Insider threats pose a significant risk to organizations, as attackers often have privileged access to sensitive systems and data. Understanding the scope of insider threats and the percentage they make up of overall cyber attacks is important for security professionals looking to mitigate this risk.
What is an Insider Threat?
An insider threat refers to a security breach or cyber attack that originates from within an organization, typically by employees, contractors, or business partners who have privileged access. Insider threats can be malicious in nature, such as an disgruntled employee stealing data, or unintentional, like an employee accidentally exposing sensitive information.
Types of Insider Threats
There are various types of insider threats, including:
- Malicious insiders: Employees or contractors who intentionally steal data, sabotage systems, or commit fraud.
- Negligent insiders: Insiders who unintentionally expose confidential data through poor security practices.
- Compromised credentials: Attackers compromise the credentials of legitimate users to gain unauthorized access.
- Third-party risks: Business partners, vendors, or suppliers who misuse access to sensitive systems or data.
What Percentage of Attacks are Insider Threats?
Estimates on what percentage of attacks originate from insiders versus external attackers vary. According to the 2022 Verizon Data Breach Investigations Report, 15% of breaches involved internal actors. The report analyzed over 23,000 security incidents across a range of industries.
Some other estimates on insider threat percentages include:
- IBM: 34% of breaches are caused by insiders
- Proofpoint: More than 1 in 3 cybersecurity incidents are caused by insiders
- Cybersecurity Insiders: 21% of breaches are caused by malicious insiders; 27% from negligent employees
The variance in these estimates can be attributed to differences in industries, geographic regions, and type of cyber incidents being considered. But overall, insiders are responsible for a substantial minority of breaches, demonstrating the need for robust insider threat programs.
Motivations for Insider Threats
Why do insiders commit cyber attacks or security policy violations? Common motivations include:
Financial Gain
Insiders may steal and sell confidential data, embezzle funds, or commit fraud for monetary gain. Healthcare and financial services are frequent targets.
Revenge
Disgruntled employees may seek to sabotage systems, delete data, or otherwise damage the organization. Their knowledge of internal systems often lets them evade defenses.
Espionage
Malicious insiders may secretly collect intellectual property to provide to competitors or foreign states. This is a particular concern for government agencies and contractors.
Convenience
When policies are burdensome, employees may bypass security controls to be more productive. But this puts data at risk.
Types of Assets Targeted
What types of assets do malicious insiders tend to go after? Frequent targets include:
- Intellectual property – Product designs, source code, proprietary research
- Customer/employee data – Personally identifiable information, health records, credentials
- Financial data – Payment information, accounting records, bank account details
- System access – Admin credentials, privileged system permissions
Highly sensitive assets like customer data, intellectual property, and financial information provide significant value to insiders who steal and sell it. Access credentials allow attackers to maintain their foothold within systems as well.
Most Affected Industries
Some industries are more prone to insider attacks based on the sensitive data they handle:
Healthcare
Medical records contain a wealth of PII and health data that fetches high prices on the black market. Healthcare insiders may steal records to sell or engage in medical identity theft.
Finance
Banks and insurers have highly valuable financial data. Fraud, embezzlement, and theft of funds are risks.
Technology
Intellectual property like source code and product plans are top targets. Tech industry insiders may steal IP to sell or to gain advantage for a competitor.
Government
Admin credentials, classified data, and intelligence information have high value to insiders or foreign states. Snowden incident was a major government breach.
Biggest Insider Threat Data Breaches
Some of the most damaging insider threat incidents include:
Chelsea Manning – US Army
In 2010, analyst Chelsea Manning leaked 700,000 military and diplomatic documents to Wikileaks. This included video of a U.S. airstrike that killed civilians.
Edward Snowden – NSA
NSA contractor Edward Snowden leaked a massive trove of classified documents about global surveillance programs in 2013. It led to major reforms in US intelligence practices.
Canadian Immigration Records – Anish Basu
In 2014, a Canadian citizenship manager stole and leaked over 5,000 Canadian immigration records, exposing personal applicant details.
Uber – Anthony Levandowski
Former Google engineer Anthony Levandowski allegedly stole 14,000 self-driving car trade secrets before leaving to found Otto, which was acquired by Uber. This led to a major lawsuit between Uber and Waymo.
These incidents illustrate how much damage can come from insider access to sensitive data or systems. Proper controls and monitoring are necessary to catch insider threats early.
Financial Impact of Insider Threats
Insider threats have major financial costs in addition to damaged reputation and liability. According to IBM’s 2022 Cost of Insider Threats report:
- Average cost of insider threat incident – $4.37 million
- Average time to contain incident – 77 days
And according to Ponemon Institute:
- Average cost of a malicious insider incident – $756,000
- Average cost of a negligent insider incident – $307,000
The direct costs come from investigating the incident, implementing remediation, and enduring regulatory penalties or lawsuits. There is also loss of productivity as resources are diverted to mitigation.
How Insider Attacks are Changing
Some trends around how insider threats are evolving include:
- Increased cloud usage expands the insider risk, with 33% of incidents now involving cloud resources.
- Remote work makes monitoring insider actions harder with workers outside the corporate network.
- More use of third-parties exposes organizations to risky contractor/vendor access.
- Attackers recruit company insiders through messaging platforms and social media.
As the workplace and technologies change, insider threat programs must continuously adapt risk models and controls. Cloud usage, remote access, and digital transformation all impact the insider threat landscape.
Best Practices in Mitigating Insider Threats
How can organizations implement robust defenses against insider threats? Key best practices include:
Limit Access Control
Use zero trust and least privilege controls to restrict access to only necessary data/systems based on the user’s job role. This helps limit damage from compromised accounts.
Monitor User Activity
Analyze endpoint actions, network behavior, and system/data access patterns to detect out-of-policy actions that could indicate a malicious insider.
Enforce Separation of Duties
Require collusion between multiple users to complete sensitive transactions. This prevents unilateral insider abuse.
Implement Defense in Depth
Use layered controls (network, host, application, data) so compromise of any one does not undermine the whole security posture.
Formalize Insider Threat Program
Have dedicated resources to develop insider threat strategy, monitor indicators, provide training, and streamline incident response.
Conduct Background Checks
Thoroughly vet employees and third party users to identify potential red flags around fraud, negligence, or espionage risk.
Provide Security Awareness Training
Educate employees on data handling policies and how to avoid unintentional insider threats through good security habits.
Critical Capabilities for Insider Threat Detection
Technical controls and capabilities that aid prompt detection and response to insider threats include:
User and Entity Behavior Analytics
Identify anomalies in user activity based on behavioral profiles and analytics to detect potential threats.
Network Traffic Analysis
Analyze internal network traffic paths and payloads to uncover unauthorized actions and communications.
Data Loss Prevention
Prevent sensitive data exfiltration across network channels through deep content inspection and policy enforcement.
Privileged Access Management
Manage and audit actions performed with privileged credentials to identify misuse.
Endpoint Detection and Response
Gather visibility into host activities and analyze events for indicators of compromise from insiders.
Security Information and Event Management
Aggregate and correlate event data across systems to identify behavioral patterns, trends, and anomalies.
Using AI to Combat Insider Threats
Artificial intelligence and machine learning techniques can help enhance insider threat detection through:
- Identifying anomalies and outliers in massive data sets of user activity.
- Developing context-aware behavioral profiles for users and entities.
- Uncovering complex relationships and patterns across disparate data sources.
- Automating threat hunting workflows to accelerate investigations.
- Continuously improving algorithms through new data and feedback.
AI has become an invaluable tool for insider threat programs to augment human analysts and keep pace with growing data volumes.
Putting Humans at the Center of Insider Threat Defenses
However, the most effective approach puts humans at the center of an insider threat program. AI and automation provide insights, but investigation and judgement require human discernment. Key human elements of a mature program include:
- CISO and leadership buy-in to promote collaboration across teams like IT, HR, legal, and data privacy.
- Dedicated insider threat analysts to investigate alerts, tune detections, and share findings.
- Security awareness training and organizational culture of transparency and personal responsibility.
- Incorporating human resources data into context for alerts like job changes and performance issues.
- Ensuring privacy protections so monitoring is not cross-purposed into overreach.
With the right balance of human expertise and technical capabilities, organizations can implement insider threat programs that are high efficacy, ethical, and aligned to business risk tolerances.
The Critical Role of Data Privacy in Insider Threat Programs
As insider threat monitoring necessarily involves collecting and analyzing data about employee activities, it poses a tension with worker privacy rights that must be carefully balanced. Organizations can incorporate data privacy into their insider threat programs through:
- Being transparent about what data is collected and how it is used to detect threats.
- Allowing employees visibility into the data collected about them upon request.
- Minimizing data collection only to what is needed to identify potential insider risk according to documented use cases.
- Following need-to-know principles in compartmentalizing sensitive findings.
- Seeking legal counsel to ensure monitoring policies comply with local privacy laws.
- Providing secure storage and transmission of any collected personal data.
Reinforcing personal privacy while still allowing threat detection reassures employees and builds trust in the program. It also reduces legal liabilities.
Conclusion
Insider threats represent substantial data breach and fraud risks for organizations today. While estimates vary, insiders are attributed to between 15-35% of incidents. Key focus areas for maturing insider threat programs include controlling access with least privilege, implementing layered monitoring controls, leveraging AI for detection, and putting humans at the center of investigation and response. With the right balance of technical defenses and data privacy practices, organizations can mitigate the risks posed by insider threats. But no program can prevent all cases – some risk must be accepted, and damage limited through rapid response when incidents do occur. Inside threats require constant vigilance and adaptation as workforces, environments, and technologies evolve.