Definition

insider threat

Contributor(s): Brien Posey

Insider threat is a generic term for a threat to an organization's security or data that comes from within. Such threats are usually attributed to employees or former employees, but may also arise from third parties, including contractors, temporary workers or customers.

Types of insider threats

Insider threats can take many forms, but they can all be categorized as either malicious or accidental.

Accidental threats refer to situations in which damage or data loss occurs as a result of an insider who has no malicious intent. For example, an employee might accidentally delete an important file, fall victim to a phishing attempt or inadvertently share more data with a business partner than is consistent with company policy or legal requirements.

Malicious threats refer to deliberate attempts by an insider to access and potentially harm an organization's data, systems or IT infrastructure. These types of insider threats are often attributed to disgruntled employees or ex-employees who believe that the organization wronged them in some way, and therefore feel justified in seeking revenge. Insiders may also become threats when they are subverted by malicious outsiders, either through financial incentives or through extortion.

Although not as common, a malicious insider can also be a hacker -- also called a black hat or cracker -- an employee of a rival company or a member of an activist organization that opposes the organization. In these situations, the would-be attacker infiltrates the company, either by seeking employment or by posing as an employee, vendor, delivery courier or other trusted third party. Once the threat actor gains physical access to the facility, he or she looks for ways to carry out an attack.

How do insider threats work?

The malicious activity associated with an insider threat usually occurs in four steps or phases.


First, the insider gains entry to the targeted system or network. Then, once inside, the attacker investigates the nature of the system or network in order to learn where the vulnerable points are and where the most damage can be caused with the least effort. Next, the attacker sets up a workstation from which the attack can be conducted. Finally, the actual exfiltration or destruction of data takes place.

Awareness and training

The damage caused by an insider threat can take many forms, including the introduction of malware such as viruses, worms or Trojan horses; the theft of information or corporate secrets; financial fraud; data corruption or deletion; alteration or other damage to data; and identity theft against individuals in the enterprise.

Many organizations have begun developing insider threat programs, implementing steps to curb insider threats through compliance with established security best practices, employee training and security monitoring.

Detection and prevention of insider threats

Detection of, and protection against, an insider threat call for measures such as the use of spyware scanning programs, antivirus programs, firewalls, and a rigorous data backup and archiving routine. These methods alone, however, are not enough.

Prevention of insider threats begins with employee education. Employees must be made to understand the potential consequences of risky behavior, such as password sharing and sharing of other sensitive information.

Implementation of appropriate procedures when employees terminate their employment is also critically important to prevent former employees from being able to gain access to the system. For non-IT employees, this means immediately deleting or disabling user accounts. For IT employees, disabling a user account may not be enough; any administrative passwords throughout the IT infrastructure that a former employee had access to must also be changed.

Behavioral monitoring is an important tool for detecting and mitigating insider threats. A former employee with malicious intent may attempt to access target systems remotely, outside of normal business hours or both. As such, it is important to audit and review failed remote login attempts, especially those that occur at odd times.
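The audit described above, as an added example that is not part of the original page: it parses constructed sshd-style log lines, flags failed remote logins that fall outside business hours, and cross-checks the account against a hypothetical list of former-employee accounts that should already have been disabled. The log lines, IP addresses, business-hours window and the DEPARTED set are all assumptions made for the example.

```python
"""Review failed remote logins for off-hours activity and use of
former-employee accounts. Added illustrative example; the log lines
below are constructed and do not come from any real system."""
import re
from datetime import datetime, time

# Constructed sample auth log lines (sshd-style, synthetic users/IPs).
SAMPLE_LOG = """\
2017-09-12T09:14:02 sshd[4021]: Accepted publickey for alice from 10.0.0.12 port 51022 ssh2
2017-09-12T23:41:17 sshd[4102]: Failed password for jsmith from 203.0.113.8 port 40211 ssh2
2017-09-12T23:41:25 sshd[4102]: Failed password for jsmith from 203.0.113.8 port 40211 ssh2
2017-09-13T02:05:48 sshd[4187]: Failed password for invalid user backup from 198.51.100.77 port 33340 ssh2
2017-09-13T10:30:00 sshd[4210]: Failed password for bob from 10.0.0.44 port 52010 ssh2
"""

# Matches only failed password attempts; "invalid user" marks unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed local window
DEPARTED = {"jsmith"}  # hypothetical accounts of former employees


def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for each failed login line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return out


def off_hours(ts):
    """True outside the business window or on a weekend (Sat/Sun)."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review_failures(log_text):
    """Group failures by (user, ip) and annotate each with review flags."""
    findings = {}
    for ts, user, ip in parse_failures(log_text):
        f = findings.setdefault((user, ip),
                                {"count": 0, "off_hours": 0, "departed": user in DEPARTED})
        f["count"] += 1
        if off_hours(ts):
            f["off_hours"] += 1
    return findings
```

Entries with `departed` set to True point at an offboarding gap as much as at an attacker, since that account should no longer exist.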

This was last updated in September 2017


What do you do to minimize the risks of insider threats?
Look at Carnegie Mellon's software engineering institute/CERT's work on insider threat to gain a far deeper view into this topic.
Consider a broader definition of Insider Threat. Others include the "unwitting insider" who possesses trusted access to important resources but whose negligence or ignorance exposes the organization to additional risk. Also, consider threats to physical security such as sharing passcodes or blocking open doors, theft of valuable data and resources that require no hacking, and employees who threaten or demonstrate violent actions that threaten data, property, or the health and lives of employees or customers. The common thread to all aspects of a broader definition is that an individual is granted trusted access that allows them to pose a threat that an outsider could not.
Good points, @teajar10; note that the definition has been updated to address negligent/unwitting insider threats.

Thanks!
