Security professionals and managers are increasingly concerned that the leading information security risk to organizations comes from within. But despite the sinister overtones of this problem, insider threats are associated more with accidents and oversights than malicious actors.

The danger is amplified by shortfalls in training and expertise, and the challenge of protecting against threats that arise from within the basic security perimeter of the organization itself. Further complicating matters is the fact that the greatest risk comes from administrator accounts and privileged users.

A Fine Line

A crowd-based survey of 300,000 members of the LinkedIn Information Security Community, conducted by Haystax Technology, revealed growing concern about insider threats. Nearly three-quarters (74 percent) of the respondents said they felt exposed to insider threats, while 56 percent reported that insider attacks had increased in the last 12 months. Meanwhile, almost half (49 percent) were uncertain whether their own organizations had experienced such an attack.

While much of the survey explored deliberate threats and attacks, survey respondents were more concerned about accidental breaches or data leaks (71 percent) and negligent breaches (69 percent) than malicious breaches (61 percent).

The rise of social engineering threats such as phishing has surely heightened concern that insiders might be tricked into exposing data. But the line between pure mishap and negligence can be tricky to draw. Similarly, a malicious outsider might target specific data, then exploit an employee’s carelessness to gain access to it.

Targeting the Basics

For malicious insiders, the primary motive is the oldest and most familiar of all: money. CIO Insight noted that 55 percent of insider attacks sought to monetize sensitive data. Committing fraud accounted for 51 percent, with sabotage, theft of intellectual property (IP) and espionage all in the 40-percent range.

The leading specific target of insider attacks is customer data, followed by financial data and IP. Credit card account numbers are catnip for bad actors.

The leading specific point of vulnerability also has a familiar ring: Endpoints are implicated in 57 percent of attacks, far ahead of mobile devices (36 percent), networks (35 percent) and the cloud (20 percent). This may reflect the basic reality that internal endpoints are unavoidable since old-fashioned desktop endpoints still sit on practically everyone’s desk.

Identifying Insider Threats

The group most implicated is administrators and other privileged users, who were identified by 60 percent of survey respondents. These are the users in the best position to carry out a malicious breach, and whose mistakes or negligence could have the most severe effects.

They are closely followed by contractors, consultants and temporary workers (57 percent), who may be less loyal to the organization or insufficiently trained in its systems. Employees and privileged business users account for 51 and 49 percent, respectively, while executive managers trail far behind at 31 percent.

In short, insider threats take familiar forms, but the effects are amplified because they come from within and thus don’t have to kick down the door to the organization’s network. That said, survey respondents identified insufficient data protection strategies or solutions as the leading reason why insider threats are growing. The best protection against risks from within, as well as against all threats, is a strong institutional focus on security basics.
