
Insider Threats: What to Look For and How to Respond

September 22, 2020

Whether intentional or by misuse, insiders were responsible for almost half of all data breaches last year, according to a survey by Forrester Research. Of those surveyed, 46% suffered incidents involving employees or third-party business partners.

As part of National Insider Threat Awareness Month, we have defined malicious vs. negligent insiders, and the difference between an insider threat and a whistleblower. In all cases, the differentiating factor is intent. While intent helps to delineate the types of insider threats, the outcomes of any of them can be devastating.

A joint study by Accenture and the Ponemon Institute shows a steady rise in the cost of insider threats, now at $1,621,075 per incident, with some organizations' annual costs topping $8.76 million, according to a 2018 study by the Ponemon Institute.

Risk factors from insider threats

Why are insider threats rising? One reason is frequent job-hopping. The days when employees spent their entire careers at one company are over. A lack of loyalty to employers and higher churn rates increase the risk of intellectual property and confidential information theft. A sizable majority of all office workers will take data with them when they switch jobs. In addition to the higher likelihood of data exfiltration, the actual theft of data has also become much easier. Due to COVID-19, today’s employees work remotely from home and can access company data wherever they happen to be.

The spike in remote working due to COVID-19, intended to keep employees safe and maintain productivity, turned out to be a cybersecurity threat. Besides the risk of infecting the company network with malware, the use of personal devices for business makes copying company data easy. When an employee decides to quit, copies of company data often stay on external drives and personal devices, which means data loss frequently happens unintentionally and without any detectable exfiltration event.

The Michael Mitchell case provides an excellent example. The former DuPont engineer kept numerous DuPont computer files containing sensitive and proprietary information on his home computer during his tenure with the company. After his termination, these files remained on his home computer without being detected. As Mitchell entered into consulting agreements with a Korean competitor, he supplied them with the data, resulting in millions of dollars in losses to DuPont. Many cases, including the Mitchell case, could have been prevented or at least limited with faster detection and response times and up-to-date company policies.

How to respond to insider threats

The first step of an appropriate response to an insider threat is to raise awareness of the problem. While some cases become Hollywood blockbuster movies, such as Breach, based on Robert P. Hanssen, insider threats occur everywhere. The responsibilities for detection, intervention and prevention of insider threats are often shared among the information security, legal and human resources (HR) departments. A clear definition of action items and accountabilities is crucial to the implementation of an effective insider threat program.

An important question to answer is “if an insider wanted to harm your company, what would be targeted and what damage could be done?” Define the critical assets that must be protected, as well as your organization’s tolerance for loss or damage if they are leaked.

Then, in order to prevent such a threat, ask yourself what kind of behavioral precursors could be detected and stopped across company departments before critical assets are stolen or damaged.

What behaviors should you look for?

Examples of precursors include:

  • misuse of computing resources, such as a high volume of downloads or printouts
  • HR reports of hostile workplace behaviors
  • information about ongoing legal investigations against employees

Most importantly, be sure you are able to connect the dots by correlating precursors from different departments to gain insights into trends regarding the highest risks to your organization.
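One way to implement the "connect the dots" step, as an added example that is not from the original post or from Vectra's product: three constructed feeds (a download log, HR reports, legal cases) are correlated per employee, and an employee is flagged only when precursors from at least two different departments fall inside a 30-day window. The employee ids, dates, byte counts and the 1 GB/day threshold are assumed placeholders.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample feeds (not real data), each owned by a different department.
DOWNLOAD_LOG = [  # (employee, day, bytes downloaded) from the security team
    ("e101", date(2020, 9, 1), 120_000_000),
    ("e101", date(2020, 9, 2), 9_800_000_000),
    ("e102", date(2020, 9, 2), 80_000_000),
    ("e103", date(2020, 9, 3), 500_000_000),
]
HR_REPORTS = [  # (employee, day, note) from HR
    ("e101", date(2020, 9, 3), "hostile workplace behavior report"),
    ("e103", date(2020, 8, 1), "hostile workplace behavior report"),
]
LEGAL_CASES = [  # (employee, day, note) from legal
    ("e103", date(2020, 9, 2), "ongoing investigation"),
]

DOWNLOAD_THRESHOLD = 1_000_000_000   # assumed baseline: 1 GB in one day is "high volume"
WINDOW = timedelta(days=30)          # assumed correlation window


def collect_precursors(downloads, hr, legal, threshold=DOWNLOAD_THRESHOLD):
    """Normalise all three feeds into {employee: [(day, 'source: detail'), ...]}."""
    precursors = defaultdict(list)
    for emp, day, nbytes in downloads:
        if nbytes >= threshold:  # only the misuse signal, not every download
            precursors[emp].append((day, "security: high-volume download"))
    for emp, day, note in hr:
        precursors[emp].append((day, "HR: " + note))
    for emp, day, note in legal:
        precursors[emp].append((day, "legal: " + note))
    return precursors


def correlate(precursors, window=WINDOW, min_sources=2):
    """Flag employees whose precursors come from >= min_sources departments
    within `window`; a single department's signal alone never flags anyone."""
    flagged = {}
    for emp, events in precursors.items():
        events = sorted(events)
        for start, _ in events:
            in_window = [e for e in events if start <= e[0] <= start + window]
            sources = {label.split(":")[0] for _, label in in_window}
            if len(sources) >= min_sources:
                flagged[emp] = in_window
                break
    return flagged


def flag_insider_risks():
    """Run the pipeline over the constructed feeds and return flagged employees."""
    return correlate(collect_precursors(DOWNLOAD_LOG, HR_REPORTS, LEGAL_CASES))
```

In the sample data e103 has an HR report and a legal case, but 32 days apart, so the window keeps that employee off the list; tune the window and threshold to your own baseline.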

Vectra Cognito is a network detection and response platform that uses artificial intelligence to detect attacker behaviors across the kill chain, including the phases where an insider will typically be detected: Command & Control, and reconnaissance. If you want to see how, schedule a demo here.

Want to learn more?

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.
