Insider threat defined in Data Protection 101, our series on the fundamentals of data security.
A Definition of Insider Threat
An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.
Contractors, business associates, and other individuals or third-party entities who have knowledge of an organization’s security practices or confidential information, or who have access to protected networks or databases, also fall under the umbrella of insider threat. An insider threat may also be described as a threat that cannot be prevented by traditional security measures, since those measures focus on blocking unauthorized access from outside the organization and defending against conventional hacking methods.
Types of Insider Threats
Insider threats occur for a variety of reasons. In some cases, individuals use their access to sensitive information for personal or financial gain. In others, insiders have aligned themselves with third parties, such as other organizations or hacking groups, and operate on their behalf to gain access from within the network of trust and share proprietary or sensitive information.
Another type of insider threat is often referred to as a Logic Bomb. In this instance, malicious software is left running on computer systems by former employees, which can cause problems ranging from a mild annoyance to complete disaster.
Insider threats can be intentional or unintentional, and the term can also refer to an individual who gains insider access using false credentials but who is not a true employee or officer of the organization.
Insider Threats are Tricky to Detect
Insider threats are often more difficult to identify and block than outside attacks. For instance, a former employee using an authorized login won’t raise the same security flags as an outside attempt to gain access to a company’s network. For this reason, insider threats are not always detected before access is granted or damage is done.
Insider threats often begin with an individual or entity being given authorized access to sensitive data or areas of a company’s network. This access is granted in order to enable the individual to perform specific job duties or fulfill a contractual obligation. But when an individual makes the decision to use this access in ways other than intended – abusing privileges with malicious intent towards the organization – that individual becomes an insider threat.
Several other factors make insider threats more difficult to detect. For one, many individuals with authorized access are also aware of the specific security measures they must circumvent in order to avoid detection. Insider threats also don’t have to get around firewalls or other network-based security measures, since they are already operating from within the network. Finally, many organizations simply lack the visibility into user access and data activity that is required to detect and defend against insider threats.
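The two detection gaps described above, a still-valid login used by someone who has already left and a lack of visibility into data activity, can be narrowed by correlating access logs with the HR roster and with each user's own baseline. The following is an added example, not code from the original article; the roster, log lines, baselines, field names and the spike threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed HR roster: username -> termination date (None means current staff).
ROSTER = {"alice": None, "bob": date(2024, 3, 1), "carol": None}

# Assumed per-user typical daily count of sensitive records read (from history).
BASELINE = {"alice": 40, "bob": 40, "carol": 35}

# Constructed access-log lines: date, user, action, number of records touched.
ACCESS_LOG = """\
2024-03-04 alice read_customer_records 40
2024-03-04 bob   login_success 0
2024-03-04 bob   read_customer_records 1200
2024-03-04 carol read_customer_records 35
2024-03-05 carol read_customer_records 900
2024-03-05 alice read_customer_records 45
"""


def parse_log(text):
    """Turn the whitespace-separated log into (date, user, action, count)."""
    events = []
    for line in text.splitlines():
        day, user, action, count = line.split()
        events.append((date.fromisoformat(day), user, action, int(count)))
    return events


def find_insider_signals(events, roster, baseline, spike_factor=10):
    """Return sorted (user, iso_date, reason) tuples for two signals:
    any activity by an account whose owner has left, and a day on which a
    user read at least spike_factor times their baseline volume of records."""
    findings = set()
    daily = defaultdict(int)
    for day, user, action, count in events:
        left = roster.get(user)
        if left is not None and day >= left:
            findings.add((user, day.isoformat(), "activity after termination date"))
        if action == "read_customer_records":
            daily[(user, day)] += count
    for (user, day), total in daily.items():
        typical = baseline.get(user)
        if typical and total >= spike_factor * typical:
            findings.add((user, day.isoformat(),
                          f"read {total} records vs baseline {typical}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, day, reason in find_insider_signals(parse_log(ACCESS_LOG), ROSTER, BASELINE):
        print(f"{day} {user}: {reason}")
```

Both checks are cheap because they use data most organizations already hold; the harder operational step is keeping the roster feed current so that the offboarding gap is measured in hours rather than months.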
Insider Threats Exist Everywhere
Even the U.S. Government is subject to insider threats, which can be particularly dangerous to the nation’s security. In fact, the National Counterintelligence and Security Center points out that, “Over the past century, the most damaging U.S. counterintelligence failures were perpetrated by a trusted insider with ulterior motives.”
Often, warning signs are present but go unreported for years because colleagues of these individuals are unwilling or hesitant to accept the idea that a trusted co-worker could be engaged in treason. Insiders convicted of espionage have often been active for years prior to being caught, creating enormous security risks for the country.
These same scenarios are present when insider threats occur within private enterprises and organizations. Businesses are built on teams and require counterparts to trust and support one another, making it difficult for colleagues to acknowledge warning signs and red flags when they are present. This further complicates the challenges that exist in successfully defending against insider threats. Despite these challenges, addressing insider threats to sensitive data is a critical component of any modern security program.