In a recent survey conducted by Lancope, the insider threat was a major concern for respondents, with 40 percent citing it as a top risk to their organization. Recent news events such as the WikiLeaks disclosures have also brought the insider threat into focus.
But what do people really mean when they say “insider threat”? Often, they are referring to negligent insiders who accidentally harm systems or leak data due to carelessness. However, it is important to understand that there are various types of insider threats, each one coming with its own set of challenges and different ways to combat them.
So who are these “insiders” attacking your network? At Lancope, we view the insider threat as three distinct categories of threat actor:
Negligent insiders are insiders who accidentally expose data – such as an employee who forgets their laptop on an airplane. They don’t mean to do anything wrong – they are just employees who have access to sensitive data and inadvertently lose control of it. A large number of security incidents and “data breaches” fit this description.
Malicious insiders are employees who intentionally set out to harm the organization either by stealing data or damaging systems, such as a disgruntled employee who deletes some records on his last day of work. In most cases, malicious insiders were once happy employees – cases of malicious attacks on computer systems by employees often result from a breakdown in the relationship between the employee and the company, which can happen for a variety of different reasons.
Research by the CERT Insider Threat Center at Carnegie Mellon University surrounding hundreds of real-world cases of attack by malicious insiders has shown that most incidents fit into one of three categories:
- IT Sabotage - Someone destroys data or systems on the network
- Fraud - Someone is stealing confidential data from the network for financial gain
- Theft of Intellectual Property - Someone is stealing intellectual property for competitive advantage or business gain
A compromised insider is an employee whose access credentials or computer have been compromised by an outside attacker. A compromised insider is really an outsider – it is someone who has access to your network as an authorized user, but they aren’t who they are supposed to be. Compromised insiders are a much more challenging type of insider threat to combat since the real attacker is on the outside, with a much lower risk of being identified.
Knowing the various types and characteristics of insider threats can help organizations put the right defensive measures in place for each threat. The next post in this series will cover multiple tactics that can be used to address these three types of insider threats.