What Is an Insider Threat?

An insider threat can happen when someone close to an organization with authorized access misuses that access to negatively impact the organization’s critical information or systems. This person does not necessarily need to be an employee – third party vendors, contractors, and partners could pose a threat as well. Insider threats can be unintentional or malicious, depending on the threat’s intent. Unintentional insider threats can be from a negligent employee falling victim to a phishing attack. A malicious threat could be from intentional data theft, corporate espionage, or data destruction.

Your biggest asset is also your biggest risk. The root cause of insider threats? People. Yet most security tools only analyze computer, network, or system data.

Threats can come from any level and from anyone with access to proprietary data 25% of all security incidents involve insiders.^[1]

Recent insider threat statistics reveal that 69% say their organizations have experienced an attempted or successful threat or corruption of data in the last 12 months.

An insider threat is any employee, vendor, executive, contractor, or other person who works directly with an organization. A malicious insider is one that misuses data for the purpose of harming the organization intentionally. Malicious insiders are harder to detect than external threats because they know that they must hide their tracks and steal or harm data without being caught. They are also harder to detect because they often have legitimate access to data for their job functions.

A malicious insider can be any employee or contractor, but usually they have high-privilege access to data. For example, a software engineer might have database access to customer information and will steal it to sell to a competitor. This activity would be difficult to detect since the software engineer has legitimate access to the database.

One-third of all organizations have faced an insider threat incident.^[2] The rest probably just don’t know it yet.

Because insider threats are more difficult to detect, they often go on for years. One example of an insider threat happened with a Canadian finance company. Users at Desjardins had to copy customer data to a shared drive so that everyone could use it. A malicious insider continued to copy this data for two years, and the corporation realized that 9.7 million customer records were disclosed publicly. It cost Desjardins $108 million to mitigate the breach.

Technical employees can also cause damage to data. A Cleveland-based organization experienced a distributed denial-of-service (DDoS) from crashed servers after one of their developers decided to deploy malicious code to the system. The malware deleted user profiles and deleted files, making it impossible for the organization to be productive.

Insider threats such as employees or users with legitimate access to data are difficult to detect. These threats have the advantage of legitimate access, so they do not need to bypass firewalls, access policies, and cybersecurity infrastructure to gain access to data and steal it.

High privilege users can be the most devastating in a malicious insider attack. These users have the freedom to steal data with very little detection. These users are not always employees. They can be vendors, contractors, partners, and other users with high-level access across all sensitive data.

Corporations spend thousands to build infrastructure to detect and block external threats. These threats are not considered insiders even if they bypass cybersecurity blocks and access internal network data. Insider threats are specific trusted users with legitimate access to the internal network. They have legitimate credentials, and administrators provide them with access policies to work with necessary data. These users do not need sophisticated malware or tools to access data, because they are trusted employees, vendors, contractors, and executives.

Any attack that originates from an untrusted, external, and unknown source is not considered an insider threat. Insider threats require sophisticated monitoring and logging tools so that any suspicious traffic behaviors can be detected. Older, traditional ways of managing users was to blindly trust them, but a zero-trust network is the latest strategy for cybersecurity along with data loss prevention (DLP) solutions, and it requires administrators and policy creators to consider all users and internal applications as potential threats.

An external threat usually has financial motives. Their goals are to steal data, extort money, and potentially sell stolen data on darknet markets. Insider threats could have similar goals, but usually it’s accidentally falling for a sophisticated phishing or social engineering attack, or in the case of a malicious threat, the goal is to harm the organization by data theft.

The characteristics of a malicious insider threat involves fraud, corporate sabotage or espionage, or abuse of data access to disclose trade secrets to a competitor. Although not every insider threat is malicious, the characteristics are difficult to identify even with sophisticated systems. Because users generally have legitimate access to files and data, good insider threat detection looks for unusual behavior and access requests and compares this behavior with benchmarked statistics.

To stop insider threats–both malicious and inadvertent–you must continuously monitor all user activity and take action when incidents arise.

The potential risks of insider threats are numerous, including installing malware, financial fraud, data corruption, or theft of valuable information. To counteract all these possible scenarios, organizations should implement an insider threat solution with 6 key capabilities:

[1] Verizon. “Data Breach Investigations Report”
[2] SANS. “Insider Threats and the Need for Fast and Directed Response”
[3] CSO Magazine. “U.S. State of Cybercrime Report”