Internal threats refer to risks that originate from within an organization, company, or entity. They are caused by employees, contractors, or business partners who have authorized access to a system and data. Internal threats can be intentional or unintentional and can come from current or former insiders.
What are some examples of internal threats?
There are many different types of internal threats that organizations face. Some common examples include:
- Malicious insiders – Employees or contractors who intentionally steal data, sabotage systems, or cause other damage.
- Accidental insiders – Well-meaning insiders who make errors or expose data unintentionally.
- Compromised credentials – Internal accounts that are compromised through phishing, social engineering, or other means.
- Data leakage – Sensitive data that is shared externally because security controls are inadequate or misconfigured.
- Poor security hygiene – Failure to follow security best practices like strong passwords or access controls.
- Shadow IT – Use of unauthorized devices, software, or cloud services that skirt IT policies.
- Non-malicious insiders – Insiders who unintentionally introduce vulnerabilities through poor training or lack of security awareness.
Malicious internal threats are often the most concerning as they indicate malicious intent to cause harm. However, accidental and uninformed insider threats can also cause significant damage and loss of sensitive data.
What motivates insider threats?
There are a variety of motivations that can drive an internal actor to cause harm to an organization. Common motivations include:
- Financial gain – Stealing and selling data or assets for profit.
- Revenge – Disgruntled employees sabotaging systems or destroying data.
- Ideology – Employees driven by personal beliefs to leak data or support certain causes.
- Espionage – Spying and stealing data to support a nation state or competitor.
- Unintentional mistakes – Well-intentioned employees making errors that cause incidents.
Understanding insider motivations can help inform mitigation strategies. For example, better employee screening and monitoring may help combat intentional threats, while security awareness training can reduce unintentional insider incidents.
What types of assets are targeted?
Nearly any type of sensitive organizational asset can be targeted by insider threats. Common assets at risk include:
- Intellectual property – Trade secrets, proprietary source code, confidential product information.
- Customer/employee data – Personally identifiable information, health records, financial data.
- Credentials – Usernames, passwords, security keys that enable access.
- IT infrastructure – Critical servers, databases, networking hardware.
- Email communications – Email servers, mailboxes containing sensitive messages.
- Business systems – ERP systems, CRM tools, proprietary business applications.
Attackers may target assets based on their value, ease of access, and ability to monetize or leverage the assets. High value assets like intellectual property, customer data, and credentials are common targets.
What methods do insiders use to attack?
Insiders have a number of techniques they can use to carry out attacks or exfiltrate data. Common methods include:
- Abusing privileged access – Using over-broad privileges and access rights to reach resources outside the user's legitimate role.
- Querying databases – Running queries to extract and copy sensitive table data.
- Using backdoors – Creating unauthorized access points like remote desktops or hidden accounts.
- Uploading to cloud drives – Exfiltrating data to personal cloud storage or email accounts.
- Using USB devices – Downloading data locally onto a USB or hard drive.
- Printing documents – Printing hard copies of proprietary information.
- Screen captures – Taking screenshots of confidential data.
In addition to stealing data, insiders may also tamper with systems, delete or corrupt data, or disrupt operations. Understanding common attack methods allows organizations to better monitor for and detect potential insider threats.
What are the impacts of insider threats?
Insider threats can severely damage an organization when sensitive assets and data are compromised. Impacts may include:
- Data loss – Permanently losing proprietary or customer data.
- Intellectual property theft – Losing competitive advantage through IP theft.
- System downtime – Disruption of business operations due to system outages.
- Reputation damage – Loss of customer and public trust after a breach.
- Financial costs – Direct costs related to incident response, fines, and legal action.
- Non-compliance – Data breaches causing violations of regulations like HIPAA or GDPR.
Quantifying the business impact can help justify investments in insider threat detection and response capabilities.
How can organizations mitigate insider threats?
A holistic approach is required to manage the risk of insider threats. Leading practices include:
- Least privilege access – Only provide access to systems and data needed for a user’s role.
- Separation of duties – Divide privileged roles to prevent concentrated power.
- Monitoring and logging – Logging and monitoring user activity to detect anomalies.
- Endpoint controls – Blocking unauthorized applications and encrypting data to limit exfiltration from endpoints.
- Security awareness training – Educating employees on security policies and responsibilities.
- Background checks – Vetting employees before granting access to sensitive systems.
- Data loss prevention – Solutions to detect and block potential data exfiltration.
Capabilities like user behavior analytics and data loss prevention tailored to detect insider threats are crucial. Ongoing attention should also be paid to managing risk from third parties with access to systems such as contractors, vendors, and partners.
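To make the "least privilege" and "monitoring and logging" practices above concrete, here is an added example (not code from the original article) that runs three simple insider-threat checks over a few constructed audit log lines: access to a resource outside the user's role, a bulk database export, and activity outside working hours. The log format, role table, user names, thresholds and working-hours window are all assumptions chosen for illustration; a real deployment would derive them from its own systems and baselines.

```python
"""Added example: basic insider-threat checks over constructed audit log lines.

Assumptions (not from the article): the log line format, the role-to-resource
allowlist, the user names, the bulk-export threshold and the working-hours window.
"""
from datetime import datetime

# Hypothetical least-privilege allowlist: which resources each role may touch.
ROLE_ACCESS = {
    "analyst": {"reports_db", "ticketing"},
    "dba": {"reports_db", "customer_db", "backup_share"},
    "hr": {"hr_db"},
}
# Hypothetical user-to-role mapping.
USER_ROLES = {"alice": "analyst", "bob": "dba", "carol": "hr"}

WORK_HOURS = (8, 19)        # assumed normal window: 08:00 to 19:00 local time
BULK_ROW_THRESHOLD = 10_000  # assumed threshold for a "bulk" export

# Constructed sample log lines (format is an assumption):
# "<ISO timestamp> user=<name> action=<verb> resource=<name> rows=<count>"
SAMPLE_LOG = [
    "2024-03-04T09:15:00 user=alice action=query resource=reports_db rows=120",
    "2024-03-04T10:02:00 user=bob action=query resource=customer_db rows=40",
    "2024-03-04T22:47:00 user=bob action=export resource=customer_db rows=250000",
    "2024-03-04T11:30:00 user=alice action=query resource=hr_db rows=15",
    "2024-03-04T14:05:00 user=carol action=query resource=hr_db rows=3",
]


def parse_line(line):
    """Parse one space-separated key=value log line into a dict."""
    ts_str, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for kv in kvs:
        key, value = kv.split("=", 1)
        rec[key] = value
    rec["rows"] = int(rec.get("rows", 0))
    return rec


def analyze(lines):
    """Return (user, finding_type, detail) tuples for every suspicious event."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        user, resource = rec["user"], rec["resource"]
        allowed = ROLE_ACCESS.get(USER_ROLES.get(user), set())

        # 1. Least-privilege check: resource not permitted for the user's role.
        if resource not in allowed:
            findings.append((user, "out_of_role_access", resource))

        # 2. Volume check: an export far larger than normal activity.
        if rec["action"] == "export" and rec["rows"] >= BULK_ROW_THRESHOLD:
            findings.append((user, "bulk_export", f"{rec['rows']} rows from {resource}"))

        # 3. Timing check: activity outside the assumed working-hours window.
        hour = rec["ts"].hour
        if not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
            findings.append((user, "off_hours_activity", rec["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for user, kind, detail in analyze(SAMPLE_LOG):
        print(f"{user:6} {kind:20} {detail}")
```

On the constructed sample, the checks flag bob's large off-hours export of customer_db twice (volume and timing) and alice's query against hr_db once (outside her role); the ordinary daytime queries produce nothing. Each check on its own is noisy; in practice the value comes from correlating several weak signals per user and from replacing the fixed threshold with a baseline learned from that user's usual activity.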
What are the challenges in addressing insider threats?
Effectively combating insider threats poses a number of challenges for organizations:
- Difficulty detecting authorized users abusing access
- Legal limitations on monitoring employee activity
- Reliance on trust-based access models
- Lack of visibility into cloud environments
- Shortage of specialized skills to investigate threats
- Negative organizational culture or poor employee-employer relations
- Insufficient data collection needed for threat detection
A lack of visibility into privileged user activity and limitations around collecting certain types of data make insider threats hard to detect. Organizations also face challenges balancing security monitoring with employee privacy expectations.
What are the costs of insider threat prevention and detection?
Implementing controls and capabilities to address insider threats requires significant investments. Some example costs include:
- User activity monitoring solutions – $100 to $500 per user license.
- Privileged access management – $25,000 to over $100,000 depending on users.
- Data loss prevention – Ranges from $10,000 for small deployments to over $500,000.
- Cloud access security brokers – $15 to $100 per user per year.
- Security information and event management (SIEM) – $50,000 to $500,000 for initial deployment.
- Insider threat analytics tools – Can cost over $250,000 for large organizations.
- Security awareness training – Approximately $400 per employee per year.
There are also costs related to incident response and forensics if a major breach occurs. Due to the severity of potential insider threat impacts, most organizations consider these security investments justifiable.
Conclusion
Insider threats present a substantial risk as employees and internal actors naturally have trusted access to sensitive systems and data. While malicious insiders are concerning, accidental and negligence-driven threats are equally important to address.
Organizations require layered defenses to monitor, detect, and respond to insider threats. Technical controls provide visibility and data protection while processes like least privilege and security awareness training mitigate risk. Addressing insider risk requires ongoing commitment, coordination between IT security and HR, and buy-in across the business.