What Is an Insider Threat?
Insider Threat Definition
An insider threat is a type of cyberattack originating from an individual who works for an organization or has authorized access to its networks or systems. An insider threat could be a current or former employee, consultant, board member, or business partner and could be intentional, unintentional, or malicious.
Typically, an insider threat in cybersecurity refers to an individual using their authorized access to an organization’s data and resources to harm the company’s equipment, information, networks, and systems. It includes corruption, espionage, degradation of resources, sabotage, terrorism, and unauthorized information disclosure. It can also be a starting point for cyber criminals to launch malware or ransomware attacks.
Insider threats are increasingly costly for organizations. The Ponemon Institute’s 2020 Cost of Insider Threats research found that this form of attack cost an average of $11.45 million and that 63% of insider threats result from employee negligence.
Types of Insider Threats
Various types of insider threats can lead to an organization suffering data loss or other security exploits. These include:
An intentional insider threat occurs when an individual sets out to purposely cause harm to an organization. Many intentional insider threats aim to get even with a company over a lack of recognition or a failure to meet expectations, such as not receiving a desired bonus or promotion.
An unintentional insider threat involves data being lost or stolen as a result of employee error or negligence. Accidental unintentional insider threats occur due to human error and individuals making a mistake that leads to data leakage, a security attack, or stolen credentials. Accidental data leaks include sending business information to the wrong email address, mistakenly clicking on malicious hyperlinks or opening malicious attachments in phishing emails, or failing to delete or dispose of sensitive information effectively. These threats can often be avoided by following security best practices.
A negligent unintentional insider threat occurs through carelessness that leads to exposing an organization to a threat. For example, ignoring security and IT policies, misplacing portable storage devices, using weak passwords, and ignoring software updates or security patches can leave organizations vulnerable to a cyberattack.
A third-party threat is typically a business partner or contractor that compromises an organization’s security. Third-party threats can be a result of negligent or malicious activity.
A malicious threat is a form of intentional insider threat that intends to cause harm either for personal benefit or as an act of vengeance.
Malicious insider threats aim to leak sensitive data, harass company directors, sabotage corporate equipment and systems, or steal data to try and advance their careers. Many of these malicious threats are financially motivated, as employees steal corporate data to sell to hackers, third-party organizations, or rival companies.
A collusive threat is a type of malicious insider, in which one or more insider threat individuals work with an external partner to compromise their organization. Collusive insider threats often involve a cyber criminal recruiting an employee to steal intellectual property on their behalf for financial gain.
Insider Threat Individuals
Insider threat individuals are typically split into two types of actors:
- Pawns: Pawns are company employees manipulated into carrying out malicious activity, such as disclosing their user credentials or downloading malware. Pawns are often targeted by attackers through social engineering or spear-phishing campaigns.
- Turncloaks: A turncloak is an employee who actively turns on their employer. Turncloaks often act to gain financially or to cause harm to an organization. However, turncloaks also include whistleblowers, who serve to bring public attention to the failings of their employer.
Additional insider threat individuals include:
- Collaborators: A collaborator is an employee who collaborates with a cyber criminal and uses their authorized access to steal sensitive data, such as customer information or intellectual property. Collaborators are typically financially motivated or reveal information to disrupt business operations.
- Goofs: A goof is an employee who believes they are exempt from their organization’s security policies and bypasses them. Whether through convenience or incompetence, goofs’ actions result in data and resources going unsecured, which gives attackers easy access.
- Lone wolf: Lone-wolf attackers work alone to hack organizations or seek out vulnerabilities in code and software. They often seek to gain elevated levels of privilege, such as database or system administrator account passwords, that enable them to gain access to more sensitive information.
What Are the Risks Caused by an Insider Threat?
Insider threat attacks can result in malware being installed on user devices, routers, and corporate networks. It can also result in organizations falling prey to data corruption, data theft, and financial fraud, while their users could become victims of identity theft. The loss of sensitive data can lead to organizations suffering reputational damage, losing business, and being subjected to fines and legal action.
How To Stop Insider Threats
Insider threats can be prevented by constantly monitoring user activity, gaining real-time insight into network activity, and taking action immediately when a security incident occurs.
Insider threat prevention relies on the following four-step security event process:
Organizations need to be able to detect malicious, suspicious, or unusual activity on their networks. Threat detection includes having real-time insight into user logins, such as where and when a user has logged in to the corporate network and the location they have accessed it from.
Security solutions and rapid threat detection help organizations increase the visibility of their network, track employees’ actions, and get alerts regarding anomalous activity.
Once the suspicious activity has been detected, organizations need to be able to investigate it immediately. There is no use detecting suspicious activity but not investigating it until several days after the event, as the attacker will likely have escalated their privileges and carried out their attack.
When it has been determined that the suspicious activity is malicious or unauthorized, organizations need to prevent users from gaining access to their networks and systems. They need a threat prevention solution that blocks an attacker from gaining access to data and snooping on user activity.
Organizations can also prevent insider threats by deploying virtual private networks (VPNs), which encrypt data and enable users to keep their browsing activity anonymous behind a VPN solution.
Organizations need to protect their users and devices by enforcing security policies and securing their data. Critical assets, such as facilities, people, technology, intellectual property, and customer data need to be protected at all times with the appropriate levels of access rights and privileges.
Policies need to be clearly documented, and all employees must be familiar with the security procedures they need to follow, their data privileges, and their intellectual property rights. This final step of the process is crucial to complying with increasingly stringent data privacy regulations.
How Fortinet Can Help
Fortinet allows organizations to proactively detect and prevent insider threat attacks. Its user and entity behavior analytics (UEBA) solution protects businesses from insider threats through automated detection and response and by constantly monitoring devices and users.
The Fortinet UEBA solution uses artificial intelligence and machine learning to identify anomalous, noncompliant, and suspicious behavior and instantly alerts organizations of potentially compromised accounts. The Fortinet approach ensures organizations gain enhanced visibility and advanced protection regardless of whether users are on their corporate network or not.