When we think about cybersecurity threats we often imagine a shady hacker figure, cloaked in a black hoodie, admiring their cyber empire across a bank of screens that cover an entire wall. You may even imagine a spy figure hacking into foreign governments and passing intelligence to officers on the ground. Chances are, you’re probably not imagining yourself. But surprisingly you are one of the biggest risks to an organization.
Take a few minutes and think about what you could do to cause the most damage to the company you work for. It might look like copying sales data and going off and starting your own company or intentionally downloading malware to a work computer. Another option is stealing intellectual property and passing it to a competitor.
This isn’t theoretical: according to Verizon’s 2024 Data Breach report, internal threat actors represent 35% of all incidents. It is important to note that this figure includes both intentional and unintentional incidents. The data only tells part of the story, though: many insider attacks go completely unnoticed and are notoriously underreported.
Digital Breadcrumbs — What They Are and How They Aren’t Always What They Seem
Unlike a typical attacker, insiders know the systems, business, industry, and data their organization uses inside and out. An external actor must perform reconnaissance, hunt for open ports, or test vulnerabilities, whereas an insider likely already knows this information. Outside attacks create “digital breadcrumbs”, small pieces of evidence that a security team can find and investigate. Insiders don’t necessarily create the same trail.
Identifying malicious intent can also be tricky. While every job aims to have specific roles and responsibilities, at some point almost every worker will be asked to prepare something or complete a task outside of the regularly defined job roles. Sudden access to financial reports might look suspicious at first glance, but then you might realize it’s the end of the quarter. A flurry of emails from a work account to a personal account might scream, “They’re sending data,” until you see they’re backing up some photos during their lunch break.
Even when there are digital breadcrumbs for investigators to find, they are often just as likely to point to legitimate activity (or simple employee misuse of IT systems) as to a damaging attack.
Differentiating Motivators for Internal and External Threat Actors
One of the top motivators for external adversaries is finances. According to the 2024 Verizon Data Breach Report, it was the catalyst for over 90% of incidents caused by an outside adversary. For insiders, it is slightly less important but still high on the priorities at 88%.
For insiders, we see a marked increase in espionage as a motivation (46%). We typically see this play out as transferring intellectual property or customer contacts to an existing competitor or using them to start up their own company. Much of the time this is motivated by a grudge. We saw this play out in real life with the following incidents:
- A school IT technician took revenge by hacking into the institution and deleting data after he was fired
- A former employee who was laid off for poor performance took revenge and landed himself a lengthy prison sentence
- An ex-network administrator in San Francisco refused to give up any company passwords even after he was handed a prison sentence (he eventually conceded when the mayor came to the insider’s prison cell)
Protecting Your Organization from Insider Threats
So how can you protect your business from insider threats?
Implementing robust technical controls is definitely essential, but only half of the story. Tools such as data loss prevention (DLP) solutions can notify teams of significant increases in data transfers, and simply blocking the use of portable drives can effectively minimize attack opportunities. It’s worth mentioning though that these controls can sometimes have the opposite effect. When employees perceive they are being heavily monitored it can increase their disgruntlement, and encourage them to adopt more insecure practices.
Unlike other types of cyberthreats, insider threats have a significant human element, and this is best managed through people and processes, such as:
- Establishing a comprehensive offboarding procedure that thoroughly revokes employee access, regularly auditing employee permissions, and ensuring that individuals only have access to the systems and files necessary for their roles.
- Providing employee assistance programs for those facing financial difficulties or mental health challenges can reduce insiders’ likelihood of feeling compelled to act.
- Implementing an employee review process that identifies performance issues early on and offers opportunities for improvement before considering termination can help prevent insider threats from emerging.
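The offboarding and least-privilege checks in the first point above can be turned into a repeatable audit. The following is an added example, not part of the original article: it compares current access grants against a role-to-entitlement map and HR status (all data below is constructed; the systems, roles and user names are placeholders) and reports grants that offboarding should have revoked or that exceed the user’s role.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: which systems each role legitimately needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "sales": {"crm", "email"},
    "finance": {"erp", "email", "fin-reports"},
    "it": {"email", "ad-admin", "backup-console"},
}

@dataclass
class Employee:
    user: str
    role: str
    termination_date: Optional[date] = None  # set by HR at offboarding

@dataclass
class Grant:
    user: str
    system: str

# Constructed HR roster and access-grant export.
EMPLOYEES = [
    Employee("alice", "sales"),
    Employee("bob", "finance"),
    Employee("carol", "it", termination_date=date(2024, 5, 31)),
]
GRANTS = [
    Grant("alice", "crm"), Grant("alice", "fin-reports"),  # fin-reports is outside the sales role
    Grant("bob", "erp"),
    Grant("carol", "ad-admin"),          # carol left on 2024-05-31 but still has admin
    Grant("dave", "backup-console"),     # no HR record at all: orphaned account
]

def audit_access(employees: List[Employee], grants: List[Grant], as_of: date
                 ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (lingering, excess): grants held by departed/unknown users, and
    grants beyond what the user's role entitles them to."""
    by_user = {e.user: e for e in employees}
    lingering, excess = [], []
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None or (emp.termination_date and emp.termination_date <= as_of):
            lingering.append((g.user, g.system))   # offboarding failed to revoke
        elif g.system not in ROLE_ENTITLEMENTS[emp.role]:
            excess.append((g.user, g.system))      # least-privilege violation to review
    return sorted(lingering), sorted(excess)

def run_sample_audit() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    return audit_access(EMPLOYEES, GRANTS, as_of=date(2024, 6, 15))

if __name__ == "__main__":
    lingering, excess = run_sample_audit()
    print("Lingering access:", lingering)
    print("Excess access:", excess)
```

Run it on a periodic schedule against a real HR export and IAM grant export; every finding is a ticket to revoke or to document a justified exception.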
Ultimately all three of these factors are built on fostering a secure and supportive work environment. With this type of culture, businesses can reduce the risk of an employee becoming an insider and ensure that potential issues are identified and addressed before they escalate into a full attack.