What is an Insider Threat? Insider Threat Definition, Examples, and Solutions

  • By Maddie Rosenthal
  • 15 May 2020

While cybersecurity policies, procedures, and solutions are often focused on cybercriminals outside of the organization, more and more often, it’s people inside the organization who are responsible for data breaches.

In fact, there’s been a 47% increase in incidents over the last two years; this includes accidental data loss and deliberate data exfiltration by negligent or disgruntled employees or contractors. This is a big problem, especially considering the global average cost of an insider threat is a whopping $11.45 million. 

So, what is an insider threat and how can organizations protect themselves from their own people?

What is an Insider Threat?

Insider threats are people - whether employees, former employees, contractors, business partners, or vendors - with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information.

Importantly, there are two distinct types of insider threats, and understanding different motives and methods of exfiltration is key for detection and prevention.

Types of Insider Threats

The Malicious Insider

Malicious insiders knowingly and intentionally steal data: for example, an employee or contractor who uses valuable information (like intellectual property, Personally Identifiable Information (PII), or financial information) for personal gain. What’s in it for the insider? It depends.

Financial Incentives

Data is valuable currency. Case in point: data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web. Whether it’s a list of customer email addresses or trade secrets, bad-intentioned employees with privileged access to systems and networks can cause serious damage to an organization’s bottom line and reputation.

Competitive Edge

It’s not uncommon for employees to download, save, send, or otherwise exfiltrate work-related documents before leaving a job or after being dismissed. While this isn’t always malicious (they could simply be adding a project to their portfolio), it certainly can be. For example, an exiting employee could take customer lists or trading algorithms to a new employer. 

The prevalence of these incidents varies greatly by industry. Unsurprisingly, highly competitive industries like financial services, government, and entertainment have the highest percentage of occurrences.

The Negligent (or Unaware) Insider 

Negligent or unaware insiders are just your “average” employees doing their jobs. Unfortunately, to err is human, which means people can – and do – make mistakes. While there are a number of ways employees can mishandle data, the common thread here is that data leaks are unintentional. 

Sending a misdirected email

Data emailed to the incorrect recipient is the second most reported cause of data breaches. And, while it’s unintentional, the implications can be far-reaching, especially for those organizations that are bound to compliance standards or data privacy regulations. Think about it: emails contain structured and unstructured data in either the body copy, as attachments, or both. In certain industries – like healthcare and financial services – the likelihood of email communications containing sensitive information is even greater. 

Falling victim to a phishing or spear phishing attack

Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. If the attack is successful – meaning the target (an employee) falls for the scam – there could be serious consequences. 

If you want more information, read this article: Phishing vs. Spear Phishing: Differences and Defense Strategies.

Losing your work device(s)  

Whether it’s a mobile phone, laptop, or tablet, losing a work device could lead to a data breach, especially if the device is left unlocked. 

How can I protect against Insider Threats?

While organizations are certainly aware of the risks around insider threats, preventing breaches caused by malicious or careless employees is a challenge. Why? Because to detect and prevent threats, IT, security, and compliance teams have to maintain full visibility over data – both digital and physical – including who has access to it.

This is no easy task. You must consider all the different perimeters (networks, endpoints, and email), take stock of the massive amount of data that your organization handles, and identify all of the employees, contractors, and other third-parties who have access to that data. 

From there, it comes down to training, monitoring (both digital and physical), and the implementation of security policies, procedures, and tools. 

Training

Education is one of the first steps in prevention, which means malicious and accidental insider threat awareness should be incorporated into periodic security training for all employees. While training won’t prevent those with nefarious intent from exfiltrating data, it will help build a positive security culture in which employees outside of IT and security teams will know how to identify an insider threat. 

Beyond that, making employees aware of the dire consequences of mistakes on email will help encourage safe and secure data handling.

Monitoring

Today, most sensitive data is stored on networks, devices, and the cloud, which means controlled access is absolutely essential. But, if an individual has legitimate access to a system or network, how can IT or security teams know if and when they’re exfiltrating data? Monitoring. 

Telltale signs of an insider threat include:

  1. Large data or file transfers
  2. Multiple failed logins (or other unusual login activity)
  3. Incorrect software access requests
  4. Machine takeover
  5. Service account abuse
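As an added illustration (not code from the original article), the Python script below turns three of the signs in the list above into detection logic run over a constructed audit log: a large file transfer, a burst of failed logins for one account, and a service account being used for an interactive login. The log format, the thresholds (1 GiB per transfer, five failures within five minutes) and the `svc_` naming convention for service accounts are all assumptions made for this example.

```python
"""Toy insider-threat signal detection over constructed audit-log lines.
Line format (assumed): "<ISO timestamp> <event> user=<name> key=value ..."
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one benign user, one failed-login burst,
# one very large transfer to an external destination, and a service
# account logging in interactively.
SAMPLE_LOG = """\
2020-05-14T08:02:11 login_ok user=alice src=10.0.1.4
2020-05-14T08:05:40 file_transfer user=alice bytes=2048000 dst=sharepoint.corp
2020-05-14T08:10:02 login_fail user=bob src=10.0.1.9
2020-05-14T08:10:09 login_fail user=bob src=10.0.1.9
2020-05-14T08:10:15 login_fail user=bob src=10.0.1.9
2020-05-14T08:10:21 login_fail user=bob src=10.0.1.9
2020-05-14T08:10:30 login_fail user=bob src=10.0.1.9
2020-05-14T22:31:00 file_transfer user=carol bytes=7516192768 dst=personal-cloud.example
2020-05-14T23:02:13 login_ok user=svc_backup src=10.0.1.77 type=interactive
2020-05-14T23:05:00 login_ok user=svc_backup src=10.0.1.50 type=service
"""

LARGE_TRANSFER_BYTES = 1 * 1024 ** 3      # assumed threshold: 1 GiB in one transfer
FAILED_LOGIN_LIMIT = 5                    # assumed: 5 failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within 5 minutes
SERVICE_ACCOUNT_PREFIX = "svc_"           # assumed naming convention


def parse_line(line):
    """Split one log line into a dict of fields plus parsed timestamp and event."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["event"] = event
    return fields


def detect(lines):
    """Return a list of (signal, user, detail) alerts in log order."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps inside the window
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]
        if rec["event"] == "file_transfer" and int(rec["bytes"]) >= LARGE_TRANSFER_BYTES:
            alerts.append(("large_transfer", user, rec["dst"]))
        elif rec["event"] == "login_fail":
            window = recent_failures[user]
            window.append(rec["ts"])
            # Slide the window: forget failures older than FAILED_LOGIN_WINDOW
            while window and rec["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            # Alert exactly once, when the limit is first reached
            if len(window) == FAILED_LOGIN_LIMIT:
                alerts.append(("failed_login_burst", user, rec["src"]))
        elif (rec["event"] == "login_ok"
              and user.startswith(SERVICE_ACCOUNT_PREFIX)
              and rec.get("type") == "interactive"):
            # Service accounts should never log in interactively
            alerts.append(("service_account_interactive", user, rec["src"]))
    return alerts


if __name__ == "__main__":
    for signal, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{signal:28s} user={user:12s} {detail}")
```

Each rule is deliberately simple so the thresholds can be tuned against an organization's own baseline; in practice the large-transfer rule would compare against the user's historical volume rather than a fixed byte count, and the failed-login rule would also key on source address.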

Of course, insider threats can still steal physical data like sensitive documents. This is one reason why controlled access to buildings and even certain offices is just as important as network security. 

Security Policies, Procedures, and Tools

Many organizations look to Data Loss Prevention (DLP) strategies to help mitigate risk around insider threats. 

Solutions include:

  1. Firewalls
  2. Endpoint scanning
  3. Rule-based systems
  4. Anti-phishing software
  5. Machine learning technology 

Unsure what exactly DLP is? Read this article: A Complete Overview of DLP.

What is the best Insider Threat Solution?

While there are a number of ways in which malicious or careless employees can exfiltrate (or otherwise lose) data, email is no doubt the number one threat vector. 

Billions of email messages are sent every day to and from organizations and many of these emails contain highly sensitive information including personal details, medical records, intellectual property, and financial projections. That means that in order to have a chance at detecting and preventing insider threats, organizations must look at securing email communications.

But traditional DLP solutions for email fall short, and today machine learning technology is the only way to prevent data loss and data exfiltration. 

In fact, Tessian was recently recognized as a Cool Vendor in Gartner’s Cool Vendors in Cloud Office Security report. Why? Because, through a combination of machine intelligence, deep content inspection of email, and stateful mapping of human relationships, Tessian’s Human Layer Security Platform prevents misdirected emails and intentional (and malicious) attempts at data exfiltration. 

How does Tessian detect and prevent Insider Threats?

Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats.

Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and misdirected emails.

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. 

Tessian Enforcer detects and prevents data exfiltration attempts by:

  1. Analyzing historical email data to understand normal content, context, and communication patterns
  2. Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs 
  3. Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like data exfiltration. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
  4. Alerting users when data exfiltration attempts are detected with clear, concise, contextual warnings that reinforce security awareness training

Tessian Guardian detects and prevents misdirected emails by:

  1. Analyzing historical email data to understand normal content, context, and communication patterns
  2. Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs 
  3. Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like it’s being sent to the wrong person. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
  4. Alerting users when a misdirected email is detected with clear, concise, contextual warnings that allow employees to correct the recipients before the email is sent
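Added example, not Tessian's code and not a description of how Enforcer or Guardian work internally: a toy version of the relationship-graph idea that both lists above share. It learns each sender's usual recipients from constructed historical mail, then scores a new outbound message for a recipient that closely resembles an existing contact (a likely misdirected email) and for an attachment going to an address the sender has never written to (a possible exfiltration attempt). The free-mail domain list, the similarity threshold and the use of a plain string-similarity ratio are assumptions made for this example.

```python
"""Toy relationship-graph scoring of outbound email for misdirection and exfiltration."""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed history of past outbound mail as (sender, recipient) pairs
HISTORY = [
    ("alice@corp.example", "john.smith@client.example"),
    ("alice@corp.example", "john.smith@client.example"),
    ("alice@corp.example", "legal@corp.example"),
    ("bob@corp.example", "dana@partner.example"),
]

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list
NEAR_MISS_THRESHOLD = 0.85  # assumed cut-off for "looks like a known contact"


def build_graph(history):
    """sender -> {recipient: number of past messages}; the relationship graph."""
    graph = defaultdict(lambda: defaultdict(int))
    for sender, recipient in history:
        graph[sender][recipient] += 1
    return graph


def score_outbound(graph, sender, recipients, has_attachment):
    """Return (recipient, reason) warnings for one outbound message.

    Known recipients are never flagged. An unknown recipient is flagged as a
    possible misdirection if it closely resembles a known contact, otherwise
    as a possible exfiltration if the message carries an attachment.
    """
    known = graph.get(sender, {})
    warnings = []
    for rcpt in recipients:
        if rcpt in known:
            continue  # established relationship: nothing to flag
        _, _, domain = rcpt.rpartition("@")
        for contact in known:
            # Misdirection check: typo or look-alike of an existing contact
            if SequenceMatcher(None, rcpt, contact).ratio() >= NEAR_MISS_THRESHOLD:
                warnings.append((rcpt, f"looks like {contact}"))
                break
        else:
            # Exfiltration checks only fire when something is actually attached
            if has_attachment and domain in FREEMAIL_DOMAINS:
                warnings.append((rcpt, "attachment to unknown personal address"))
            elif has_attachment:
                warnings.append((rcpt, "attachment to first-time recipient"))
    return warnings


if __name__ == "__main__":
    graph = build_graph(HISTORY)
    # 'cilent' is a constructed typo of the real contact domain
    print(score_outbound(graph, "alice@corp.example",
                         ["john.smith@cilent.example"], has_attachment=True))
    print(score_outbound(graph, "alice@corp.example",
                         ["alice.personal@gmail.com"], has_attachment=True))
    print(score_outbound(graph, "alice@corp.example",
                         ["legal@corp.example"], has_attachment=False))
```

The graph is keyed per sender, so the same external address can be routine for one employee and anomalous for another, which is the property that makes a relationship graph more useful than a global allow list. A real deployment would weight edges by recency and volume and combine this signal with content inspection rather than relying on recipient strings alone.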