
Alphabet, Google’s parent company, recently filed a lawsuit against its former engineer Anthony Levandowski, who is now working with Uber. The company accused Levandowski of copying more than 14,000 internal files and taking them directly to his new employer. While this case is far from over, it brings about a very interesting and important discussion that we should probably have right now. Are insider threats the main security threat in 2017?

What are insider threats?

What is a security threat caused by insiders? It is true that cyber security threats such as malware attacks, hacking, denial-of-service attacks and ransomware are much more frequent than insider attacks. That is only true until you look deeper, though. While insider threats in cyber security are often associated with malicious users, in truth, employees are inadvertently causing corporate data breaches and leaks daily.

Credentials lost through phishing, theft, or plain carelessness; malware invited into the system when an employee clicks on a link in a spam email or unknowingly brings an infected device to work; and, on top of that, honest mistakes such as sending sensitive files to the wrong address. These are only a small sample of the ways in which your own employees can inadvertently compromise your data and cost your company a great deal of money.

Here is the fact: when you combine the incidents involving malicious and inadvertent insiders, you will see that they dwarf any other computer security threat your company faces. Among 874 incidents, as reported by companies to the Ponemon Institute for its recent 2016 Cost of Insider Threats Study, 568 were caused by employee or contractor negligence; 85 by outsiders using stolen credentials; and 191 by malicious employees and criminals.

But why should we lump all those incidents together? Because regardless of whether they are malicious or not, the action was taken by an employee or a person with legitimate access located inside the company network – that is, where security is much more relaxed than on the perimeter.

Fortunately, there are specific strategies and tools to deal with those incidents, but before we talk about those, let’s look into how dangerous the information security threat posed by insiders really can be, and why.

The danger of insider threats

Here’s another fact for you: insider threats are the cause of the biggest security breaches out there, and they are very costly to remediate. According to a 2017 Insider Threat Report, 53 percent of companies estimate remediation costs of $100,000 and more, with 12 percent estimating a cost of more than $1 million. The same report suggests that 74 percent of companies feel that they are vulnerable to insider threats, with seven percent reporting extreme vulnerability.

So, why are insider threats so costly to remediate and so hard to deal with? There are several reasons:

  • Insider threats can go undetected for years – The longer you take to detect a breach or a leak, the more remediation costs go up. Insider threats can be very tough to detect, which is why they are the most expensive to remediate.
  • It is hard to distinguish harmful actions from regular work – This is why insider threats are so hard to detect. When an employee is working with sensitive data, it is almost impossible to know whether they are doing something malicious or not.
  • It is easy for employees to cover their actions – While it’s hard to detect malicious actions when they happen, it can be almost impossible to detect them after the fact. Any tech-savvy employee will know how to clean up after themselves by editing or deleting logs to conceal malicious action.
  • It is hard to prove guilt – Even if you do manage to detect malicious actions, employees can simply claim that they made a mistake and get away with it. It is almost impossible to prove guilt in such cases.

Ponemon’s 2016 Cost of Data Breach Study tells us that the industries spending the most on remediating data breaches include healthcare, education and finance. All of these industries suffer from an extremely high number of insider attacks, from copying and selling medical information to insider trading to data leaks made by mistake.

Think about this for a moment. How attractive does your company look to malicious insiders?

The cause of insider threats

Okay, insider threats are dangerous. We established that, but what’s causing them? Who are those insiders that we should be on the lookout for?

While any employee can cause data misuse or a leak by mistake, the three groups that you should give the most attention to are:

  1. Privileged users – These are usually the most trusted users in a company but they also have the most opportunities to misuse your data, both intentionally and unintentionally.
  2. Third parties – Remote employees, subcontractors, third-party vendors and partners all usually have access to your system. Since you know nothing about the security of their systems and often even about the very people accessing your data, you should treat them as a security risk.
  3. Terminated employees – Similar to the case mentioned at the beginning of this article, employees can take data with them when terminated. Even more importantly, sometimes they can access your data even after termination, either via malware or backdoors or by retaining their access because nobody bothered to disable it.

Okay, but what are they thinking? What makes malicious insiders conduct such crimes?

There are several reasons:

  • Acting on opportunity – An employee sees an opportunity to use data for personal gain or to steal it and sell it, and then decides to act on it – such actions are rarely preceded by long-term planning and preparation. They usually happen relatively spontaneously.
  • Taking revenge for perceived injustice – Disgruntled employees can steal data or, more often than not, simply leak it online or damage it in order to get back to you for a perceived injustice.
  • Making a statement – Sometimes, an employee wants to make a political or social statement and leaks data online or damages it in order to do so. A good example of this is Edward Snowden, who leaked his employer’s data in order to protest government surveillance.
  • Doing a competitor’s bidding – Corporate espionage is a thing, and even honest, trustworthy employees can be approached and offered a deal they would be hard-pressed to refuse (which often involves blackmail and/or bribery).
  • Seeing themselves as future competition – Employees may want to start their own competing business and decide to get ahead by using your data. They may steal or alter your client list or even contact clients and offer their services while still at work.

Of course, apart from malicious insiders, there are always inadvertent ones. The main reason for harmful actions on the part of those employees is that they usually don’t realize the full consequences of what they are doing. They are often unaware of common cyber security practices that they should follow, and even if they do know about them, they don’t realize how much non-compliance can affect the bottom line. This leads employees to not take cyber security seriously and sometimes even to disregard it in the name of convenience and productivity.

Fighting insider threats

Here’s the deal: fighting insider threats may seem hard and excruciating but it is actually simpler than you think. All it takes is taking the right approach and arming yourself with the right solutions.

These are the steps every company should take in order to minimize insider threats:

Background checks

The most basic thing you can do is to thoroughly research your employees as you hire them. Background checks don’t need to be complicated; a simple Google search of their name, a look at their social network profiles, and a call to their previous employers can get you all the info you need.

Sure, background checks are not the end-all be-all of fighting insider threats, but they will help you filter out the obvious con artists and risky applicants.

Watch employee behavior

It is always important to keep an eye on your own employees. If your employees are unhappy, it is a good sign that they may try something. Try to reach out to them and understand why they aren’t happy. If you fix the problem, you may save yourself a lot of trouble and garner their respect and gratitude.

Apart from that, look at the changes in employee behavior and their monetary situation. If they suddenly pay out their debts, start traveling more, or simply start to stay at work late or come at odd hours, chances are there is something fishy going on. You should check it out.

Use the principle of least privilege

The fewer privileged employees you have, the easier it is to protect your data. Not only does it mean that fewer employees can conduct malicious actions; it also means that there are fewer accounts to be hacked and fewer people to make mistakes.

To limit the number of privileged users, you should use the principle of least privilege if you aren’t using it already. This is a cyber security standard that dictates that each new account in the organization be created with the fewest privileges possible. The level of privilege is then raised only when necessary.

This also applies to third parties accessing your data. Make sure that they have the fewest privileges possible and that their credentials are revoked when their work is complete. A good solution for third parties is to grant them temporary credentials that expire on their own, which eliminates the need to manually manage each and every account.
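The least-privilege and temporary-credential ideas above are easy to state and easy to get wrong in practice, because a grant that nobody remembers to revoke is exactly the "access after termination" problem described earlier. The following is an added example, not code from the article or from any product it mentions: a small default-deny access model in which every third-party grant carries an expiry date, and a review routine lists grants that should no longer exist (expired, or held by a principal that has been disabled). The privilege names, principals and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Grant:
    """One privilege given to one principal (employee or third party)."""
    principal: str
    privilege: str                 # constructed names such as "read:crm"
    issued_at: datetime
    expires_at: Optional[datetime] # None means no automatic expiry
    reason: str                    # who asked for it and why, for the audit trail


def grant_temporary(principal: str, privilege: str, days: int,
                    reason: str, now: datetime) -> Grant:
    """Third-party grants always carry an expiry, so revocation needs no follow-up."""
    return Grant(principal, privilege, now, now + timedelta(days=days), reason)


def grant_standing(principal: str, privilege: str, reason: str,
                   now: datetime) -> Grant:
    """Standing grants for staff; these must be revoked explicitly on termination."""
    return Grant(principal, privilege, now, None, reason)


def check_access(grants: Iterable[Grant], principal: str, privilege: str,
                 now: datetime, disabled: FrozenSet[str] = frozenset()) -> bool:
    """Default deny: allow only an unexpired grant for a principal that is not disabled."""
    if principal in disabled:
        return False
    for g in grants:
        if g.principal != principal or g.privilege != privilege:
            continue
        if g.expires_at is None or now < g.expires_at:
            return True
    return False


def stale_grants(grants: Iterable[Grant], now: datetime,
                 disabled: FrozenSet[str] = frozenset()) -> List[Grant]:
    """Grants a periodic access review should remove: expired, or held by a disabled principal."""
    return [g for g in grants
            if (g.expires_at is not None and now >= g.expires_at)
            or g.principal in disabled]


if __name__ == "__main__":
    # Constructed scenario: a vendor gets two weeks of read access, an employee a standing admin grant.
    t0 = datetime(2017, 6, 1, tzinfo=timezone.utc)
    grants = [
        grant_temporary("vendor-acme", "read:crm", 14, "CRM migration, ticket #0000", t0),
        grant_standing("alice", "admin:db", "DBA on-call rotation", t0),
    ]
    print(check_access(grants, "vendor-acme", "read:crm", t0 + timedelta(days=13)))   # True
    print(check_access(grants, "vendor-acme", "read:crm", t0 + timedelta(days=14)))   # False
    # Alice leaves the company a month later; the review flags both the expired vendor
    # grant and her orphaned standing grant.
    for g in stale_grants(grants, t0 + timedelta(days=30), disabled=frozenset({"alice"})):
        print("revoke:", g.principal, g.privilege, g.reason)
```

The point of the design is that the temporary grant needs no human action to become useless, while the standing grant does, which is why the review function exists: run it on a schedule and treat every line it prints as a ticket.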

Control user access

Strong account protection can defend against both outsider and insider threats alike. There are several rules when it comes to protecting your accounts:

  • Your employees should use unique, complex passwords that are not reused across accounts.
  • Prohibit credential sharing between employees and limit the use of shared accounts as much as possible. While shared accounts are sometimes necessary (such as a shared admin account), you should use additional authentication methods to distinguish between the people using them.
  • Use two-factor authentication. Seriously, most definitely use it. It protects your accounts by requiring a user to employ a security token or an additional device to complete authentication. There are tons of enterprise-level two-factor authentication solutions out there available for free. Plus, they are very easy to set up and get running.

All in all, controlling access to your data not only helps keep external attackers out but also helps prevent employees from using the accounts of their colleagues without authorization. It can also provide insight if employees are authenticating at odd times.
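The "authenticating at odd times" signal above is one of the cheapest insider-threat detections to build, because every system already records successful logins. Below is an added example, not code from the article or any product: it parses a handful of constructed login records in a simple `timestamp login user=… result=… src=…` format (not any real product's log layout), keeps only successful logins, and flags those that fall on a weekend or outside an assumed 07:00–20:00 working window. Failed attempts are deliberately skipped so that the output lists only access that actually happened.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample records. 2017-05-15 is a Monday; 2017-05-20 is a Saturday.
SAMPLE_LOG = """\
2017-05-15T09:12:44 login user=alice result=success src=10.0.1.15
2017-05-15T22:47:03 login user=bob result=success src=10.0.1.40
2017-05-15T22:48:10 login user=bob result=success src=10.0.1.40
2017-05-16T03:05:51 login user=carol result=failure src=203.0.113.7
2017-05-16T03:06:20 login user=carol result=success src=203.0.113.7
2017-05-20T14:30:00 login user=alice result=success src=10.0.1.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Assumed policy: working hours are 07:00 up to (not including) 20:00, Monday to Friday.
WORK_START_HOUR = 7
WORK_END_HOUR = 20


def parse_log(text: str) -> List[Dict]:
    """Turn raw lines into event dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "result": m["result"],
            "src": m["src"],
        })
    return events


def off_hours_logins(events: List[Dict], start: int = WORK_START_HOUR,
                     end: int = WORK_END_HOUR) -> List[Dict]:
    """Return successful logins that happened on a weekend or outside [start, end)."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue                      # only access that was actually granted matters here
        weekend = e["ts"].weekday() >= 5  # Monday is 0, Saturday is 5
        outside = not (start <= e["ts"].hour < end)
        if weekend or outside:
            findings.append({
                "user": e["user"],
                "ts": e["ts"],
                "src": e["src"],
                "reason": "weekend" if weekend else "off-hours",
            })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count flagged logins per user so reviewers can see who stands out."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    found = off_hours_logins(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts'].isoformat()} {f['user']:<6} {f['src']:<14} {f['reason']}")
    print(summarize(found))
```

A flagged login is a prompt for a human to look at the session in context, as the next section describes, not proof of wrongdoing: night-shift staff and on-call engineers will appear here legitimately, so the working window should be a per-user or per-team setting rather than the single constant used in this example.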

Monitor user actions

The crown jewel of your insider threat detection and prevention arsenal is user action monitoring software. Such tools allow you to check any potential incident in its original context and see exactly what happened – whether it was malicious action, inadvertent mistake, or nothing at all.

User action monitoring software is very simple to use. It provides video recording of all user sessions that your security specialists can review in order to see clearly what users have done with your data. Many such solutions also provide access control and incident response capabilities.

Apart from being a great investigative tool, user action monitoring solutions also provide concrete evidence, which can be used in court.

Educate employees

It’s just as important to minimize mistakes and negligence on the part of your employees. The best way to do this is to make sure that your employees are well aware of the dangers your company faces and how you deal with them.

Educate them on why certain security practices are put in place and what the consequences of not following them are. Tell them about phishing and the various ways to deal with it. Arm your employees and make sure that they are an asset to your security, not a liability.

If your employees know that their actions can affect your bottom line, which in turn can jeopardize their income, they will be much more careful when it comes to upholding cyber security regulations and practices.

As a closing word, it’s worth the time to reiterate that insider threats are one of the top cyber security threats and a force to be reckoned with. Every company will face an insider-related breach sooner or later, regardless of whether it is caused by a malicious action or an honest mistake. And it’s much better to put the necessary security measures in place now than to spend millions of dollars later.


About the Author: Marcell Gogan is a specialist within digital security solution business design and development, virtualization and cloud computing R&D projects, establishment and management of software research direction. He also loves writing about data management and cyber security.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.