When threats come up in conversation, the discussion usually revolves around external actors: hacking groups, ransomware crews, nation-state operators (the so-called advanced persistent threats, or APTs), and so on. For a great many organizations, however, a large part of the risk doesn't come from the outside at all, but from within the company itself. We call these insider threats because, well, they come from the inside!

Defining an Insider Threat

Insider threats are nothing new to most organizations. Retail has long had the notion of "shrink", i.e. product disappearing from stock, whether taken by shoplifters or by staff. Even in modern offices (or at least in the recent past, when we still worked in offices), it wasn't uncommon for staff to take office supplies home for personal use. Organizations will generally turn a blind eye to these petty forms of rebellion, but what if the threat is more serious?

An insider threat is an individual who works for the organization and brings harm to it, either through deliberate malicious intent or because another party has fooled them into performing an action that causes harm. This is a very important point to keep in mind: not all insider threats act because they are angry or want to hurt the company! A carefully crafted email, a phone call from someone who "just needs a little help", or a lost USB stick found in the parking lot can all lead to a bad day when the person behind the message, the call, or the stick is the one who wants to harm your organization, and one of your own staff is the one who unwittingly acts on it.

How Pervasive Are Insider Threats?

If we revisit the Verizon Data Breach Investigations Report (DBIR), we see that 30% of the attacks involved internal actors. Again, this could be someone who holds a grudge, or it could be someone who was fooled by a phishing email.

The sad reality is that an insider threat can be far more dangerous than an external one, simply because the insider starts with a level of privilege and access that an outsider has to work hard to obtain: a valid account, a foothold on the internal network, knowledge of where the sensitive records live, and so on. The harm they can cause is substantial.

Insider Threat Examples

Here are a few examples of what an insider threat may look like:

  1. An employee steals intellectual property or trade secrets and shares them with a competitor or another malicious party.
  2. An employee falls for a business email compromise (BEC) scam and wires $50,000 to a foreign bank account.
  3. A disgruntled administrator installs a "time bomb" that wipes the hard drives of the organization's computers two weeks after they are fired.
  4. An employee accepts a bribe to install malicious software on the company network.
  5. An employee copies sensitive customer data, including health records, to an unencrypted USB drive, which is then stolen from their car.

There are some newsworthy examples as well:

  1. Facebook fires engineer who allegedly used access to stalk women
  2. SunTrust Ex-Employee May Have Stolen Data on 1.5 Million Bank Clients
  3. What Tesla’s Spygate Teaches Us About Insider Threats
  4. Coca-Cola Suffers Breach at the Hands of Former Employee
  5. San Francisco Admin Charged With Hijacking City’s Network

There is no shortage of insider threat examples, and it is the one threat that can hit any organization, regardless of size.

Protecting Against Insider Threats

Insider threats are one of the most dangerous types of threat you can face, but with a bit of education and security hygiene you can reduce the risk to your own organization. Here are some things you can do today:

  1. Have a security training program for employees. From training on phishing emails to reminders about acceptable use of company computers, a bit of training goes a long way.
  2. For the finance team, require verbal confirmation, over a phone number already on file rather than one supplied in the email, for any payment or transfer requested by an executive. That extra step defeats most CEO-fraud attacks that arrive by email.
  3. Review access levels. Do those who have access to sensitive data or systems actually need it for their job? Remove what isn't needed, and repeat the review whenever people change roles or leave.
  4. Use technical enforcement, for example Active Directory Group Policy, to require that removable storage be encrypted (BitLocker To Go on Windows) or to block the use of USB storage devices on company computers altogether.
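As an added illustration of point 4 (example code written for this post, not something from the original article or from any vendor), the PowerShell below audits a Windows host for the policy-backed registry settings behind those restrictions and can switch the host into either an "encrypted USB only" or a "no USB storage" posture. It assumes an elevated session on Windows 10/11. The registry locations are the ones the corresponding ADMX templates write; the BitLocker one is an assumption worth double-checking against your own environment.

```powershell
<#
  Added example, not from the original post: audit, and optionally enforce, the
  registry-backed Group Policy settings that control removable storage on Windows.

  Assumptions: elevated PowerShell on Windows 10/11. The BitLocker policy path
  (SYSTEM\CurrentControlSet\Policies\Microsoft\FVE) is assumed; verify it against
  your ADMX templates. In a domain, put these values in a GPO rather than writing
  them locally, because a local value is overwritten at the next policy refresh.
#>

# Device setup class GUID for "Removable Disks" (USB sticks, external HDDs/SSDs).
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$RsdKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
$FveKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'   # assumed location, see above

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is "Not Configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RemovableStoragePolicy {
    # One object per host; each property is $true when that control is in place.
    [pscustomobject]@{
        RemovableDisksDenyRead    = (Get-PolicyValue $RsdKey 'Deny_Read')    -eq 1
        RemovableDisksDenyWrite   = (Get-PolicyValue $RsdKey 'Deny_Write')   -eq 1
        RemovableDisksDenyExecute = (Get-PolicyValue $RsdKey 'Deny_Execute') -eq 1
        WriteRequiresBitLocker    = (Get-PolicyValue $FveKey 'RDVDenyWriteAccess') -eq 1
    }
}

function Set-RemovableStoragePolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RequireEncryption', 'Block')]
        [string]$Mode
    )
    New-Item -Path $RsdKey -Force | Out-Null
    New-Item -Path $FveKey -Force | Out-Null

    switch ($Mode) {
        'RequireEncryption' {
            # Removable disks stay usable, but any drive that is not BitLocker-protected
            # becomes read-only, and nothing can be executed directly from a removable disk.
            Set-ItemProperty -Path $FveKey -Name 'RDVDenyWriteAccess' -Type DWord -Value 1
            Set-ItemProperty -Path $RsdKey -Name 'Deny_Execute' -Type DWord -Value 1
            Set-ItemProperty -Path $RsdKey -Name 'Deny_Read'    -Type DWord -Value 0
            Set-ItemProperty -Path $RsdKey -Name 'Deny_Write'   -Type DWord -Value 0
        }
        'Block' {
            # No read, write or execute on removable disks at all.
            foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
                Set-ItemProperty -Path $RsdKey -Name $v -Type DWord -Value 1
            }
        }
    }
    Write-Warning 'Removable storage settings take effect after a policy refresh or reboot.'
}

# Usage: report the current state; uncomment the second line to enforce a mode.
Test-RemovableStoragePolicy | Format-List
# Set-RemovableStoragePolicy -Mode RequireEncryption
```

Run the audit across a fleet (for example through a scheduled task or your endpoint management tool) and you get a quick picture of which machines are actually covered. Pilot the RequireEncryption mode with a small group first: unencrypted sticks silently become read-only, which surprises users who had been using them to move files around.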

To be quite frank, there are plenty of technical solutions out there as well, ranging from data loss prevention (DLP) technologies to user behaviour analytics. Figuring out the right solution for your own organization will take some investigation and research.

Insider threats are one of the risks that tend to keep me awake at night, but with a bit of careful planning and some light controls put in place, you can reduce the risk significantly without necessarily draining your security budget.

– John


At EliteSec, we would be more than happy to discuss this topic further and help you build out a security plan for your organization. Contact us today and we’ll have a candid discussion on what pragmatic solutions we can come up with for your unique needs.