An insider threat is a risk for an organization that comes from people inside the security loop. These people, known as insiders, can include either current or former employees of the company, as well as contractors or partners — that is, anyone with access to the company’s confidential information or critical infrastructure.
Insider threats can be the result of malicious intent or plain carelessness. For example, an employee who loses a USB flash drive with classified data is also an insider. For an in-depth classification of insiders, see the Knowledge Base.
The danger of insider threats
Insiders have legitimate access to the company’s computer network as part of their job responsibilities, so security tools do not treat their activity as a threat by default. They therefore do not need to hack employee accounts or bypass perimeter defenses (firewalls, antivirus software) to reach data. Insiders can also use their position to study the company’s security policies and identify their weak spots.
Insiders can cause harm by:
- Stealing confidential information and passing it to competitors;
- Disclosing personal data that is subject to government regulations;
- Destroying critical information;
- Installing and running malware;
- Disabling or disrupting information security systems in advance of external attacks.
The most common result of insider actions is data breaches.
Fighting insider threats
Insider threats need to be dealt with on two levels:
- Organizational — by training employees and introducing security policies. Zero trust policies and regular audits of access rights can help mitigate risks.
- Technical — by applying a DLP (Data Leak Prevention) system. Such programs analyze outgoing documents and block the transfer of files containing confidential information. With the help of UEBA (User and Entity Behavior Analytics) solutions, abnormal user behavior can be detected promptly and access rights revoked as necessary.
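As an added illustration of the UEBA idea described above (example code written for this page, not a product's own logic), the following Python snippet builds a per-user baseline of working hours and document-export volume from constructed audit-log lines, then flags later events that fall outside that baseline. The log format, usernames and thresholds are all assumptions made for the example.

```python
"""
Added example: a minimal UEBA-style anomaly check over constructed audit-log
lines. A baseline window establishes, per user, the hours at which they
normally work and how many files they typically export per action. Later
events are flagged when they occur outside the usual hours or export many
more files than usual. Everything here (format, users, thresholds) is
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline log: "<ISO timestamp> user=<name> action=<type> files=<count>"
BASELINE_LOG = """
2024-03-04T09:12:00 user=alice action=export files=3
2024-03-04T14:40:00 user=alice action=export files=2
2024-03-05T10:05:00 user=alice action=export files=4
2024-03-05T16:30:00 user=alice action=export files=1
2024-03-06T09:50:00 user=alice action=export files=3
2024-03-04T11:00:00 user=bob action=export files=20
2024-03-05T11:30:00 user=bob action=export files=25
2024-03-06T10:45:00 user=bob action=export files=22
"""

# Constructed events to score against the baseline.
NEW_LOG = """
2024-03-07T10:20:00 user=alice action=export files=3
2024-03-07T23:45:00 user=alice action=export files=150
2024-03-07T12:00:00 user=bob action=export files=24
"""


def parse(log: str) -> list[dict]:
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": fields["user"],
            "action": fields["action"],
            "files": int(fields["files"]),
        })
    return events


def build_baseline(events: list[dict]) -> dict:
    """Per user: range of hours seen and mean files per export action."""
    hours = defaultdict(list)
    files = defaultdict(list)
    for e in events:
        hours[e["user"]].append(e["time"].hour)
        files[e["user"]].append(e["files"])
    return {
        user: {
            # Allow one hour of slack on either side of the observed range.
            "hour_min": min(hours[user]) - 1,
            "hour_max": max(hours[user]) + 1,
            "mean_files": sum(files[user]) / len(files[user]),
        }
        for user in hours
    }


def score_events(events: list[dict], baseline: dict, volume_factor: float = 3.0) -> list:
    """Return (event, reasons) pairs for events deviating from the user's baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if not b["hour_min"] <= e["time"].hour <= b["hour_max"]:
                reasons.append(f"unusual hour {e['time'].hour:02d}:00")
            if e["files"] > volume_factor * b["mean_files"]:
                reasons.append(
                    f"{e['files']} files exceeds {volume_factor}x mean of {b['mean_files']:.1f}"
                )
        if reasons:
            alerts.append((e, reasons))
    return alerts


def detect() -> list:
    """Run the whole pipeline on the constructed data."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return score_events(parse(NEW_LOG), baseline)


if __name__ == "__main__":
    for event, reasons in detect():
        print(f"{event['time'].isoformat()} {event['user']}: {'; '.join(reasons)}")
```

Only the late-night export of 150 files by `alice` is flagged, on both the time-of-day and volume criteria; `bob`'s export of 24 files at noon stays within his observed range. A real UEBA product models many more features and a longer history, but the principle is the same: alerts are driven by deviation from the individual's own established behavior rather than by a fixed rule, which is what lets it catch a legitimate account being misused.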