What Is an Insider Threat? Definition, Types, and Prevention | Fortinet (2024)

An insider threat is a type of cyberattack originating from an individual who works for an organization or has authorized access to its networks or systems. An insider threat could be a current or former employee, consultant, board member, or business partner and could be intentional, unintentional, or malicious.

Typically, an insider threat in cybersecurity refers to an individual using their authorized access to an organization’s data and resources to harm the company’s equipment, information, networks, and systems. It includes corruption, espionage, degradation of resources, sabotage, terrorism, and unauthorized information disclosure. It can also be a starting point for cyber criminals to launchmalwareorransomware attacks.

Insider threats are increasingly costly for organizations. The Ponemon Institute’s2020 Cost of Insider Threatsresearch found that this form of attack cost an average of $11.45 million and that 63% of insider threats result from employee negligence.

An unintentional insider threat involves data being lost or stolen as a result of employee error or negligence. Accidental unintentional insider threats occur due to human error and individuals making a mistake that leads todata leakage, a security attack, or stolen credentials. Accidental data leaks include sending business information to the wrong email address, mistakenly clicking on malicious hyperlinks or opening malicious attachments inphishingemails, or failing to delete or dispose of sensitive information effectively. These threats can often be avoided by following security best practices.

A negligent unintentional insider threat occurs through carelessness that leads to exposing an organization to a threat. For example, ignoring security and IT policies, misplacing portable storage devices, using weak passwords, and ignoring software updates or security patches can leave organizations vulnerable to a cyberattack.

A malicious threat is a form of intentional insider threat that intends to cause harm either for personal benefit or as an act of vengeance.

Malicious insider threats aim to leak sensitive data, harass company directors, sabotage corporate equipment and systems, or steal data to try and advance their careers. Many of these malicious threatsare financially motivated, as employees steal corporate data to sell to hackers, third-party organizations, or rival companies.

A collusive threat is a type of malicious insider, in which one or more insider threat individuals work with an external partner to compromise their organization. Collusive insider threats often involve a cyber criminal recruiting an employee to steal intellectual property on their behalf for financial gain.

Insider threat individuals are typically split into two types of actors:

1. Pawns:Pawns are company employees manipulated into carrying out malicious activity, such as disclosing their user credentials or downloading malware. Pawns are often targeted by attackers throughsocial engineeringorspear-phishingcampaigns.
2. Turncloaks:A turncloak is an employee who actively turns on their employer. Turncloaks often act to gain financially or to cause harm to an organization. However, turncloaks also include whistleblowers, who serve to bring public attention to the failings of their employer.

Additional insider threat individuals include:

1. Collaborators:A collaborator is an employee who collaborates with a cyber criminal and uses their authorized access to steal sensitive data, such as customer information or intellectual property. Collaborators are typically financially motivated or reveal information to disrupt business operations.
2. Goofs:A goof is an employee who believes they are exempt from their organization’s security policies and bypasses them. Whether through convenience or incompetence, goofs’ actions result in data and resources going unsecured, which gives attackers easy access.
3. Lone wolf:Lone-wolf attackers work alone to hack organizations or seek out vulnerabilities in code and software. They often seek to gain elevated levels of privilege, such as database or system administrator account passwords, that enable them to gain access to more sensitive information.

When an insider attacks, they sometimes need to hack security systems or set up hardware or software infrastructure to make it easier for them or others to access your system. By knowing how to identify the tactics and tools they use to do this, you can spot the attack and take steps to mitigate it. Here are some telltale signs:

1. Backdoors that enable access to data: To find backdoors, perform a backdoor file scan or monitor your system for external requests from hackers who may be trying to use the backdoor.
2. Hardware or software that enables remote access: Look out for instances of remote access software, such as TeamViewer or AnyDesk, and check for physical servers installed around your campus, such as Synology devices.
3. Changed passwords: Any time a user’s old password does not work and they feel it may have been changed, check to see if this is true. It could have been an inside attacker changing it to enable them access to the resources that the user has rights to.
4. Unauthorized changes to firewalls and antivirus tools: Any time the settings of a firewall or antivirus change, it could be the result of an inside attacker trying to pave an easy path to your system.
5. Malware: If you discover malware, it is best to investigate when and where it was installed. It could have been put there by an insider.
6. Unauthorized software: When unauthorized software gets installed, this should always raise a red flag. In many cases, the software may look innocent, but it could be a Trojanhorse virus, which contains hidden malware.
7. Access attempts to servers or devices with sensitive data: Any time someone tries to access a sensitive area of your network, this could be an insider threat, particularly because you often need credentials issued by the organization to do so.

There are two basic types of insider threats in cybersecurity: malicious and negligent. As mentioned at the outset, not all threats are intentional and may be due to negligent or careless decisions, but they still fit the insider threat definition because they come from within the organization. Malicious attacks, on the other hand, are often carefully planned, executed, and concealed.

Here are some insider threat examples that involve a mix of malicious and accidental incidents:

Organizations need to be able to detect malicious, suspicious, or unusual activity on their networks.Threat detectionincludes having real-time insight into user logins, such as where and when a user has logged in to the corporate network and the location they have accessed it from.

Security solutions and rapid threat detectionhelp organizations increase the visibility of their network, track employees’ actions, and get alerts regarding anomalous activity.

When it has been determined that the suspicious activity is malicious or unauthorized, organizations need to prevent users from gaining access to their networks and systems. They need athreat prevention solutionthat blocks an attacker from gaining access to data and snooping on user activity.

Organizations can also prevent insider threats by deployingvirtual private networks (VPNs), which encrypt data and enable users to keep their browsing activity anonymous behind a VPN solution.

Organizations need to protect their users and devices by enforcing security policies and securing their data. Critical assets, such as facilities, people, technology, intellectual property, and customer data need to be protected at all times with the appropriate levels of access rights and privileges.

Policies need to be clearly documented, and all employees must be familiar with the security procedures they need to follow, their data privileges, and their intellectual property rights. This final step of the process is crucial to complying with increasingly stringent data privacy regulations.