Understanding the Difference Between Insider Risks and Insider Threats
As wave after wave of layoffs are announced, organizations are rightfully concerned about their intellectual property leaving with former employees. They feel this way for good reasons. One study found that 85 percent of employees admitted to taking company documents and information when they left. However, while all insiders present risk, not all insiders are threats.
What is an Insider?
An insider is an individual with access to an organization’s data. While this can include individuals with access to physical copies of data left on printers or in unsecured file cabinets, from a Data Loss Prevention perspective the focus is on credentialed users who can access sensitive electronic data. This can include engineering staff working with design documents or source code, financial professionals with access to sales and profitability statements, sales teams working with customer and prospect lists, and product management teams developing product roadmaps and strategic plans. Insiders can also include non-employees, such as partners and vendors, who may require access to internal systems to provide their services.
What is an Insider Risk?
Every individual who can access sensitive data presents a risk of data loss. Insider risk does not require malicious intent. It is inherent in being a user. It can be caused by negligence; a careless user may mistype an email address and send confidential information to an unauthorized person. It can also stem from a lack of knowledge of good security practices, such as when a user uploads a document to a personal cloud drive because the file is too large to email.
Poor training was cited when a Dallas, Texas IT worker accidentally deleted over 20 terabytes of the city’s data, including over 13 terabytes of Dallas police files, while trying to move them from online storage. A report found the technician “appears to have been attempting to carry out the data migration consistent with his sincerely-held understanding, although flawed, of the Commvault software.”
Non-employees, too, can make mistakes with data, often with good intent. A service provider having trouble solving a problem may, in seeking assistance, forward it to colleagues who are not authorized to view the material.
What is an Insider Threat?
An insider changes from a risk to a threat when malicious intent is present. Insider threats have an objective of compromising data security. Common insider threats include:
Departing employees: As noted, an employee leaving their role often takes information they believe will be helpful to their new job. This can include material they have created or information that would demonstrate a “quick win” to their new employer.
Malicious insiders: The motivations of an insider threat can include personal gain, including industrial espionage for a competitor or providing criminals with access to Personally Identifiable Information on consumers.
A former Amazon Web Services engineer allegedly created an application to detect which AWS customers had misconfigured firewalls, then extract privileged account credentials. She used this to steal sensitive data from Capital One’s systems, including “106 million credit card applications, which included names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers.”
An employee in China stole sensitive information from Dutch chip equipment maker ASML Holding. There are reports that the employee had ties to a “Beijing-backed spy ring.” In addition to losing IP to a potential competitor, ASML reported that the loss may also have violated export control regulations.
Disgruntled insiders: Another insider threat motivation is sabotage. The individual may seek to release sensitive information and publicize a breach to prompt regulatory penalties or damage an organization’s reputation.
After being fired via a text message, a former employee of Penn South Cooperative Federal Credit Union in New York deleted more than 20,433 files and 3,478 directories from the credit union’s IT system.
How to Address Insider Risk and Threats
Stopping insider risks requires better security hygiene. Employees who understand when data is at risk and self-correct contribute to a security-positive culture and provide organizations with a “human firewall.”
Annual training events simply don’t work. A better approach is contextual training as data is put at risk. Reveal provides users with incident-based training as they interact with data. If an action puts data at risk, Reveal automatically provides policy reminders and safe alternatives. It can even require acknowledgement of company policies before proceeding.
Stopping malicious threats requires visibility into sensitive data and contextual intelligence on the user’s actions. The Next Reveal agent delivers continuous protection with Machine Learning on the endpoint. Next DLP’s smart agent identifies and categorizes data as it is exposed to risk. It begins baselining activity at installation, and multiple behavioral analytics algorithms monitor user, entity, and network behavior to model and define typical and anomalous behavior. Because the behavioral analysis works autonomously on the endpoint, protecting data does not rely on a connection to a separate analysis engine and all personal data remains on the device.