It is always terrible to be the victim of theft, but it’s even worse when the perpetrators were people you trusted. Not only do you have to admit you were deceived about who they truly are, but generally their closeness to you means they had access to the things you valued most. They knew what was most important to you, knew where to find it and ended up causing maximum damage. Talk about an insider threat.

For businesses, trusting the wrong person can have devastating consequences. In its newly released report, the “IBM 2016 Cyber Security Intelligence Index,” IBM X-Force revealed just how pervasive the insider threat is in organizations.

Insiders carried out 60 percent of all attacks in 2015. In almost three-fourths of these cases, the insiders had malicious intent and were knowingly stealing valuable information from the organization. Others served as inadvertent actors that put their organization at risk through bad security habits or by falling prey to outside schemes such as phishing attempts.


How Can Organizations Spot the Insider Threat?

The hard truth is that you can never reduce your risk of an insider threat to zero. Philosophically, if you give anyone access to your systems, there is a chance you will suffer a loss — and it’s hard to conduct business without people.

However, some organizations do end up more at risk than others because they don’t have the right systems in place to protect their information and secure the identities of their trusted users. But what are the warning signs that your organization might be at risk? How do you spot them?

The following user behaviors and organizational patterns could be indicators that your organization is particularly at risk.

The Presence of Orphaned Accounts

Many organizations don’t adequately deprovision users when they move from one role to another or, even worse, when they leave altogether. This is obviously a huge issue; most disgruntled employees end up leaving, whether voluntarily or not, and a failure to deprovision gives them the means and the motive to steal data.

Unfortunately, eliminating orphaned accounts is much easier said than done. With so many systems, identity stores and applications managed in silos, accounts can easily fall between the cracks. In some cases, especially for privileged users such as administrators, login credentials are shared. What happens when one of the admins leaves or changes roles? Is the shared account updated with a new password? Or maybe deprovisioning doesn’t happen because users have accounts IT doesn’t even know about — also known as shadow IT.
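One way to surface the accounts this section describes (owners who have left, owners who changed roles but kept old entitlements, and shared credentials with no single owner) is to reconcile the HR roster against account exports from each siloed system. This is an added example, not code from the article or from IBM; the roster, exports and role names are constructed sample data, and in practice they would come from HR and each system's administrative API.

```python
# Added example (not from the article or IBM): reconcile an HR roster against
# account exports from siloed systems. All data below is constructed sample data.
from collections import defaultdict

# Constructed HR roster: employee id -> (status, current role)
HR_ROSTER = {
    "e100": ("active", "finance"),
    "e101": ("terminated", "engineering"),
    "e102": ("active", "sales"),        # moved from engineering last quarter
    "e103": ("active", "engineering"),
}

# Constructed account exports from three siloed systems:
# (system, account name, owner employee id or None for shared accounts, role granted)
ACCOUNT_EXPORTS = [
    ("ldap",   "jdoe",      "e100", "finance"),
    ("ldap",   "asmith",    "e101", "engineering"),   # owner has left
    ("github", "asmith-gh", "e101", "engineering"),   # same leaver, second silo
    ("github", "bwong",     "e102", "engineering"),   # owner changed role, access kept
    ("erp",    "erp-admin", None,   "admin"),         # shared privileged credential
    ("erp",    "cpark",     "e103", "engineering"),
]

def find_risky_accounts(roster, exports):
    """Return a dict of finding type -> list of (system, account) tuples."""
    findings = defaultdict(list)
    for system, account, owner, role in exports:
        if owner is None:                      # nobody is accountable for it
            findings["shared"].append((system, account))
            continue
        if owner not in roster:                # account IT cannot map to a person
            findings["unknown_owner"].append((system, account))
            continue
        status, current_role = roster[owner]
        if status != "active":                 # owner left, account never deprovisioned
            findings["orphaned"].append((system, account))
        elif role != current_role:             # owner moved roles, old access kept
            findings["role_mismatch"].append((system, account))
    return dict(findings)

def leavers_with_access(roster, exports):
    """Employees no longer active who still hold an account in any silo."""
    return sorted({o for _, _, o, _ in exports
                   if o in roster and roster[o][0] != "active"})
```

Because the exports are keyed by employee id rather than by system-local username, the same leaver is caught in every silo, which is the gap the text describes.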

Lines of Business Engaging in Shadow IT

Shadow IT happens when someone in a line of business pulls out a credit card and signs up for an app without going through the IT department. If you don’t know an app exists, you can’t make sure the right people have access to it or that appropriate access controls are put in place to protect the information stored there. You also can’t guarantee that the disgruntled employee you just fired had access revoked.

Shadow IT is hard to spot because you don’t know what you don’t know. However, if things are tense with the lines of business you support, chances are good they are resorting to shadow IT. When the IT department is forced to say no to line-of-business requests for easier access, well-meaning employees, who just want to get their work done, find their own solutions. It may not be malicious, but it is risky behavior that can be difficult to stop.

It’s important to note that the presence of shadow IT can be an indicator of other serious issues, not just an insider threat. Consider whether there’s a failure of IT operations management and whether its existence can be tied to IT governance gaps that need to be addressed.

Weak or Inappropriate Authentication

Some insiders don’t mean to put you at risk and are genuinely good people who would never steal. But what happens when their credentials get stolen? Accounts protected only with usernames and passwords — without step-up or multifactor authentication (MFA) — are the most obvious form of this problem, but an inappropriate level of strong authentication creates risk as well.

If an employee has to jump through a million hoops to sign up for the company softball team from a personal tablet but can easily access private personnel information, your company is at risk — not to mention that your users become annoyed enough to justify behaviors like shadow IT. Any illogical rule can also be taken as justification that it’s OK to bypass security measures, which leads to rogue access.

Unfortunately, having consistent access controls that are appropriately tuned to the sensitivity of the information they are protecting can be a challenge, especially when many systems and apps are managed in silos.

Minimizing Your Risks

If any of the risks above are present in your organization, what are your next steps? While it could be tempting to look for point solutions that check off each of these boxes, they likely won’t be effective for long if your identity and access management (IAM) program as a whole is incomplete or poorly integrated. Your organization continues to evolve, and point solutions don’t automatically mature to support your changing landscape.

Additionally, these risk factors could point to serious underlying issues with your IAM system as a whole, or even more broadly to other IT systems. For that reason, the best way to solve these issues for the long term is to take a two-pronged approach. First, take a step back and design an IAM program that has the right level of integration and automation to support your business goals. Then you can find solutions that fit within your security framework, making it easy to roll out a specific insider threat program to protect your crown jewel data and govern your privileged users.

For now, take a look at your organization and talk to your lines of business. Are you seeing any of the risk factors for an insider threat?

