Insider Threat

What is an insider threat?

An insider threat is a security risk that originates from within an organisation. It typically involves current or former employees, or outsourced business associates, who have access to sensitive information or privileged accounts. Some insider threats come from malicious employees who intend to harm the organisation through theft or sabotage; in other cases the harmful acts are unintentional.

An insider threat survey report issued in 2022 revealed that insider attacks have become more frequent: the number of incidents has risen 44% since 2020, and the cost per incident has increased by more than a third. Negligence (56%) and crimes (26%) are the root causes of most insider incidents. Insider threats have evolved into one of the most expensive and challenging risks that organisations face today.

Who can cause insider threat?

1. Negligent employees
Employees who hold the organisation's business information (e.g. user accounts and business-sensitive information) or mobile devices that store the organisation's information may expose that information if they handle it inappropriately. Other employees may choose to ignore security policies and so pose a security threat to the organisation, for example by installing unauthorised software on their computer or mobile device without going through the proper authorisation and approval process.

2. Former employees
Former employees may harm the organisation if their access rights to IT systems and data assets are not revoked promptly and properly. Discontented former employees may use their old login credentials to access the organisation's IT systems and perform malicious actions, such as stealing sensitive intellectual property, disrupting business services or damaging the organisation's reputation.

3. Cyber criminals
Current employees become malicious insiders if they intentionally abuse the access rights granted to them, for example by stealing the organisation's sensitive information for financial gain, stealing intellectual property on behalf of external parties seeking a competitive edge, or exploiting vulnerabilities in the IT systems.

4. Third party partners
Third party partners are usually contractors or vendors who are not formal employees of the organisation but have been granted some level of access to its systems, facilities, etc. They can pose an insider threat if they mishandle the organisation's sensitive information.

Insider threats expose the organisation to a number of risks, including compromise of privileged accounts, theft of confidential business information and sensitive intellectual property, disruption of business services and damage to the organisation's reputation. A successful insider attack can have disastrous consequences, ranging from penalties for non-compliance with sector-specific regulatory requirements to loss of customer trust and company goodwill. To avoid falling victim to insider attacks, it is important to understand how to identify and mitigate them by raising employees' security awareness, establishing proper security policies and deploying intrusion detection and prevention solutions.

What are the types of insider threat?

Insider threats may be classified into three types: "malicious / criminal", "negligent / careless" and "credential theft / imposter". The table below lists the different types of insider, the threats they pose and their common actions:

Type of insider: Malicious insider / Credential theft
(Privileged IT users / administrators / malicious third party partner)
  Threats:
    Data loss / leakage
    Service interruption
    Abuse of accounts
    Exploit of systems' vulnerabilities
  Common actions:
    Committing fraud
    Stealing confidential or commercially valuable information
    Stealing intellectual property
    Exploiting vulnerabilities of organisation's IT systems or networks

Type of insider: Negligent / Careless
(General employees / privileged business users)
  Threats:
    Phishing attacks
    Malware attacks
    Data loss / leakage
  Common actions:
    Clicking links in phishing messages
    Losing devices which stored organisation's data

Type of insider: Credential Theft / Imposter
(Contractors / Service providers / temporary workers)
  Threats:
    Data loss / leakage
    Abuse of accounts
    Exploit of systems' vulnerabilities
  Common actions:
    Committing fraud
    Stealing confidential or commercially valuable information
    Stealing intellectual property
    Exploiting vulnerabilities of organisation's systems or networks

Why is insider threat dangerous?

Since insiders are authorised to access the organisation's IT systems and data, and are familiar with its policies, processes and procedures, it can be difficult to tell whether their operations are legitimate, unintentional or malicious. Security systems are less likely to detect the seemingly legitimate actions of insiders, which allows them to stay in the IT systems longer and cause greater damage to the organisation.

What are the common indicators and warning signs of insider threat?

It is important to monitor the organisation's IT systems and premises for signs of suspicious activity. Indicators of insider threat manifest in many ways; some examples are:

1. Discontented employee behaviour, such as frequent quarrels with colleagues, reluctance to discharge duties, discontent with the organisation, etc.
2. Violation or neglect of security controls by employees, such as turning off automatic encryption policies, declining maintenance or security patch deployment, connecting unauthorised devices to the organisation's network, repeated attempts to install or use unauthorised software, etc.
3. Frequently staying in the office during non-office hours.
4. Unnecessarily accessing, downloading or transferring large amounts of data that are not relevant to the employee's role.
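Several of these indicators leave traces in ordinary access logs, so a monitoring team can check for them automatically. The script below is an added example, not code from the original article or any product: it runs a simple detection pass over a handful of constructed log lines and flags activity outside office hours, a transfer far above the user's own baseline volume, and repeated denied attempts to install software. The log layout, field names, office hours and thresholds are assumptions made for the example.

```python
"""Added example, not from the original article: a minimal detection pass
over constructed access-log lines for three of the indicators listed above
(activity outside office hours, data transfers far above the user's own
baseline, and repeated attempts to install unauthorised software). The log
format, field names, office hours and thresholds are all assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Assumed layout per line:
#   <ISO timestamp> <user> <action> <detail...>
# DOWNLOAD carries the volume in MB; INSTALL carries the package and the result.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice DOWNLOAD 12
2024-03-04T09:30:00 bob DOWNLOAD 20
2024-03-04T10:40:00 alice DOWNLOAD 8
2024-03-05T11:05:00 alice DOWNLOAD 15
2024-03-05T14:00:00 bob INSTALL torrentclient DENIED
2024-03-05T14:03:00 bob INSTALL torrentclient DENIED
2024-03-05T14:10:00 bob INSTALL torrentclient DENIED
2024-03-06T02:30:00 alice DOWNLOAD 4200
2024-03-06T10:00:00 bob DOWNLOAD 25
2024-03-06T23:15:00 carol LOGIN -
"""

OFFICE_HOURS = range(8, 19)        # assumed office hours: 08:00 to 18:59
VOLUME_SIGMAS = 3.0                # flag a transfer above mean + 3 sigma of the user's history
MIN_BASELINE = 3                   # judge volumes only once this many prior transfers exist
DENIED_INSTALL_THRESHOLD = 3       # repeated denied install attempts that count as an indicator


def parse_log(text):
    """Turn the raw lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, *detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "detail": detail})
    return events


def find_indicators(events):
    """Return (user, indicator, evidence) tuples in time order."""
    findings = []
    volumes = defaultdict(list)    # per-user transfer volumes accepted as baseline
    denied = defaultdict(int)      # per-user count of denied install attempts
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["ts"].hour not in OFFICE_HOURS:
            findings.append((user, "off_hours_activity", ev["ts"].isoformat()))
        if ev["action"] == "DOWNLOAD":
            mb = float(ev["detail"][0])
            prior = volumes[user]
            anomalous = False
            if len(prior) >= MIN_BASELINE:
                mu, sigma = mean(prior), pstdev(prior)
                # Floor the spread at 25% of the mean so a flat baseline does not
                # make every small increase look anomalous.
                limit = mu + VOLUME_SIGMAS * max(sigma, 0.25 * mu)
                if mb > limit:
                    anomalous = True
                    findings.append((user, "unusual_transfer_volume",
                                     f"{mb:.0f} MB vs baseline mean {mu:.1f} MB"))
            if not anomalous:
                prior.append(mb)   # keep flagged transfers out of the baseline
        elif ev["action"] == "INSTALL" and ev["detail"][-1] == "DENIED":
            denied[user] += 1
            if denied[user] == DENIED_INSTALL_THRESHOLD:
                findings.append((user, "repeated_unauthorised_install", ev["detail"][0]))
    return findings


def run_sample():
    return find_indicators(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, indicator, evidence in run_sample():
        print(f"{user:6} {indicator:30} {evidence}")
```

On the sample data this reports alice for both the 02:30 activity and the 4200 MB transfer, bob for the three denied installs, and carol for the 23:15 login. Per-user baselines matter more than a single global threshold: a volume that is routine for a backup operator is abnormal for a receptionist, which is the point the fourth indicator makes about relevance to the employee's role. Flagged transfers are deliberately kept out of the baseline so that one large exfiltration cannot quietly raise the bar for the next.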

What can you do to defend against insider threat?

Detecting and preventing insider threats requires full visibility of the organisation's systems and premises. It is very challenging to identify all employees and third party partners who have access to the organisation's premises, IT systems and data. The following are some mitigation measures to minimise the risks:

1. Perform enterprise-wide risk assessment
The organisation should perform an enterprise-wide risk assessment to identify potential threats and analyse the risks, including but not limited to insider attacks. The scope of the assessment should also cover remote work or remote access environments if the organisation provides them. The organisation should prioritise resources to protect the identified assets from potential insider attacks and minimise the impact.

2. Develop security policies, controls and procedures
The organisation should develop and implement security policies, controls and procedures to govern the interactions between employees and the organisation's facilities, including IT systems and organisational premises, to mitigate potential insider threats. The security policies and controls should be clearly documented and circulated within the organisation. They should be checked and reviewed by the relevant parties to ensure that they are effectively implemented. Policies should include identification and classification of sensitive and personal data, stringent access controls such as multi-factor authentication (MFA), least-privilege access levels, segregation of duties, third-party access control procedures, etc. Should there be any suspicious activity, system / IT administrators should investigate it seriously and escalate it to management according to the defined procedures.

3. Provide security awareness training
The organisation should provide training on legal compliance and information security awareness to foster a security culture among its employees. Examples include training employees and administrators on the actions they are required to take when an insider attack happens.

4. Enhance security of the network and IT systems
The organisation should strengthen the network perimeter and IT systems to protect them from potential security breaches. Example security actions include monitoring and controlling remote access from all endpoints (including mobile devices), whitelisting only the necessary network hosts and ports, setting up a demilitarised zone (DMZ) between the internal and external networks, applying security patches in a timely manner, disabling unnecessary services and ports, enabling a password policy, etc.

5. Deploy effective security tools
The organisation should deploy effective security tools, such as data loss prevention (DLP) and identity and access management (IAM) tools, to protect against insider threats and actively manage its security posture over time. These solutions should enable the organisation to monitor data access, file activity, endpoint and mobile device security, etc. The organisation can also consider deploying a user behaviour analytics (UBA) tool that uses access logging and automated user behaviour monitoring to detect, classify and alert on anomalous behaviour.

6. Develop backup and recovery policies and procedures
Data backup and recovery policies should be in place to enable efficient and effective recovery from security incidents, including damage caused by insider attacks. The organisation should also perform regular drills of the backup and recovery procedures to verify that they work.

7. Develop comprehensive human resources management procedures for employees and service agreements with third party partners
The organisation should develop comprehensive human resources management procedures for employees, and service agreements with third party partners, that allow it to terminate the employment or service contract when potential or observed insider attack activities are identified.
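Measures 2 and 7 and the earlier section on former employees all come down to the same operational check: every account must have an accountable owner, and access must be revoked promptly when that owner's engagement ends. The script below is an added example, not code from the original article or any product: it reconciles a constructed HR roster against a constructed identity-store export and reports accounts that are still enabled or still used after the person's end date, and accounts with no HR owner at all. The record layouts, the one-day grace period and the sample data are assumptions made for the example.

```python
"""Added example, not the article's own code: reconciling an HR roster with an
identity-store export to catch the former-employee gap described above, i.e.
accounts still enabled or still used after the person's contract ended, and
accounts with no HR owner at all (e.g. a contractor whose agreement lapsed).
The record layouts, grace period and sample data are assumptions."""
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=1)   # assumed: access must be revoked within a day of leaving
AUDIT_DATE = date(2024, 3, 11)     # the day the check is run, for the sample data

# Constructed HR roster: user -> (engagement type, end date or None if still engaged)
HR_ROSTER = {
    "alice": ("employee", None),
    "bob":   ("employee", date(2024, 2, 29)),
    "carol": ("contractor", date(2024, 3, 1)),
    "dave":  ("employee", date(2024, 3, 10)),
}

# Constructed identity-store export: user -> (account enabled?, last login date or None)
ACCOUNTS = {
    "alice":      (True,  date(2024, 3, 11)),
    "bob":        (True,  date(2024, 3, 8)),   # left on 29 Feb, still enabled and logging in
    "carol":      (False, date(2024, 2, 27)),  # contract ended, account disabled in time
    "dave":       (True,  date(2024, 3, 10)),  # left yesterday, still inside the grace period
    "svc-backup": (True,  date(2024, 3, 11)),  # no HR record owns this account
}


def audit_accounts(roster, accounts, today):
    """Return (user, finding) pairs for accounts that should have been revoked."""
    findings = []
    for user, (enabled, last_login) in accounts.items():
        if user not in roster:
            # Every account needs an accountable owner; unowned ones cannot be offboarded.
            findings.append((user, "no_hr_owner"))
            continue
        _kind, end = roster[user]
        if end is None:
            continue                      # still engaged, nothing to revoke
        if enabled and today - end > GRACE_PERIOD:
            findings.append((user, "enabled_after_departure"))
        if last_login is not None and last_login > end:
            # Even a now-disabled account that was used after the end date shows
            # the revocation came too late and deserves a look.
            findings.append((user, "login_after_departure"))
    return findings


def run_audit():
    return audit_accounts(HR_ROSTER, ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user:12} {finding}")
```

On the sample data bob is reported twice (still enabled, and logged in after leaving), svc-backup is reported as having no HR owner, and carol and dave produce nothing because carol's account was disabled in time and dave is still inside the grace period. Running a reconciliation like this on a schedule, with service accounts mapped to a named owner, is what turns the HR procedure in measure 7 into something the IAM tooling from measure 5 can actually enforce.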

Disclaimer: Users are also recommended to observe the disclaimer of this website and to read the user agreements and privacy policies of the security software and tools before downloading and using them.