Insider threat is a category of risk posed by humans who have access to an organization's physical or digital assets. Such threats are usually attributed to employees or former employees, but may also arise from third parties, including contractors, temporary workers or customers. Insider threats can be the result of malicious intent or negligent actions.
Types of insider threats
Insider threats can take many forms, but threats can be categorized as either deliberate or accidental.
Accidental threats refer to situations in which damage or data loss occurs as a result of an insider who has no malicious intent. For example, an employee might accidentally delete an important file, fall victim to a phishing attempt or inadvertently share more data with a business partner than is consistent with company policy or legal requirements.
Deliberate threats refer to malicious attempts by an insider to access and potentially harm an organization's data, systems or IT infrastructure. These types of insider threats are often attributed to disgruntled employees or ex-employees who believe that the organization wronged them in some way, and therefore feel justified in seeking revenge. Insiders may also become threats when they are subverted by malicious outsiders, either through financial incentives or through extortion.
Although not as common, a malicious insider can also be a hacker -- also called a black hat or cracker -- an employee of a rival company or a member of an activist organization that opposes the organization. In these situations, the would-be attacker infiltrates the company, either by seeking employment or by posing as an employee, vendor, delivery courier or other trusted third party. Once the threat actor gains physical access to the facility, he or she looks for ways to carry out an attack.
How do insider threats work?
The malicious activity associated with an insider threat usually occurs in four steps or phases.
First, the insider gains entry to the targeted system or network. Then, once inside, the attacker investigates the nature of the system or network in order to learn where the vulnerable points are and where the most damage can be caused with the least effort. Next, the attacker sets up a workstation from which the attack can be conducted. Finally, the actual exfiltration or destruction of data takes place.
Awareness and training
The damage caused by an insider threat can take many forms, including the introduction of malware, such as viruses, worms or Trojan horses; the theft of information or corporate secrets; financial fraud; data corruption or deletion; alteration or other damage to data; and identity theft against individuals in the enterprise.
Many organizations have begun developing insider threat programs, implementing steps to curb insider threats through compliance with established security best practices, employee training and security monitoring.
Detection and prevention of insider threats
Detection of, and protection against, an insider threat calls for measures such as the use of spyware scanning programs, antivirus programs, firewalls, and a rigorous data backup and archiving routine. These methods alone, however, are not enough.
Prevention of insider threats begins with employee education. Employees must be made to understand the potential consequences of risky behavior, such as password sharing and sharing of other sensitive information.
Implementation of appropriate procedures when employees terminate their employment is also critically important to prevent former employees from being able to gain access to the system. For non-IT employees, this means immediately deleting or disabling user accounts. For IT employees, disabling a user account may not be enough; any administrative passwords throughout the IT infrastructure that a former employee had access to must also be changed.
Behavioral monitoring is an important tool for detecting and mitigating insider threats. A former employee with malicious intent may attempt to access target systems remotely, outside of normal business hours or both. As such, it is important to audit and review failed remote login attempts, especially those that occur at odd times.
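The review of failed remote logins described above can be automated; the following is an added example, not part of the original article. The business hours, the list of former-employee accounts and the sshd-style log lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumptions (not from the article): business hours and the offboarded-account list.
BUSINESS_START, BUSINESS_END = 8, 18      # 08:00-17:59 local time, Monday-Friday
FORMER_EMPLOYEES = {"jsmith"}             # accounts that should already be disabled

# Constructed sample lines in sshd style with ISO 8601 timestamps.
SAMPLE_LOG = """\
2024-03-04T10:12:01 gw1 sshd[811]: Failed password for adavis from 198.51.100.7 port 50122 ssh2
2024-03-05T02:41:17 gw1 sshd[902]: Failed password for jsmith from 203.0.113.24 port 41810 ssh2
2024-03-05T02:41:29 gw1 sshd[902]: Failed password for jsmith from 203.0.113.24 port 41811 ssh2
2024-03-05T09:03:55 gw1 sshd[955]: Accepted password for adavis from 198.51.100.7 port 50200 ssh2
2024-03-09T14:30:00 gw1 sshd[990]: Failed password for invalid user backup from 203.0.113.99 port 33000 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside BUSINESS_START..BUSINESS_END on weekdays."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)

def review_failed_logins(log_text: str) -> list[dict]:
    """Return one finding per (user, source IP) with off-hours failed logins."""
    findings: dict[tuple[str, str], dict] = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        if not is_off_hours(ts):
            continue
        key = (m["user"], m["ip"])
        f = findings.setdefault(key, {"user": m["user"], "ip": m["ip"], "count": 0,
                                      "first_seen": ts,
                                      "former_employee": m["user"] in FORMER_EMPLOYEES})
        f["count"] += 1
    # Former-employee accounts first, then by number of attempts.
    return sorted(findings.values(),
                  key=lambda f: (not f["former_employee"], -f["count"]))

if __name__ == "__main__":
    for finding in review_failed_logins(SAMPLE_LOG):
        print(finding)
```

Any finding with `former_employee` set to true also indicates that the account was still reachable after termination, which points back to the offboarding procedure.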