Insider threats are a growing concern for organizations worldwide. They come from all levels within the organization (e.g., employees, contractors, or business associates) who have inside knowledge of sensitive company data, company security practices, and company computer systems. Because these threats originate inside the organization, they are difficult to detect and hard to avert: insiders generally have legitimate access and do not need to bypass perimeter defenses such as firewalls or physical access points to reach data, which makes it hard for security controls to distinguish normal from harmful activity. Without proper controls, breaches at government contractors are a constant threat and can have severe impacts on an organization.
On May 18, 2016, the Department of Defense issued Conforming Change 2 of the “National Industrial Security Program Operating Manual” (“NISPOM”). NISPOM Change 2 requires all U.S. government contractors with access to U.S. classified information to implement an Insider Threat Program (“ITP”) that gathers, integrates, and reports relevant information related to potential or actual insider threats among cleared employees. The training element of this mandate is typically met by having cleared employees complete insider threat awareness training each year, with a new certificate of completion issued annually.
Insider Risk, Threats, and Cases
Insider risk is where an employee may unintentionally compromise security by mishandling data, using weak passwords, or losing devices that hold sensitive information. While not malicious in intent, these actions can lead to security breaches. An insider threat is when someone within the organization deliberately attempts to steal, sabotage, or exploit its resources for financial gain, revenge, espionage, or ideology. An insider has authorized access to the organization’s network, systems, or data through various means:
- Via a physical access device, such as a badge, that opens a building or sensitive area
- Via computer or network access
- Via knowledge of, and access to, the organization’s protected information
Insiders can be at any level of the organization. Examples include:
- Network administrators and executives
- Developers with access to data using a development
- Terminated employees with active profiles and credentials
- Vendors with internal access
- Contractors with internal access
With so much employee data, vendor data, financials and proprietary information at risk, even large companies are not immune to insider threats. Take these cases for example:
- Two former Tesla employees leaked names, addresses, phone numbers and email addresses of 75,000+ current and former employees to a German newspaper (2023)
- Two General Electric employees downloaded thousands of files containing trade secrets from company servers to the cloud after convincing a system administrator to grant them inappropriate access to sensitive corporate data (2020)
- Capital One used Amazon Web Services (AWS) for cloud hosting, and a former AWS software engineer exploited a misconfigured web application firewall to access the data of more than 100 million customers, including credit card applications (2019)
- A disgruntled Tesla employee used his insider access to make code changes to the Tesla Manufacturing Operating System then exported sensitive data to unknown third parties (2018)
- Edward Joseph Snowden leaked highly classified information from the National Security Agency while working as a government contractor (2013)
- A Coca-Cola principal engineer retained proprietary data simply by uploading it to her personal Google Drive account and by photographing documents with her smartphone camera, bypassing the cybersecurity controls in place (2017)
- An employee who had resigned still had access to the company’s cloud environment five months later via a third-party vendor and proceeded to delete 456 virtual machines (2018)
Identifying the Types of Insider Threats
A report from Proofpoint shows how diverse insider threats, and the methods behind them, are:
- Malicious: individuals with authorized access who deliberately seek to harm the organization by selling or leaking confidential data or sabotaging systems
- Opportunistic: employees who become seduced by opportunity begin to hoard sensitive information during their tenure and attempt to exploit it for personal gain
- Negligent: without malicious intent, an employee or vendor compromises security by skipping established cybersecurity safeguards, transferring sensitive links or documents to a personal cloud drive without realizing the data needs to be safeguarded, clicking on a phishing email at work, or sharing a password with someone
- Accidental: purely unintended incidents in which insiders cause data breaches through mistakes such as sending files to the wrong recipients, accidentally deleting critical data, or falling victim to phishing attacks that download malware onto a company device
- Compromised: external entities steal a legitimate user’s credentials via phishing or malware and then act under that user’s identity
- Collusive: insiders collaborate with external entities (e.g., competitors, cyber criminals) to conduct espionage or intellectual property theft
Motivations For Insider Threats
Unintentional insider threats can arise from a negligent employee falling victim to a phishing email, whereas examples of malicious threats include intentional theft of company/personal/proprietary data, corporate espionage, or data destruction. Insider threats can come from any organizational level and from anyone with access to proprietary data. Personal motivations can push an insider to act:
- Seeking financial incentives
- External entities like competitors or foreign powers manipulating insiders to act
- To seek revenge due to perceived wrongs
- Desire to breach a system to prove their capabilities
- Ideological or ethical beliefs cause the insider to believe he/she is serving a greater cause
- A perceived lack of consequences if the company has no clear method for employees to report suspicious activity or a weak information technology security culture
- The insider’s emotional state and personal stressors, such as family or financial issues or mental health challenges, which may cause the insider to act irrationally
- Job dissatisfaction or feeling undervalued
A survey conducted by Fortinet found that the three primary insider threat motivations are fraud, monetary gain, and intellectual property theft. The Ponemon Institute’s 2022 Cost of Insider Threats Global Report, sponsored by Proofpoint, estimated the average cost of insider threats for organizations in North America at $17.53 million. According to a NordPass survey, 23% of data breaches in 2022 were due to reused or weak passwords. Phishing attacks, in which an email or text message appears to come from a trusted entity but, when a link is clicked, installs malware or prompts the victim to enter login credentials on an impostor website, caused over 67% of accidental insider threats according to SoftActivity’s report.
Possible Consequences of Insider Threats
A Ponemon study puts “the current average cost at $15 million per attack, noting in February of 2022 that the frequency of insider threats has increased 44% since 2020.” Another consequence is that if the details of an attack are made public, the company’s reputation can be damaged. Insider threats can lead to significant financial losses for an organization, directly through theft or indirectly through the cost of resolving the data breach. Additional costs include system downtime, regulatory fines, and lawsuits from affected parties. Insider data breaches can also impact productivity and service delivery, resulting in missed opportunities. Many industries are also governed by strict regulations that require companies to protect sensitive information and maintain specific security practices, so an insider breach can also constitute a compliance violation.
There may be distrust among employees if the company’s increased surveillance and stricter controls appear to infringe on employees’ right to privacy. Exposed trade secrets or intellectual property can cost the company its competitive advantage. While cybersecurity insurance coverage is available, a history of insider incidents generally means the company will face higher insurance premiums or find it difficult to obtain cybersecurity insurance coverage at all.
Unintentional Threats
Telefónica Tech reports that human error is the leading cause of cybersecurity breaches, driven by misinformation, lack of awareness, and simple mistakes that stem from inadequate training. Such errors can expose the company to several threats, including:
- Malware – Short for “malicious software,” malware is any unwanted application that harms your computer, your network, or your data. Malware can simply slow down your computer’s performance or be as severe as stealing financial data. Companies should have adequate antivirus programs to scan for and remove malware, and employees should be trained never to interact with suspicious websites or emails.
- Ransomware – A type of malware that holds sensitive data or a device hostage and threatens to keep the data locked or, worse, to delete it unless the victim pays a ransom to the attacker. Tips to avoid a ransomware attack according to CISA, the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience, are to “a) conduct regular vulnerability scanning to identify and address vulnerabilities, b) maintain offline, encrypted backups of data and regularly test your backups, and c) regularly patch and update software and Operating Systems.”
- Phishing – An attacker poses as a trusted friend, colleague, or vendor, typically via email, leading the victim to click a link and land on a nearly identical copy of a trusted website. Employees should be trained never to give any information away without verifying the source first.
Signs Of Insider Threats
Because insiders generally have legitimate access to files and data, good insider threat detection looks for unusual behavior or access requests. According to a Cybersecurity and Infrastructure Security Agency (CISA) report, “insider attacks are typically detected and reduced over extended periods. An insider threat scenario usually takes 200 days to be noticed and 75 days on average to be controlled”.
An employee exhibiting one or more of these behaviors is not necessarily an insider threat but could potentially be:
- Anomalies in work behavior such as accessing systems outside of regular work hours or attempting unauthorized access
- Attempts to access information unrelated to their job function
- Logins from unfamiliar locations
- Massive or unusual data transfers to external devices or locations, which can indicate data theft
- Sudden decline in job performance may indicate distractions or other motives
- Vocal dissatisfaction with the company or policies
- Behavioral changes such as heightened stress or increased isolation from colleagues
- Defensiveness to routine checks, security measures or audits
- Severe financial distress making the employee susceptible to bribes or attempting to sell proprietary information
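The technical indicators in this list (logins outside regular hours, logins from unfamiliar locations, repeated attempts to reach information outside the job role, and bulk data transfers) can be scored mechanically once the relevant audit events are collected in one place. The following Python script is an added example, not code from the original article: it runs simple rules over a constructed set of audit events (not real logs) and reports which indicators each user tripped. The event format, the user names and locations, the work-hours window, the 1 GiB transfer threshold, the denial count and the baseline window are all assumptions made for illustration.

```python
"""Score the insider threat indicators listed above over constructed audit events.

Added example, not from the original article. The event format, user names,
locations, thresholds and the baseline window are assumptions for illustration;
a real deployment would read these events from the SIEM or identity provider.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not real logs). Fields:
# timestamp  user  action(login|denied|transfer)  location  bytes
SAMPLE_EVENTS = """\
2024-03-04T09:12:00 alice login office 0
2024-03-04T17:40:00 alice login office 0
2024-03-04T08:50:00 bob login office 0
2024-03-05T09:05:00 alice login office 0
2024-03-05T02:13:00 alice login home-vpn 0
2024-03-05T02:20:00 alice transfer home-vpn 5368709120
2024-03-05T02:30:00 alice denied home-vpn 0
2024-03-05T02:31:00 alice denied home-vpn 0
2024-03-05T02:32:00 alice denied home-vpn 0
2024-03-05T09:30:00 bob login office 0
2024-03-05T10:10:00 bob transfer office 10485760
2024-03-06T12:00:00 bob login unknown-country 0
"""

# Assumed thresholds; tune them to the organization's real baseline.
WORK_HOURS = range(7, 20)              # 07:00-19:59 counts as regular hours
BULK_TRANSFER_BYTES = 1 << 30          # a single transfer of 1 GiB or more
DENIED_THRESHOLD = 3                   # this many access denials in one day
# Events before this instant only build the per-user location baseline.
BASELINE_UNTIL = datetime(2024, 3, 5)


def parse_events(text):
    """Parse whitespace-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, location, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "location": location,
                       "bytes": int(nbytes)})
    return events


def detect_indicators(events, baseline_until):
    """Return (user, indicator, timestamp) triples for events after the baseline window."""
    baseline = defaultdict(set)      # user -> login locations seen during baseline
    denials = Counter()              # (user, date) -> denied attempts so far
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ts, loc = e["user"], e["ts"], e["location"]
        if ts < baseline_until:
            if e["action"] == "login":
                baseline[user].add(loc)
            continue
        if e["action"] == "login":
            if ts.hour not in WORK_HOURS:
                findings.append((user, "off_hours_login", ts.isoformat()))
            if loc not in baseline[user]:
                findings.append((user, "unfamiliar_location", ts.isoformat()))
        elif e["action"] == "transfer" and e["bytes"] >= BULK_TRANSFER_BYTES:
            findings.append((user, "bulk_transfer", ts.isoformat()))
        elif e["action"] == "denied":
            key = (user, ts.date())
            denials[key] += 1
            if denials[key] == DENIED_THRESHOLD:   # fire once per user per day
                findings.append((user, "repeated_denials", ts.isoformat()))
    return findings


def indicators_by_user(findings):
    """Collapse findings into user -> sorted list of distinct indicator names."""
    grouped = defaultdict(set)
    for user, indicator, _ in findings:
        grouped[user].add(indicator)
    return {u: sorted(v) for u, v in grouped.items()}


def run_detection(text=SAMPLE_EVENTS):
    """Run the rules over the constructed events with the assumed baseline window."""
    return indicators_by_user(detect_indicators(parse_events(text), BASELINE_UNTIL))


if __name__ == "__main__":
    for user, indicators in sorted(run_detection().items()):
        print(f"{user}: {', '.join(indicators)}")
```

As the text above says, a tripped indicator is a reason to look, not a verdict: alice's night-time VPN session could be legitimate on-call work, and only the combination of an unfamiliar location, a multi-gigabyte transfer and a burst of denied requests in the same hour is what should draw an analyst's attention. Judging hours and locations against a per-user baseline rather than one global rule keeps the false-positive rate down, and counting denials once per user per day turns a single burst into one alert instead of dozens.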
Addressing Insider Threats
A study, 2022 Ponemon Institute Cost of Insider Threats, revealed that companies implementing a formal Insider Threats program are 50% less likely to have a data breach or cyberattack.
From a policy perspective, ways to protect your company from an insider threat attack include training employees about insider threats and ensuring security measures are in place to prevent attacks.
- Companies should have open communications channels for employees to voice concerns, frustrations, or issues so the company can address potential grievances before they escalate
- Companies should conduct regular training sessions on insider threats, keeping employees educated about the risks and their responsibilities for data security
- Training can be supplemented by awareness campaigns through the year
- Companies should encourage employees to report any suspicious activities they come across
- Companies should have a clear policy regarding insider threats including examples and consequences for engaging in malicious behavior
- A standard termination procedure should be in place to immediately revoke the former employee’s access to sensitive information (e.g., computer login, network access, building access cards, remote access)
From an information technology perspective, a company’s security strategy may include:
- Establish a security policy for detecting and blocking misuse by insiders
- Restrict access to sensitive information using physical access controls and digital access controls such as identity verification
- Use multifactor authentication
- Passwords should be complex and unique
- Eliminate idle or dormant accounts so that inactive users cannot access the system
Implementing some of these strategies can equip a company to prevent an insider threat, recover from an insider threat incident and reduce the likelihood of future attacks.
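The termination procedure and the dormant-account control above (and the case earlier in this article in which a resigned employee still had cloud access five months later) both come down to one reconciliation: compare who should have access, according to HR, with who actually does, according to the identity directory. The following Python script is an added example, not code from the original article. It reconciles two constructed CSV exports (not real data); the column names, user names, dates and the 90-day dormancy threshold are assumptions made for illustration.

```python
"""Offboarding and dormant-account audit for the termination and idle-account
controls listed above.

Added example, not from the original article. The CSV columns, user names,
dates and the 90-day dormancy threshold are assumptions for illustration; a real
audit would pull these from the HR system and the identity provider.
"""
import csv
import io
from datetime import date

# Constructed HR roster (not real data): who is supposed to have access.
HR_ROSTER = """\
user,status,end_date
alice,active,
bob,terminated,2023-10-31
carol,active,
dave,contractor,2024-01-15
"""

# Constructed identity-directory export (not real data): who actually does.
DIRECTORY = """\
user,enabled,last_login,badge,vpn
alice,true,2024-03-04,true,true
bob,true,2024-03-01,true,true
carol,true,2023-11-20,true,false
dave,true,2024-02-28,false,true
erin,true,2023-06-01,false,false
"""

DORMANT_DAYS = 90                 # assumed: no login in 90 days means dormant
AUDIT_DATE = date(2024, 3, 6)     # fixed "today" so the example is reproducible


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    return date.fromisoformat(value) if value else None


def audit_accounts(hr_text, dir_text, today):
    """Return (user, issue, detail) triples for enabled accounts that should not be."""
    hr = {row["user"]: row for row in load_csv(hr_text)}
    findings = []
    for acct in load_csv(dir_text):
        user = acct["user"]
        if acct["enabled"].lower() != "true":
            continue                      # already disabled, nothing to revoke
        last_login = parse_date(acct["last_login"])
        grants = [g for g in ("badge", "vpn") if acct[g].lower() == "true"]
        record = hr.get(user)
        if record is None:
            # Nobody in HR owns this account: a classic orphaned credential.
            findings.append((user, "orphaned_account", "no HR record owns this account"))
            continue
        end_date = parse_date(record["end_date"])
        separated = record["status"] == "terminated" or (
            end_date is not None and end_date < today)
        if separated:
            findings.append((user, "enabled_after_separation",
                             f"still enabled; grants: {', '.join(grants) or 'none'}"))
            if last_login is not None and end_date is not None and last_login > end_date:
                # Worse than a stale account: it has actually been used since leaving.
                findings.append((user, "login_after_separation",
                                 f"last login {last_login} after end date {end_date}"))
        elif last_login is None or (today - last_login).days > DORMANT_DAYS:
            findings.append((user, "dormant_account",
                             f"last login {last_login or 'never'}"))
    return findings


def run_audit():
    """Reconcile the constructed roster and directory as of the assumed audit date."""
    return audit_accounts(HR_ROSTER, DIRECTORY, AUDIT_DATE)


if __name__ == "__main__":
    for user, issue, detail in run_audit():
        print(f"{user:6} {issue:26} {detail}")
```

Two of the constructed findings deserve separate handling: bob and dave have not merely kept an enabled account, they have logged in after their end dates, which is an incident to investigate rather than a cleanup item. Running this reconciliation on a schedule catches what the termination checklist missed, but the checklist itself (revoking login, network, remote and badge access on the day of separation) is what prevents the five-month window in the case above.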
Additional Resources
- The Federal Trade Commission provides guidance on how to respond to a data breach and a small business fact sheet on purchasing first-party/third-party cyber insurance.
- CISA Insider Threat Mitigation Guide
- CISA Protective Security Advisors (PSA) Critical Infrastructure Vulnerability Assessments
- Ready.Gov Business Continuity Planning Suite