The Ins And Outs Of Insider Threats

Ben Allen is a cybersecurity and financial forensics expert. He is the CEO at Allen Forensics Inc.

A good cybersecurity program can protect your company from hackers and cyberattacks, but malicious or negligent employees within your organization pose a significant threat to cybersecurity. Internal cybercrime occurs when an employee uses their access to a company’s computer network to steal money or confidential information. It includes embezzlement, in which an employee transfers funds to a private bank account, and industrial espionage, in which an employee copies sensitive information—such as trade secrets, financial data, or client lists—and sells it to a competitor or even a foreign government.

Another insider threat is the negligence of one or more employees who inadvertently release data or allow intruders into your system or who lose a laptop in an airport.

According to a report by the Ponemon Institute (via CISO MAG), the number of cybersecurity threat incidents caused by insiders rose by 47% from 2018 to 2020, and the cost of insider threat incidents reached $11.45 million. Much of this is spent on detection and investigation.

Internal cybercrime can also involve the manipulation of data to create false expense reports, misrepresent a company’s performance or mask illegal expenses such as bribes. This type of cybercrime can have serious consequences for your business and your reputation if it comes to the attention of an auditor or regulator.

Surveys conducted by several cybersecurity firms have found that approximately one-third of electronic crimes were caused by insiders, and the percentage is steadily rising. Globally, 34% of businesses experience some kind of insider attack every year, and according to another report from the Ponemon Institute, “…67% of companies are experiencing between 21 and more than 40 incidents per year.”

Insiders are former and current employees, contractors or trusted associates (such as third-party vendors) who have access to your computer networks and sensitive data. These people know your company’s business model, technologies and security protocols—they might even have helped configure them. They are also aware of any vulnerabilities or security lapses and are likely to have contacts in your industry.

There are two types of dangerous insiders: those who deliberately act with malicious intent and those who inadvertently release data or allow hackers into your network.

Here are some examples of both malicious and inadvertent insider threat behavior:

Malicious

  • National security espionage.
  • Theft of intellectual property (IP) or trade secrets.
  • Modifying or stealing confidential information for personal gain.
  • Financial theft (fraud, embezzlement).
  • Sabotage of an organization’s network or data to get revenge for a perceived injustice.
  • Selling of access credentials to hackers.
  • Theft of confidential information to take to a new employer.

Inadvertent

  • Unintentional exposure of an organization’s critical assets (such as a client list) to external adversaries.
  • Human error.
  • Bad judgment.
  • Response to phishing email (67% of accidental insider attacks are due to phishing emails).
  • Malware installed from a website or email.
  • Unintentional aiding and abetting.
  • Stolen credentials.
  • Bypassing security protocols for convenience.

Any employee can inadvertently present an insider threat, but cybersecurity officers agree that higher-level officials are the biggest threat, followed by contractors, regular employees, IT administrators and staff, and third-party service providers. Executives and managers have greater access to computer networks, and some have a tendency to ignore security protocols because they feel the rules do not apply to them. Younger employees often attempt to enhance their productivity by adopting insecure cloud applications that automatically synchronize with the cloud whenever there is an open connection. A hacker can spy on the network or steal credentials over a public network in an airport or coffee shop or introduce malware through another application.

Conventional cybersecurity defenses are often ineffective against insider threats. The only protection is to engage your entire organization in employee education and strict enforcement of security protocols. Give each employee access only to the systems required for his or her job. Your IT department can employ user and entity behavior analytics (UEBA) software that combines machine learning, algorithms and statistical analyses to monitor each employee’s use of the network and detect abnormal activity.
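As an added illustration of the per-employee baseline that UEBA-style monitoring relies on (example code written for this article, not any product's own logic): it profiles each user's normal daily file-access volume and working hours from a few constructed log lines, then flags later days that deviate from that user's own history. The log format, the z-score threshold and the 07:00 to 19:00 working window are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample access log (not from the article): user,date,hour,files_accessed
SAMPLE_LOG = """\
alice,2024-01-02,09,42
alice,2024-01-03,10,38
alice,2024-01-04,09,45
alice,2024-01-06,02,410
bob,2024-01-02,08,12
bob,2024-01-03,09,15
bob,2024-01-04,08,11
bob,2024-01-06,10,13
"""

def parse_log(text):
    """Turn one CSV line per user-day into dicts."""
    rows = []
    for line in text.strip().splitlines():
        user, date, hour, files = line.split(",")
        rows.append({"user": user, "date": date, "hour": int(hour), "files": int(files)})
    return rows

def build_baseline(rows, cutoff):
    """Per-user mean and population stdev of daily file counts from days before cutoff."""
    history = defaultdict(list)
    for r in rows:
        if r["date"] < cutoff:           # ISO dates compare correctly as strings
            history[r["user"]].append(r["files"])
    # Floor the stdev at 1.0 so a perfectly flat history does not divide by zero.
    return {u: (statistics.mean(v), max(statistics.pstdev(v), 1.0)) for u, v in history.items()}

def detect_anomalies(rows, cutoff, z_threshold=3.0, work_hours=(7, 19)):
    """Score days on/after cutoff against each user's own baseline; return flagged days."""
    baseline = build_baseline(rows, cutoff)
    flagged = []
    for r in rows:
        if r["date"] < cutoff:
            continue
        reasons = []
        mean, stdev = baseline.get(r["user"], (0.0, 1.0))   # unknown user: no history
        z = (r["files"] - mean) / stdev
        if z > z_threshold:
            reasons.append(f"volume z-score {z:.1f}")
        if not (work_hours[0] <= r["hour"] < work_hours[1]):
            reasons.append(f"off-hours access at {r['hour']:02d}:00")
        if reasons:
            flagged.append({"user": r["user"], "date": r["date"], "reasons": reasons})
    return flagged
```

Scoring each user against their own history, rather than a company-wide average, is what lets an analyst's sudden jump from about forty files a day to several hundred stand out while a power user's normal volume does not.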

The people most likely to present an insider threat are:

  • Privileged users, such as IT team members and high-level administrators.
  • Knowledge workers, such as analysts or developers.
  • Resigned or terminated employees.
  • Employees involved in a merger or acquisition.
  • Vendors.
  • Contractors.
  • Partners.

Whatever technology is involved, an insider threat program is all about people. By focusing on one of an organization’s primary assets, its people, an organization can systematically identify and manage the risks associated with insider threats.
