Marilyn Wilkinson, February 2024

Insider Threats in Cybersecurity: Navigating the Hidden Dangers

Imagine a scenario where the greatest threat to your organization’s security doesn’t lurk in the shadows of the dark web, but walks your corridors every day. This is not a hypothetical situation but a reality faced by a majority of businesses today: a recent study reveals that over half of organizations have fallen victim to insider threats in the past year, with 8% experiencing over 20 incidents.

In this article, we’re going to break down exactly what insider threats are, why they happen, and most importantly, what you can do to stop them.

What Are Insider Threats?

Insider threats are incidents where individuals within an organization misuse their status and access to cause harm. Rather than safeguarding the organization’s assets, they might leak sensitive information, corrupt vital data, grant unauthorized access to dubious third parties, or otherwise sabotage the company.

Insider threats are particularly insidious as they come from individuals trusted by the organization. This includes people like:

  • Current employees with access to company resources
  • Former employees who have somehow managed to retain access rights
  • Contractors or consultants who could misuse their temporary access
  • Business partners or vendors with privileged information and/or system access
  • IT staff with high-level access exploiting their privileges
  • Executives or higher management misusing their comprehensive access

Their privileged access and knowledge of internal systems and procedures allow them to bypass traditional security measures, so they have the potential to unleash significant damage. At this point, you may be wondering, why do they do it?

Why do Insider Threats Happen?

Insider attacks and the motivations behind them are complex. Nonetheless, common reasons behind insider attacks include: 

  • Personal gain and financial motives
  • Revenge—typically a disgruntled employee conspiring against the company
  • Lack of care and attention
  • Lack of awareness of cybersecurity best practices
  • Poor cybersecurity of a third-party vendor 

Three Types of Insider Threats

Not every insider threat is an unhappy employee deliberately plotting against the company. Insider threats can be categorized into three main forms: accidental, negligent, and malicious.

  1. Accidental Insider Threats

These threats are the result of simple ignorance or error. An employee might inadvertently compromise security by falling prey to a phishing scam or clicking a harmful link. Such breaches typically stem from a lack of proper cybersecurity training and policy enforcement.

Example: The CEO of a UK energy provider received a phone call from someone claiming to be his boss from the parent company in Germany. In reality, fraudsters were using AI deepfake software to imitate his voice. The call was so convincing that the CEO transferred $243,000 to a “Hungarian supplier,” later realizing it was a scam.

  2. Negligent Insider Threats

Negligent threats arise when employees knowingly ignore or sidestep security policies—often because it seems quicker and easier at the time. This could be an employee sharing sensitive data over unsecured channels, or using personal devices for work purposes.

Negligent insiders don’t have malicious intent, but they can still cause serious security incidents. According to research by the Ponemon Institute, they are responsible for 56% of all insider attacks.

Example: In August 2022, several Microsoft employees exposed login credentials via Microsoft-owned GitHub. The data would have enabled anyone, including attackers, to access Azure servers and potentially other company systems. 

  3. Malicious Insider Threats

Malicious insider threats are deliberate actions taken by individuals aiming to harm the organization. Motivated by factors like revenge or financial gain, these insiders intentionally leak sensitive information or sabotage systems, causing significant damage.

Example: In 2023, two former Tesla employees leaked the personal data of current and former employees to a German news outlet, Handelsblatt. The leak exposed personal data from over 75,000 people. While the media outlet chose not to publish the stolen data, Tesla was still obligated to report the incident to regulators, resulting in negative press attention and reputational damage. 

How to Detect and Prevent Insider Attacks

As insider attacks are carried out by internal users—oftentimes with high-level access rights—they can be especially damaging. According to IBM research, insider attacks are the most expensive, costing $4.90 million on average, which is 9.5% higher than the average data breach.

They are also challenging to prevent and detect. Nonetheless, there are some things you can (and should!) do to detect and prevent malicious activities from insiders. Let’s run through the main best practices.

Employee Training

With many insider attacks happening as a result of accidental or negligent employee behavior, education to raise awareness of cybersecurity issues is key. At a minimum, employees should be taught how to recognize suspicious behavior (like phishing attacks and social engineering) and the procedures for reporting suspicious behavior—even from other colleagues. 

Comprehensive System Monitoring 

Unusual file activity is a common indicator of insider threats, which is why system monitoring is so important. And with ProLion CryptoSpike, you can trace every change on your central storage system.

ProLion CryptoSpike monitors all activity, establishing baseline behaviors and comparing them to current actions. In the event of suspicious activity, like someone copying, moving or encrypting excessive numbers of files, it immediately blocks the user and notifies the system admin, stopping the attack in its tracks.
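To make the baseline-versus-current idea concrete, here is an added example of the detection logic in plain Python. It is not ProLion or CryptoSpike code; the audit-log format, the user names, the hourly bucketing and the alert thresholds (FACTOR, MIN_ALERT_COUNT) are all assumptions made for the example, and every log line is constructed.

```python
"""
Baseline-versus-current file activity check (added example, not ProLion code).
Audit lines are assumed to look like "<ISO timestamp> <user> <action> <path>".
"""
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed baseline: a normal couple of days for two users (not real data).
BASELINE_LOG = """
2024-02-05T09:02:11 alice READ  /finance/q1/budget.xlsx
2024-02-05T09:15:40 alice WRITE /finance/q1/budget.xlsx
2024-02-05T09:44:03 alice COPY  /finance/q1/budget.xlsx
2024-02-05T10:01:03 alice READ  /finance/q1/forecast.xlsx
2024-02-05T10:30:12 alice COPY  /finance/q1/forecast.xlsx
2024-02-05T11:20:55 bob   READ  /eng/design/spec.docx
2024-02-05T11:21:10 bob   COPY  /eng/design/spec.docx
2024-02-05T14:05:00 bob   WRITE /eng/design/spec.docx
2024-02-06T09:10:00 alice COPY  /finance/q1/budget.xlsx
2024-02-06T15:40:00 bob   COPY  /eng/design/notes.md
""".strip().splitlines()

# Constructed "current hour": bob copies 300 files and then encrypts 40 of them,
# while alice does one ordinary read.
CURRENT_LOG = (
    [f"2024-02-07T13:{i // 60:02d}:{i % 60:02d} bob COPY /eng/design/file{i}.docx"
     for i in range(300)]
    + [f"2024-02-07T13:{50 + i // 60:02d}:{i % 60:02d} bob ENCRYPT /eng/design/file{i}.docx"
       for i in range(40)]
    + ["2024-02-07T13:05:00 alice READ /finance/q1/budget.xlsx"]
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

FACTOR = 10            # alert at 10x the user's own baseline rate for that action ...
MIN_ALERT_COUNT = 50   # ... but never on fewer than 50 events per hour (noise floor)
ALWAYS_SUSPICIOUS = {"ENCRYPT"}   # bulk encryption gets a much lower bar (assumption)
SUSPICIOUS_FLOOR = 10


def parse(lines):
    """Turn raw audit lines into events bucketed by hour; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, path = m.groups()
        events.append({"hour": ts[:13], "user": user, "action": action, "path": path})
    return events


def build_baseline(events):
    """Mean number of events per active hour for each (user, action) pair."""
    per_hour = Counter((e["user"], e["action"], e["hour"]) for e in events)
    buckets = defaultdict(list)
    for (user, action, _hour), n in per_hour.items():
        buckets[(user, action)].append(n)
    return {key: mean(counts) for key, counts in buckets.items()}


def detect(current_events, baseline):
    """Flag (user, action, hour) buckets whose volume is far above the user's baseline."""
    alerts = []
    per_hour = Counter((e["user"], e["action"], e["hour"]) for e in current_events)
    for (user, action, hour), n in sorted(per_hour.items()):
        base = baseline.get((user, action), 0.0)      # unseen action -> baseline 0
        threshold = max(MIN_ALERT_COUNT, FACTOR * base)
        if action in ALWAYS_SUSPICIOUS:
            threshold = min(threshold, SUSPICIOUS_FLOOR)
        if n >= threshold:
            alerts.append({"user": user, "action": action, "hour": hour,
                           "count": n, "baseline": base})
    return alerts


def respond(alerts):
    """Decide which users to block and build one admin notification per alert."""
    blocked = sorted({a["user"] for a in alerts})
    notices = [f"{a['hour']} {a['user']} {a['action']} x{a['count']} "
               f"(baseline {a['baseline']:.1f}/h)" for a in alerts]
    return blocked, notices


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    found = detect(parse(CURRENT_LOG), baseline)
    blocked_users, admin_notices = respond(found)
    print("block:", blocked_users)
    for line in admin_notices:
        print("notify:", line)
```

The per-user baseline is what keeps the rule useful: a backup operator who copies thousands of files every night will not trip the threshold, while the same volume from an engineer who normally touches a handful of files will. Actions with no benign baseline at all, such as bulk encryption, are given a separate, much lower bar.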

Strict Access Controls

Regularly updating and reviewing access privileges ensures employees have only the necessary access rights for their role, reducing the risk of insider threats. 

With DataAnalyzer from ProLion, you can keep track of user permissions and monitor how they change over time. Run reports at the user and file level to see who has access to what, and implement changes where needed. You can also set up periodic reporting to run automatically, so you can spot any strange developments and take action.
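The review described in this section can be expressed as a small reconciliation job: compare what each account actually holds against what its role should grant, flag accounts that have left but still have rights, and diff two periodic snapshots to see what changed. The following is an added example written for this article, not ProLion or DataAnalyzer code; the role model, directory entries, paths and both ACL snapshots are constructed for illustration.

```python
"""
Access-rights review (added example, not ProLion code).
Compares granted permissions with a role model and diffs two snapshots.
"""

# Constructed role model: the (path, permission) pairs each role needs, nothing more.
ROLE_PERMS = {
    "finance-analyst": {("/finance/q1", "read"), ("/finance/q1", "write")},
    "engineer":        {("/eng/design", "read"), ("/eng/design", "write")},
    "contractor":      {("/eng/design", "read")},
}

# Constructed HR directory: role per account; "left" marks an off-boarded person.
DIRECTORY = {
    "alice": {"role": "finance-analyst", "status": "active"},
    "bob":   {"role": "engineer",        "status": "active"},
    "carol": {"role": "contractor",      "status": "left"},
}

# Constructed ACL snapshots: user -> set of (path, permission) actually granted.
SNAPSHOT_JAN = {
    "alice": {("/finance/q1", "read"), ("/finance/q1", "write")},
    "bob":   {("/eng/design", "read"), ("/eng/design", "write")},
    "carol": {("/eng/design", "read")},
}
SNAPSHOT_FEB = {
    "alice": {("/finance/q1", "read"), ("/finance/q1", "write"), ("/eng/design", "read")},
    "bob":   {("/eng/design", "read"), ("/eng/design", "write"), ("/finance/q1", "read")},
    "carol": {("/eng/design", "read"), ("/eng/design", "write")},
}


def review(snapshot, directory, role_perms):
    """User-level report: stale, orphaned and excess permissions, sorted by user."""
    findings = []
    for user, granted in sorted(snapshot.items()):
        entry = directory.get(user)
        if entry is None:
            # Account exists on the storage system but has no HR record at all.
            findings.append((user, "orphaned", sorted(granted)))
            continue
        if entry["status"] != "active":
            # Former employee or contractor who still holds access rights.
            findings.append((user, "stale", sorted(granted)))
            continue
        excess = granted - role_perms.get(entry["role"], set())
        if excess:
            findings.append((user, "excess", sorted(excess)))
    return findings


def diff_snapshots(old, new):
    """Change report between two periodic snapshots: what was added or removed per user."""
    changes = {}
    for user in sorted(set(old) | set(new)):
        before, after = old.get(user, set()), new.get(user, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[user] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


def who_can(snapshot, path, permission):
    """File-level report: which users hold a given permission on a path."""
    return sorted(user for user, granted in snapshot.items() if (path, permission) in granted)


if __name__ == "__main__":
    for finding in review(SNAPSHOT_FEB, DIRECTORY, ROLE_PERMS):
        print("finding:", finding)
    for user, change in diff_snapshots(SNAPSHOT_JAN, SNAPSHOT_FEB).items():
        print("changed:", user, change)
    print("can read /eng/design:", who_can(SNAPSHOT_FEB, "/eng/design", "read"))
```

Running the review on a schedule and keeping each snapshot gives two things the section asks for: a current picture of who has access to what, and a history that shows when a right appeared, so that a permission granted "temporarily" months ago is not quietly still in place.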

Prevent Insider Attacks With ProLion

Insider attacks can strike any organization, no matter how big or small, how strong their cybersecurity team, or how secure their infrastructure. These threats don’t discriminate, hitting even the best-prepared companies. Understanding and preparing for insider threats is crucial. 

ProLion offers tailored solutions to combat these hidden dangers. Talk to an expert to learn more about protecting your company from the inside out.