July 12, 2016 By Laurène Hummer

It is always terrible to be the victim of theft, but it’s even worse when the perpetrators were people you trusted. Not only do you have to admit you were deceived about who they truly are, but generally their closeness to you means they had access to the things you valued most. They knew what was most important to you, knew where to find it and ended up causing maximum damage. Talk about an insider threat.

For businesses, trusting the wrong person can have devastating consequences. In its newly released report, the “IBM 2016 Cyber Security Intelligence Index,” IBM X-Force revealed just how pervasive the insider threat is in organizations.

Insiders carried out 60 percent of all attacks in 2015. In almost three-fourths of these cases, the insiders had malicious intent and were knowingly stealing valuable information from the organization. Others served as inadvertent actors that put their organization at risk through bad security habits or by falling prey to outside schemes such as phishing attempts.


How Can Organizations Spot the Insider Threat?

The hard truth is that you can never reduce your risk of an insider threat to zero. Philosophically, if you give anyone access to your systems, there is a chance you will suffer a loss — and it’s hard to conduct business without people.

However, some organizations do end up more at risk than others because they don’t have the right systems in place to protect their information and secure the identities of their trusted users. But what are the warning signs that your organization might be at risk? How do you spot them?

The following user behaviors and organizational patterns could be indicators that your organization is particularly at risk.

The Presence of Orphaned Accounts

Many organizations don’t adequately deprovision users when they move from one role to another or, even worse, when they leave altogether. This is obviously a huge issue; most disgruntled employees end up leaving, whether voluntarily or not, and a failure to deprovision gives them the means and the motive to steal data.

Unfortunately, eliminating orphaned accounts is much easier said than done. With so many systems, identity stores and applications managed in silos, accounts can easily fall between the cracks. In some cases, especially for privileged users such as administrators, login credentials are shared. What happens when one of the admins leaves or changes roles? Is the shared account updated with a new password? Or maybe deprovisioning doesn’t happen because users have accounts IT doesn’t even know about — also known as shadow IT.
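One way to make the reconciliation described above concrete, as an added example that is not from the article or IBM: compare an HR roster against an export of application accounts and a list of shared admin credentials, flagging accounts whose owner has left, accounts that still carry a previous role, accounts with no known owner, and shared credentials that were not rotated after a holder's departure. The data, field names and systems are constructed for illustration.

```python
from datetime import date

# Constructed sample data: an HR roster keyed by user id. "changed" is the date
# of the last status or role change recorded by HR.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance", "changed": date(2016, 1, 4)},
    "bob":   {"status": "terminated", "role": "engineering", "changed": date(2016, 5, 31)},
    "carol": {"status": "active", "role": "sales", "changed": date(2016, 6, 1)},  # moved from support
}

# Constructed export of per-system accounts, as an IAM team might pull from each silo.
ACCOUNTS = [
    {"user": "alice", "system": "erp", "role": "finance"},
    {"user": "bob", "system": "git", "role": "engineering"},       # owner has left
    {"user": "carol", "system": "helpdesk", "role": "support"},    # role never updated
    {"user": "dave", "system": "crm", "role": "sales"},            # nobody in HR owns this
]

# Constructed shared privileged credentials and the people who know them.
SHARED_ADMIN = [
    {"account": "root-db", "holders": ["alice", "bob"], "password_changed": date(2016, 3, 1)},
]


def find_orphans(roster, accounts, shared):
    """Return (finding, subject, where) tuples for deprovisioning gaps."""
    findings = []
    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None:
            # Account with no HR record: unknown owner, possibly shadow IT or an old leaver.
            findings.append(("unknown-owner", acct["user"], acct["system"]))
        elif person["status"] != "active":
            findings.append(("terminated-still-active", acct["user"], acct["system"]))
        elif person["role"] != acct["role"]:
            # Role changed in HR but the system still grants the old role's access.
            findings.append(("stale-role", acct["user"], acct["system"]))
    for cred in shared:
        for holder in cred["holders"]:
            person = roster.get(holder)
            if person and person["status"] != "active" \
                    and cred["password_changed"] < person["changed"]:
                # A leaver still knows a shared password that was never rotated.
                findings.append(("shared-credential-not-rotated", cred["account"], holder))
    return findings


if __name__ == "__main__":
    for finding in find_orphans(HR_ROSTER, ACCOUNTS, SHARED_ADMIN):
        print(*finding)
```

Each finding maps to a remediation action: disable the account, re-run role provisioning, assign an owner, or rotate the shared secret.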

Lines of Business Engaging in Shadow IT

Shadow IT happens when someone in a line of business pulls out a credit card and signs up for an app without going through the IT department. If you don’t know an app exists, you can’t make sure the right people have access to it or that appropriate access controls are put in place to protect the information stored there. You also can’t guarantee that the disgruntled employee you just fired had access revoked.

Shadow IT is hard to spot because you don’t know what you don’t know. However, if things are tense with the lines of business you support, chances are good they are resorting to shadow IT. When the IT department is forced to say no to line-of-business requests for easier access, well-meaning employees, who just want to get their work done, find their own solutions. It may not be malicious, but it is risky behavior that can be difficult to stop.

It’s important to note that the presence of shadow IT can be an indicator of other serious issues, not just an insider threat. Consider whether there’s a failure of IT operations management and whether its existence can be tied to IT governance gaps that need to be addressed.

Weak or Inappropriate Authentication

Some insiders don’t mean to put you at risk and are genuinely good people who would never steal. But what happens when their credentials get stolen? While accounts that are protected only with usernames and passwords — without step-up or multifactor authentication (MFA) — are the worst representation of this issue, an inappropriate level of strong authentication can cause risks as well.

If an employee has to jump through a million hoops to sign up for the company softball team from a personal tablet but can easily access private personnel information, your company is at risk — not to mention your users get annoyed enough to justify behaviors like shadow IT. Any illogical rules can also be taken as justification that it’s OK to bypass security measures, which leads to rogue access.

Unfortunately, having consistent access controls that are appropriately tuned to the sensitivity of the information they are protecting can be a challenge, especially when many systems and apps are managed in silos.

Minimizing Your Risks

If any of the risks above are present in your organization, what are your next steps? While it could be tempting to look for point solutions that check off each of these boxes, they likely won’t be effective for long if your identity and access management (IAM) program as a whole is incomplete or poorly integrated. Your organization continues to evolve, and point solutions don’t automatically mature to support your changing landscape.

Additionally, these risk factors could point to serious underlying issues with your IAM system as a whole, or even more broadly to other IT systems. For that reason, the best way to solve these issues for the long term is to take a two-pronged approach. First, take a step back and design an IAM program that has the right level of integration and automation to support your business goals. Then you can find solutions that fit within your security framework, making it easy to roll out a specific insider threat program to protect your crown jewel data and govern your privileged users.

For now, take a look at your organization and talk to your lines of business. Are you seeing any of the risk factors for an insider threat?
