Insider Threats and Internal Investigations

Some of the best crime and action movies follow a predictable narrative template for corporate espionage: the central conflict revolves around a double-crosser. Someone “on the inside” is not who they seem. Maybe that person leaves a door unlocked, provides access to unauthorized accounts, steals intellectual property, or simply looks the other way when something bad happens, but in all situations, they’re playing both sides in a way that eventually leads to conflict for people or their company, city, world, universe, etc. Put another way, these characters play the role of the insider threat.

Despite our familiarity with these characters and the damage we’ve all seen them cause, many companies are hesitant to focus on insider threats due to fears about how acknowledging the issue may tarnish the company. But focusing only on external risks will not make these potential internal risks go away.

Today, many companies are aware of the risk presented by internal threat actors, but this hesitance means there is still work to be done. For example, Verizon’s 2019 Insider Threat Report found insider threats were involved in 57% of all data breaches, but a recent report from CA Technologies found only 36% of organizations have a formal insider threat program in place to address insider attacks, while another 50% are in the process of developing these programs. Though these threatening characters are easy to spot in Hollywood blockbusters, they’re often more difficult to spot in real life. Understanding who and what an insider threat is can help you prepare for these threats and identify issues before they arise.

Defining “Insider Threat”

The National Cybersecurity and Communications Integration Center defines an insider threat as “a current or former employee, contractor, or another business partner who has or had authorized access to an organization’s network, system, or data” and uses this privilege maliciously. These threats, including everything from sabotage to competitive advantage, may be the result of abused access, theft of property, or even simply the mishandling of devices or credentials.

Though it’s possible to further categorize insider threats into several groups, two main groups emerge: intentional and unintentional insider threats. Unintentional actors are unaware they’re aiding in malicious activity and therefore can often be corrected or reduced with training. Nonetheless, CA Technologies noted companies are equally–and rightly–concerned about the risks posed by intentional and unintentional threat actors. The main risks pertain to excessive access privileges, a large number of connected devices, and the complicated IT landscape.

What You Stand to Lose

The risk of loss associated with these insider threats is similar to the potential loss attached to external attacks, but not identical.

Assets at risk:

  • Employee information
  • Confidential business data
  • Intellectual property

According to a recent insider threat study, approximately one-third of the 500 executives surveyed reported higher financial losses from insider threats than any other threats. And, perhaps even more significant over time, they noted a great reputational risk as well.

Any security breach has the potential to damage a company’s reputation, but insider threats call into question the caliber of people employed by–and running–the organization. This damage is arguably more challenging to overcome as the negative image is associated less with an organization’s preparedness in today’s ever-connected world and more with the management itself. Acknowledging the potential threat presented by internal actors and taking steps toward addressing these threats will help you safeguard your business and your reputation.

Preventing and Identifying Internal Threats

Though external threat actors can come from anywhere and are difficult to identify before a breach occurs, insider threats can be easier to spot if you know what to look for and you remain vigilant. These threats can be mitigated in two ways:

  1.  Monitor employee activity and logins. In addition to security measures – including physical, network, and data security – monitoring allows you to track patterns and quickly identify abnormal activity. Most importantly, this process should not be kept secret. Letting your employees know you monitor activity and are very good at it can act as a natural deterrent to malicious activity.
  2.  Build a behavior and personality baseline for employees and contractors. Employees and/or contractors may have different reasons for abusing their privileges, be it personal gain, revenge, or profit from working with an outside party, but deviations from normal behavior are likely in all cases. To quickly identify when things may be turning malicious before significant damage is done, you need to understand normal behavior. Certain personality characteristics can help you identify potential insider risks, and understanding behavior prediction theories will help you learn why these risks may have been taken.

“At-risk” characteristics come in many forms, including the tendency to minimize mistakes or avoid taking responsibility, “flexible” ethics, or a history of frustration or disappointment with the company, an individual’s job, or performance reviews. At-risk behaviors can include abnormal network login times, late hours without explanation, or the use of personal storage devices. Though none of these immediately indicate an employee is a risk, establishing a behavior baseline helps you identify changes and allows you to act before the situation escalates.
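The login-time baseline described above can be sketched as follows. This is an added example, not code from the original article: it learns each user's usual login hour from constructed sample log lines, treating the clock as circular so a night shift spanning midnight is handled, and flags later logins that fall well outside that window or come from a user with no baseline. The log format, function names, and two-hour slack are assumptions made for illustration.

```python
import math
from datetime import datetime

# Constructed sample logins ("<ISO timestamp> <user>"); bob works nights.
BASELINE_LOG = """\
2024-03-04T08:52:00 alice
2024-03-05T09:05:00 alice
2024-03-06T08:47:00 alice
2024-03-04T23:40:00 bob
2024-03-05T00:15:00 bob
2024-03-06T23:55:00 bob
"""
NEW_LOG = """\
2024-03-12T02:30:00 alice
2024-03-12T00:20:00 bob
2024-03-13T13:00:00 bob
2024-03-13T10:00:00 carol
"""

def parse(log):
    for line in log.splitlines():
        stamp, user = line.split()
        t = datetime.fromisoformat(stamp)
        yield user, stamp, t.hour + t.minute / 60

def circ_dist(a, b):
    """Shortest gap in hours between two clock times (wraps at midnight)."""
    return min(abs(a - b) % 24, 24 - abs(a - b) % 24)

def build_baseline(log):
    """Per user: circular mean login hour and the largest deviation seen."""
    hours = {}
    for user, _, h in parse(log):
        hours.setdefault(user, []).append(h)
    baseline = {}
    for user, hs in hours.items():
        ang = [2 * math.pi * h / 24 for h in hs]  # hour -> angle on the clock
        mean_h = math.degrees(math.atan2(sum(map(math.sin, ang)), sum(map(math.cos, ang)))) / 15 % 24
        baseline[user] = (mean_h, max(circ_dist(h, mean_h) for h in hs))
    return baseline

def flag_logins(baseline, log, slack=2.0):
    """Logins more than `slack` hours outside the user's usual window."""
    alerts = []
    for user, stamp, h in parse(log):
        if user not in baseline:
            alerts.append((stamp, user, "no baseline"))
        elif circ_dist(h, baseline[user][0]) > baseline[user][1] + slack:
            alerts.append((stamp, user, "unusual hour"))
    return alerts
```

An alert here is a prompt for review, not a verdict; a plain arithmetic mean would place bob's usual hour near midday and flag every one of his normal night-shift logins.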

With these potentially risky characteristics identified, behavior theories help you understand situations that may convince someone to take malicious action. For example, the General Deterrence Theory (GDT) of behavior says if the expected benefit of an action outweighs the consequence, a person is more likely to take the risk. However, creating a supportive work environment is just as important as flagging potential threat actors and establishing consequences. A healthy and supportive work environment encourages communication and reduces the likelihood of insider threats. Additionally, establishing a culture of proactive cyber security, including employee training and internal guidelines that govern things such as access, helps employees become more aware of what to watch for, and your organization is better prepared to respond.

As with all risks, it’s always easiest to address them before they start, and insider threats are no exception. However, no system is ever perfect and, if a breach occurs, a respected outside party can help you thoroughly investigate the cause and ultimately identify the culprit. Though the subject may still be a sensitive one, it’s time to overcome that hurdle. Organizations that choose to acknowledge the possibility of insider threats, prepare for the road ahead, and take necessary action are saving their reputation by demonstrating their desire to take a stand.