What to Do if You Suspect Insider Threat

Insider threat is the risk that employees, contractors, or vendors with legitimate access to company computing resources and data will somehow misuse that access to cause harm to the company.

Insider threat can often stem from honest mistakes made by an employee. But sometimes it is clearly conducted with malicious intent to harm the company.

Insider threat includes abuses of privilege, mishandling data, and misconfigurations or other errors, such as programming bugs. Corporate espionage can also fall under this umbrella.

Insider threat is one of the most devastating types of security breach, so every security professional should know how to identify it and respond to it appropriately.

How Common Is Insider Threat?

According to data from the Ponemon Institute, insider threat has been increasing rather significantly year over year. 71% of the companies surveyed have experienced more than 21 distinct insider threat incidents in a single year.

In 2018, the share of companies that had experienced insider threat was around 50%.

It’s very clear that companies small and large are highly likely to experience at least some type of insider threat. And even unintentional incidents can be very costly, with insider threat incidents costing an average of $15.4 million in 2022.

Since 2018, that figure has increased 76%. It includes anything from downtime or outages, all the way up to a full-fledged data breach and loss of critical intellectual property.

What Kind of Activity Constitutes Insider Threat?

Based on the same data from the Ponemon Institute, about 90% of insider threat incidents fall into one of these three categories: negligence, malicious/criminal intent, and credential theft.

Negligent and Complacent Insiders

Negligence alone accounts for 56% of incidents. Negligence most often results from a lack of training or awareness, or employee carelessness.

Mistyping an email address, clicking a malicious link, opening a bad attachment, or failing to properly dispose of sensitive documents or devices that may contain company data are all examples of how negligent insider threat happens.

For instance, if a company replaces a printer, they may have sensitive data remaining on the hard drive inside that old printer. Someone must make sure that the printer is wiped before disposal in order to prevent negligent insider threat.

Complacent insiders are a specific type of negligent insider threat. These are people who know better, but choose not to follow basic security protocols or policies.

Complacent insiders use weak passwords, fail to patch systems, reuse credentials or make other mistakes where they’ve been trained to know and do better. Yet, for their own convenience or simplicity, they put the company at risk.

Malicious Insiders

Malicious insiders are those who intentionally violate company policy or security practices with an intent to do harm.

HIPAA violations are a common example of malicious insider threat. In the medical industry, it is illegal to access protected health information without authorization. People get fired all the time for accessing the health records of a celebrity, an ex, or another individual just because they’re curious.

Other examples include situations like employees being hired into a company with an intent to steal data or intellectual property. Corporate espionage is a textbook example of malicious insider threat.

Disgruntled employees may also act as malicious insiders. They feel that they were somehow mistreated by the company, and in retaliation they’ll break a system. I’ve seen many instances where angry SysAdmins will damage something on the way out the door — or leave hidden scripts on a timer set to go off after they are gone.

Credential Theft Insiders

Insider threat that stems from credential theft occurs when a threat actor gains access to a network through phishing or other social engineering of an unsuspecting or untrained company employee. Once they acquire credentials, the threat actor can then pose as an insider and take or damage whatever they want from the company’s network.

What Are Some of the Warning Signs of Insider Threat?

Insider threat is typically detected through monitoring changes in employee behavior.

An employee changing their behavior could include suddenly deciding to work odd hours. If they’re coming in very early or staying very late, it’s likely because they’re doing things that they don’t want other people to see.

Now that’s distinct from the workaholic — if they’ve always been known to work long or odd hours, then that’s not a behavioral change. But if somebody who’s normally 9-to-5 suddenly starts coming in at 7 am, you have to ask why.

This is also an opportunity to provide support if the behavior change is actually motivated by a personal situation, like loss of after-school childcare. An employee who feels supported by the company will also be less motivated to harm the company.

Other changes could be more subtle. An employee who has become angry or is always disparaging the company could present an insider threat.

Changes in an employee’s behavior can also appear in technical metrics. If they’ve recently had a higher number of data transfers or increased Internet usage, that could be a sign that you have an insider threat problem.

For SysAdmins, behavioral change could include creating new system accounts or modifying permissions or access controls.
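The warning signs above (odd hours for someone who is normally 9-to-5, a jump in data transfers, and admin actions that were never part of a SysAdmin's routine) all share one shape: compare each user's recent activity with their own history. The following is an added example, not code from the original post or from Black Kilt; it assumes an audit trail already normalised into (user, timestamp, event, detail) rows, builds the sample rows itself, and flags the three deviations described in the text.

```python
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import mean

# Admin event names are an assumption; map them to whatever your directory
# or IAM logs actually emit.
ADMIN_EVENTS = {"account_created", "permission_change", "group_membership_change"}
# Everything on or after this date is the "recent" window under review.
CUTOFF = datetime(2024, 1, 29)


def build_sample_events():
    """Constructed sample data (not real logs): four weeks of baseline plus one
    recent week. Rows are (user, timestamp, event, detail); detail is bytes for
    'transfer', the target for admin events, and None for 'login'."""
    events = []
    day = date(2024, 1, 2)
    while day < date(2024, 2, 3):
        if day.weekday() < 5:  # weekdays only
            midnight = datetime.combine(day, datetime.min.time())
            recent = midnight >= CUTOFF
            # alice normally signs in at 09:30 and moves ~50 MB/day; in the recent
            # week she starts at 06:30 and pushes 400 MB out on one morning.
            login_hour = 6 if recent else 9
            events.append(("alice", midnight + timedelta(hours=login_hour, minutes=30), "login", None))
            events.append(("alice", midnight + timedelta(hours=11), "transfer", 50_000_000))
            if day == date(2024, 1, 31):
                events.append(("alice", midnight + timedelta(hours=7), "transfer", 400_000_000))
            # bob is a SysAdmin whose baseline has no account creation at all; in
            # the recent week he creates accounts late in the evening.
            events.append(("bob", midnight + timedelta(hours=8), "login", None))
            events.append(("bob", midnight + timedelta(hours=10), "transfer", 20_000_000))
            if day in (date(2024, 1, 30), date(2024, 2, 1)):
                events.append(("bob", midnight + timedelta(hours=22), "account_created", "svc-backup2"))
        day += timedelta(days=1)
    return events


def per_user(events):
    by_user = defaultdict(list)
    for user, ts, event, detail in events:
        by_user[user].append((ts, event, detail))
    return by_user


def daily_transfer_bytes(rows):
    totals = Counter()
    for ts, event, detail in rows:
        if event == "transfer":
            totals[ts.date()] += detail
    return totals


def find_deviations(events, cutoff, hour_slack=1, transfer_factor=3.0):
    """Compare each user's activity on/after `cutoff` with their own history before it.
    Returns {user: [human-readable finding, ...]} for users with at least one finding."""
    findings = defaultdict(list)
    for user, rows in per_user(events).items():
        baseline = [r for r in rows if r[0] < cutoff]
        recent = [r for r in rows if r[0] >= cutoff]
        if not baseline:
            findings[user].append("no baseline history; review manually")
            continue
        # 1. Login hours outside the user's usual window (the 9-to-5 person at 7 am).
        base_hours = [ts.hour for ts, ev, _ in baseline if ev == "login"]
        if base_hours:
            lo, hi = min(base_hours) - hour_slack, max(base_hours) + hour_slack
            for ts, ev, _ in recent:
                if ev == "login" and not lo <= ts.hour <= hi:
                    findings[user].append(
                        f"login at {ts:%Y-%m-%d %H:%M} outside usual "
                        f"{min(base_hours):02d}-{max(base_hours):02d}h window")
        # 2. Daily transfer volume far above the user's own daily mean.
        base_daily = daily_transfer_bytes(baseline)
        if base_daily:
            typical = mean(base_daily.values())
            for day, total in sorted(daily_transfer_bytes(recent).items()):
                if total > transfer_factor * typical:
                    findings[user].append(
                        f"{total / 1e6:.0f} MB transferred on {day} vs ~{typical / 1e6:.0f} MB/day baseline")
        # 3. Admin actions of a kind this user never performed during the baseline.
        seen_admin = {ev for _, ev, _ in baseline if ev in ADMIN_EVENTS}
        for ts, ev, detail in recent:
            if ev in ADMIN_EVENTS and ev not in seen_admin:
                findings[user].append(
                    f"new admin action {ev} ({detail}) at {ts:%Y-%m-%d %H:%M}; none in baseline")
    return dict(findings)


if __name__ == "__main__":
    for user, items in find_deviations(build_sample_events(), CUTOFF).items():
        print(user)
        for item in items:
            print("  -", item)
```

Each finding is a prompt for the discreet review the rest of the post describes, not a verdict: the early start may be a childcare change and the admin action a legitimate project, which is exactly why the comparison is against the user's own history rather than a fixed rule.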

Minimizing the Risk Posed by Insider Threat

Minimizing insider threat risk starts with policy. Create and enforce consistent policies, with an emphasis on training your people to be aware of these risks and their consequences.

Employees who know there are consequences for violating an insider threat policy are much less likely to make poor security choices. Make your employees aware that they could be fired or even prosecuted over insider threat, depending on the severity and intent behind the incident.

Negligent and complacent insider threat can be significantly reduced through awareness training and by demonstrating a company culture of security. If executives show that security is a priority, employees will follow, significantly reducing your insider threat risk.

Effectively minimizing malicious insider threat begins with the interview process and background checks. If you want to keep out people who are trying to hire into your company with malicious intent, you need to have a robust interview process, plus background checks designed specifically to uncover this kind of behavior.

Malicious insider detection also relies on monitoring and prevention tools that detect harmful actions and alert security personnel. These tools detect and correlate activity as it happens, so security can respond in near real time.

Some insider threat tools block actions, such as preventing someone from plugging in a USB drive, printing documents, or uploading data outside of the company network. Other tools exist to monitor user behavior and alert to changes.

For example, these tools will catch it if an employee’s account logs in from a different country. This is a significant change in behavior that could indicate that either the account is compromised, or the employee is trying to steal data without facing legal consequences by leveraging a safe harbor country to avoid US extradition.
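The country-change check described above can be expressed in a few lines once the source address has been mapped to a country. This is an added example, not code from the original post or from any vendor tool; it assumes the GeoIP lookup has already been done upstream (the country column is constructed sample data) and, going slightly beyond the text, also flags two logins from different countries that are too close together for the person to have travelled between them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records (user, ISO timestamp, country from an assumed
# upstream GeoIP lookup). Not real data.
LOGINS = [
    ("alice", "2024-03-01T09:02:00", "US"),
    ("alice", "2024-03-02T08:58:00", "US"),
    ("alice", "2024-03-03T09:10:00", "US"),
    ("alice", "2024-03-04T02:40:00", "BR"),  # never seen from BR before
    ("alice", "2024-03-04T09:05:00", "US"),  # back in the US ~6h later
    ("bob", "2024-03-01T08:30:00", "US"),
    ("bob", "2024-03-02T08:35:00", "GB"),    # first login from GB (travel?)
    ("bob", "2024-03-03T08:40:00", "GB"),    # GB is now part of bob's history
]


def parse(records):
    return [(user, datetime.fromisoformat(ts), country) for user, ts, country in records]


def flag_country_changes(records, travel_window=timedelta(hours=8)):
    """Return (user, timestamp, reason) alerts for logins from a country not in
    the user's history, and for country changes inside `travel_window`."""
    alerts = []
    seen = defaultdict(set)  # countries previously observed per user
    last = {}                # most recent (timestamp, country) per user
    for user, ts, country in sorted(parse(records), key=lambda r: (r[1], r[0])):
        # A first-ever login from a new country; no alert on a user's very first login.
        if seen[user] and country not in seen[user]:
            alerts.append((user, ts, f"first login from {country}; history={sorted(seen[user])}"))
        # Extension: two countries within a window too short to travel between them.
        if user in last:
            prev_ts, prev_country = last[user]
            if prev_country != country and ts - prev_ts < travel_window:
                alerts.append((user, ts, f"{prev_country}->{country} within {ts - prev_ts}"))
        seen[user].add(country)
        last[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for user, ts, reason in flag_country_changes(LOGINS):
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {reason}")
```

Bob's single alert is the kind of thing a travel notice resolves in minutes; Alice's pair (a new country followed by an impossible return) is the signal that justifies pulling in legal and forensics, because it fits either a compromised account or the scenario the post describes.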

Data encryption is a great way to thwart an insider threat. Encryption can help keep prying eyes and unauthorized individuals from accessing sensitive data.

Strong identity and access management policies, with tools that enforce least privilege, will also serve you well. Users can’t steal or destroy what they can’t access. That’s true even for highly privileged users like SysAdmins.

How to Respond to Insider Threat

When prevention fails, the first priority is to verify that the incident is in fact an insider threat. You’re going to deal with an employee mistake very differently than you would deal with somebody who’s purposefully trying to exfiltrate data.

You don’t want to have a company culture where employees are afraid to admit mistakes. If it was an honest mistake, the earlier you know about the incident, the less likely it is to become a catastrophic event for the company.

If you create a culture where employees are afraid to report that they made a mistake because they’re afraid they’re going to be fired for insider threat, you’ll have a serious problem.

It’s also incredibly important to not overreact or panic. If insider threat is suspected, the first thing you should do is meet with legal counsel. Also engage your forensics team to gather data to prove the suspicion and ensure evidence is collected and retained.

Do not notify the suspected employee that they’re under investigation. As creepy as that sounds, the point is that an employee who turns out to be innocent should never be made to feel uncomfortable or unduly monitored, so the investigation must be handled discreetly.

Unless you already have data to prove there is a problem with an employee, they shouldn’t know they’re under investigation until something is found that warrants adverse action. This will also ensure false alarms don’t rapidly escalate with innocent employees.

Keeping investigations over insider threat discreet also prevents malicious insiders from learning they have been discovered. Once they’re found out, they’ll cover their tracks or escalate the situation.

Just because someone gets investigated doesn’t mean they’re a bad person or that they’ve done anything wrong. The forensic team’s job is to discreetly determine what is and isn’t a problem and to collect and preserve evidence. They’re not there to make judgment calls or accusations.

This is true for all types of incidents, even the negligence incidents or the mistakes.

In negligence incidents, if the consequences of the mistake are bad enough, the company may still wish to take legal action. To do so, it’s imperative that evidence is collected in a way that will stand up in court.

Insider threat needs to be treated like any other cybersecurity incident. Affected systems need to be isolated, and data must be collected and preserved using forensic tools and techniques.

You may have to make an SEC filing for an insider threat issue. An insider threat incident could require disclosure for compliance or other regulatory reasons as well. Your legal team can advise you on the specifics of filings or other necessary procedures.

Black Kilt Helps Secure Organizations Against Insider Threat

Black Kilt’s employees have been dealing with insider threat for decades. We’ve seen scenarios ranging from garden variety to the truly bizarre. We can help you build an insider threat program from scratch or breathe new life into an existing solution that may not be up to par.

We can review existing processes, policies, and tools to identify and fill the gaps. In addition to expertise on industry leading vendor solutions, we’re also experienced with a variety of open source tools sure to meet any budget requirements.

If you’re concerned about insider threat, head to our contact page and call for a free consultation.
