An insider threat refers to an individual who has been entrusted with access to or knowledge of an organization’s operational components, personnel, physical assets, networks, systems or technology. These individuals may include current or former employees, vendors, suppliers, investors, business partners or other third-party collaborators. Due to their understanding of and unique privileges to such sensitive information and resources, insider threats have the potential to compromise organizations’ most valuable assets and leave them increasingly vulnerable to various cyberattacks (e.g., ransomware incidents and data breaches), regardless of whether these individuals do so intentionally or unintentionally.
Insider threats pose significant cybersecurity risks for businesses of all sizes and sectors, often resulting in serious consequences. Specifically, cyber incidents stemming from insider threats (also known as insider events) can lead to prolonged operational disruptions, widespread data exposure, severe reputational damage and large-scale financial losses.
According to research from the Ponemon Institute, more than 7,300 insider events took place throughout the last 12 months. Further, a recent survey conducted by IT platform Cybersecurity Insiders found that the average insider event costs over $755,000. What’s worse, these incidents are on the rise, and the Ponemon Institute revealed that insider events have skyrocketed by 40% over the past four years, with the average event taking nearly three months (86 days) to contain.
Considering these findings, organizations across industry lines must take insider threats seriously and bolster their cybersecurity policies and procedures. That’s where this resource can help. The following guide provides information on different types of insider threats and key motivations among these individuals, outlines best practices for assessing insider threat risks, offers tips for minimizing insider threat events and losses, and highlights legal and compliance considerations associated with handling such threats. This resource also contains an appendix featuring several case studies and a checklist to help businesses better understand insider threats and deploy effective mitigation techniques. By utilizing this guide, organizations can equip themselves with the information needed to combat insider threats and reduce potential losses if related incidents occur.
This guide is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Businesses should contact legal counsel or an insurance professional for appropriate advice. Reach out to Wells Insurance today for further risk management guidance and insurance solutions.
There are three main types of insider threats: negligent employees, malicious insiders and third-party collaborators. Here’s a breakdown of these threats:
1. Negligent employees — This type of insider threat consists of uneducated or careless employees who unintentionally expose an organization’s information and assets to unauthorized parties. Negligent employees may lack the experience, awareness or attentiveness necessary to identify possible security exposures, making them more error-prone or easily manipulated by cybercriminals’ tactics. These individuals represent the most prevalent type of insider threat. In fact, multinational technology corporation IBM confirmed that human error is a contributing factor in nearly all (95%) of recorded cyber incidents.
As a whole, the Ponemon Institute reported that negligent employees are the cause of more than half (55%) of all insider events.
Common insider threat scenarios involving negligent employees include the following:
2. Malicious insiders — Unlike negligent employees, malicious insiders’ actions are intentional. That is, these individuals—usually current or former employees—knowingly abuse their knowledge of or access to an organization’s information and assets to participate in harmful activities. Malicious insiders are often motivated to engage in such activities for their own financial or professional gain or to incite “revenge” on the target company for its perceived wrongdoings. Some malicious insiders may even possess a false ideology that makes them want to carry out harmful actions for attention or causes them to believe that attacking an organization is necessary for the public good. According to the Ponemon Institute, one-quarter of insider events stem from malicious insiders. Some insider threat scenarios involving malicious insiders include the following:
3. Third-party collaborators — This type of insider threat pertains to individuals who are not formal members of an organization, but have still been provided with private details of or some security clearance to certain company data and resources, such as suppliers, vendors or other contractors. Although their access to organizational information and assets may be limited, it could still be leveraged to cause widespread disruption and damage, thus posing substantial cyber risks and leaving the door open for major losses. Insider events arising from third-party collaborators could be negligent (e.g., a supplier forgetting to install security patches on organizational technology and leaving external networks more susceptible to infiltration) or malicious (e.g., a vendor abusing their login credentials to steal company funds).
Before organizations can implement steps to mitigate insider threats, they must first conduct risk assessments. In particular, it’s imperative for a company to analyze and document its unique insider threat exposures and outline the potential ramifications that may result from insider incidents, ultimately making it easier to determine necessary risk management measures. After all, different industries and operations face varying exposures, largely based on their technological vulnerabilities and the types of information and assets they possess.
While businesses across all sectors face insider threats, certain industries are more likely to experience increasingly frequent and severe insider events. According to the Ponemon Institute, the following sectors have recorded the largest losses due to insider threats during the past 12 months:
In light of these findings, organizations operating within such sectors should be especially aware of their insider threat exposures and carefully evaluate their heightened loss potential. Regardless of industry, all organizations should consider which categories of their data and resources could be deemed attractive to cybercriminals and, therefore, more susceptible to being targeted amid insider events.
Also known as critical assets, this generally includes any protected information or items that—if damaged, modified or otherwise diminished in value—would no longer be private or properly accessible to the affected organization and, consequently, severely impact the organization’s ability to uphold its essential operations, services and business functions.
Although critical assets differ between organizations, the Ponemon Institute identified the following data and resources as the most vulnerable to insider threats:
In addition to identifying critical assets, organizations should assess whether any aspects of their operations could carry digital vulnerabilities and provide avenues for exploitation, thus paving the way for insider threats. Key examples of these vulnerabilities include outdated systems; unpatched software; unsegmented networks; minimal layers of authentication or access controls; untrained, inexperienced or overworked employees; unencrypted data; a lack of secure backup locations for crucial files and records; and poor security awareness and related policies among third-party collaborators.
Like other cybersecurity risks, insider threats are constantly shifting and evolving. As a result, conducting risk assessments shouldn’t be a one-time occurrence. Rather, organizations should regularly reassess their insider threat exposures, making updates and adjustments as needed.
There are several measures that organizations can establish to help mitigate insider threats and keep related losses to a minimum. Here are some best practices for companies to consider.
First and foremost, organizations should be aware of the key signs that may allude to the presence of an insider threat. Common indicators of insider threats include the following:
Background indicators — These indicators refer to experiences or events that occur prior to an individual being hired by an organization or otherwise gaining access to its information and assets. Background indicators usually can’t be easily observed by company leaders, HR professionals or co-workers. Rather, such indicators may be detected amid mandated pre-employment background checks or through in-depth professional screenings. Still, it’s worth noting that some people may still withhold this information even when they are required to disclose it, thus making it more difficult to identify these individuals as potential insider threats. Examples of background indicators include having a history of criminal behavior, short-term employment, mental health concerns or addiction issues (e.g., substance abuse, excessive spending or gambling); being involved with groups or individuals who oppose an organization’s core values; engaging in activities that could be considered conflicts of interest; conducting troubling business transactions; and joining untrustworthy social or professional networks.
Personal indicators — Such indicators consist of both predispositional attributes and personal stressors that may cause tension in an individual’s life or impact their sense of judgment and self-control, ultimately leading them to be more likely to participate (whether willingly or unwillingly) in insider events. Personal indicators may be detected before an individual joins an organization or arise throughout their employment or professional services. Examples of these indicators include psychiatric or medical conditions; aggressive, compulsive, narcissistic or violent behavior; criminal conduct, legal problems or workplace violations; family struggles (e.g., death or divorce); growing financial challenges; and negative professional developments (e.g., demotions, transfers, contract disputes, conflicts with management or coworkers, disagreements related to intellectual property rights, poor performance reviews, or termination). In some cases, personal indicators may even stem from positive career changes (e.g., promotions or unexpected opportunities), as these events can still cause additional stress. These indicators play one of the most substantial roles in identifying insider threats. According to recent research from Cybersecurity Insiders, the vast majority (88%) of security professionals confirmed it’s necessary to consider personal indicators when detecting high-risk insiders.
Behavioral indicators — These indicators refer to patterns of behavior that differ from someone’s typical interactions and activities within work settings, therefore creating cause for concern and increasing the risk of the individual being involved in insider events. Behavioral indicators can be clearly identified by establishing a baseline for an individual’s usual actions amid their employment or professional services and detecting when these actions suddenly shift. Examples of these indicators include no longer being willing to comply with company policies or security protocols; carelessly breaching organizational rules; acting erratically or impulsively; working irregular hours or extended shifts without authorization; using company equipment without permission or bringing personal devices into high-security locations; taking unannounced time off; being hostile to co-workers or starting unnecessary arguments; withdrawing from social situations; making inappropriate jokes or statements; communicating with unapproved contacts (e.g., business competitors); and openly expressing resentment toward work responsibilities, discussing switching roles or resigning from the organization.
Technical indicators — Similar to behavioral indicators, technical indicators consist of abnormal actions that an individual engages in across an organization’s systems, networks or technology. These indicators can also be detected by establishing a baseline of an individual’s usual technical habits and observing any unexplained changes in these activities. Most organizations that watch for technical indicators do so with monitoring and scanning tools. This technology can help record and send alerts regarding suspicious actions that take place on company devices and within core IT infrastructure. Examples of technical indicators include sending emails with large attachments or vast amounts of data; leveraging unauthorized devices; connecting to prohibited networks or restricted systems; engaging in dark web activities; launching malware, viruses or other harmful software; trying to bypass network security controls, deploy masking tools or escalate user privileges; attempting to modify or copy protected files; operating organizational technology outside of normal working hours; connecting to an account from various locations or opening several accounts for a single user; trying to erase network logs; and sharing private company information or otherwise acting irresponsibly across professional platforms and social media.
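The baseline-and-deviation approach described above, as an added illustration that is not part of the original guide: the script learns each user's usual hours and locations from an early period of a constructed audit log, then flags later events that match four of the technical indicators listed (off-hours activity, one account connecting from several locations, attempts to erase logs, and large outbound email attachments). The log format, user names, locations and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): timestamp user location action detail
SAMPLE_LOG = """\
2023-05-01T09:12:00 alice NYC login -
2023-05-01T17:45:00 alice NYC logout -
2023-05-02T08:58:00 alice NYC login -
2023-05-02T18:02:00 alice NYC logout -
2023-05-03T02:14:00 alice Berlin login -
2023-05-03T02:20:00 alice NYC login -
2023-05-03T02:31:00 alice Berlin delete_logs /var/log/auth.log
2023-05-01T10:00:00 bob Austin login -
2023-05-02T10:30:00 bob Austin email_send 250000
2023-05-03T11:05:00 bob Austin email_send 52000000
"""

LARGE_ATTACHMENT_BYTES = 10_000_000  # assumed threshold for a "large attachment"
TRAVEL_WINDOW = timedelta(hours=1)   # assumed window for "several locations"

def parse_log(text):
    """Parse the constructed log into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        ts, user, loc, action, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "loc": loc, "action": action, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def build_baseline(events, cutoff):
    """Learn each user's usual hours and locations from events before cutoff."""
    base = defaultdict(lambda: {"hours": set(), "locs": set()})
    for e in events:
        if e["ts"] < cutoff:
            base[e["user"]]["hours"].add(e["ts"].hour)
            base[e["user"]]["locs"].add(e["loc"])
    return base

def detect(events, baseline, cutoff):
    """Return (user, indicator, iso_timestamp) for events at/after cutoff
    that deviate from the baseline or match a known-bad action."""
    alerts, last_login = [], {}  # last_login: user -> (ts, loc)
    for e in events:
        user, ts, when = e["user"], e["ts"], e["ts"].isoformat()
        if e["action"] == "login":
            prev = last_login.get(user)
            # One account active from two locations within the window
            if prev and prev[1] != e["loc"] and ts - prev[0] <= TRAVEL_WINDOW and ts >= cutoff:
                alerts.append((user, "multiple_locations", when))
            last_login[user] = (ts, e["loc"])
        if ts < cutoff:
            continue  # baseline period: learn only, do not alert
        b = baseline.get(user)
        if b and b["hours"] and not min(b["hours"]) - 1 <= ts.hour <= max(b["hours"]) + 1:
            alerts.append((user, "off_hours", when))
        if b and e["loc"] not in b["locs"]:
            alerts.append((user, "new_location", when))
        if e["action"] == "delete_logs":
            alerts.append((user, "log_tampering", when))
        if e["action"] == "email_send" and int(e["detail"]) > LARGE_ATTACHMENT_BYTES:
            alerts.append((user, "large_attachment", when))
    return alerts

def run_sample():
    """Baseline on the first two days of the sample log, then score day three."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2023, 5, 3)
    return detect(events, build_baseline(events, cutoff), cutoff)
```

In practice the per-user baseline would be learned over weeks rather than two days, and each alert would be reviewed by a person rather than acted on automatically.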
Environmental indicators — Such indicators refer to organizational factors or workplace characteristics that may limit an individual’s ability to respond appropriately to company security issues or serve as the “final straw” in motivating a malicious insider to execute an attack and justify their poor choices. Environmental indicators are largely established based on a company’s policies, procedures and cultural practices. In other words, a toxic work environment or unsupportive organizational culture may push an individual toward becoming an insider threat. Examples of these indicators include a lack of employee awareness or understanding of cybersecurity risks; toxic leadership measures (e.g., inappropriate disciplinary actions, inconsistent enforcement of organizational protocols, inaction following reports of workplace issues or grievances, indifference to complaints of mistreatment, minimal employee appreciation efforts and little transparency); aggressive reactions to threat notifications; a perceived tolerance of overworking and poor company performance; elevated financial or contractual uncertainty; and limited documentation of risk management processes.
By cultivating a positive company culture that values security and trust, organizations can promote adequate awareness of insider threats and ensure their employees and third-party collaborators stay vigilant in mitigating related exposures and losses. When individuals feel properly supported and respected by an organization, they are more likely to act in the company’s best interests, take accountability for understanding potential risks and come forward upon noticing suspicious activities.
Creating such a culture starts with the hiring process. This means that, when considering potential job candidates, companies should be sure to utilize adequate vetting protocols to help catch background indicators of insider threats and communicate to these individuals early on that security is a top organizational priority. Effective vetting protocols may include conducting interviews, performing character assessments or screenings, asking for multiple professional references and issuing background checks.
Another integral aspect of fostering a strong security culture centers around providing employees with regular education and training. Employees are widely considered an organization’s first line of defense against cyberattacks, which means the way they respond to insider threats can make all the difference in stopping incidents before they can progress into large-scale losses. As such, employee education and training should focus on the following key topics:
Even with employee education and training initiatives in place, organizations may fail to create an effective security culture if they can’t convince their workforce or senior leaders to take these measures seriously.
These issues may stem from staff and company executives upholding the outdated mindset that the IT department is solely responsible for ensuring organizational security or a lack of understanding regarding the rising severity of cyber exposures. With these concerns in mind, here are some measures that organizations can utilize to maintain a thriving security culture and keep insider threats at bay:
As a rule of thumb, it’s best for organizations to only provide employees and third-party collaborators with access to the systems, networks, data, technology and other organizational resources that are absolutely necessary for performing their key job functions. This concept, commonly known as the principle of least privilege (POLP), can help businesses minimize the risk of an insider threat obtaining access to all company information and assets upon exploiting or otherwise compromising an individual account, thereby limiting the resources available to misuse in an insider event.
There are several POLP-related policies and procedures that organizations can utilize to promote adequate access controls and reduce the likelihood of insider threats causing widespread damage across critical IT infrastructure, including the following:
With adequate threat monitoring and detection solutions in place, organizations can better identify unusual and potentially harmful activities throughout their networks, systems and technology, thus allowing them to respond as quickly as possible amid insider events and limit associated losses. Here are some solutions for companies to consider:
Because confidential company information is commonly targeted during insider events, organizations need to ensure sufficient data safeguards. By keeping sensitive data secure, businesses can make it increasingly difficult for cybercriminals to access this information and use it against them amid insider events. When adopting data safeguards, businesses should first review their organizational information and divide it into distinct categories. Such categories should be based on overall sensitivity and level of importance. For example, an organization might classify corporate financial data and employees’ or customers’ PII as its most sensitive information. In contrast, data already accessible to the general public (e.g., data stored within public archives) would be deemed significantly less valuable.
Upon categorizing their data, organizations can implement varying types of safeguards, with the most sensitive information receiving the greatest protective measures. Potential data safeguards for companies to consider include:
If an insider event is suspected or detected, businesses need to have dedicated cyber incident response plans in place that outline steps to ensure timely remediation and keep damages to a minimum. These response plans should address a variety of possible attack scenarios and be communicated to all applicable parties. Both the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have resources available to help businesses create such plans. At a glance, a solid response plan should outline the following:
It’s not enough for businesses to simply create cyber incident response plans. Rather, they should routinely assess these plans for ongoing security gaps and make changes as needed to ensure maximum protection against insider threats.
Common assessment techniques include the following:
Since insider threats can shift and evolve, organizations’ associated mitigation measures should follow suit. That is, businesses should be sure to regularly assess their insider threat prevention and response policies and procedures and make improvements whenever necessary, such as when risks change (e.g., upon hiring new employees, entering new contracts with third-party collaborators, making operational adjustments, storing additional data, acquiring more company assets or implementing new workplace technology) or after insider events occur.
As it pertains to making updates to company policies and procedures following insider events, it’s important for businesses to conduct post-incident analyses. In particular, these analyses should focus on where events originated; how they were detected (as well as how quickly such detection occurred); how effective incident response plans were in handling these events; and the different technical, operational and financial impacts of such events. Depending on an event’s origin and the overall damages, it may also be worthwhile to evaluate whether employee training (or lack thereof), software vulnerabilities or data encryption and backup failures played a role in the incident.
Based on the results of these post-incident analyses, organizations should point out their cybersecurity weaknesses and make an effort to fill possible gaps with bolstered defenses. Doing so is critical to help prevent future insider events and minimize associated damages. Necessary adjustments may include modifying cyber incident response plans, enhancing employee training, updating or introducing new software, improving data backup and encryption protocols, and implementing stricter security policies.
Although having effective insider threat mitigation measures in place is vital for any organization, there are several legal and compliance considerations to keep in mind. Specifically, companies should ensure their mitigation strategies meet the data collection, processing and breach response requirements outlined within all applicable state, federal and international privacy laws. Key examples of such legislation include the following:
Altogether, companies can help ensure their insider threat mitigation measures remain compliant with applicable legislation by routinely reviewing these five data protection principles:
Moreover, organizations should remember that legal and compliance requirements may differ between industries and jurisdictions. As such, it’s best for companies to consult trusted legal counsel to determine their particular compliance needs.
Insider threats have become a pressing concern for all organizations, regardless of size or industry. With these incidents on the rise, businesses simply can’t afford to ignore their insider threat exposures. Nonetheless, by implementing effective mitigation measures, businesses can not only limit their likelihood of experiencing insider events but also reduce possible losses when incidents arise.
Above all, organizations should take note that they don’t have to navigate and address their insider threat exposures alone. Instead, they can seek assistance and supplement their existing resources with guidance from a wide range of trusted external parties, including insurance professionals, legal counsel, cybersecurity firms, law enforcement and government agencies (e.g., CISA and NIST).
Further, it’s crucial for organizations to purchase adequate cyber insurance to secure ample financial protection against potential losses that may arise from insider threats. Businesses should consult trusted insurance professionals to discuss their specific coverage needs. For more information, contact Wells Insurance today.
This Risk Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2023 Zywave, Inc. All rights reserved. Used with permission.