What are insider threats?

19 July 2021

Insider threats are cybersecurity threats that originate with authorized users, such as employees, contractors and business partners, who intentionally or accidentally misuse their legitimate access, or have their accounts hijacked by cybercriminals.

While external threats are more common and grab the biggest cyberattack headlines, insider threats can be more costly and dangerous. According to IBM's Cost of a Data Breach Report, data breaches initiated by malicious insiders were the most costly, at USD 4.99 million on average.

A recent report from Verizon revealed that while the average external threat compromises about 200 million records, incidents involving an inside threat actor have resulted in the exposure of 1 billion records or more.[1]

Not all internal threats are malicious. An IBM Institute for Business Value study found that well-meaning staff can share private organizational data into third-party products without knowing whether the tools meet their security needs. The study also reports that 41% of employees have acquired, modified or created technology without their IT or security team’s knowledge, creating a serious opening in security.

Types of insider threats

Malicious insiders

Malicious insiders are disgruntled current employees, or former employees whose access credentials have not been retired, who intentionally misuse their access for revenge, financial gain or both. Some malicious insiders collaborate with an external threat actor, such as a hacker, competitor or nation-state, to disrupt business operations by planting malware or tampering with files and applications. Others focus on leaking customer information, intellectual property, trade secrets or other sensitive data to benefit their outside accomplices.

Some recent attacks by malicious insiders:

Negligent insiders

Negligent insiders do not have malicious intent but inadvertently create security threats through ignorance or carelessness, such as falling for a phishing attack or bypassing security controls to save time. Their actions can also include losing a laptop that a cybercriminal could use to access the organization’s network or mistakenly emailing sensitive files to individuals outside the organization.

Among the companies surveyed in the 2022 Ponemon Cost of Insider Threats Global Report, most insider threats (56%) resulted from careless or negligent insiders.[2]

Compromised insiders

Outside threat actors steal the credentials of legitimate users, turning them into compromised insiders. Threats that are launched through compromised insiders are the most expensive insider threats, costing victims USD 804,997 to remediate on average according to the Ponemon report.[3]

Often, compromised insiders are the result of negligent insider behavior. For example, in 2021 a scammer used a social engineering tactic, specifically a voice phishing (vishing) phone call, to gain access credentials to customer support systems at the trading platform Robinhood. More than 5 million customer email addresses and 2 million customer names were stolen in the attack.

Weapons in the fight against insider threats

Insider threats are carried out, either partially or entirely, by fully credentialed users, including privileged users. This makes it particularly challenging to distinguish careless or malicious insider threat indicators and behaviors from regular user actions. According to one study, it takes security teams an average of 85 days to detect and contain an insider threat,[4] but some insider threats have gone undetected for years.

To better detect, contain and prevent insider threats, security teams rely on a combination of practices and technologies.

Employee and user training

Continuously training all authorized users on security policy—such as password hygiene, proper handling of sensitive data, and reporting lost devices—can help reduce the risk of negligent insider threats. In addition, security awareness training on topics like recognizing phishing scams and correctly routing requests for system access or sensitive data can mitigate the overall impact of threats. For example, according to the Cost of a Data Breach Report, the average cost of a data breach at companies with employee training was USD 285,629 less than companies without training.

Identity and access management

Identity and access management (IAM) focuses on managing user identities, authentication and access permissions in a way that ensures the right users and devices can access the right resources, for the right reasons, at the right time. Privileged access management (PAM), a subdiscipline of IAM, focuses on finer-grained control over the elevated privileges granted to users, applications, administrative accounts and devices.

A key IAM function for preventing insider attacks is identity lifecycle management. Limiting the permissions of a departing disgruntled employee or immediately decommissioning accounts of users who have left the company are examples of identity lifecycle management actions that can reduce the risk of insider threats.
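The lifecycle actions described above (retiring the access of leavers, trimming the privileges of someone who has given notice, and catching accounts nobody owns) are usually discovered by reconciling the directory against the HR system of record. The following is an added example written for this article, not IBM code or a product feature: it joins a constructed HR roster against a constructed IAM account export and returns the action each enabled account needs. The field names, statuses and the 14-day and 90-day thresholds are assumptions standing in for a real HR feed and directory export.

```python
"""Identity lifecycle check: reconcile an IAM account export against the HR
roster to find access that should already be gone.

Added example for this article, not IBM code. HR_ROSTER, IAM_ACCOUNTS, the
field names and the thresholds are constructed assumptions.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2021, 7, 19)      # the day the review runs
NOTICE_WINDOW = timedelta(days=14)   # reduce privileges this close to a known exit
DORMANT_AFTER = timedelta(days=90)   # enabled but unused for this long

# Constructed HR roster keyed by employee id (assumed field names).
HR_ROSTER = {
    "E1001": {"status": "active", "termination": None},
    "E1002": {"status": "terminated", "termination": date(2021, 6, 30)},
    "E1003": {"status": "notice", "termination": date(2021, 7, 23)},
    "E1004": {"status": "active", "termination": None},
}

# Constructed IAM export, one record per account (assumed field names).
IAM_ACCOUNTS = [
    {"username": "alovelace", "employee_id": "E1001", "enabled": True, "privileged": False, "last_login": date(2021, 7, 18)},
    {"username": "ghopper", "employee_id": "E1002", "enabled": True, "privileged": True, "last_login": date(2021, 7, 15)},
    {"username": "aturing", "employee_id": "E1003", "enabled": True, "privileged": True, "last_login": date(2021, 7, 19)},
    {"username": "bwayne", "employee_id": "E1004", "enabled": True, "privileged": False, "last_login": date(2021, 2, 1)},
    {"username": "svc-backup", "employee_id": None, "enabled": True, "privileged": True, "last_login": date(2021, 3, 1)},
    {"username": "jdoe-old", "employee_id": "E0999", "enabled": True, "privileged": False, "last_login": date(2020, 12, 1)},
    {"username": "retired", "employee_id": "E0500", "enabled": False, "privileged": False, "last_login": date(2019, 1, 1)},
]


def review_accounts(hr, accounts, today=REVIEW_DATE):
    """Return {username: (action, reason)} for enabled accounts that need attention."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already decommissioned; nothing to do
        user = acct["username"]
        emp = hr.get(acct["employee_id"])
        if emp is None:
            # No owner in HR: an unowned service account, or a leaver whose HR
            # record is gone but whose account was never removed.
            findings[user] = ("orphaned", f"no HR record for employee_id {acct['employee_id']!r}")
        elif emp["status"] == "terminated":
            days_gone = (today - emp["termination"]).days
            reason = f"owner left {days_gone} days ago; account still enabled"
            if acct["last_login"] > emp["termination"]:
                reason += "; used after departure"  # credentials not retired and still in use
            findings[user] = ("disable_now", reason)
        elif emp["status"] == "notice" and acct["privileged"] and emp["termination"] - today <= NOTICE_WINDOW:
            findings[user] = ("reduce_privileges", f"owner departs {emp['termination']}; remove privileged roles before exit")
        elif today - acct["last_login"] > DORMANT_AFTER:
            findings[user] = ("dormant", f"no login since {acct['last_login']}; confirm the access is still needed")
    return findings


if __name__ == "__main__":
    for user, (action, reason) in review_accounts(HR_ROSTER, IAM_ACCOUNTS).items():
        print(f"{user:12} {action:18} {reason}")
```

The checks run in priority order: an orphaned or terminated owner is acted on before any dormancy test, so a leaver who is still logging in is reported as "disable_now" with a note that the account was used after departure, which is exactly the case the paragraph warns about. In practice the same join runs on a schedule against the real HR feed and directory, and the "disable_now" findings are automated rather than reviewed by hand.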

User behavior analytics

User behavior analytics (UBA) applies advanced data analytics and artificial intelligence (AI) to model baseline user behaviors and detect deviations that can indicate emerging or ongoing cyberthreats, including potential insider threats. A closely related technology, user and entity behavior analytics (UEBA), expands these capabilities to detect abnormal behaviors in IoT sensors and other endpoint devices.

UBA is frequently used together with security information and event management (SIEM), which collects, correlates and analyzes security-related data from across the enterprise.
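To make the "baseline, then detect deviations" idea concrete, here is an added example written for this article; it is not IBM code and not the algorithm of any UBA or SIEM product. It learns, per user, the mean and standard deviation of daily download volume and the range of hours the user is normally active from two weeks of constructed log lines, then scores one new day: a download far above the user's own baseline (z-score), activity outside the user's usual hours, and activity from an identity with no baseline at all. The log format and every event are constructed.

```python
"""Toy user behavior analytics (UBA): learn each user's normal daily download
volume and active hours from a history of log lines, then score one new day
against that baseline.

Added example for this article, not IBM code or a product algorithm. The log
format and all events are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format (assumption): ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: bytes=(?P<bytes>\d+))?$"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "bytes": int(m["bytes"] or 0),
    }


def build_baseline(events):
    """Per user: mean/stdev of daily download bytes and the range of active hours."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes downloaded
    hours = defaultdict(set)                       # user -> hours with any activity
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        if e["action"] == "download":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
    baseline = {}
    for user, hs in hours.items():
        totals = list(daily[user].values()) or [0]
        baseline[user] = {
            "mean": statistics.mean(totals),
            "stdev": statistics.pstdev(totals),
            "hour_lo": min(hs),
            "hour_hi": max(hs),
        }
    return baseline


def score_day(events, baseline, z_threshold=3.0):
    """Return {user: [anomaly kinds]} for one day's events; users with no anomaly are absent."""
    alerts = defaultdict(list)
    day_bytes = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            # An identity never seen in the baseline window: new account, or one
            # now being used in a way it never was before.
            if "no_baseline" not in alerts[e["user"]]:
                alerts[e["user"]].append("no_baseline")
            continue
        if not (b["hour_lo"] <= e["ts"].hour <= b["hour_hi"]) and "off_hours" not in alerts[e["user"]]:
            alerts[e["user"]].append("off_hours")
        if e["action"] == "download":
            day_bytes[e["user"]] += e["bytes"]
    for user, total in day_bytes.items():
        b = baseline[user]
        if b["stdev"] > 0:
            z = (total - b["mean"]) / b["stdev"]
        else:
            # Perfectly flat history: any increase is unprecedented for this user.
            z = float("inf") if total > b["mean"] else 0.0
        if z > z_threshold:
            alerts[user].append("download_volume")
    return dict(alerts)


def constructed_history():
    """14 days of routine activity for two users (constructed, deterministic)."""
    lines = []
    for day in range(1, 15):
        for user, base in (("alovelace", 100_000), ("ghopper", 250_000)):
            lines.append(f"2021-07-{day:02d}T08:55:00 user={user} action=login")
            for hour, share in ((9, 0.4), (11, 0.3), (15, 0.3)):
                nbytes = int(base * share) + (day % 4) * 1_000  # small day-to-day jitter
                lines.append(f"2021-07-{day:02d}T{hour:02d}:17:00 user={user} action=download bytes={nbytes}")
    return lines


NEW_DAY = [  # constructed: the day being scored
    "2021-07-15T02:10:00 user=alovelace action=login",
    "2021-07-15T02:12:00 user=alovelace action=download bytes=4000000",
    "2021-07-15T09:05:00 user=ghopper action=login",
    "2021-07-15T09:30:00 user=ghopper action=download bytes=251000",
    "2021-07-15T10:00:00 user=svc-etl action=download bytes=50000",
]


def run_example():
    history = [e for e in map(parse, constructed_history()) if e]
    today = [e for e in map(parse, NEW_DAY) if e]
    return score_day(today, build_baseline(history))


if __name__ == "__main__":
    for user, kinds in run_example().items():
        print(user, kinds)
```

The point of scoring against each user's own baseline rather than a global threshold is visible in the sample: ghopper's 251,000-byte day is larger than anything alovelace normally does, yet it is within ghopper's normal range and raises nothing, while alovelace's 4,000,000-byte download at 02:12 is hundreds of standard deviations above her baseline and also outside her usual hours. Neither event would be caught by a static rule on the raw byte count alone. A SIEM plays the role of `constructed_history()` here, supplying the normalized events from across the enterprise that the baseline is built from.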

Offensive security

Offensive security (or OffSec) uses adversarial tactics, the same tactics that bad actors use in real-world attacks, to strengthen security rather than compromise it. Ethical hackers, cybersecurity experts skilled in attack techniques, lead offensive security work by finding and helping fix flaws in IT systems, weaknesses in security controls, and gaps in how users respond to attacks.

Offensive security measures that can help strengthen insider threat programs include phishing simulations, which test whether users recognize and report the lures that create negligent and compromised insiders, and red teaming, in which a team of ethical hackers carries out a simulated, goal-oriented attack on the organization.
