3 types of insider threat and what to do about them

Insider threats account for up to 50% of cyber attacks. Learn the three main types, how to spot the warning signs, and what steps your organisation can take to reduce the risk.

Many companies take careful measures to protect their critical assets from external risks, but they often remain vulnerable to insider threats.

The latest Verizon Data Breach Investigations Report (DBIR) 2020 shows that 70% of cyber attacks were perpetrated by outsiders, such as organised criminal groups. This has remained fairly consistent over the last three years.

However, this means that more than a quarter of all cyber attacks involved insiders.

Insider threats are particularly difficult to guard against as it can be hard to spot someone using their legitimate access to systems and data for illegitimate purposes.

The healthcare sector seems to be most vulnerable to insider threats at the moment. It is the only sector where the threat from insiders is greater than the threat from external sources.

Shockingly, 48% of all breaches or incidents in the healthcare sector were a result of insider threats – most were human error, but there were examples where abuse of access privileges or curiosity played a part.

Statistically, insider threats represent between 25% and 50% of cyber attacks, so it is important to understand the nature of these types of threats.

1. Non-responders

Let’s start with non-responders.

These are the people who will typically ignore training, allow tailgaters into the building or fail to report clicking on phishing links.

Usually, a phishing campaign aims to mine sensitive data to access systems, information or finances. It only takes one person to click on a link or download a document for the malicious act to start.

Let’s imagine a phishing email lands on your mail server and gets through your company’s filters.

On average, the first click happens within 16 minutes, but it takes 28 minutes for the first report to arrive at the reporting desk.

A lot can happen in 12 minutes.

2. Inadvertent insiders

Moving on to the inadvertent insider.

These people don’t necessarily intend to do the wrong thing, they may just email the wrong person or decide to save sensitive information on an unsecure device because they are in a rush.

This type of threat is rarely malicious but may be a one-off event that leads to a significant data breach.

Companies need to remind their employees of the dangers of oversharing or inappropriate handling of data. However, this type of reminder alone is not sufficient.

It is important to monitor the movement of sensitive or critically important company data and to put processes in place that help prevent accidental oversharing.

Because of the explosion of cloud storage and the use of mobile devices, it can be difficult to know where company information or sensitive data ends up.

Ask yourself this: Can employees plug in unauthorised USB devices? Do you know which employees have sensitive company data stored on their mobile devices? What measures can be taken to protect this data? Are policies and processes so complicated that people are trying to bypass them?

76% of breaches are financially motivated.

3. Persistent malicious insiders

These are likely to be people looking for an additional income. They are consistently, intentionally and maliciously causing harm to the organisation.

Persistent malicious acts usually occur over time or multiple networks, but some important indicators show an elevated risk to your company.

Look out for:

1. Unexpected privilege escalation, which will enable access to a network or an application.
2. Excessive printing of documents using a default name is an unusual behaviour that may indicate data theft.
3. Communication or traffic to a known command and control domain or IP address. There are very few legitimate reasons for an employee to access these locations.
4. Rapid data encryption. Rapid scanning followed by file encryption or deletion can indicate an attack.

The 4 stages of behaviour

Continuing to look at insider threats from a behaviour perspective, there are clear patterns of employee behaviour to be alert to.

There are typically four stages of behaviour leading up to a malicious insider attack.

1. Catalyst: This is the stage where adverse events in an employee’s life may lead them to undertake harmful or illegal acts.
2. Expression: Employees may begin to express their reaction to the catalyst at work. Behaviours to watch for at this stage can include excessive time off, unusual working hours, heightened emotions and/or bouts of aggression.
3. Preparation: Once a decision has been made, the employee will start gathering data such as login credentials or customer information, all in readiness for the next stage. This behaviour usually leaves a digital footprint. Carnegie Mellon University researchers found, of their source group, that 70% of individuals leaving employment stole at least some intellectual property from their employer. The type of IP ranged from contact details or copies of documents to customer lists and product designs.
4. Execution: If there is limited monitoring of an authorised employee’s digital activity, then this stage could go unnoticed until the effects of the attack are evident, for example, operational systems failing or a ransomware attack.

Minimising the risks

People make mistakes.

Aside from continuing to educate them and get them making the right choices (moving them away from being non-responders), we need to monitor, monitor, monitor.

Monitor employees’ digital activity, monitor access controls, and monitor for unusual or unexpected employee behaviour.

Identify how they are becoming inadvertent insiders and help them make the right choices.

Have secure access control procedures in place for joiners, movers and leavers – leavers are a high-risk group of employees, so increase vigilance of their activities.

The insider threat risk is high, however, there are small but significant steps that can be taken to minimise it.