Here’s what to know about insider threats — what they are, why they occur, and the damage they cause — and how to protect your organization
That’s the total average cost of insider threat-related incidents, according to the 2018 Cost of Insider Threats: Global Organizations report from the Ponemon Institute and ObserveIT. Of course, these costs range significantly depending on which type of insider threat you’re looking at — which we’ll get into more momentarily.
The main point here is that even just one insider threat is a major concern for every organization, government, and business that employs people. Which, realistically, includes every business or organization in the world that isn’t a sole proprietorship. And it’s a growing issue that many companies would prefer to keep under the rug — though, these threats sometimes become very public.
But what exactly is an insider threat and what does this term entail? We’ll evaluate what an insider threat is, consider a few insider threat definitions, and even break down a few insider threat statistics and what they mean for your organization.
As we always like to say around here…
Let’s hash it out.
What Is an Insider Threat and Why Is It Such a Concern for Everyone?
KnowBe4 reports that “76% of organizations say the biggest and most persistent security threat comes from ‘the enemy from within.’” But what constitutes such a threat?
Our insider threat definition is that it’s a threat that originates from within your own organization. Essentially, it’s someone who poses a security risk to your organization through their access. This is a broad category because it can include current and former employees, executives, contractors, interns, or anyone else who has authorized access to critical systems or information. Other companies and organizations vary a bit with the specifics of the description, but this is the overall general concept at its core.
[…] one or more individuals with the access or inside knowledge of a company, organization, or enterprise, that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.” — The President’s National Infrastructure Advisory Council’s Final Report and Recommendations on the Insider Threat to Critical Infrastructures, April 2008
It’s important to note that the PNIAC’s insider threat definition views insider threats in a broader sense in terms of it being related to terrorism, workplace violence, and/or cyber security. For cyber security specifically, it’s about “The risks presented to an organization either by a malicious insider or by an insider who mishandles technology.”
You’re likely able to think of a good number of people within your own organization who qualify as potential cyber security insider threats because of their access to critical information systems — regardless of whether or not they’d actually do something malicious. But how do you further break down the insider threat category?
Types of Insider Threats
There are three main types of insider threats, according to the Ponemon Institute/ObserveIT insider threats report I mentioned earlier:
- A careless or negligent employee or contractor (64%),
- A criminal or malicious insider (23%), or
- A credential thief who uses an employee or contractor’s login information (13%).
Verizon’s 2019 Insider Threat Report takes the categories and breaks them down further:
- Careless worker. They identify this as someone who misuses assets through resource appropriation, mishandling data, installing unauthorized applications (shadow IT), breaking acceptable use policies, etc.
- Inside Agent. This is someone who steals information to benefit one or more third parties through the exfiltration of company data.
- Disgruntled Employee. This categorization is for someone who disrupts operations or destroys property or data to harm their organization.
- Malicious Insider. This is someone who uses their access privilege to steal and use information for personal gain.
- Feckless Third Party. This is an irresponsible third party, such as a business partner or a contractor, who compromises an organization’s security through malicious or negligent access to assets or information.
The Ponemon Institute identified the most common type of insider threat as a negligent employee or contractor. This category of insider threat represents 2,081 of the 3,269 incidents reported in the study! However, they’re not the most costly incidents — that undesirable “honor” falls on credential theft insider threats, which were both the least reported and the most expensive.
Motives for Criminal Insider Threats
While I can’t speak for the people who commit these types of insider cybercrimes — you know, because I’m someone who prefers to help rather than hinder others — I can at least share some of the known reasons why someone may choose to become a criminal insider threat. It could be because they simply want revenge — to get even for a perceived (or real) slight by a current or former employer. Or, they may want money and either choose to hold information hostage (ransomware attack) or want to sell it on the dark web, to a third party or to a competing business.
Other motivations for criminal insiders also can range from acts of corporate or nation state espionage to simple curiosity that gets out of hand. Or, maybe, it’s pride and they want to show off.
Regardless of the rationale, the important takeaway is that insider threats are major concerns for all businesses and organizations — ones that need to be taken seriously.
Insider Threat Examples
Let’s consider the following insider threat example. Say I work in a position where I need access to customers’ personal information to perform my daily work-related tasks. I work this position for a couple of years and then decide to take a new position within the same organization — a different role within another department. In my new job, I no longer require direct access to those customer records. However, my access privileges aren’t revoked and I continue to have access to that sensitive data for the rest of the time that I’m employed by that organization. Therefore, I pose a potential information security and cyber security threat to my organization.
While I have absolutely no interest in accessing or using that information, the same may not be said about someone else who may retain the same amount of access. What if they get passed over for a promotion or become disgruntled for another reason? They could choose to do the unthinkable and abuse their access to commit a crime. Or what if someone phishes me and gets a hold of my company login credentials? Now they have access to every system that I have privileges for, including the customer data that I shouldn’t still have access to in my role.
While this particular example is hypothetical (actually, it’s based on my own real-life experience at a previous employer — minus me falling for a phishing scam and my credentials becoming compromised — but let’s leave it at that), there are plenty of real-life insider threat examples and situations we can point to. Here are a handful of examples:
- Anthem’s Third-Party Vendor Leaves Insurance Vendor Vulnerable. The U.S.’s second-largest health insurance company suffered a data breach due to the weak security measures of a third-party insurance coordination service vendor called LaunchPoint Ventures. CNBC reports that one of the vendor’s employees was involved in a case of identity theft and also emailed a file containing protected health information (PHI) to his personal email address. The document contained the personal information of 18,580 customers — everything from Medicare ID numbers to their names and dates of birth.
- Long-Time Government Contractor Employee Also Nation-State Threat Actor. A structural engineer who worked for Rockwell and later Boeing stole “hundreds of boxes worth of documents pertaining to military and spacecraft from 1979 to 2006.”
- Facebook Employee Uses Access to Stalk Users. A Facebook security engineer was fired after it was discovered that he used his access privileges to stalk women online.
- Target’s Third-Party Vendor Leads to Credit Card Data Breach. Everyone in the industry remembers the cluster that was the highly publicized 2013 Target credit card data breach. This threat resulted from a third-party HVAC vendor who misused critical system credentials by accessing them through insecure channels. This gave hackers a window to gain access into Target’s payment systems, which allowed them to install malware and access a customer database in an attack that affected 41 million customer payment accounts and 60 million Target customers.
- Former Employee Releases Coca-Cola Employee Data. The company suffered a data breach in September 2017 when a former employee of one of its subsidiaries stole a hard drive containing the personal information of 8,000 employees.
- Hacker Colludes with Foreign Bank Employees. Verizon’s 2019 Data Breach report states that “a very skilled hacker admitted to the Secret Service that he ended up paying a collusive employee (insider threat) when all of his hacking attempts to access a foreign bank’s network were unsuccessful.”
- Edward Snowden and Intelligence Secrets. Unless you’ve been living under a rock for the past several years, it’s likely that you’ve at least heard of Edward Snowden and his leaking of documents showcasing the NSA and GCHQ’s involvement in mass surveillance of U.S. and U.K. citizens (and others). Regardless of how you feel about him or his actions — whether you view him as a hero or a villain — it’s safe to say that the NSA and CIA view him as a type of inside threat because it brought their spying activities to light.
- Former Third-Party Vendor Employee Hacks Capital One (and Others). A former Amazon Web Services (AWS) employee was arrested and charged with “obtaining 140,000 Social Security numbers, one million Canadian Social Insurance Numbers, and 80,000 bank account numbers, along with the personal information of more than 100 million customers and applicants of Capital One.” She is also suspected of cyber intrusions that resulted in the theft of data from potentially more than 30 victim companies.
While these examples are now history, they still serve as valuable reminders of what can happen when sensitive info is left available to those who are either malicious or careless in their actions.
The Running Costs of Insider Threats
The costs relating to cybercrime — both those relating to insider threats and external ones — are on the rise. It’s no surprise that insider threats often can take months to contain and may go undiscovered for years — and that’s if they’re even discovered at all! The Ponemon Institute/ObserveIT study states that it took organizations it surveyed an average of “more than two months” to contain an insider incident. Only 16% were able to contain such an incident in fewer than 30 days.
The study also breaks down the annualized costs that result from different types of insider threats. For example, here are some unsettling insider threat statistics:
- Employee negligence costs companies an average of $3.81 million.
- Criminal insiders cost an average of nearly $3 million ($2.99 million).
- Credential theft results in costs of nearly an additional $2 million ($1.96 million).
Some of the biggest differentiators concerning the cost of breaches that result from insider threats are the targeted organizations’ sizes and industries. The larger the company, the greater the resulting cost of data breaches and other calamities.
The Verizon insider threats report lists healthcare and the public sector as the highest-targeted industries. According to the Ponemon Institute, these are the three most costly industries concerning insider threats:
- Financial Services — $12.05 million
- Energy & Utilities — $10.23 million
- Industrial & Manufacturing — $8.86 million
Suffice it to say, the point here is that passwords alone aren’t enough to stop an insider threat from doing very real damage to a business’s operations and reputation. There’s more you need to do to secure your systems and to keep your business and customers safe from insider threats.
How to Mitigate Insider Threats
As someone who’s no doubt dedicated to stopping insider threats from affecting your organization, what can you do? The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations and businesses to develop and maintain comprehensive insider threat programs. This process includes:
- Establishing and maintaining an insider threat program.
- Recognizing and reporting suspicious activities, behaviors, or circumstances indicative of insider threats.
- Identifying and protecting your organization’s critical assets through asset management and access management.
- Collecting and assessing information to respond to threats.
Other useful steps include:
- Continually updating and maintaining a user access privilege list.
- Outlining a risk management framework.
- Establishing incident response, business continuity, and disaster recovery plans.
- Implementing a cyber security awareness training program.
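To make the “maintain a user access privilege list” step concrete, and to tie it back to the role-change scenario from the Insider Threat Examples section, here is an added example (my own illustration, not code from the original post or from CISA) of a small access review. It reconciles an exported entitlement list against the HR roster and a role-to-entitlement policy, flagging the exact situation described earlier: access retained from a previous role, plus orphaned accounts of departed people and over-provisioned contractors. The roster, the policy, the entitlement list and the review date are all constructed sample data, and the system names are hypothetical.

```python
"""Reconcile a user access list against the HR roster and a role-to-entitlement
policy, flagging access that the holder's current role no longer justifies.

All data below is constructed for illustration; system and role names are
hypothetical placeholders, not real identifiers.
"""

from dataclasses import dataclass
from datetime import date

# Policy: which entitlements each role is allowed to hold (constructed).
ROLE_ENTITLEMENTS = {
    "support_agent": {"crm_customer_records", "ticketing"},
    "marketing_analyst": {"analytics_dashboard", "ticketing"},
    "hvac_contractor": {"building_mgmt_portal"},
}

# HR roster: user -> (current role, employment status). Constructed data.
ROSTER = {
    "alice": ("marketing_analyst", "active"),   # moved from support to marketing
    "bob":   ("support_agent", "active"),
    "carol": ("support_agent", "terminated"),   # left the company
    "dave":  ("hvac_contractor", "active"),
}


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str
    last_used: date  # last use recorded by the system owner


# Current access list as exported from the identity system (constructed).
ACCESS_LIST = [
    Entitlement("alice", "crm_customer_records", date(2019, 11, 3)),  # kept from old role
    Entitlement("alice", "analytics_dashboard", date(2020, 2, 10)),
    Entitlement("alice", "ticketing", date(2020, 2, 11)),
    Entitlement("bob", "crm_customer_records", date(2020, 2, 11)),
    Entitlement("bob", "ticketing", date(2020, 2, 11)),
    Entitlement("carol", "crm_customer_records", date(2019, 12, 20)),  # orphaned account
    Entitlement("dave", "building_mgmt_portal", date(2019, 6, 1)),
    Entitlement("dave", "crm_customer_records", date(2019, 9, 14)),   # vendor over-provisioned
]

REVIEW_DATE = date(2020, 3, 1)  # constructed "today" for the review


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    reason: str


def review_access(access_list, roster, policy, today, stale_after_days=90):
    """Return one Finding per entitlement that should be revoked or re-justified.

    Checks, in order of severity:
      orphaned - holder is no longer active but the account persists
      unknown  - holder is not on the HR roster at all
      drift    - entitlement is not permitted for the holder's current role
      stale    - entitlement is permitted but unused for > stale_after_days
    """
    findings = []
    for ent in access_list:
        if ent.user not in roster:
            findings.append(Finding(ent.user, ent.system, "unknown"))
            continue
        role, status = roster[ent.user]
        if status != "active":
            findings.append(Finding(ent.user, ent.system, "orphaned"))
            continue
        if ent.system not in policy.get(role, set()):
            findings.append(Finding(ent.user, ent.system, "drift"))
            continue
        if (today - ent.last_used).days > stale_after_days:
            findings.append(Finding(ent.user, ent.system, "stale"))
    return findings


def revocation_queue(findings):
    """(user, system) pairs to revoke outright; 'stale' findings instead go to
    the system owner for recertification rather than automatic removal."""
    return sorted((f.user, f.system) for f in findings
                  if f.reason in {"orphaned", "unknown", "drift"})


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(ACCESS_LIST, ROSTER, ROLE_ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.reason:9} {f.user:6} {f.system}")
    print("revoke:", revocation_queue(run_review()))
```

Run as a scheduled job, this kind of reconciliation catches the retained-access problem on the day the HR record changes rather than years later; the split between automatic revocation (drift, orphaned, unknown) and owner recertification (stale but permitted) keeps the review from breaking legitimate, rarely used access.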
As always, share your thoughts in the comments…