitimate access, or external attackers who become insiders by compromising credentials
Did you know that the first known case of insider threat in business dates to 1792, when a man by the name of William Duer was named Assistant Secretary of the US Treasury? As part of his job, he had access to trading information, which led to the first insider trading incident in the United States. In Duer’s case, he was a trusted employee with access to sensitive information that he believed could bring him great financial wealth if he used it in nefarious ways.
Before the 1990s, insider threat was shaped by physical theft and misuse, especially in classified government systems and offices. Throughout the 1980s there was a great deal of concern about espionage and theft of classified data by government employees and contractors, which led to one of the most significant espionage studies ever run by the government. Project Slammer was created to better understand the behavior behind espionage carried out by American spies.
Project Slammer found that individuals saw circumventing security safeguards and procedures as a “victimless” crime and a necessary part of their espionage activity. In the case of negligent insiders, we can likewise observe that some individuals choose to circumvent security controls or policy during their work because they see those controls as a hindrance to getting the job done.
With the introduction of the public Internet, perpetrating insider threat actions has only become easier and more consequential because of the inherent capabilities of the technology. The Internet has increased the outside attacker’s ability to obtain credentials, to phish users with malicious intent, or to carry out other web-based attacks. Using the Internet, websites, and the collaboration between services and websites that business now requires has also brought more negligent insider actions to light. For example, a user might misconfigure an API, causing a security incident because the misconfiguration leaked data to the wrong parties.
The Complexity of Insider Risk
As organizations face more incidents related to insider threats, the types of insider threat have been further examined, reviewed, and identified. The sheer size of the problem has grown exponentially, and both as an industry and as individual organizations we need to do our part to address it. According to a recent Ponemon report, insider threat incidents have risen 44% over the last 2 years, and the cost of a single incident is astronomical.
The likelihood of risky behavior has increased with the complexity and scale of malicious attacks targeting individuals over the Internet, along with the ever-changing environments we work in. IT complexity, OT/manufacturing, cloud infrastructure, SaaS, the Internet of Things (IoT), and so on have made insider threat an evolving risk to organizations.
Over time, organizations have further broken down the specific types of insider threats that may exist, depending on the organization, the type of industry, and other risk factors. Some examples include:
- Bad Leavers / Departing Employees – The largest reason organizations lose intellectual property is intentional or unintentional theft by departing employees.
- Security Evaders – Normally categorized under negligent insiders; they use workarounds and other measures to evade security policy and controls.
- Inside Conspirators – This type is less common, but it can include employees who are pressured to act on behalf of an external organization (criminal, competitor, etc.) through blackmail or other threatening behavior.
- Third Parties – Just because someone is not on your payroll doesn’t mean they aren’t a threat. Many organizations rely on third-party services for some, if not all, of their needs, and those providers’ employees often have access too.
A well-balanced insider threat program is essential, and it cannot rely solely on technology. The program should balance technology with the people and processes that address this growing issue for organizations.
Your users are still the first line of defense. Studies and industry reports consistently show that unintentional insiders cause the most incidents; in some reported cases and studies, 2 out of 3 insider threat incidents originate from the unintentional insider. It is important to identify and understand your riskiest users and take proactive action to reduce insider risk and stop your next incident.