The term "insider threat" refers to the potential for an insider at an organization, such as an employee or contractor, to maliciously cause harm to company-owned or company-confidential data or systems. In recent years, the term has expanded to include third parties, such as suppliers, partners, or other outside organizations that have legitimate knowledge of and access to networks, applications, and data.
According to the 2015 Vormetric Insider Threat Report, companies are concerned about the risk insiders pose to the organization's information. Broken down by job type, security professionals are most worried about the damage that privileged users and contractors or service providers (those with the most access) could cause.
Insider threats, while less commonly reported than attacks by external parties, can be even more devastating in their consequences because authorized system credentials and access allow the perpetrator to remain undetected for long periods of time. Insiders can more easily abuse privileges and permissions (especially admins or other IT staff with higher levels of access), and they are able to avoid the challenges of navigating firewalls or other network-based security measures that normally raise red flags when an attacker attempts to gain unauthorized access.
Insiders typically have different motivations for data theft or abuse. Current or ex-employees might feel disgruntled and want to seek revenge on the organization. They might be looking for ways to "get ahead" and may use their access to obtain information that could help them do so. These scenarios could lead to intentional fraud, sabotage, or intellectual property (IP) theft.
Accidental insider threats are also common: an employee may lose a laptop that contains sensitive data; she might transfer work documents to a USB drive that, in turn, is lost or stolen; the USB drive itself might be (unbeknownst to the user) infected with malware. When the act is inadvertent, the result is more often a data leak or data loss.
Whether the threat is accidental or intentional, security and operations teams should be on the lookout for suspicious behavior and anomalous activity. Some of the ways teams can prevent or mitigate damage from a malicious insider include:
• Apply the principle of least privilege
• Enable enhanced auditing and monitoring of privileged users
• Institute separation of duties
• Encrypt sensitive data
• Implement, document, and enforce strict data usage policies
• Automate change controls, when possible
• Offer regular security training and awareness
• Regularly audit password change policies
• Continuously monitor and correlate logs
• Evaluate removable media policies
• Establish a baseline of normal employee behavior
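Three of the controls above (enhanced monitoring of privileged users, continuous log correlation, and a baseline of normal behavior) fit together in practice. The following Python script is an added example, not code from the original article or from Vormetric: it builds a per-user baseline from a constructed set of audit records (user names, resources, timestamps and byte counts are all made up) and then flags new events that depart from that user's own history, such as a privileged account active at an unusual hour, a first-time touch of a resource, an abnormal read volume, or an account with no history at all.

```python
import statistics
from datetime import datetime
# Constructed audit records (not real data): timestamp user role resource bytes_read
BASELINE_LOG = """\
2015-03-02T09:12:00 alice admin hr-db 1200
2015-03-02T10:40:00 alice admin hr-db 900
2015-03-03T14:20:00 alice admin hr-db 1500
2015-03-02T09:30:00 bob user wiki 200
2015-03-03T10:45:00 bob user wiki 250"""
NEW_LOG = """\
2015-03-05T10:00:00 alice admin hr-db 1250
2015-03-05T02:15:00 alice admin hr-db 48000
2015-03-05T10:30:00 bob user hr-db 220
2015-03-05T11:00:00 carol user wiki 300"""

def parse(log):
    rows = (line.split() for line in log.splitlines())
    return [{"ts": datetime.fromisoformat(t), "user": u, "role": r, "resource": res,
             "bytes": int(b)} for t, u, r, res, b in rows]

def build_baseline(events):
    """Per-user profile: resources normally touched, hours seen, byte-volume stats."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    baseline = {}
    for user, evs in by_user.items():
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {"resources": {e["resource"] for e in evs},
                          "hours": {e["ts"].hour for e in evs},
                          "mean": statistics.mean(sizes),
                          "stdev": statistics.pstdev(sizes) or 1.0}  # avoid divide-by-zero
    return baseline

def detect(events, baseline, z_threshold=3.0):
    """Return (event, reasons) for events that deviate from that user's own baseline."""
    findings = []
    for e in events:
        prof, reasons = baseline.get(e["user"]), []
        if prof is None:  # account with no history: nothing to compare, so surface it
            reasons.append("no baseline for user")
        else:
            if e["resource"] not in prof["resources"]:
                reasons.append("first access to resource")
            if e["role"] == "admin" and e["ts"].hour not in prof["hours"]:
                reasons.append("privileged user active outside usual hours")
            z = (e["bytes"] - prof["mean"]) / prof["stdev"]
            if z > z_threshold:
                reasons.append(f"volume z-score {z:.1f}")
        if reasons: findings.append((e, reasons))
    return findings
```

With such a small baseline the z-score is only illustrative; in a real deployment the profile would be built over weeks of records and the thresholds tuned per role.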