Over the years, several high profile cases of insider data breaches have occurred. Some have been whistle-blowing cases while others have involved corporate or foreign espionage. While you can help prevent insider threats caused by negligence through employee education, malicious threats are trickier to detect. In a webinar we hosted with Forrester, Identifying and Stopping the Insider Threat, Senior Security Analyst Joseph Blankenship discussed the different warning signs of an insider threat.
Malicious insiders tend to have leading indicators. Focus on monitoring employees that display these high-risk behaviors. Here's what to watch out for:
1. Poor Performance Appraisals
An employee might take a poor performance review very sourly. In 2012, Ricky Joe Mitchell, a former network engineer at an energy company, learned that he was going to be fired and intentionally sabotaged his company's computer system, leaving them unable to fully communicate or conduct business operations for about 30 days.
2. Voicing Disagreement with Policies
Someone who is highly vocal about how much they dislike company policies could be a potential insider threat. They may want to get revenge or change policies through extreme measures. Employees have been known to hold network access or company data hostage until they get what they want. In 2008, Terry Childs was charged with hijacking his employers network. He was arrested for refusing to hand over passwords to the network system that he had illegally taken control over.
3. Disagreements with Coworkers
Look out for employees who have angry or even violent disagreements with their coworkers, especially if those disagreements are with their managers or executive staff.
4. Financial Distress
An employee who is under extreme financial distress might decide to sell your organization's sensitive data to outside parties to make up for debt or steal customers' personal information for identity and tax fraud.
5. Unexplained Financial Gain
Watch out for employees who have suspicious financial gain or who begin to buy things they cannot afford on their household income. If someone who normally drives an old, beat-up car to work every day suddenly shows up in a brand new Ferrari, you might want to investigate where the money is coming from, especially if they have access to expensive and sensitive data.
6. Odd Working Hours
Pay attention to employees who normally work 9-5 but start logging in or accessing the network later or outside the usual hours of their peer group without authorization or a true need to work outside of normal hours.
7. Unusual Overseas Travel
Unusual travel to foreign countries could be a sign of corporate or foreign espionage, especially if they are not required to travel for work, are traveling to a country in which they have no relatives or friends, or are going to a place that's not typically a tourist destination. However sometimes travel can be well-disguised. For example, Greg Chung spied for China for nearly 30 years and said he was traveling to China to give lectures. Instead, he was stealing hundreds of thousands of documents from his employer and meeting with Chinese agents. Look for unexpected or frequent travel that is accompanied with the other early indicators.
8. Leaving the Company
Anyone leaving the company could become an insider threat. When someone gives their notice, take a look back at their activity in the past 90 days or so and see if they've done anything unusual or untoward or accessed data they shouldn't have.
Enjoyed this clip? Watch the full webinar here for a 10-step guide on setting up an insider threat detection and response program.
