Risks abound in the current cyber threat landscape. While it’s tempting to focus on the many external threats, now is not the time to lose sight of insider threats.
Can the information technology (IT) team identify common motivators and risk factors? Most importantly, can security leaders answer this question: are employees the best defense or the weakest link in the fight against insider threats? Organizational cybersecurity depends on getting this answer right.
#1: Acknowledge the risk
Ideals about employee loyalty fall apart in the face of cold, hard statistics. Over the past year, a staggering 94% of organizations experienced an insider breach. In 84% of those breaches, human error was the root cause; but of the remaining 16%, which were not caused by error, 66% originated from a malicious leak. Concerning? Yes, especially when the same study reports that only 28% of IT leaders are worried about “intentionally malicious behavior” as a potential cause of an insider breach. Add to that, 23% of employees surveyed think it’s fine to take company data with them to a new job (which can have dramatic consequences, as seen in the high-profile trial against two former GE employees). There’s clearly a disconnect between the reality and the perception of the danger of insider threats, and it puts organizations at risk.
#2: Learn to recognize potential inside actors
After acknowledging the risk, the next step is to anticipate where an insider threat might come from. By definition, an insider already holds legitimate access, whether on site or remotely, so a firewall or other perimeter defense never stands between them and the data they can reach. These insiders are often employees, but they can also be business partners, contractors or vendors. Anyone with access from inside the network can sabotage security controls, misconfigure a system so that it leaks data, or commit IP theft or fraud.
#3: Identify what drives an insider threat
What motivates an insider threat? The exact answer depends on an organization’s industry, size and IT infrastructure. Yet a few motivators appear time and again across industries and company sizes. Here are a few of the most common drivers of an insider threat.
Carelessness and negligence
Most of the time, insider threat actors have no malicious intent. They’re simply careless or neglect to follow security protocols, or they aren’t aware that their actions can compromise security (as is often the case in non-technical roles).
Confusion about cybersecurity responsibility
Confusion about who exactly is responsible for cybersecurity is common. IT leaders know how hard it is to get users to take responsibility for the role they play in data security. Then, there’s the reality that some users need more convincing than others. Cybersecurity leaders can best prevent insider threats when management leads by example, encouraging all employees to take ownership of IT security.
Malicious intent
A malicious insider usually has one goal: to gain from exploiting or sharing company data. Maybe they’re a disgruntled employee who was just fired or passed over for a promotion. Or maybe they simply dislike the company or the person responsible for cybersecurity. IT leaders shouldn’t work in a silo; it’s important to keep a pulse on what’s going on in the company.
Organizations in industries like defense, intelligence or critical infrastructure also face additional risks. In some industries, the employee you trust with sensitive information could be a spy. And high-profile cases of whistleblowers sharing sensitive information with regulatory bodies or even the public exemplify insider threats.
#4: Monitor risk factors
While motives are tricky to identify, especially for busy IT teams, risk factors are often easier to spot. Let’s take a look at a few of the most common.
Suspicious user behavior
IT administrators should be on the lookout for suspicious user behaviors, judged against each user’s own normal pattern rather than a single company-wide rule, like employees who:
- Log in at unusual times or from unusual locations
- Access applications or systems for the first time
- Copy large amounts of information
- Badge into work at unusual times
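The four indicators above only mean something relative to what is normal for that particular user, which is why a baseline comes first. The script below is an added example written for this article, not code from the original post or from any product: it builds a per-user profile from a few weeks of activity and then flags new events that deviate from it. The log lines are constructed for the example, and the JSON field names (ts, user, event, country, app, bytes) and the ±1 hour tolerance and 10x copy threshold are assumptions you would tune to your own telemetry.

```python
"""Flag insider-risk indicators against each user's own baseline (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (one JSON object per line). They are made up for
# this example and do not come from any real system; the field names are assumptions.
BASELINE_LOG = """\
{"ts": "2024-03-04T09:02:11", "user": "alice", "event": "login", "country": "DE"}
{"ts": "2024-03-04T09:05:40", "user": "alice", "event": "app_access", "app": "crm"}
{"ts": "2024-03-04T14:20:03", "user": "alice", "event": "copy", "bytes": 2400000}
{"ts": "2024-03-05T08:55:09", "user": "alice", "event": "badge"}
{"ts": "2024-03-05T08:57:09", "user": "alice", "event": "login", "country": "DE"}
{"ts": "2024-03-05T10:12:33", "user": "alice", "event": "app_access", "app": "wiki"}
{"ts": "2024-03-05T17:41:27", "user": "alice", "event": "copy", "bytes": 3100000}
{"ts": "2024-03-06T09:10:02", "user": "alice", "event": "login", "country": "DE"}
{"ts": "2024-03-06T09:12:55", "user": "alice", "event": "app_access", "app": "crm"}
"""

# Constructed day under review: a 2 a.m. login from a new country, a first-time
# payroll app access, a very large copy, an odd-hour badge-in, then a normal morning.
REVIEW_LOG = """\
{"ts": "2024-03-18T02:14:51", "user": "alice", "event": "login", "country": "RO"}
{"ts": "2024-03-18T02:20:05", "user": "alice", "event": "app_access", "app": "payroll"}
{"ts": "2024-03-18T02:31:47", "user": "alice", "event": "copy", "bytes": 850000000}
{"ts": "2024-03-18T03:02:10", "user": "alice", "event": "badge"}
{"ts": "2024-03-18T09:01:12", "user": "alice", "event": "login", "country": "DE"}
{"ts": "2024-03-18T09:03:30", "user": "alice", "event": "app_access", "app": "crm"}
{"ts": "2024-03-18T11:45:00", "user": "contractor7", "event": "login", "country": "DE"}
"""


def parse_events(log_text):
    """Parse JSON-per-line records; skip blank or malformed lines instead of crashing."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
        except (ValueError, KeyError):
            continue  # a bad line should not stop the review of the good ones
    return events


def build_baseline(events):
    """Per-user profile: hours of presence (login/badge), login countries, apps, largest copy."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set(), "apps": set(), "max_copy": 0})
    for e in events:
        p = profile[e["user"]]
        if e["event"] in ("login", "badge"):
            p["hours"].add(e["ts"].hour)
        if e["event"] == "login":
            p["countries"].add(e.get("country"))
        elif e["event"] == "app_access":
            p["apps"].add(e.get("app"))
        elif e["event"] == "copy":
            p["max_copy"] = max(p["max_copy"], int(e.get("bytes", 0)))
    return dict(profile)


def flag_events(events, baseline, copy_factor=10):
    """Return (timestamp, user, flag) for every event that deviates from the user's own baseline."""
    findings = []
    for e in events:
        user, kind, ts = e["user"], e["event"], e["ts"]
        p = baseline.get(user)
        if p is None:
            # No history at all (new hire, contractor, shared account): review by hand.
            findings.append((ts, user, "no_baseline"))
            continue
        if kind in ("login", "badge"):
            # An hour counts as usual if the user was active within +/-1 hour of it before.
            if not any((ts.hour + d) % 24 in p["hours"] for d in (-1, 0, 1)):
                findings.append((ts, user, "unusual_time"))
        if kind == "login" and e.get("country") not in p["countries"]:
            findings.append((ts, user, "unusual_location"))
        if kind == "app_access" and e.get("app") not in p["apps"]:
            findings.append((ts, user, "first_time_app"))
        # A user with no copy history has max_copy 0, so any copy at all is flagged.
        if kind == "copy" and int(e.get("bytes", 0)) > copy_factor * p["max_copy"]:
            findings.append((ts, user, "large_copy"))
    return findings


def review(baseline_text, review_text):
    """Build the baseline from one log and flag the events of another against it."""
    return flag_events(parse_events(review_text), build_baseline(parse_events(baseline_text)))


if __name__ == "__main__":
    for ts, user, flag in review(BASELINE_LOG, REVIEW_LOG):
        print(f"{ts.isoformat()} {user:<12} {flag}")
```

Run as-is it flags the 2 a.m. login twice (time and location), the payroll access, the copy and the 3 a.m. badge-in, and leaves the normal 9 a.m. activity alone; the contractor with no history comes back as "no_baseline" rather than silently passing. Every flag is a prompt for a human to look, not a verdict: a single first-time app access is routine for someone who just changed roles, so in practice you would weight several indicators landing in the same window far more heavily than any one on its own.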
Level of access
Next, look at who has the highest level of access in the organization: the IT administrator. Consider the risks of employee threats at every access level. For example, if an IT administrator is let go and decides to use their access privileges to threaten the organization, they hold the access and knowledge to execute a severe threat. Insider threats like these can bankrupt smaller organizations and heavily damage the reputation of larger ones. In other words, “watch the watchers.”
Remote work
As more teams go hybrid or fully remote, insider threats increasingly originate from outside the network. Why? A remote device is easier for an attacker to reach than one inside the office, especially if employees use their own devices, and a device that is compromised or stolen hands an outsider the insider’s access. But even if remote employees use only company-issued devices, remote work opens a Pandora’s box of risk:
- What if the device gets lost or stolen?
- Can the organization remotely wipe all devices?
- Has the cybersecurity team educated employees to minimize careless user behavior (like leaving the laptop unattended at a coffee shop)?
The IT team should mandate the same security software and protocols for remote devices as for onsite devices, starting with full-disk encryption (so a lost laptop does not become a data breach) and the ability to lock or wipe a device remotely.
Stop insider threats before damage is done
Identifying an insider threat or risk factor isn’t easy, but knowing what to look for and developing an alert security posture is the first step. Because if the security team doesn’t, the consequences of an insider attack (data loss, service outage, penalties and reputational damage) can sink even successful companies.
In a world where insider threats are increasingly common, the question is not so much whether employees are a weakness, but which security measures actually protect the network from attack. When it comes to insider threats, an ounce of prevention is worth a pound of cure.