What are Insider Threats?
The Department of Homeland Security (DHS) defines an insider threat as the “…threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States.”[1] Insider threats are not only a national-security concern; they threaten your organization as well. Whether acting out of malice or negligence, current employees, former employees, contractors, and partners all have the potential to misuse their access to assets and networks to disclose, modify, or delete sensitive information. Information at risk of compromise includes details of the organization's security procedures, customer data, employee data, credentials, and financial data. Three common types of insider threat are:
Malicious insider. A malicious insider intentionally abuses their legitimate credentials and access to steal information, often for financial or personal gain. Malicious insiders are a particularly significant threat because they know the organization's security policies and procedures, and they are often aware of existing weaknesses in its controls. Malicious insiders may be “second streamers”, who use information acquired through their job to generate additional income, or disgruntled employees, who commit sabotage or steal intellectual property, either for financial gain or for revenge.
Negligent insider. A negligent insider unknowingly exposes systems to outside threats. Examples include leaving devices unlocked and unattended or falling victim to a phishing scam. Some negligent insiders, particularly senior executives, are unresponsive to security awareness training, which leaves them persistently vulnerable to compromise.
Mole. A mole is an outside impostor who gains insider access to a privileged network.
To protect against insider threats, DHS suggests addressing the following six areas:
- Collect and analyze (monitoring)
- Detect (provide incentives and data)
- Deter (prevention)
- Protect (maintain operation and economics)
- Predict (anticipate threats and attacks)
- React (reduce opportunity, capability, and motivation and morale for the insider)
Specific suggestions to protect against insider threats include:
Protect critical assets. Critical assets include systems, technology, facilities, people, intellectual property, customer data, proprietary software, schematics, and internal manufacturing processes. You cannot protect what you have not inventoried: identify all critical assets, then prioritize them so that monitoring and controls are concentrated where an insider could do the most damage.
Increase visibility. Deploy monitoring that correlates multiple data points, such as authentication events, file and data access, network activity, and HR status, to track employee actions against a baseline of normal behavior, so that an unusual event is judged in context rather than in isolation.
Enforce policies. Security policies and procedures should be clearly documented, and regular training should be provided to ensure that all employees know what their rights and responsibilities are.
Conduct risk assessments. Regularly assess your organization's security risks to understand the potential impact of an insider attack.
Organizational culture. Create a culture at your organization that emphasizes both cybersecurity hygiene and employee satisfaction. Satisfied employees with strong cybersecurity hygiene habits reduce your risk from malicious and negligent insiders alike.
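To make the “increase visibility” suggestion concrete, here is an added example (not code from the page or from DHS) that correlates three constructed data sources, HR account status, an authentication log, and a file-access log, and reports per-user indicators: activity by a deactivated or unknown account, a successful login from outside an assumed corporate address range, and bulk or off-hours reads of assumed sensitive paths. The users, log lines, paths, thresholds, and severity weights are all constructed assumptions for the illustration:

```python
# Added illustration of "increase visibility": correlate HR, auth and
# file-access data. All records below are constructed; paths, IP ranges,
# thresholds and weights are assumptions, not DHS or vendor guidance.
from collections import defaultdict
from datetime import datetime, time

# Constructed HR/identity context: account status and normal working hours.
USERS = {
    "alice": {"status": "active", "hours": (time(8, 0), time(18, 0))},
    "bob": {"status": "active", "hours": (time(9, 0), time(17, 0))},
    "carol": {"status": "terminated", "hours": (time(9, 0), time(17, 0))},
}
SENSITIVE_PREFIXES = ("/finance/", "/hr/", "/eng/schematics/")  # assumed

# Constructed file-access log: ts|user|action|path|bytes
FILE_LOG = """\
2024-03-04T10:12:01|alice|read|/eng/schematics/board_v3.pdf|512000
2024-03-04T10:14:30|alice|read|/eng/schematics/board_v3_bom.xlsx|210000
2024-03-04T23:41:05|bob|read|/finance/q1_forecast.xlsx|3400000
2024-03-04T23:42:11|bob|read|/finance/customer_list.csv|52000000
2024-03-04T23:43:40|bob|read|/finance/payroll.csv|8100000
2024-03-04T23:44:02|bob|read|/hr/employee_roster.csv|4600000
2024-03-05T10:05:17|carol|read|/hr/benefits_guide.pdf|120000
"""
# Constructed authentication log: ts|user|result|source_ip
AUTH_LOG = """\
2024-03-04T09:58:10|alice|success|10.0.4.21
2024-03-04T23:39:50|bob|success|203.0.113.77
2024-03-05T10:04:55|carol|success|10.0.4.99
"""

BULK_READ_COUNT = 3           # this many sensitive files, or ...
BULK_READ_BYTES = 50_000_000  # ... this many bytes, counts as a bulk read
WEIGHTS = {"inactive_account_activity": 5, "unknown_account": 4,
           "bulk_sensitive_read": 3, "off_hours_sensitive_read": 2,
           "external_login": 1}  # assumed severities


def parse(log, fields):
    """Split pipe-delimited lines into dicts, typing ts and bytes."""
    rows = []
    for line in log.strip().splitlines():
        rec = dict(zip(fields, line.split("|")))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        if "bytes" in rec:
            rec["bytes"] = int(rec["bytes"])
        rows.append(rec)
    return rows


def off_hours(ts, hours):
    """True when ts falls outside the user's (start, end) working hours."""
    return not (hours[0] <= ts.time() <= hours[1])


def assess(file_log=FILE_LOG, auth_log=AUTH_LOG, users=USERS):
    """Return {user: sorted indicator names}; users with no findings are absent."""
    files = parse(file_log, ("ts", "user", "action", "path", "bytes"))
    auths = parse(auth_log, ("ts", "user", "result", "source_ip"))
    findings = defaultdict(set)

    # HR data: any activity attributed to a non-active or unknown account.
    for rec in files + auths:
        acct = users.get(rec["user"])
        if acct is None:
            findings[rec["user"]].add("unknown_account")
        elif acct["status"] != "active":
            findings[rec["user"]].add("inactive_account_activity")

    # Auth data: successful logins from outside the assumed 10.0.0.0/8 range.
    for rec in auths:
        if rec["result"] == "success" and not rec["source_ip"].startswith("10."):
            findings[rec["user"]].add("external_login")

    # File data: aggregate sensitive reads per user, then apply thresholds.
    agg = defaultdict(lambda: {"count": 0, "bytes": 0, "off_hours": False})
    for rec in files:
        if rec["action"] != "read" or not rec["path"].startswith(SENSITIVE_PREFIXES):
            continue
        a, acct = agg[rec["user"]], users.get(rec["user"])
        a["count"] += 1
        a["bytes"] += rec["bytes"]
        if acct and off_hours(rec["ts"], acct["hours"]):
            a["off_hours"] = True
    for user, a in agg.items():
        if a["count"] >= BULK_READ_COUNT or a["bytes"] >= BULK_READ_BYTES:
            findings[user].add("bulk_sensitive_read")
        if a["off_hours"]:
            findings[user].add("off_hours_sensitive_read")
    return {user: sorted(inds) for user, inds in findings.items()}


def risk_score(indicators):
    """Sum assumed weights; unknown indicator names count 1."""
    return sum(WEIGHTS.get(i, 1) for i in indicators)


if __name__ == "__main__":
    for user, inds in sorted(assess().items(), key=lambda kv: -risk_score(kv[1])):
        print(f"{user}: score={risk_score(inds)} indicators={inds}")
```

The value of the correlation is that no single source is conclusive on its own: a late login, a large download, or a dormant account can each be benign, but an off-hours bulk read of financial files following a login from an external address is the pattern a malicious insider or a mole would produce, and a terminated account that can still read HR files is an offboarding failure worth fixing regardless of intent. In a real deployment the status table would come from the HR or identity system and the baselines from each user's own history rather than fixed working hours.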
[1] DHS, 2021, “Insider Threat”