Insider Threats in Cyber Security : Types, Examples and Detection

If knowledge is power, then in the business world, data is the bloodline. After all, companies spend a lot of time collecting different data types, from sales statistics to customer information. All these are crucial to keeping the business going—as any business plan requires such information to propel itself forward. Insider threats in cyber security are not a discovery but a new dimension due to complexity and heavy reliance on technology. 

Feel free to watch this video containing a condensed version of the article.

Unfortunately, the solutions to collect and store this information have grown more complicated over time, causing many businesses to have complex networks to facilitate this activity. In turn, this presents a whole host of problems in terms of security issues such as insider threats.

While you might be thinking these problems are mainly from external sources, there are, in fact, even more problems that you may face from within your organisation itself! These security hazards are widely known as insider threats.

What are insider threats in cyber security?

Insider threats are threats that come from within your organisation. It can be caused by a current or even former employee who has the credentials to access networks, devices, and other sites that hold data caches for your business.

These threats can either be unintentional, meaning that the individual did not mean any harm, to one with criminal intent, such as an individual seeking revenge. Nevertheless, it is crucial to address this problem.

What types of insider threats are there?

There are three types of insider attackers, these are:

1. Unintentional Insiders
2. Negligent Insiders
3. Problematic Insiders

Some unintentionally put your networks under fire. This is known as an unintentional threat. A simple example of this would be an employee downloading a file from the internet, thinking it is safe, while, in reality, it is malicious to your network.

Another type is negligent individuals who ignore any safety precautions when utilising business computers. For example, an employee may have ignored any warnings about phishing emails, still choosing to open one up without knowing what kind of trouble they will cause.

Finally, some intentionally carry out malicious activities. These are known as problematic insiders. They can be anyone, from unhappy employees seeking revenge to employees looking to make extra money by sharing confidential information.

What are the famous examples of insider threats?

There are many famous insider threat cases, some of which you may have heard of before.

Perhaps the most famous of all would be Edward Snowden. This name is quite popular as the individual who stole millions of intelligence files from the NSA (National Security Agency). Corporate insider attacks are not likely to end and will continue with varying attack vectors. 

The following examples of insider threats are different scenarios showcasing how different circumstances led to data theft, data loss or data breaches:

• Starting with the COVID theme, the first example of an insider attack relates to data exfiltration after this employee was fired in March 2020. He granted admin rights to his account, then went ahead with deleting shipping records—this an example of a problematic insider example.
• Twitter’s work from the home staff was targeted in a campaign where internal tools were compromised to take over high-profile Twitter accounts. It is a negligent insider where employees were socially engineered to allow attackers into the internal network. 
• Spear phishing attack targeting a senior staff member at an Australian university led to 700 MB data theft. Leaked data included personal data as well as payroll, tax and academic records.
• July 2020 – General Electric employees downloaded thousands of files containing trade secrets, then uploaded them to private email accounts. This was done by the insider attackers convincing IT department employee to grant them explicit rights to access the repositories.
• July 2019, Capital One Data Breach Compromises Data of Over 100 Million. The data contained thousands of social security numbers and bank accounts. It was the case of a problematic insider who knew what she was doing.
• Another example includes a disgruntled employee of the popular brand Tesla, who exported large amounts of data and shared it with other parties.

Attack vectors may vary in terms of how an unauthorised or authorised threat actor had their hands-on data. With relevant direct and compensatory controls, measures involving technical controls and processes can be in place to generate alerts in time for action. There are loads of more insider threat examples. However, the above examples are sufficient to explain the concept here. 

While these may seem to be due to these entities being “large” and well-known brands, the same kinds of threats can also plague your business’ security.

What are the consequences of such threats?

Your business can face a whole host of consequences when an insider threat succeeds in an attack. It can come in various forms, ranging from data loss to a damaged reputation. Nevertheless, any attack leads to a loss in finances, whether from the drop in sales due to loss of trust from customers to legal costs you have to pay for your negligence.

How can insider threats be detected?

There are plenty of ways where these threats can quickly be detected through the help of direct and indirect indicators.

Examples of direct indicators would be exporting suspiciously large amounts of files to another medium, such as external storage and abnormal activities on a corporate network. Examples of indirect indicators would be working in the work area outside of work hours and indications of misbehaviour and erratic moods regarding a specific individual.

While these signs will not directly point at an insider threat, the possibility of such a threat happening increases significantly.

Here is the list of direct indicators in case of insider threat attacks:

• Data Exfiltration
• Unauthorised use of external systems (USB, tablets, laptops)
• Abnormal corporate network activities such as crawling, downloading of internal portals
• Sharing data with outsiders
• Unusual data requests

Detection of insider attacks using indirect indicators includes:

• Workspace access outside job hours
• Attempts to access privilege areas (physical and digital)
• Complaints of unethical or hostile behaviour
• Violation of corporate policies
• Disgruntled behaviour

How to address insider threats?

The only way to address insider threats is to minimise the possibility of it from ever happening.

There are various ways to address such a risk. For example, you can conduct technical security assessments to find gaps in your controls, run simulated phishing campaigns to test how well your employees are facing these issues, and regularly monitor your data sources for any breaches. Other implementations include regular audits to ensure the right individuals maintain the right level of access and procuring CREST penetration testing services to assess and analyse how vulnerable your infrastructure is from the inside.

Conclusion

Insider threats are always looming. While they can never be eliminated, having the right implementations set to reduce it is your best chance of keeping your business safe from any unintentional or intentional insider threats.

That said, if you are struggling to keep such attacks in check, do not be afraid to work with third parties to assess your security controls. If that has never been performed before, an IT security health check should show you blind spots in your infrastructure, more likely in your cyber security strategy. It ensures thorough validation and analysis of all your networks, devices, and data infrastructures, ensuring that the security is well maintained and that the issue of insider threats is minimal.

We have also mentioned the worst cyber threats of today in an interview with Aviva Zacks.

Should you wish to discuss your primary concerns, schedule a no obligation call with our experts.