They can go undetected for years. They do their questionable deeds in the background. And, at times, one wonders if they’re doing more harm than good.
Although this sounds like we’re describing some sophisticated PUP you haven’t heard of, we’re not.
These are the known attributes of insider threats.
Insider threats are one of a handful of non-digital threats troubling organizations of all sizes to date. And―to bang on the hype―the danger they pose is real.
Where companies once thought that risks to their high-value assets could only come from outside actors, they are slowly realizing that they also face potential dangers from within. The worst part is that no one can tell who the culprits are until the damage is done.
In the Osterman Research white paper entitled White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime, insider threats are found to account for a quarter of the eight serious cybersecurity risks that significantly affect the private and public sectors. To put it another way, an organization’s current and former employees, third-party vendors, contractors, business associates, office cleaning staff, and other entities who have physical or digital access to company resources, critical systems, and networks are collectively ranked in the same list as ransomware, spear phishing, and nation-state attacks.
The majority of insiders who have caused their employers a headache didn’t necessarily have technical backgrounds. In fact, they didn’t have the desire or the inclination to do something malicious against their company to begin with. In the 2016 Cost of Insider Threats [PDF], a benchmark study conducted by the Ponemon Institute, a significant percentage of insider incidents within companies in the United States was caused not by criminal insiders but by negligent staff members. This finding remains consistent in the 2018 Cost of Insider Threats [PDF], whose coverage also includes organizations in the Asia-Pacific region, Europe, Africa, and the Middle East. The insider’s general lack of attention and misuse of access privileges, coupled with little-to-no cybersecurity awareness and training, are some of the reasons why they’re dangerous.

Understanding insider threats

Many have already described what an insider threat is, but none as inclusive and encompassing as the definition put forward by the CERT Insider Threat Center, a research arm of Carnegie Mellon University’s Software Engineering Institute (SEI). They have defined an insider threat as:
…the potential for individuals who have or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.
From this definition, we can classify insiders into two main categories: the intentional and the unintentional. Within those categories, we’ve described the five known types of insider threats to date. They are as follows:
Intentional insiders

They knowingly do harm to the organization, its assets, resources, properties, and people.
The malicious insider

This type has several names, including rogue agent and turncoat. Perhaps its main differentiation from the professional insider (as you will see below) is that no insider of this type started off with malicious intent. Some disgruntled employees, for example, may decide to compromise the company’s network if they perceive that their company has done them wrong: by planting malware, deleting company files, stealing proprietary intellectual property to be sold, or even withholding essential accounts and data for ransom.
In certain circumstances, employees go rogue because they want to help their home country. Such is the case of Greg Chung, who was found guilty of supplying China with proprietary military and spacecraft intel during his tenure at Rockwell and Boeing by stealing nearly three decades’ worth of top-secret documents. The number of boxes of files retrieved from his home was not disclosed, but we can assume it to be in the hundreds.
Employees who are coerced or forced to perform malicious acts on behalf of one or more entities also fall under this type.
The professional insider

This type is usually referred to as a spy or mole in an organization. They enter an organization generally as employees or contractors with the intent to steal, compromise, sabotage, and/or damage assets and the integrity of the company. They can be funded and directed either by nation states or by private organizations―usually a competitor of the target company.
When the Jacobs Letter, a 37-page allegation penned by former Uber employee Ric Jacobs, was made public, it seemed that the civil suit between Google and Uber was no longer your usual intellectual property theft case. In this letter, Jacobs claimed that Uber ex-CEO Travis Kalanick was the mastermind behind the theft, with Anthony Levandowski as the actor. Although this allegation has yet to be substantiated, Levandowski would fit this type if it were found true.
The violent insider

Acts that negatively impact organizations don’t start or end in the abuse, misuse, and theft of non-physical assets. They can also include threats of a violent nature. Peopleware is as essential as the software and hardware an organization uses, if not even more crucial. So, what negatively affects employees in turn affects the organization, too.
Therefore, it’s imperative that organizations also identify, mitigate, and protect their staff from potential physical threats, especially those that are born from within. The CERT Insider Threat Center recognizes workplace violence (WPV) as another type of insider threat, and we have categorized it under intentional insiders.
WPV is defined as violence or threat of violence against employees and/or themselves. This can manifest in the form of physical attacks, threatening or intimidating behavior and speech (written, verbal, or electronically transmitted), harassment, or othe