Insider breaches — those caused by employees and leaders within an organization — are among the costliest and hardest to detect of all data breaches. Two-thirds of total data records compromised in 2017 were the result of inadvertent insiders, according to the “2018 IBM X-Force Threat Intelligence Index,” and insider threats are the cause of 60 percent of cyberattacks. Meanwhile, misconfigured cloud servers and networked backup incidents caused by employee negligence collectively exposed over 2 billion records last year.

While organizations focus significant resources on the mitigation of external threat actors, insider risks are likely to pose an even greater financial threat to the enterprise. According to the Ponemon Institute’s “2018 Cost of Insider Threats” report, the average cost of insider-caused incidents was $8.76 million in 2017 — more than twice the $3.86 million global average cost of all breaches during the same year.

Traditional approaches to managing insider threats have focused extensively on the use of awareness training and access governance to reduce risks. While these activities are critically important, they’re likely not enough to mitigate all types of employee risk. Humans are enormously variable, and failing to account for all types of insiders could result in costly security incidents.


The Five Types of Insider Threats

The inadvertent insider, the most common form of insider threat, is responsible for 64 percent of total incidents, according to Ponemon, while criminal behavior comprises 23 percent of incidents. Human risks are more complex than simple negligence and malicious intent, however.

Inadvertent insiders include both employees who don’t respond to training and those who create error through mistakes such as misconfigured cloud networks. Within the criminal category, there are instances of collusion, long-term malicious behavior and sabotage. A thorough understanding of the following five distinct categories of insider risk is essential for security teams to develop comprehensive safeguards.

1. Nonresponders

A small but significant percentage of the employee population is made up of nonresponders to awareness training exercises. While these users may not intend to behave negligently, they’re among the riskiest members of the population since their behaviors can fit consistent patterns. In 2017, Verizon found that an average of 4.2 percent of people targeted in any given phishing campaign will click the malicious link. Individuals with a strong history of falling prey to phishing campaigns are the most likely to be phished again.

While employees who consistently behave in insecure ways are generally a minority of the populace, the total impact of employee mistakes is staggering. Ponemon research found that 63 percent of incidents recorded last year were caused by all categories of negligence.

2. Inadvertent Insiders

Simple negligence is the most common form of insider threat, and also the single most expensive category of employee risk. Insider threats who fit this category might generally exhibit secure behavior and comply with policy, but cause breaches due to isolated errors. Basic misjudgment — such as storing intellectual property on insecure personal devices or falling for phishing schemes — caused two-thirds of breached records in 2017, according to the X-Force report.

Threat actors are increasingly savvy to the vulnerabilities caused by inadvertent insiders. X-Force analysis of the most common criminal tactics used to exploit employee error in the last year revealed several patterns:

  • Thirty-eight percent of external actors attempted to trick users into clicking a malicious link or attachment.
  • Thirty-five percent of external risks were attempts at man-in-the-middle (MitM) attacks.
  • Twenty-seven percent of external threats attempted to exploit misconfigured servers.

3. Insider Collusion

Insider collaboration with malicious external threat actors is likely the rarest form of criminal insider risk, but it’s still a significant threat due to the increased frequency of attempts by professional cybercriminals to recruit employees via the dark web.

One study by Community Emergency Response Team (CERT) placed the frequency of collusion, including insider-insider collusion, at 48.32 percent of all insider-caused incidents. Insider-outsider collusion, meanwhile, comprised 16.75 percent. These incidents took several forms:

  • About 37 percent of incidents involved fraud.
  • About 24 percent of incidents involved intellectual property theft.
  • About 6 percent of incidents involved combined fraud and theft.

According to the same source, insider-caused incidents, which include collusion, are among the costliest categories of a breach and may take four times longer to detect than incidents caused by insiders who fly solo.

4. Persistent Malicious Insiders

Most commonly, criminal insiders exfiltrate data or commit other malicious acts with the goal of financial rewards or other personal gain. A Gartner study on criminal insider threats found that 62 percent of insiders with malicious intent are categorized as “second streamers,” or people seeking a supplemental income. Seniority had little correlation with this category of behavior. Just 14 percent of persistently malicious insiders were in a leadership role and approximately one-third had sensitive data access.

So-called “second streamers” may exhibit sophistication in remaining undetected to maximize the personal benefits of data theft. This group of individuals may exfiltrate data slowly to personal accounts to avoid detection, instead of completing large data exports which could raise flags in traditional network monitoring tools.

5. Disgruntled Employees

As a final category of criminal insiders, disgruntled employees who commit deliberate sabotage or intellectual property theft are also among the costliest risks to an organization. The Gartner analysis of criminal insiders found that 29 percent of employees stole information after quitting or being fired, for future gain, while 9 percent were motivated by simple sabotage.

Disgruntled employees can fit many behavioral sub-patterns. Some frustrated employees may start digging for information access without specific goals. Other employees may have very specific data intent from the moment they give two weeks’ notice, and set out to sell trade secrets to competitors.

Detecting and Responding to Patterns of Risk in Human Behavior

Human endpoints are likely among the greatest security risks in the enterprise, but insider threats are variable. There’s no single approach that can mitigate all categories of employee risk. Awareness training doesn’t account for individuals who are nonresponders to education or who are searching for a second income stream.

There’s no complete patch for human endpoints. Increased awareness of human threats and tools for behavioral analytics are likely the best way to safeguard against the significant range of insider threats within the enterprise.

Start With Data Protection

The most valuable data and systems in the enterprise are the most vulnerable to any category of insider threat, including risks created by both negligence and criminal intent. To create transparency, organizations should discover and classify at-risk assets. Ongoing monitoring and cognitive analytics can safeguard intellectual property and sensitive data records against all categories of cybersecurity threat.

Adopt Behavioral Analytics

While each employee on a network behaves in deeply individual ways, changes in an individual’s patterns can predict risk. Artificial intelligence and behavioral analytics are exceptional tools for detecting risks in subtle patterns of workplace habits and information consumption. User behavioral analytics can mitigate all categories of insider threat with deep analytics to predict risk propensity.

Assign Risk Scores

Cognitive applications for behavioral analytics can assign risk scores to proactively identify potential insider risks before a breach has occurred. When an employee is identified as being at heightened risk of error or criminal behavior, organizations can respond with mitigating controls, heightened access management or, in extreme cases, account quarantine to prevent data loss.
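As an added illustration (not code from the original article or from any IBM product), the routine below scores each user against their own baseline over constructed user-day telemetry: it flags the slow, sub-threshold exfiltration to personal accounts described under persistent malicious insiders, counts repeated phishing-simulation clicks by nonresponders, and maps the resulting score to a response tier. The sample users, thresholds and weights are assumptions chosen for the demonstration.

```python
from statistics import median

# Constructed sample telemetry (not real data). One record per user-day: bytes sent
# to personal cloud/webmail accounts and whether a phishing-simulation link was clicked.
EVENTS = (
    # alice: stable low-volume baseline, never clicks
    [{"user": "alice", "day": d, "bytes_out": 2_000_000, "phish_click": False}
     for d in range(30)]
    # bob: "second streamer" pattern, tripling daily volume after day 15 while
    # every single day stays far below a traditional volume alarm
    + [{"user": "bob", "day": d, "bytes_out": 3_000_000 if d < 15 else 9_000_000,
        "phish_click": False} for d in range(30)]
    # carol: nonresponder, keeps clicking simulations despite training
    + [{"user": "carol", "day": d, "bytes_out": 1_000_000, "phish_click": d % 7 == 0}
       for d in range(30)]
)

SINGLE_DAY_ALERT = 50_000_000   # bytes/day a traditional network monitor alarms on (assumed)
CUMULATIVE_LIMIT = 100_000_000  # 30-day aggregate to personal accounts worth acting on (assumed)
BASELINE_DAYS = 15              # first half of the window defines the user's own norm

def user_risk(events, user):
    """Score one user from their own baseline: drift, slow aggregate exfil, phish clicks."""
    rows = sorted((e for e in events if e["user"] == user), key=lambda e: e["day"])
    base = [e["bytes_out"] for e in rows if e["day"] < BASELINE_DAYS]
    recent = [e["bytes_out"] for e in rows if e["day"] >= BASELINE_DAYS]
    flags, score = [], 0
    # 1. drift: compare recent behaviour with this individual's baseline, not a global threshold
    if base and recent and median(recent) >= 2 * median(base):
        score += 40; flags.append("drift")
    # 2. aggregate volume: catches slow exfiltration even when no day trips the old alarm
    total = sum(e["bytes_out"] for e in rows)
    if total >= CUMULATIVE_LIMIT:
        score += 40
        flags.append("slow_exfil" if max(e["bytes_out"] for e in rows) < SINGLE_DAY_ALERT
                     else "bulk_export")
    # 3. nonresponder: repeated clicks on phishing simulations
    clicks = sum(e["phish_click"] for e in rows)
    score += min(45, 15 * clicks)
    if clicks >= 3:
        flags.append("nonresponder")
    score = min(100, score)
    tier = "quarantine" if score >= 80 else "restrict" if score >= 40 else "monitor"
    return {"score": score, "tier": tier, "flags": flags}

def triage(events):
    """Risk-rank every user seen in the telemetry; tiers map to the response levels above."""
    return {u: user_risk(events, u) for u in sorted({e["user"] for e in events})}

if __name__ == "__main__":
    for user, r in triage(EVENTS).items():
        print(f"{user:6} score={r['score']:3} tier={r['tier']:10} flags={r['flags']}")
```

In the sample, bob never exceeds the single-day alarm yet reaches the quarantine tier on drift plus aggregate volume, which is exactly the case a volume-only monitor misses.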

Reduce Vulnerabilities

One of the greatest safeguards against both insider and external actor threats is strong security hygiene to address basic vulnerabilities in enterprise security. Maintaining continual compliance can facilitate transparency and data protection around critical assets. Patching and network monitoring can reveal compromised systems or employee threats from the moment they occur, not months after the incident.

Mitigating Internal Threats

While ransomware, cryptojacking and other external threats are among the most widely discussed enterprise security risks, insiders are the cause of the statistical majority of data breaches. Negligence, criminal insiders and stolen credentials were linked to the majority of lost records last year. X-Force research reports a 5 percent year-over-year increase in the frequency of insider threats.

Understanding the enormous variation in human behavior is important in creating adequate safeguards against insider risks. With tools for compliance, data protection and user behavioral analytics, it’s possible to proactively protect against both inadvertent error and criminal intent within the network.
