When we think about security, we usually think of external factors. We lock the doors to our homes and businesses, at the gym our belongings sit in locked lockers to protect them from theft, and our computers and phones have security measures in place to keep other people out.
Our focus is on external threats, but the biggest danger can come from within — insider threats.
Consider the classic thriller When a Stranger Calls. The protagonist believes the threat is an outsider, only to discover the chilling reality: the call is coming from inside the house. This twist dramatically reinforces the concept of an insider threat.
Just like in the film, in any corporate setting, the danger does not always come from the outside. It could be a disgruntled employee, a negligent teammate, or even a malicious insider exploiting their access rights. These people can cause significant damage to your organization's sensitive data, reputation, and overall security.
What are insider threats?
Insider threats differ from external threats in where they originate, and they are one of the most harmful risks to an organization's security and overall integrity. According to CISA, insider threats “present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors.”
That’s because these threats typically originate from individuals within the organization, such as:
- Former staff
- Partners & business associates
These individuals have inside knowledge of your security practices, data, and computer systems. The threat posed by insiders is enormous because of their granted access and their understanding of the organization, which makes their activities potentially far more harmful and harder to detect than external threats.
Insider threats are the cause of most data breaches and can cost organizations millions of dollars.
Types of Insider Threats
There are two primary types of insider threats: intentional and unintentional. Understanding and mitigating both types of insider threats is crucial for maintaining a robust and secure environment.
Intentional insider threats
Intentional insiders are individuals who deliberately exploit their access to damage the organization. Typically, these individuals have malicious intent — they mean to cause harm or to otherwise enrich themselves.
Intentional insider threats have been depicted in movies like Office Space and Hackers to comedic effect — and yet their damage can be huge. In both, a computer program designed to divert small amounts of money per transaction was used to steal thousands of dollars from the company.
Examples of intentional insider threats include:
- Sabotage: This occurs when an employee alters data, deletes information, or otherwise performs actions to cause harm.
- Profit: Diverting funds from a company’s account or selling sensitive data to make money.
- Espionage: Spying or stealing sensitive data for personal gain.
Unintentional insider threats
Unintentional insider threats occur when employees accidentally cause security breaches — without intending to.
Accidents include actions like emailing sensitive documents to a personal email address in order to work over the weekend. Increasingly, however, these unintended threats are the result of social engineering: an unsuspecting insider is coerced or bribed into actions that undermine the organization's security.
These threats can happen due to human error, lack of awareness, negligence, or simply being untrained in security protocols. Examples of unintentional insider threats include:
- Human error: Accidentally deleting critical data or downloading malware.
- Negligence: Sharing confidential information over an unsecured network, failing to update software, or falling for phishing scams.
- Lack of awareness: Employees not following proper security procedures and protocols due to lack of training or understanding.
Consequences & trends of insider threat incidents
Insider threats — whether intentional or not — can cause severe and costly damage to an organization. They can lead to:
- Loss of sensitive data. Insiders with access to critical data could leak or steal it, leading to significant financial and reputational damage.
- Financial consequences. Data breaches caused by insider threats can result in costly legal fees, regulatory fines, and settlements.
- Damage to reputation. Insider incidents can cause irreparable damage to the organization's reputation, and regaining the trust of customers and shareholders can take a long time.
- Disruption to business operations. Insider threats can lead to business disruption, resulting in lost productivity and revenue.
- Legal and regulatory consequences. Organizations can face legal action from individuals or regulatory penalties for failing to protect sensitive data.
Real-life examples of insider threats
Insider threats have caused severe damage to numerous high-profile companies, reinforcing the critical need for insider threat management. This time, let’s skip the silver screen and look at three real-life examples.
City of San Francisco (2008)
In 2008, network admin Terry Childs locked the city out of its FiberWAN networking system, preventing valid users from accessing email, payroll, police records and more. Users were locked out of the system for nine days before Childs finally gave up the passwords.
The lockout cost the City of San Francisco approximately $900,000 simply to regain control of its own network.
Marriott Hotel (2010s)
Marriott Hotels were the victim of a major database breach that exposed the details of over 500 million customers. The breach occurred through a reservation database that Marriott acquired as part of Starwood Hotels & Resorts Worldwide.
It wasn’t until 2018 that the company discovered unauthorized access to its network — with some data being stolen as early as 2014. The data breach cost Marriott an estimated £18.4 million.
X, fka Twitter (2020)
On July 15, 2020, hackers used social engineering to gain access to Twitter's administrative tools, compromising 130 high-profile Twitter accounts to promote a Bitcoin scam. Within minutes of the initial tweets, over 320 transactions occurred, depositing bitcoins worth over $100,000 into an account before the scam messages were eventually removed by Twitter.
Best practices for mitigating insider threats
Like most areas of cybersecurity, mitigating insider threats requires continuous security monitoring (which Splunk can help you with), alongside proper security protocols and employee training. Some best practices include:
- Background checks. Conduct thorough background checks on employees, contractors, and other associates before granting access to sensitive data.
- Access controls. Limit employee access to critical data and systems based on their job responsibilities.
- Employee training. Train employees on security protocols and how they can spot potential insider threats.
- Security monitoring. Continuously monitor network activity and user behavior for any suspicious activity.
- Incident response plan. Have a well-defined incident response plan in place for quickly responding to and handling insider threats.
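As an added illustration of the access-control and monitoring practices above (example code written for this article, not Splunk's or the post's own): a small Python detector that applies a hypothetical role-to-resource map (least privilege) and an after-hours transfer threshold to constructed access-log lines. The role map, threshold, and log format are all assumptions.

```python
"""Toy insider-threat detector: role-based access check plus an after-hours
bulk-transfer threshold, run over constructed access-log lines.
Constructed example; the role map, threshold and log format are assumptions."""
from collections import defaultdict
from datetime import datetime

# Hypothetical least-privilege map: which resources each role may touch
ROLE_ACCESS = {
    "hr": {"payroll", "personnel"},
    "engineer": {"source_repo", "ci"},
    "netadmin": {"router_config", "dns"},
}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time counts as normal
AFTER_HOURS_LIMIT_MB = 200      # flag more than this moved outside business hours

# Constructed log lines: timestamp,user,role,resource,action,bytes
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,hr,payroll,read,2048
2024-03-04T10:05:00,bob,engineer,source_repo,read,5120000
2024-03-04T23:40:00,bob,engineer,source_repo,download,314572800
2024-03-04T11:30:00,carol,netadmin,payroll,read,1024
2024-03-04T14:00:00,alice,hr,personnel,read,4096
"""

def parse_log(text):
    """Turn the CSV-style lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, resource, action, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "resource": resource, "action": action, "bytes": int(nbytes)})
    return events

def detect(events):
    """Return a list of (user, rule, detail) findings."""
    findings = []
    after_hours = defaultdict(int)  # bytes moved per user outside business hours
    for e in events:
        # Rule 1: access to a resource the user's role is not entitled to
        if e["resource"] not in ROLE_ACCESS.get(e["role"], set()):
            findings.append((e["user"], "out_of_role_access", e["resource"]))
        # Rule 2: accumulate transfer volume outside business hours
        if e["ts"].hour not in BUSINESS_HOURS:
            after_hours[e["user"]] += e["bytes"]
    for user, total in after_hours.items():
        if total / (1024 * 1024) > AFTER_HOURS_LIMIT_MB:
            findings.append((user, "after_hours_bulk_transfer", f"{total // (1024 * 1024)} MB"))
    return findings

if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data, carol's read of payroll trips the role check and bob's 300 MB download at 23:40 trips the after-hours threshold; alice's in-role daytime reads produce nothing.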
Minimizing your risk of insider threats
No matter your size or your industry, insider threats pose a significant risk to organizations. Having a better understanding of the types of insider threats, potential consequences, and best practices for mitigating them is crucial in maintaining a secure environment for your organization.
By implementing proper security protocols and employee training, along with continuous monitoring and incident response plans, organizations can better protect themselves against insider threats and minimize the potential damage they can cause.
As technology continues to advance, so do the methods used by insiders to cause harm — whether intentionally or not. Therefore, it is crucial to stay vigilant and proactive in mitigating insider threats to safeguard your organization's sensitive data and reputation.
Let us all strive towards creating a safe and secure digital environment for everyone.
This posting does not necessarily represent Splunk's position, strategies or opinion.