Cyber Security Myth #4: Cyberattacks only come from outside the company


Many people assume that cyberattacks against a company can only originate from outside the organization. This is a common myth – the idea that threats exist out there in the nebulous “cyberspace”, but that a company’s own employees could not present a serious cybersecurity risk. While attacks do occur from external entities, the reality is that insiders pose a very real and often underestimated threat. In fact, research indicates that between 30% and 50% of cyberattacks and data breaches originate from within the company walls. Ignoring the possibility of insider attacks leaves organizations extremely vulnerable.


Insider Threats

Insider threats refer to cybersecurity risks that originate from within an organization. They can include both intentional and unintentional actions by employees, contractors, or business partners that put an organization’s data, systems, and operations at risk. Though insider threats may not garner the same attention as external cyberattacks, they are a significant and pervasive risk that all organizations face.

Studies show that insider threats account for a substantial portion of data breaches and cyber incidents. According to the 2022 Verizon Data Breach Investigations Report, 15% of breaches involved internal actors. Another report by Cybersecurity Insiders found that 90% of organizations felt vulnerable to insider attacks. The prevalence of insider threats demonstrates why they warrant serious attention in an organization’s cybersecurity strategy.


Insider threats can take many forms, such as:

  • Malicious insiders: Employees or contractors who intentionally steal data, sabotage systems, or commit fraud. Disgruntled or motivated insiders are the most dangerous threats.
  • Compromised accounts: Insider credentials being hijacked by external threat actors to gain access. Account takeover was linked to nearly 20% of insider threat incidents in one report.
  • Accidental breaches: Insiders unintentionally expose data through improper data handling, misconfigured systems, falling for phishing schemes, or other errors.
  • Third-party risks: Breaches by vendors, suppliers, partners, or other entities with network or system access. Third parties often have trusted access yet lack security controls.

Any insider with authorized access can potentially abuse that access to harm an organization, either intentionally or by accident. Developing controls and safeguards to secure insider access is critical for risk mitigation.

Real-World Examples

Insider threats can take many forms, from malicious to unintentional. Here are some real-world examples of insider attacks at companies:

  • A disgruntled employee at a financial services company planted logic bombs that deleted thousands of mortgage loan records and software programs months after he left the company. This attack cost the company over $10 million in damages.
  • An engineer at an automotive company, who was quitting his job, attempted to download over 300,000 confidential documents onto a personal hard drive on his last day of work. This could have exposed sensitive trade secrets.
  • A network administrator at a healthcare organization abused his access privileges to improperly access and steal patient healthcare records. He then sold the stolen information to fraudsters.
  • An employee at a software company accidentally emailed a confidential product roadmap to a reporter when attaching the wrong document. This exposed upcoming product features before official announcements.
  • A contractor working with source code at a technology company secretly made copies of proprietary algorithms and later tried selling them to a competitor.

These examples demonstrate how insider threats can damage companies through intentional malicious actions as well as unintentional mistakes. Companies need safeguards in place to protect against threats that originate from inside the organization, even from trusted employees.

Addressing Insider Threats

Organizations can take several steps to help mitigate insider threats:

  • Implement access controls: Restrict employee access to only the systems and data they need for their specific roles. Utilize the principle of least privilege when granting access.
  • Employee monitoring: Monitor employee online activities for signs of suspicious behavior. This can include monitoring email, internet usage, file access, etc. However, be sure to have clear policies around monitoring and only do so in a legal, ethical manner.
  • Security training: Educate employees on security best practices and what constitutes suspicious activity. Training can help prevent insider incidents stemming from negligence rather than malicious intent.
  • Separation of duties: Ensure no single employee has too much control over critical systems or data. Split up responsibilities to reduce opportunities for fraud or abuse.
  • Background checks: Thoroughly vet employees before granting access to sensitive systems or data, especially for those in high-risk roles. Periodically run background checks even after hiring.
  • Implement logging/auditing: Log employee activities so they can be reviewed if suspicious activity is detected. Audit logs regularly to identify potential issues.
  • Encourage reporting: Provide employees an anonymous way to report potential insider threats without fear of retaliation. Make it easy to report suspicious activity.
  • Prompt termination: Quickly terminate employees who violate security policies to reduce their ability to cause harm.
  • Limit third-party risks: Extend insider threat precautions to third-party vendors, contractors, and partners where appropriate.

A multi-layered strategy is required to protect against insider threats. Technical controls should be coupled with policies and procedures to encourage a security-focused organizational culture.
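To illustrate the logging/auditing and least-privilege items above, here is an added Python example (not code from the original article) that reviews file-access audit lines, flagging a user whose daily read volume far exceeds their own baseline and any access outside the paths their role needs. The log format, the `ALLOWED` map, the user names, and the thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from statistics import median

# Assumed role-to-path map: the prefixes each user needs for their job.
ALLOWED = {"alice": ("/eng/",), "bob": ("/finance/",)}

def build_sample_log():
    """Constructed audit lines in an assumed format: date user action path."""
    lines = []
    for day in ("2024-03-01", "2024-03-04", "2024-03-05"):
        lines += [f"{day} alice read /eng/spec{i}.pdf" for i in range(4)]
        lines += [f"{day} bob read /finance/q{i}.xlsx" for i in range(3)]
    # Final day: alice reads in bulk, bob touches a path outside his role.
    lines += [f"2024-03-06 alice read /eng/design{i}.pdf" for i in range(60)]
    lines += ["2024-03-06 bob read /finance/q1.xlsx",
              "2024-03-06 bob read /eng/design1.pdf"]
    return lines

def review(lines, spike_factor=5, min_events=20):
    """Return (volume_alerts, scope_alerts) for the given audit lines."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> event count
    scope_alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines instead of aborting the review
        day, user, _action, path = parts
        daily[user][day] += 1
        # Users missing from ALLOWED get an empty tuple, so every access is flagged.
        if not path.startswith(ALLOWED.get(user, ())):
            scope_alerts.append((day, user, path))
    volume_alerts = []
    for user, days in daily.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if not history:
                continue  # first observed day: no baseline to compare against
            baseline = median(history)
            # Require both an absolute floor and a multiple of the user's own norm.
            if days[day] >= min_events and days[day] > spike_factor * baseline:
                volume_alerts.append((day, user, days[day], baseline))
    return volume_alerts, scope_alerts

if __name__ == "__main__":
    volume, scope = review(build_sample_log())
    for alert in volume:
        print("volume spike:", alert)
    for alert in scope:
        print("out-of-role access:", alert)
```

Comparing each user against their own history, rather than a company-wide threshold, keeps heavy but legitimate users from drowning out the reviewer in alerts.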

Key Takeaways

The myth that cyberattacks only come from outside a company is dangerous and false. Insider threats are a very real cybersecurity risk that all organizations face. Employees with malicious or careless intent, or even compromised credentials, can inflict massive damage from within.

Companies must implement cybersecurity strategies specifically designed to address insider threats. Technical controls like user monitoring, access restrictions, and data loss prevention play a role. But organizations also need clear policies, security awareness training for employees, and a workplace culture that discourages harmful behavior.

Employees have a responsibility as well. They should follow cyber hygiene best practices, watch for suspicious activity by coworkers, and speak up if they witness policy violations. With proactive participation from management and staff, organizations can detect insider threats early and prevent attacks.

The bottom line is that threats exist both inside and outside the company. Security leaders must protect against both external hackers and internal actors to fully secure critical systems and data. Realizing insider threats are just as real and prevalent as external ones is the first step toward mitigating this serious cyber risk.