The term ‘insider threat’ is most commonly used to describe a cybersecurity incident that has been caused by an employee or a trusted third party. While the motivation for insiders varies, most often, breaches are financially-motivated. Insider threats are more common in certain industries, too — such as healthcare, the financial sector, and government institutions — but they can compromise the information security of any company.

There are two distinct types of insider threats — a rogue or malicious insider and a negligent insider. While many of the most highly publicized breaches were caused by external adversaries, rogue or malicious insiders knowingly and intentionally steal data. This type of threat is increasingly to blame for sensitive data loss because their behaviors appear to security analysts as legitimate users. These personas can range from system administrators, contractors and end users to developers, managers and executives. Insider threat detection is a major blindspot for security operations center (SOC) analysts because ‘trusted’ user behavior doesn’t set off alerts in most security tools.

Typically, a negligent insider is an average employee who has made a mistake. Often, breaches happen when an employee’s account credentials are stolen and used by external sources as legitimate keys to access and exfiltrate sensitive data like financials, patents, and customer information. This type of threat is the number one vector for data breaches, according to the Verizon 2021 Data Breach Investigations Report. 

Insider threats are particularly insidious because the risk is mostly unseen. When it comes to an employee or trusted partner using privileged access for malice, is it possible to know from their behaviors if someone is about to go rogue? Without a proverbial ‘crystal ball,’ it’s difficult to know for certain. But in this article, we will explore some behaviors that are strong indicators that a company has a potential turncoat within its ranks. 

The scale of the insider threat problem

Before we examine behaviors or preventative measures for insider threats, it’s important to understand the scale and scope of the problem. Unfortunately, the damage caused by compromised insiders continues to grow, and according to a recent Ponemon study, “2022 Cost of Insider Threats: Global Report,” which is updated every two years, insider threat is now the biggest cybersecurity risk for organizations. Since 2020:

●    The number of insider-related incidents increased by 44%. 

●    67% of organizations had more than 35+ insider-related incidents per year.

●    56% of insider-related incidents were the result of negligence.

●    26% of insider-related incidents were attributed to criminal insiders.

●    18% of insider-related incidents were attributed to credential theft.

●    Companies spend an average of $15.4 million annually to contain insider-related incidents.

A motivated attacker will use any and all tactics, techniques, and procedures (TTPs) at their disposal to reach their objective. Employees and trusted third parties can easily become unwitting accomplices by falling victim to a phishing or spear phishing attack by clicking a malicious link or opening a weaponized attachment. In essence, a compromised insider helps an attacker to carry out their plans.

Conversely, when a disenfranchised employee or contractor goes rogue and helps an attacker for personal gain, the effect can be quite damaging. In either situation, if the organization is caught flat-footed or not understanding the nefarious actions taking place in plain sight, it can be devastating. Compounding the challenges for organizations are the added risks brought on by current remote or hybrid work culture. 

Tell tale behaviors that lead to insider threats

Organizations can spot or predict insider threats by observing user behavior in the workplace and online. Being proactive may allow organizations to detect potentially malicious insiders before they exfiltrate proprietary information or disrupt operations. Here are some examples of behaviors that may lead to insider-related incidents:

●    Productivity has fallen, frequently completing a minimum amount of work.

●    Less willing to commit to long-term projects.

●    Exhibit a negative change in attitude or decreased focus on job matters.

●    Openly express dissatisfaction with their current job and/or supervisor.

●    Lost enthusiasm for the mission of the organization.

●    Decreased interest in working with customers.

Defending against the unseen enemy on the inside

Most legacy tools espouse a reactive security approach: collect data from across the organization, run static IOC and correlation rules to generate alerts. This approach is notorious for creating false positives. The result is slow, inaccurate responses and frustrated security analysts. When an attack materializes, the team struggles to outpace the attacker.

Proactive security platforms can help to detect threats based on risk using automated, machine learning-driven analysis, also known as behavioral analytics. With a baseline of normal behavior for users and assets, security teams are empowered to respond more quickly and decisively, increasing the accuracy of mitigating a security incident.

In addition to these benefits, automated risk visibility can illuminate the most common scenarios where organizations have become cyber-blind to user behavior issues. While predicting insider-related incidents is exceptionally difficult, there are things an organization can do to combat them, or prepare to limit any damage. These include security best practices that organizations can strictly implement. For example, frequent training for employees to understand and apply laws, mandates, or regulatory requirements that are related to their work; training and awareness on the steps to take that ensure all devices they use — both company issued and bring-your-own-device (BYOD) — are secured at all times; limiting the transmission of highly confidential data to unsecured cloud locations; ensuring that employees have access to automation for simple tasks, so they aren’t tempted to break the organization’s security policies to get work done faster; ensuring devices and services are kept patched and upgraded to the latest versions.

Insider threats are increasing in frequency, and in a work-from-anywhere business environment, they present greater risks to organizations than ever before. Through better understanding of the behaviors that potentially lead to compromise, organizations can proactively prepare to fight these threats. Using a combination of training, organizational alignment, and technology, the damage from an insider threat can be contained.