Insider threat indicators

Insider threats are a particularly difficult cybersecurity challenge because their indicators are hard to catch: insiders are authorized users who have been legitimately granted access privileges, so controls built to keep outsiders out rarely question what they do. Knowing what insider threat indicators look like is crucial to identifying and stopping individuals who harm an organization, whether intentionally or accidentally.

What is an insider threat?

An insider threat is a security risk that originates from within an organization: the potential for malicious, negligent, or unintentional acts by people who hold authorized access privileges and knowledge of the organization’s processes and procedures. When the indicators of such acts go unnoticed, the damage is done before anyone responds.

Failure to heed insider threat indicators can compromise the confidentiality, integrity, and availability of an organization’s vital resources, such as data, equipment, facilities, finances, networks, operations, personnel, and systems.

Insider threat indicators provide warnings about a number of potential risks to an organization, including:

  1. Corruption
  2. Degradation of an organization’s resources or capabilities
  3. Espionage (e.g., corporate, criminal, or nation-state)
  4. Sabotage
  5. Terrorism (e.g., state, religious, or political)
  6. Unauthorized access and disclosure of information
  7. Workplace violence

Types of insider threats

Insider threat indicators, when followed up on, help identify the various types of insider threats. These fall into two main categories, intentional and unintentional.

Intentional insider threats

An intentional insider threat is caused by a malicious insider who takes advantage of their access privileges and knowledge of the organization to deliberately commit or facilitate misdeeds, such as data theft or leakage, disrupting operations, fraud, revenge, sabotage, spying, or stealing money or other assets. Among the many motivations for these acts, a desire for financial gain or vengeance is the most common.

Intentional insiders who use their positions and access to commit malicious acts include:

  1. Collusive insiders—one or more insiders collaborate with someone or a group outside of the organization
  2. Third parties—trusted third parties (e.g., contractors or vendors) who have insider access
  3. Lone wolves—individuals inside an organization who act alone

Unintentional insider threats

An unintentional insider threat is caused by an insider who inadvertently compromises an organization with no intention of committing malicious acts.

Although unintentional insider threat actors have no ill intent, they can pose a greater aggregate risk than malicious insiders simply because there are far more of them and their mistakes are frequent.

Breach studies repeatedly find that unintentional insiders are responsible for far more compromises than intentional insiders. While much is made of the malicious insider, detection of insider threat indicators should also focus on the various types of unintentional insiders and their mistakes, including:

  1. Accidental insiders who make honest mistakes, such as:
     - Being manipulated into opening an attachment in a phishing email that contains malware
     - Improperly disposing of sensitive documents
     - Mistyping an email address and accidentally sending sensitive information to an unauthorized recipient
  2. Careless insiders who do not pay attention to security procedures and unwittingly:
     - Allow someone to “piggyback” through a secure entrance point
     - Misplace or lose a portable storage device containing sensitive information
     - Ignore messages to install new updates and security patches or change their passwords
     - Store confidential information on their personal devices
  3. Third-party insiders who are either careless or make honest mistakes that give a malicious actor access to an organization’s systems and resources

Insider threat indicators

Insider threat indicators are behavioral patterns or activities that identify a person or other entity as a potential security risk. They fall into two categories, behavioral and digital.

Digital insider threat indicators

Regardless of the type of insider (e.g., malicious or accidental), digital insider threat indicators can provide clear alerts that inappropriate activities are occurring. Examples of digital insider threat indicators include:

  1. Data accessed by users who do not need it for their job function
  2. Files renamed in a way that does not match the content
  3. Network crawling and searches for sensitive information
  4. Repeated requests for escalated privileges or permissions to access system resources that are not associated with the job function
  5. Resources accessed without authorization
  6. Sensitive information emailed outside the organization
  7. Logins to an organization’s applications and networks at unusual times
  8. Surges in the volume of network traffic that could indicate large downloads or bulk copying of data
  9. Unsanctioned software and hardware in use
  10. Use of unauthorized devices, such as USB drives

Behavioral insider threat indicators

Both malicious and accidental insiders can be identified by staying vigilant about behavioral insider threat indicators. Although less quantitative than digital indicators, behavioral indicators still effectively surface potential risks. Behavioral insider threat indicators include:

  1. Actions associated with disgruntled employees, such as:
     - Arriving late and leaving early
     - Conflicts with managers and coworkers
     - Decline in work performance and quality
     - Unexplained absences
  2. Attempts to circumvent security controls
  3. Discussing resignation and potential new opportunities
  4. Displaying resentment, disappointment, or dissatisfaction toward management, coworkers, or the organization at large
  5. Drastic changes in personality
  6. Engineering situations to compromise managers or coworkers
  7. Routine violation of organizational policies

Insider threat prevention

Administrative, technical, and physical controls can minimize the risks associated with intentional and unintentional insider threats. Tools and strategies that can be used as part of insider threat indicator monitoring and identification include:

  1. Regularly conducting cybersecurity awareness training with a focus on insider threats
  2. Developing and enforcing policies for data and network security
  3. Establishing baselines for users’ normal activities
  4. Following a zero trust approach to security
  5. Implementing robust access controls
  6. Monitoring logins, logs, and physical activities
  7. Protecting and backing up all data
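The digital indicators listed earlier and the prevention steps above (establishing baselines for users’ normal activities, then monitoring logins and logs against them) are easiest to understand as one piece of detection logic. The script below is an added example, not code from the original article: it builds a per-user baseline from a history of access events and flags later events that match four of the digital indicators (logins at unusual times, data accessed outside the job function, a surge in download volume, and use of an unauthorized USB device or an external email recipient). The users, roles, internal domain, cutoff date, 3-sigma threshold, and every log line are constructed for the example.

```python
# Added example (not the article's own code): a toy insider-threat indicator
# detector. Users, roles, domain, thresholds and log lines are all constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed role model: the resources each job function legitimately needs.
ROLE_ACCESS = {"engineer": {"repo", "wiki"}, "finance": {"ledger", "wiki"}}
USER_ROLE = {"alice": "engineer", "bob": "finance"}
INTERNAL_DOMAIN = "example.com"
CUTOFF = datetime(2024, 3, 11)  # events before this date build the baseline
SIGMA = 3.0                     # assumed surge threshold: mean + 3 * stdev

# Constructed log lines: "<ISO timestamp> <user> <action> <target> <bytes>"
SAMPLE_LOG = """\
2024-03-04T09:05:00 alice login vpn 0
2024-03-04T10:30:00 alice download repo 5000
2024-03-05T08:55:00 alice login vpn 0
2024-03-05T11:00:00 alice download repo 4000
2024-03-06T09:20:00 alice login vpn 0
2024-03-06T14:00:00 alice download repo 6000
2024-03-04T08:30:00 bob login vpn 0
2024-03-05T08:40:00 bob login vpn 0
2024-03-06T08:35:00 bob login vpn 0
2024-03-11T02:15:00 alice login vpn 0
2024-03-11T02:20:00 alice read ledger 3000
2024-03-11T02:40:00 alice download repo 900000
2024-03-11T03:00:00 alice usb E:/dump 0
2024-03-11T03:10:00 alice email carol@gmail.com 50000
2024-03-11T09:00:00 bob login vpn 0
2024-03-11T09:30:00 bob read ledger 1200
"""

def parse(log_text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in log_text.split("\n"):
        if line.strip():
            ts, user, action, target, nbytes = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "target": target, "bytes": int(nbytes)})
    return events

def build_baseline(events):
    """Per user: the hours logins normally occur at, and daily download volume."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes
    for e in events:
        if e["ts"] >= CUTOFF:
            continue  # only history feeds the baseline
        if e["action"] == "login":
            hours[e["user"]].add(e["ts"].hour)
        elif e["action"] == "download":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
    baseline = {}
    for user in set(hours) | set(daily):
        totals = list(daily[user].values())
        baseline[user] = {"hours": hours[user],
                          "mean": mean(totals) if totals else 0.0,
                          "stdev": pstdev(totals) if totals else 0.0}
    return baseline

def detect(events, baseline):
    """Return (timestamp, user, indicator) for post-cutoff events that match."""
    findings = []
    volume = defaultdict(lambda: defaultdict(int))
    surged = set()
    for e in events:
        if e["ts"] < CUTOFF:
            continue
        user, action, target = e["user"], e["action"], e["target"]
        b = baseline.get(user, {"hours": set(), "mean": 0.0, "stdev": 0.0})
        stamp = e["ts"].isoformat()
        if action == "login":
            # Unusual time: no baseline login within an hour of this one.
            if not any(abs(e["ts"].hour - h) <= 1 for h in b["hours"]):
                findings.append((stamp, user, "login_at_unusual_time"))
        elif action in ("read", "download"):
            # Data the job function does not need (unknown users get flagged).
            if target not in ROLE_ACCESS.get(USER_ROLE.get(user), set()):
                findings.append((stamp, user, "access_outside_role"))
            if action == "download":
                day = e["ts"].date()
                volume[user][day] += e["bytes"]
                threshold = b["mean"] + SIGMA * b["stdev"]
                if volume[user][day] > threshold and (user, day) not in surged:
                    surged.add((user, day))  # report a surge once per day
                    findings.append((stamp, user, "volume_surge"))
        elif action == "usb":
            findings.append((stamp, user, "unauthorized_device"))
        elif action == "email" and not target.endswith("@" + INTERNAL_DOMAIN):
            findings.append((stamp, user, "email_to_external_recipient"))
    return findings

def run(log_text=SAMPLE_LOG):
    """Parse, baseline, and score the log; returns the list of findings."""
    events = parse(log_text)
    return detect(events, build_baseline(events))
```

On the constructed log, `run()` reports five findings, all for alice on the morning of 2024-03-11 (a 02:15 login against a baseline of 08:00 to 09:00 logins, a read of the finance ledger outside the engineer role, a 900,000-byte download against a roughly 5,000-byte daily baseline, a USB device, and mail to a gmail.com address), while bob's 09:00 login and ledger read are within his baseline and role and produce nothing. Two points carry over to real deployments: a user with no baseline history (a new hire, or an account that never downloaded anything) has a threshold of zero, so the first download is flagged, which is the safe default but needs an onboarding grace period; and each indicator on its own is weak evidence, so production systems score several of them together per user rather than alerting on any single hit.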

Avoiding complacency when it comes to insider threat indicators

For many people, it is difficult to believe that a coworker or partner would hurt an organization, but it happens every day. The stakes are high, too.

Compliance rules consider a breach a breach, whether it was intentional or unintentional. And with many data breaches resulting from unintentional insider missteps, staying vigilant about insider threat indicators is imperative.

Savvy organizations utilize the right technology and encourage team members to pay attention to particular activities and behaviors and look for possible risks. Using all available resources and staying alert to insider threat indicators is the best way to mitigate these risks.
