Insider breaches — those caused by employees and leaders within an organization — are among the costliest and hardest to detect of all data breaches. Two-thirds of total data records compromised in 2017 were the result of inadvertent insiders, according to the “2018 IBM X-Force Threat Intelligence Index,” and insider threats are the cause of 60 percent of cyberattacks. Meanwhile, misconfigured cloud servers and networked backup incidents caused by employee negligence collectively exposed over 2 billion records last year.

While organizations focus significant resources on the mitigation of external threat actors, insider risks are likely to pose an even greater financial threat to the enterprise. According to the Ponemon Institute’s “2018 Cost of Insider Threats” report, the average cost of insider-caused incidents was $8.76 million in 2017 — more than twice the $3.86 million global average cost of all breaches during the same year.

Traditional approaches to managing insider threats have focused extensively on the use of awareness training and access governance to reduce risks. While these activities are critically important, they’re likely not enough to mitigate all types of employee risk. Humans are enormously variable, and failing to account for all types of insiders could result in costly security incidents.

Read the Report: SIEM and UEBA, Better Together

The Five Types of Insider Threats

The inadvertent insider, the most common form of insider threat, is responsible for 64 percent of total incidents, according to Ponemon, while criminal behavior comprises 23 percent of incidents. Human risks are more complex than simple negligence and malicious intent, however.

Inadvertent insiders include both employees who don’t respond to training and those who create error through mistakes such as misconfigured cloud networks. Within the criminal category, there are instances of collusion, long-term malicious behavior and sabotage. A thorough understanding of the following five distinct categories of insider risk is essential for security teams to develop comprehensive safeguards.

1. Nonresponders

A small but significant percentage of the employee population is made up of nonresponders to awareness training exercises. While these users may not intend to behave negligently, they’re among the riskiest members of the population since their behaviors can fit consistent patterns. In 2017, Verizon found that an average 4.2 percent of people targeted in any given phishing campaign will click the malicious link. Individuals with a strong history of falling prey to phishing campaigns are most likely to be phished again.

While employees who consistently behave in insecure ways are generally a minority of the populace, the total impact of employee mistakes is staggering. Ponemon research found that 63 percent of incidents recorded last year were caused by all categories of negligence.

2. Inadvertent Insiders

Simple negligence is the most common form of insider threat, and also the single most expensive category of employee risk. Insider threats who fit this category might generally exhibit secure behavior and comply with policy, but cause breaches due to isolated errors. Basic misjudgment — such as storing intellectual property on insecure personal devices or falling for phishing schemes — caused two-thirds of breached records in 2017, according to the X-Force report.

Threat actors are increasingly savvy to the vulnerabilities caused by inadvertent insiders. X-Force analysis of the most common criminal tactics used to exploit employee error in the last year revealed several patterns:

  • Thirty-eight percent of external actors attempted to trick users into clicking a malicious link or attachment.
  • Thirty-five percent of external risks were attempts at man-in-the-middle (MitM) attacks.
  • Twenty-seven percent of external threats attempted to exploit misconfigured servers.

3. Insider Collusion

Insider collaboration with malicious external threat actors is likely the rarest form of criminal insider risk, but it’s still a significant threat due to the increased frequency of attempts by professional cybercriminals to recruit employees via the dark web.

One study by Community Emergency Response Team (CERT) placed the frequency of collusion, including insider-insider collusion, at 48.32 percent of all insider-caused incidents. Insider-outsider collusion, meanwhile, comprised 16.75 percent. These incidents took several forms:

  • About 37 percent of incidents involved fraud.
  • About 24 percent of incidents involved intellectual property theft.
  • About 6 percent of incidents involved combined fraud and theft.

According to the same source, insider-caused incidents, which include collusion, are among the costliest categories of a breach and may take four times longer to detect than incidents caused by insiders who fly solo.

4. Persistent Malicious Insiders

Most commonly, criminal insiders exfiltrate data or commit other malicious acts with the goal of financial rewards or other personal gain. A Gartner study on criminal insider threats found that 62 percent of insiders with malicious intent are categorized as “second streamers,” or people seeking a supplemental income. Seniority had little correlation with this category of behavior. Just 14 percent of persistently malicious insiders were in a leadership role and approximately one-third had sensitive data access.

So-called “second streamers” may exhibit sophistication in remaining undetected to maximize the personal benefits of data theft. This group of individuals may exfiltrate data slowly to personal accounts to avoid detection, instead of completing large data exports which could raise flags in traditional network monitoring tools.

5. Disgruntled Employees

As a final category of criminal insiders, disgruntled employees who commit deliberate sabotage or intellectual property theft are also among the costliest risks to an organization. The Gartner analysis of criminal insiders found 29 percent of employees stole information after quitting or being fired for future gains, while 9 percent were motivated by simple sabotage.

Disgruntled employees can fit many behavioral sub-patterns. Some frustrated employees may start digging for information access without specific goals. Other employees may have very specific data intent from the moment they give two weeks notice, and set out to sell trade secrets to competitors.

Detecting and Responding to Patterns of Risk in Human Behavior

Human endpoints are likely among the greatest security risks in the enterprise, but insider threats are variable. There’s no single approach which can mitigate all categories of employee risk. Awareness training doesn’t account for individuals who are non-responders to education or searching for a second income stream.

There’s no complete patch for human endpoints. Increased awareness of human threats and tools for behavioral analytics are likely the best way to safeguard against the significant range of insider threats within the enterprise.

Start With Data Protection

The most valuable data and systems in the enterprise are the most vulnerable to any category of insider threat, including risks created by both negligence and criminal intent. To create transparency, organizations should discover and classify at-risk assets. Ongoing monitoring and cognitive analytics can safeguard intellectual property and sensitive data records against all categories of cybersecurity threat.

Adopt Behavioral Analytics

While each employee on a network behaves in deeply individual ways, changes in an individual’s patterns can predict risk. Artificial intelligence and behavioral analytics are exceptional tools for detecting risks in subtle patterns of workplace habits and information consumption. User behavioral analytics can mitigate all categories of insider threat with deep analytics to predict risk propensity.

Assign Risk Scores

Cognitive applications for behavioral analytics can assign risk scores to proactively identify potential insider risks before a breach has occurred. When employees are at heightened risk for error or criminal behavior is identified, organizations can respond with mitigating controls, heightened access management or, in extreme cases, account quarantine to prevent data loss.

Reduce Vulnerabilities

One of the greatest safeguards against both insider and external actor threats is strong security hygiene to address basic vulnerabilities in enterprise security. Maintaining continual compliance can facilitate transparency and data protection around critical assets. Patching and network monitoring can reveal compromised systems or employee threats from the moment they occur, not months after the incident.

Mitigating Internal Threats

While ransomware, cryptojacking and other external threats are among the most widely-discussed enterprise security risks, insiders are the cause of the statistical majority of data breaches. Negligence, criminal insiders and stolen credentials were linked to the majority of lost records last year. X-Force research reports a 5 percent year-over-year increase in the frequency of insider threats.

Understanding the enormous variation in human behavior is important in creating adequate safeguards against insider risks. With tools for compliance, data protection and user behavioral analytics, it’s possible to proactively protect against both inadvertent error and criminal intent within the network.

Read the Report: SIEM and UEBA, Better Together

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today