Insider Threats are Closer Than You Know

8 minute read

You might be surprised to learn some insider threats are costlier and more damaging than external threats. This risk is an easy one to overlook, considering just how close to home they are. Your everyday routine may be placing you unknowingly as one yourself. It’s nothing to be taken lightly, whether malicious or unintentional the outcome remains the same. An insider threat brought to fruition can bring an entire organization to its knees when it comes to digital risk protection.

The risk posed is enough to make it a staple awareness campaign for September. National Insider Threat Awareness Month (NIATM) stems from President Obama’s 2011 Executive Order that established a National Insider Threat Task Force (NITTF) to prevent future exposure of government secrets such as those made public by WikiLeaks. NIATM is also supported by the National Counterintelligence and Security Center (NCSC), the Office of the Under Secretary of Defense Intelligence and Security (USDI&S), the Defense Counterintelligence and Security Agency (DCSA) and the Department of Homeland Security (DHS). In this post, we will take a closer look at insider threats, the risks they pose and resources available to help organizations circumvent them. 

What is an Insider Threat?

Both accidental threats and insider threats are common phrases in the world of cybersecurity; the two are closely tied but do have their differences. Accidental threats can be related to tailored attacks such as phishing, social engineering and even ransomware. This broad term can include any attack that pulls in a social component, be it business email compromise (BEC), phishing, lost or stolen credentials, or malware triggered with a simple click. All of which can be closely tied to your typical accidental threat.

An insider threat is specific to an inside source that inflicts harm through a loss of resources, capabilities or other damaging consequences. NIST SP 800-53 Rev. 5 from CNSSI 4009-2015 defines it as “The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation. This threat can include damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of organizational resources or capabilities.”

To be clear, an “insider” isn’t always a criminal spy and may not be as apparent as the term implies. An insider can be an employee simply going to work with no malicious intent at all. The term includes anyone with authorized access or knowledge of an organization’s assets. This could range from product development, trade secrets, contract and pricing information, networks, systems, physical facilities and more. Insider threats tied to public resources or government functions could cause such severe damage as to impact national security, infrastructure or public safety.

Global Average Costs and Frequency of Incidents Tied to Insider Threats
Source: Ponemon Institute’s 2020 Cost of Insider Threats: Global Report

Your insiders could include both employees and third parties as well. Employees might fall into this category if they are privileged users, analysts or developers, formerly employed or involved in a merger. Third parties might include supply chain partners, vendors, contractors and more. These are just a few examples to help paint the picture. It’s essential to assess your risk profile within your organization before identifying proactive measures and building your response plans.

Are Insider Threats Really a Concern?

Insider threats are more common than you may think and can cause just as much damage as a ransomware attack. The worst association anyone can have would be: “It won’t happen to me.” When it comes to cybersecurity, it’s only a matter of time before a vulnerability is actively exploited. You might not consider yourself an insider threat if you aren’t working with classified information, or what you would consider sensitive information. This is not the case. There is no environment immune from the potential of insider threats.

Malicious insiders and lurking spies might come to mind as the most significant insider risk, but most instances are caused by simple carelessness. In the Ponemon Institute’s 2020 Cost of Insider Threats study, researchers found internal data breach’s average annual cost was $11.45 million with 4,716 insider incidents over a 12-month period alone. Of the 4,716 incidents reported and collected for the study, almost 3,000 “were due to negligent or inadvertent employees or contractors.”

Insider Threat Cost Trends by Category Type
Source: Ponemon Institute’s 2020 Cost of Insider Threats: Global Report

Consequences that drive costs tied to an insider threat can include monitoring, investigation, remediation and more. Numbers vary depending on the type of insider, but the study showed those linked to negligence averaged $307,111 and jumped to $871,686 when tied to a threat actor stealing credentials. Malicious insiders cost, on average, organizations $756,760 for each incident alone. Out of the thirteen industry sectors assessed, financial services saw the highest total costs coming in at $14.50 million.

Insider Threat Costs by Industry
Source: Ponemon Institute’s 2020 Cost of Insider Threats: Global Report

What an Insider Threat Looks Like

These are hard-hitting numbers, and although we have clear definitions of what an insider threat might include, real-world examples help to illustrate just how these threats work in action and highlight the extent of possible damage. Here are just a few:

  • In September 2021, a Dallas Police Department IT employee who showed a history of errors during their nine years of employment was fired after being found responsible for erroneously deleting 22.5 TB of police data, including evidence. 
  • In July 2021, a disgruntled sailor was charged with intentionally setting fire to the USS Bonhomme Richard. Aside from additional damages and injuries caused, the Navy chose not to seek repairs as cost estimates came in at $3 billion and would have taken more than five years to complete.
  • In April 2021, a chemist working for Coca-Cola was convicted of conspiracy to steal trade secrets as well as economic espionage and wire fraud. These trade secrets cost roughly $120 million to develop and the chemist was hoping to aid a new company in China.
  • In March 2020, a former employee of a medical device packaging company hacked into the company’s computer network and corrupted nearly 120,000 records, causing substantial delays in medical equipment delivery to healthcare providers during a global pandemic.
  • In December 2019, a researcher noticed over 200 million Microsoft customer records detailing sensitive personal information had been released on the open web and were accessible to anyone with a web browser. This is a perfect example of the negligent insider threat because employees tied to the leak had failed to secure databases appropriately.
  • In February 2018, scientists were found abusing access to Russia’s most vigorous supercomputers to aid a secret bitcoin-mining data center. Insiders were misusing resources and exposing additional vulnerabilities to find new ways to outsource the expense of crypto mining by using other infrastructures.
  • In July 2018, Tesla filed a lawsuit that alleged an employee wrote code to periodically export gigabytes of company data that included confidential details of manufacturing systems, financials and more.

Some clues can help pinpoint an insider threat that may be at hand. Security teams can watch for behavioral signs such as attempts to bypass security, exhibiting disgruntled viewpoints, online defamation, working hours outside of the norm and more. Digital warning signs might include moving large amounts of data, accessing data outside of their role, emailing sensitive data to external resources and more. While behavioral warnings can indicate possible threats, this can often be a gray area that is difficult to pinpoint consistently. Performance appraisals and decommissioning access promptly following termination is a great place to start. However, digital analytics and risk protection platforms are typically the most efficient ways to detect insider threats proactively. 

Resources for Proactive Mitigation

Luckily there is no shortage of resources available. Most are designed to aid organizations in detecting and identifying these threats, as well as assessing and managing the associated risks. To get started, we recommend visiting these trusted sources:

  • The Center for Development of Security Excellence created a dedicated platform to aid in developing tools against insider threats that include interactive visuals as well as case studies and real-world scenarios aimed to promote awareness.
  • The Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to view a recorded webinar, A Holistic Approach to Mitigating Insider Threats, to further organizational resilience. There is also an entire library dedicated to defining these threats and providing tools for mitigation.
  • DCSA offers a dedicated insider threat site that includes resources for education specifically tied to printable posters and handouts.
  • The NITTF provides free access to a specialized Resource Library containing best practices, policy templates and guidance to support Insider Threat Programs and Insider Threat Training.
  • NITAM’s dedicated site walks users through education, advocacy and promoting cultural awareness.

The ZeroFox team continues to produce informative resources and engaging events to help security teams and organizations as a whole navigate unknown territory as the landscape continues to evolve. To learn more about the top threat trends as well as predictions on the tactics and techniques expected to increase, download the latest ZeroFox Quarterly Threat Landscape Report.

See ZeroFox in action