An insider threat is a cyber security risk that comes from the internal network of an organization. It occurs when an employee (current or former, contractor or partner) with legitimate access misuses that access to damage the organization’s network, systems or data. An insider may act intentionally or unintentionally. The result is compromised confidentiality, availability, and integrity of enterprise systems or data.
Most data breaches are caused by insiders. Traditional cybersecurity policies often focus on external threats, leaving the company vulnerable to attacks from inside. The insider already has authorization to systems, so it is difficult for security officers to identify malicious intent.
The goals of a malicious insider include intellectual property theft and fraud. They intentionally abuse the privileged access they have to leak information for malicious reasons.
Negligent insiders act inadvertently, through human error or as victims of social engineering.
An outsider has gained insider access to the organization. They may be a vendor, partner, or contractor.
Most threat intelligence applications analyze network and application data, checking the behavior of authorized persons who could misuse their access. To defend against insider threats, companies analyze anomalous behavior and general network activity.
Identify your organization's critical assets. These are networks, systems, data, facilities and people. Understand each critical asset, and rank them.
There are many different systems that can analyze and alert on incidents from insider threats. These tools work by creating a baseline of normal behavior for entities; deviations from that baseline can then be flagged and investigated.
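An added example, not from the original article, of the baseline-then-deviation approach described above: it builds a per-user baseline from constructed daily activity values and flags observations far from it, or with no usable baseline. The metric names, the 3.5 threshold, the five-day minimum history and the spread floor are assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (user, metric, daily value); not from any real system.
HISTORY = (
    [("alice", "mb_downloaded", v) for v in (120, 95, 130, 110, 105, 125, 115)]
    + [("bob", "mb_downloaded", v) for v in (40, 40, 40, 40, 40, 40, 40)]
    + [("alice", "after_hours_logins", v) for v in (0, 1, 0, 0, 1, 0, 0)]
    + [("carol", "mb_downloaded", v) for v in (300, 280)]  # short history
)
TODAY = [
    ("alice", "mb_downloaded", 4200), ("alice", "after_hours_logins", 1),
    ("bob", "mb_downloaded", 42), ("carol", "mb_downloaded", 900),
]

def build_baseline(events):
    """Group historical daily values per (user, metric) entity."""
    baseline = defaultdict(list)
    for user, metric, value in events:
        baseline[(user, metric)].append(value)
    return baseline

def deviation_score(values, observed, min_days=5):
    """Modified z-score (median/MAD); None when history is too short to trust."""
    if len(values) < min_days:
        return None
    med = median(values)
    mad = median([abs(v - med) for v in values])
    # Floor the spread so a perfectly constant baseline neither divides by zero
    # nor turns a tiny change into an alert (floor values are assumptions).
    spread = max(mad, 0.05 * abs(med), 1.0)
    return 0.6745 * (observed - med) / spread

def flag_deviations(baseline, today, threshold=3.5):
    """Return (user, metric, value, reason) for events worth investigating."""
    alerts = []
    for user, metric, value in today:
        score = deviation_score(baseline.get((user, metric), []), value)
        if score is None:
            alerts.append((user, metric, value, "no_baseline"))
        elif score > threshold:
            alerts.append((user, metric, value, f"score={score:.1f}"))
    return alerts

if __name__ == "__main__":
    for alert in flag_deviations(build_baseline(HISTORY), TODAY):
        print(alert)
```

Median and MAD are used instead of mean and standard deviation so that one earlier spike in a user's history does not inflate the baseline and hide later ones.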
Security officers should deploy systems that monitor user activity and correlate information from multiple sources. This information would then be sent to other security solutions to identify and prevent the attack.
Define the organization's security policies. Employees, contractors, vendors or partners should recognize their responsibility to not give privileged information to unauthorized parties.
Detecting insider threats is important, but educating users on cyber and information security is more proactive and less expensive. Driving a security-aware culture change alongside digital transformation is the key.
Mitigating insider threats requires a strategy that involves a wide range of stakeholders and operational areas. As the workplace becomes more complex and insider threats become more difficult to detect, the actions and techniques must be more comprehensive, smarter and capable of adjusting to new threats. Having too many security controls is not the proposed solution. Insider threat programs should focus on the balance between defending against the threat and accomplishing the organization’s business objectives. The goal is to detect anomalies as early as possible and investigate alerts in order to interrupt potential insider threats before assets or data are compromised.