Globally, 67% of companies experience between 21 and 40 insider-related incidents per year, according to Ponemon Institute’s The Cost of Insider Threats 2022 report. The same report reveals that the frequency and cost of insider attacks have increased significantly over the past two years. Insider threats are among the tougher attacks to predict and prevent, because of the difficulty in identifying insiders. The general understanding of an insider is an employee with potential access to sensitive data. But there’s more to an insider than just being an employee, which makes us reconsider: Who is an insider?

Who is an insider?

Based on the combination of scenarios and various definitions available, an entity can be considered an insider if:

  • They are directly or indirectly associated with the organization.

  • They have regular access to sensitive information belonging to, or controlled by, the organization.

  • They inadvertently expose data due to negligence or lack of security know-how.

Stakeholders who act upon malicious intent to steal data are called insider threat actors. To keep it simple, “users” in the following section refers to not just employees, but all stakeholders, such as partners, who have access to organizational data. Broadly, insiders can be of two types:

Inadvertent insiders: This group involves all users who, due to lack of awareness or negligence of company procedures, end up exposing organizational data. This could be losing USB drives containing official data, or employees not adhering to password security rules.

Insider threat actors: This group includes all the users with monetary or personal incentive for exposing organizational data. For example, this might include disgruntled former employees, current employees who can get better professional opportunities by trading insider data, and partners who can get better deals based on insider data.

Why is it hard to spot insider threats?

Insiders are often trusted entities with specific organizational roles. Until an attack actually happens, there is no visible threat to predict, and this alone makes insider attacks extremely difficult to anticipate. Throw in the inadvertent users who might not know that they’ve exposed organizational data, and the difficulty increases multifold. Negligent employees or contractors were the cause of 56% of insider threats, the Ponemon “Insider Threat 2022” report notes. To identify the source of a threat, IT security specialists have to monitor inadvertent leaks and pin down intentional exploits of security loopholes. It is akin to firefighting while trying to find the source of the fire, which brings us to the most important question.

How do you mitigate insider threats?

To combat tricky insider threats, it is best to organize efforts along the lines of the insider definitions above. By this, I mean creating threat detection and response strategies for as many scenarios as possible. A combination of user activity auditing; protection for data in use, in transit, and at rest; stakeholder awareness campaigns; and adequate security controls for data storage devices are some of the approaches. Several insider threat detection tools are available to kick-start user and data activity monitoring in organizations.

A rough plan to get started on insider threat prevention is provided below. Each detection and prevention control is broken down by insider type, and ideas for tools and processes to help with those suggestions are listed under “Tools and processes” after each control. This is not a security expert’s recommendation, but learnings derived from continuous studies of insider threats.

Detection and prevention control: Enforce awareness programs and establish checks.

  • Inadvertent insiders: Familiarize employees with what constitutes sensitive data exposure.

  • Insider threat actors: Emphasize that conversations involving personal or competitive information are harmful. Monitor unusual logins and file activity of users with access to sensitive data.

  • Collusive insiders (external and internal entities teamed up): Examine and correlate patterns between suspicious file events and logins.

  • Third-party users: Conduct periodic awareness programs and checks to ensure vendors adhere to organizational procedures and rules.

Tools and processes:

  • Inadvertent insiders: Phishing and malware simulations; training programs based on the GDPR, HIPAA, or other mandates; and a BYOD policy.

  • Insider threat actors: Real-time user activity monitoring tools, file modification and access tracking tools, file permissions management, and identity management software for secure logins.

  • Collusive insiders: Active Directory auditing tool, USB auditing tool, and file access monitoring to spot unauthorized file transfers.

  • Third-party users: Partner training programs on sensitive data, data mandates, and the consequences of a breach. Strict regulation of access by granting permissions to data only when required and for a limited period of time.

Detection and prevention control: Implement sound identity and credential security measures.

  • Inadvertent insiders: Ensure all employees follow updated authentication and authorization measures.

  • Insider threat actors: Be selective in providing access and review undue privileges for all users.

  • Collusive insiders: Implement a zero-trust model to treat all users, whether employees or partners, as untrusted entities.

  • Third-party users: Institute partner identity management and identify the key personnel that need data. Review and address role changes and requirements periodically.

Tools and processes:

  • Inadvertent insiders: Periodic emails, alerts for logins from a new source or at an unusual time, and multi-factor authentication (MFA).

  • Insider threat actors: Monitoring the file permissions landscape and revoking permissions not required by user roles.

  • Collusive insiders: Industry standards and guidelines, such as NIST SP 800-207 or Forrester’s ZTX.

  • Third-party users: MFA, a clear-cut process for resource requests, and a vendor screening process that gives higher weight to previous cybersecurity incidents and the controls implemented.

Detection and prevention control: Strengthen infrastructure safety controls.

  • Inadvertent insiders: Ramp up physical locks and authorization in office spaces and physical data stores.

  • Insider threat actors: Since one cannot identify malicious intent, it is better to restrict access to physical servers and office stores.

  • Collusive insiders: Personnel handling devices or networks must not make exceptions, even for their closest peers. Install cameras to monitor entry and exit as one of the physical controls.

  • Third-party users: Validate third-party requirements and follow up with revocation of access after the need has been satisfied.

Tools and processes:

  • Inadvertent insiders: Reward employees who adhere to security protocols.

  • Insider threat actors: Deploy role-based access controls and review personnel handling personal data.

  • Collusive insiders: Set clear accountability for users that have access to sensitive data. Restrict official conversations to on-the-record meetings.

  • Third-party users: Verify third-party requirements and set a process for evaluation and approval of data requests.

Detection and prevention control: Conduct forensic analysis of past events.

  • Inadvertent insiders: Examine past user actions leading up to the incident by maintaining an audit trail.

  • Insider threat actors: Maintain and analyze previous incidents to arrive at a recurring pattern.

  • Collusive insiders: Investigate machines, storage devices, and other official channels used by insiders to leak data, and correlate with the current user setup.

  • Third-party users: Examine vendor relations and past incidents that might be linked to vendors or other business affiliates.

Tools and processes:

  • Inadvertent insiders: Employ AD change monitoring tools that offer the benefit of preserving audit trails.

  • Insider threat actors: Initiate memory analysis, file system forensics, and network forensics to understand how an attack was launched undetected.

  • Collusive insiders: Perform network analysis and examine communication channels to detect unauthorized data transfers and secure them sufficiently.

  • Third-party users: Document all third-party violations and blocklist non-compliant vendors. Use this information to evaluate vendors.

Across the globe, 57% of IT professionals use user and entity behavior analysis (UEBA) to reduce insider threats. UEBA is an updated version of user behavior analysis (UBA) technology that helps spot unusual user activity, immediately alerting IT admins to a potential insider threat. Both technologies are widely used to detect unusual organizational activity and capture attacks early.
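As an added illustration of the “monitor unusual logins and file activity” control in the plan above and the UBA-style anomaly spotting described here (example code written for this page, not ManageEngine’s or any product’s logic), the Python below builds a per-user login baseline, flags logins from an unseen source or at an unusual hour, and raises an alert only when such a login is followed by activity on a sensitive share within a short window. All user names, addresses, paths and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs): a baseline of normal logins, then one day to evaluate.
BASELINE_LOGINS = [
    ("alice", "2024-03-04 09:02", "10.0.0.12"),
    ("alice", "2024-03-05 08:55", "10.0.0.12"),
    ("bob",   "2024-03-04 10:00", "10.0.0.40"),
    ("bob",   "2024-03-05 09:48", "10.0.0.41"),
]
NEW_LOGINS = [
    ("alice", "2024-03-11 02:14", "203.0.113.7"),  # new source, unusual hour
    ("bob",   "2024-03-11 10:05", "10.0.0.41"),    # known source, usual hour
]
FILE_EVENTS = [
    ("alice", "2024-03-11 02:31", "//fs01/finance/payroll.xlsx", "copy_to_usb"),
    ("bob",   "2024-03-11 10:20", "//fs01/public/lunch-menu.txt", "read"),
]
SENSITIVE_SHARES = ("//fs01/finance/", "//fs01/hr/")  # assumed sensitive locations

def build_profile(logins):
    """Per user: the source addresses and login hours seen during the baseline."""
    profile = {}
    for user, ts, src in logins:
        p = profile.setdefault(user, {"sources": set(), "hours": set()})
        p["sources"].add(src)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def login_anomalies(profile, user, ts, src, slack=1):
    """Reasons a login looks unusual: unseen source, or hour outside the usual ones."""
    p = profile.get(user, {"sources": set(), "hours": set()})
    reasons = []
    if src not in p["sources"]:
        reasons.append("new source")
    if not any(abs(datetime.fromisoformat(ts).hour - h) <= slack for h in p["hours"]):
        reasons.append("unusual time")
    return reasons

def correlate(profile, logins, file_events, window=timedelta(hours=2)):
    """Alert only when an unusual login is followed by sensitive-share activity."""
    alerts = []
    for user, login_ts, src in logins:
        reasons = login_anomalies(profile, user, login_ts, src)
        start = datetime.fromisoformat(login_ts)
        for f_user, f_ts, path, action in file_events:
            if (reasons and f_user == user and path.startswith(SENSITIVE_SHARES)
                    and start <= datetime.fromisoformat(f_ts) <= start + window):
                alerts.append({"user": user, "login": login_ts, "source": src,
                               "reasons": reasons, "path": path, "action": action})
    return alerts
```

A user with no baseline at all (a brand-new or unknown account) is treated as anomalous on both counts, which is the conservative choice for a first-pass detection.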

UBA-driven insights to help you spot insider threats in time

ManageEngine ADAudit Plus provides a suite of AD auditing tools with real-time reports and responsive threat alerts. Besides essential AD change monitoring, you can deploy:

  • UBA-driven analytics to instantly capture anomalous user activity

  • Real-time change monitoring to spot questionable AD changes, say in user creation or permissions

  • Logon auditing to investigate multiple failed user logons

  • File monitoring to watch out for file changes

  • Removable storage and file copy auditing to track unauthorized file transfers

  • Remote logon monitoring to examine unusual remote logins from privileged users’ accounts

Try all these features and leverage out-of-the-box reports to ensure compliance with the GDPR, HIPAA, and other mandates using our fully functional free 30-day trial.

Anandhi N

Well-written article on how to identify insider threats and resolve them. Kudos to Deepshika Kailash.