Insider Threats: What to Look For and How to Respond

September 22, 2020
Vectra AI Security Research team

Whether through malice or misuse, insiders were responsible for almost half of all data breaches last year, according to a survey by Forrester Research. Of those surveyed, 46% suffered incidents involving employees or third-party business partners.

As part of National Insider Threat Awareness Month, we have defined malicious vs. negligent insiders, and the difference between an insider threat and a whistleblower. In all cases the differentiating factor is intent. While intent helps to delineate the types of insider threat, the outcomes of any of them can be devastating.

A joint study by Accenture and the Ponemon Institute shows a steady rise in the cost of insider threats, now at $1,621,075 per incident, with some topping $8.76 million a year, according to a 2018 study by the Ponemon Institute.

Risk factors from insider threats

Why are insider threats rising? One reason is frequent job-hopping. The days when employees spent their entire careers at one company are over. A lack of loyalty to employers and higher churn rates increase the risk of intellectual property and confidential information theft. A sizable majority of all office workers will take data with them when they switch jobs. In addition to the higher likelihood of data exfiltration, the actual theft of data has also become much easier. Due to COVID-19, today’s employees work remotely from home and can access company data wherever they happen to be.

The spike in remote working due to COVID-19, intended to keep employees safe and maintain productivity, turned out to be a cybersecurity threat. Besides the risk of infecting the company network with malware, the use of personal devices for business makes copying company data easy. When an employee decides to quit, copies of company data often stay on external drives and devices, which means data loss frequently happens unintentionally and without any detectable exfiltration.

The Michael Mitchell case provides an excellent example. The former DuPont engineer kept numerous DuPont computer files containing sensitive and proprietary information on his home computer during his tenure with the company. After his termination, these files remained on his home computer without being detected. As Mitchell entered into consulting agreements with a Korean competitor, he supplied them with the data, resulting in millions of dollars in losses to DuPont. Many cases, including the Mitchell case, could have been prevented or at least limited with faster detection and response times and up-to-date company policies.

How to respond to insider threats

The first step of an appropriate response to an insider threat is to raise awareness of the problem. While some cases become Hollywood blockbuster movies, such as Breach, based on the Robert P. Hanssen case, insider threats occur everywhere. The responsibilities for detection, intervention and prevention of insider threats are often shared among the information security, legal and human resources (HR) departments. A clear definition of action items and accountabilities is crucial to the implementation of an effective insider threat program.

An important question to answer is “if an insider wanted to harm your company, what would be targeted and what damage could be done?” Define the critical assets that must be protected, as well as your organization’s tolerance for loss or damage if they are leaked.

Then, in order to prevent such a threat, ask yourself what kind of behavioral precursors could be detected and stopped across company departments before critical assets are stolen or damaged.

What behaviors should you look for?

Examples of precursors include:

  • misuse of computing resources, such as a high volume of downloads or printouts
  • HR reports of hostile workplace behaviors
  • information about ongoing legal investigations against employees

Most importantly, be sure you are able to connect the dots by correlating precursors from different departments to gain insights into trends regarding the highest risks to your organization.
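As an added illustration of that correlation step (example code written for this article, not Vectra's or the original post's), the following Python joins the three kinds of precursor listed above by user: a per-user baseline flags unusual download volume, HR and legal records are attached to the same user, and a bonus is applied when signals come from more than one department. All records, field names, weights and the spike threshold are constructed assumptions; in practice the feeds would come from a file-server or DLP log, the HR case system and legal.

```python
"""Correlate insider-threat precursors from several departments.

Constructed example (not Vectra's code). Every record below is made up,
and the field layout (date, user, bytes) and weights are assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: daily download volume per user in bytes, as it might
# be summarised from a file-server or DLP log. bkim and cjones each have one
# day that is far above their own median.
DOWNLOAD_LOG: List[Tuple[str, str, int]] = [
    ("2020-09-14", "asmith", 120_000_000),
    ("2020-09-15", "asmith", 95_000_000),
    ("2020-09-16", "asmith", 130_000_000),
    ("2020-09-17", "asmith", 110_000_000),
    ("2020-09-14", "bkim", 40_000_000),
    ("2020-09-15", "bkim", 55_000_000),
    ("2020-09-16", "bkim", 45_000_000),
    ("2020-09-17", "bkim", 2_600_000_000),   # spike: ~52x this user's median
    ("2020-09-14", "cjones", 10_000_000),
    ("2020-09-15", "cjones", 12_000_000),
    ("2020-09-16", "cjones", 900_000_000),   # spike, but no other department signal
    ("2020-09-17", "cjones", 11_000_000),
]

# Constructed HR and legal precursor records: (user, department, note).
HR_REPORTS = [("bkim", "hr", "hostile workplace complaint filed 2020-09-10")]
LEGAL_NOTICES = [
    ("bkim", "legal", "subject of ongoing IP investigation"),
    ("dlee", "legal", "non-compete dispute"),
]

# Assumed weights per precursor type; tune to your organisation's tolerance.
WEIGHTS = {"download_spike": 2, "hr": 3, "legal": 3}
SPIKE_FACTOR = 5.0  # a day counts as a spike if > SPIKE_FACTOR x the user's median


def download_spikes(log, factor: float = SPIKE_FACTOR) -> Dict[str, List[str]]:
    """Return {user: [dates]} for days above factor x that user's own median volume.

    The median is taken over the user's own history (spike included), so one
    anomalous day does not drag the baseline up the way a mean would.
    """
    per_user: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for date, user, nbytes in log:
        per_user[user].append((date, nbytes))
    spikes: Dict[str, List[str]] = {}
    for user, days in per_user.items():
        if len(days) < 3:  # too little history to call anything unusual
            continue
        baseline = median(b for _, b in days)
        hits = [d for d, b in days if b > factor * baseline]
        if hits:
            spikes[user] = hits
    return spikes


def correlate(log, hr_reports, legal_notices, weights=WEIGHTS):
    """Join precursors by user; return {user: (score, [reasons])}, highest score first."""
    signals: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for user, dates in download_spikes(log).items():
        signals[user].append(("download_spike", "download volume spike on " + ", ".join(dates)))
    for user, dept, note in hr_reports + legal_notices:
        signals[user].append((dept, note))

    scored = {}
    for user, items in signals.items():
        score = sum(weights[kind] for kind, _ in items)
        # Correlation bonus: the same user appearing in several departments'
        # feeds is the "connect the dots" case and outranks a single source.
        departments = {kind for kind, _ in items}
        if len(departments) > 1:
            score += 2 * (len(departments) - 1)
        scored[user] = (score, [note for _, note in items])
    return dict(sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True))


if __name__ == "__main__":
    for user, (score, reasons) in correlate(DOWNLOAD_LOG, HR_REPORTS, LEGAL_NOTICES).items():
        print(f"{user:8} score={score:2}  " + "; ".join(reasons))
```

With the constructed data, bkim ranks first because a download spike coincides with both an HR report and a legal notice, while cjones, whose spike stands alone, and dlee, who appears only in the legal feed, score low. The point is the join on a common user identifier across departments rather than the particular weights, which each organisation should set against its own loss tolerance.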

Vectra Cognito is a network detection and response platform that uses artificial intelligence to detect attacker behaviors across the kill chain, including the phases where an insider will typically be detected: Command & Control, and reconnaissance. If you want to see how, schedule a demo here.