Insider Threat

34 Percent of Data Breaches Involve Insiders

According to these statistics, insiders have the capabilities, motivations, and privileges to cause a data breach. In a 2019 SANS Report on Advanced Threats, security practitioners identified significant gaps in insider threat defense caused by lack of visibility into typical user behavior. The report also revealed weaknesses in privilege user account management.  

Types of Insider Threats

There are different types of insider threats, including:

• Turncloaks – a turncloak is an employee or contractor who maliciously steal confidential information. The insider has legitimate access to company networks and systems but abuses their access for fun or financial gains. Turncloaks are also collaborators who cooperate with competitors, nation-states, and hacktivists to breach systems and steal information
• Pawn – a typical employee can make a mistake that hackers exploit to steal sensitive information. A pawn is an unintentional do-gooder who unintentionally aids a data breach.
• Goof – these insiders take deliberate and potentially harmful actions, even without malicious intentions. Goofs are ignorant and arrogant employees who operate without following security policies. Goofs cause 90 percent of insider threats.
• Lone Wolves – these independent insiders act maliciously without external influence. Lone wolves with privileged access are dangerous. A classic example of a lone wolf is Edward Snowden, who used his skills and privileged access to leak sensitive information at NSA.

Previous Examples of Insider Threats

Some of the previous insider threats include:

• A Chinese-born engineer, Dongfan “Greg” Chung, was sentenced to more than 15 years in prison for hoarding sensitive information about the U.S. space shuttle. The 74-year-old former Boing Co. Engineer had 300,000 pages of sensitive information he intended to share with China.
• A malicious insider sabotaged Tesla systems and shared proprietary data with third-parties. The insider also used false credentials to make direct code changes to the Tesla Manufacturing Operating System
• A Facebook engineer used legitimate access to stalk women. The employee allegedly called himself a “professional stalker” in a message to a lady he met on Tinder

• A former employee of Coca-Cola Company stole employee personal data using an external hard drive. The incident impacted 8,000 company workers.   

Detecting Insider Threats

Various behaviors suggest the presence of an insider threat. Some indicators of insider threats include:

• Employee downloading or accessing substantial data amounts
• Insiders accessing sensitive information that does not involve their job function
• Personnel accessing data that is outside of their specific behavioral profile
• Using unauthorized and external storage devices such as USB drives
• Data hoarding – copying files from confidential folders
• Sharing sensitive information with external parties through emails
• Users attempt to bypass security policies

Preventing Insider Threats

Traditional perimeter security measures are not effective in detecting and preventing insider threats. You can employ the following security measures to respond to insider threats:

• Monitor emails, files, and other activities on systems
• Inventory all location with sensitive files
• Update access control policy to determine and manage user access to company data
• Implement a least privilege model
• Install a tool to collect, monitor, analyze, and detect abnormal behaviors
• Conduct user awareness training to educate employees to avoid mistakes that lead to cyberattacks