The Growing Insider Threat

An insider threat is a security threat that originates from within the targeted organization. Insider attacks are rapidly increasing and becoming more prevalent in organizations. In the past year, believe insider attacks have become more frequent. Any present or former employee who at one point had access to the organization’s confidential information has the potential to turn rogue, and that is considered an insider threat. Insiders include not only employees but also contractors and business partners. Attacks coming from within the organization are more difficult to detect and recognize, and could increase the handling cost. In most organizations, employees have different levels of privilege according to their job descriptions and tasks. This gives employees access to certain private information pertaining to the organization. So when these employees or partners turn rogue and become insider threats, they can often hurt the organization, with an advantage over an attacker from the outside.

According to the Insider Threat Spotlight Report 2016 conducted by and Information Security Community, seventy-five percent say that inside attacks can cost up to $500,000 in damages, while twenty-five percent say damages can go up into the millions. Most attacks occur because employees or former employees feel they have been wronged by the organization and believe the benefit is greater than the cost of the action, or because they have been influenced by delinquent peers and feel they need to make a statement. The report also states that users with the present 60% of the insider threat to organizations.

An inside attack takes four stages. First, the attacker must have access to the organization’s network. Then the attacker finds the vulnerable access points and chooses the place where they believe an attack will cause the greatest damage without too much effort. The attacker then goes forward and finds the location where the attack will take place. The most common launch points for attacks are endpoints (57%), mobile devices (36%), and the network (35%) [1]. Finally, the attack is put in place and carried out.

In most cases, the attack is set to take place over a period of time in order to avoid detection, and can be 66% harder to detect than attacks from the outside [1]. The type of attack can vary: the implementation of a worm, trojan, or virus, theft of information or money, deletion of data, or the manipulation of data. It is important to recognize the potential behavioral characteristics of insider threats. These can include, but are not limited to:

  • Repeatedly working long, unrequired hours outside of the normal work day
  • Bringing unauthorized devices into a closed area
  • Threatening the people or the property of the organization
  • Making attempts to gain access to confidential information
  • Bringing private documents or information to an unauthorized location, such as their home
  • Downloading unauthorized or questionable things
  • Making copies of confidential files or documents
  • Discussing confidential information over insecure means, such as over the phone
  • Expressing loyalty to another organization or country
  • Expressing greed and financial gain
  • Continuously presenting a pattern of frustration and disappointment
  • Presenting interest in work outside their job description

Insider threats are not always carried out by malicious users. Uninformed or careless employees can also unintentionally leak organization information or invite malware into the network through careless behavior, phishing, or theft.

To defend against both unintended and malicious attacks, organizations can take a number of steps. It is important to educate all employees on keeping certain security practices and being aware of threats. This can be done through mandatory monthly educational training sessions. The best defense is to build a layered defense made up of two parts. The first is to make it mandatory to perform background checks before hiring new employees. All employee activity and behavior should also be monitored. Watch employees to see if they are unhappy or exhibit a change in their behavior. Use action monitoring software to keep a close eye on all activity; this can include video recording of all user actions. The second is to limit the number of privileged users. This means every new account created should have the minimum amount of privileges, with privileges increased gradually if necessary. This can be applied to employees and to third parties. Privileged users’ activity should be controlled, ensuring they do not have the capability to delete or manipulate logs on the system. This can be implemented with multiple log servers and administrative controls. The number of insider threats and attacks is growing and, as a result, organizations are growing vulnerable to the threats. It is important to put controls in place before facing an expensive attack.
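The point about multiple log servers can be made concrete with a reconciliation check. The following is an added example, not part of the original article: it compares the same audit stream as stored on two independent log servers and reports records that were deleted or altered on one of them. The server names, record format, and sample entries are constructed assumptions.

```python
import hashlib

# Constructed sample data: the same audit stream as stored on two
# independent log servers ("log-a" and "log-b" are hypothetical names).
# Assumed record format: <sequence> <timestamp> <user> <action...>
LOG_A = """\
1001 2016-05-02T08:59:12Z jsmith login
1002 2016-05-02T23:41:07Z admin1 copy /finance/payroll.xlsx
1003 2016-05-02T23:44:30Z admin1 usb-mount
1004 2016-05-02T23:52:18Z admin1 logout
"""
LOG_B = """\
1001 2016-05-02T08:59:12Z jsmith login
1002 2016-05-02T23:41:07Z admin1 read /finance/payroll.xlsx
1004 2016-05-02T23:52:18Z admin1 logout
"""

def index(log_text):
    """Map sequence number -> SHA-256 digest of the full record."""
    records = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        seq = int(line.split(" ", 1)[0])
        records[seq] = hashlib.sha256(line.encode()).hexdigest()
    return records

def reconcile(replicas):
    """Compare replicas; return (seq, kind, servers) findings in seq order."""
    indexed = {name: index(text) for name, text in replicas.items()}
    all_seqs = set().union(*indexed.values())
    findings = []
    for seq in sorted(all_seqs):
        holders = {n for n, recs in indexed.items() if seq in recs}
        missing = sorted(set(indexed) - holders)
        if missing:  # record deleted from (or never stored on) a server
            findings.append((seq, "missing", missing))
        digests = {indexed[n][seq] for n in holders}
        if len(digests) > 1:  # same sequence number, different content
            findings.append((seq, "mismatch", sorted(holders)))
    return findings

if __name__ == "__main__":
    for seq, kind, servers in reconcile({"log-a": LOG_A, "log-b": LOG_B}):
        print(f"record {seq}: {kind} on {', '.join(servers)}")
```

With only two replicas a mismatch shows that the copies diverge, not which one is authentic. The check is only useful when no single privileged account can write to every log server.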

[1] Insider Threat Spotlight Report 2016, Crowd Research Partners, Information Security Community, 2016