Insider Threats: What to Look For and How to Respond


Joe Malenfant
September 22, 2020

Whether through intent or through misuse, insiders were responsible for almost half of all data breaches last year, according to a survey by Forrester Research. Of those surveyed, 46% suffered incidents involving employees or third-party business partners.

As part of National Insider Threat Awareness Month, we have defined malicious vs. negligent insiders, and the difference between an insider threat and a whistleblower. What you’ll notice is that in all cases the differentiating factor is intent. While intent helps to delineate between the types of insider threats, the outcomes in every case can be devastating.

A 2018 joint study by Accenture and the Ponemon Institute shows a steady rise in the cost of insider threats, now at $1,621,075 per incident, with the annual cost for some organizations topping $8.76 million.

Risk factors from insider threats

Why are insider threats rising? One reason is frequent job-hopping. The days when employees spent their entire careers at one company are over. A lack of loyalty to employers and higher churn rates increase the risk of intellectual property and confidential information theft. A sizable majority of all office workers will take data with them when they switch jobs. In addition to the higher likelihood of data exfiltration, the actual theft of data has also become much easier. Due to COVID-19, today’s employees work remotely from home and can access company data wherever they happen to be.

The spike in remote working due to COVID-19, intended to keep employees safe and maintain productivity, turned out to be a cybersecurity threat as well. Besides the risk of introducing malware into the company network, the use of personal devices for business makes copying company data easy. When an employee decides to quit, copies of company data often stay on external drives and personal devices, which means data loss frequently happens unintentionally and without any detectable exfiltration event.

The Michael Mitchell case provides an excellent example. The former DuPont engineer kept numerous DuPont computer files containing sensitive and proprietary information on his home computer during his tenure with the company. After his termination, these files remained on his home computer without being detected. As Mitchell entered into consulting agreements with a Korean competitor, he supplied them with the data, resulting in millions of dollars in losses to DuPont. Many cases, including the Mitchell case, could have been prevented or at least limited with faster detection and response times and up-to-date company policies.

How to respond to insider threats

The first step of an appropriate response to an insider threat is to raise awareness of the problem. While some cases become Hollywood blockbuster movies, such as Breach, based on the Robert P. Hanssen case, insider threats occur everywhere. The responsibilities for detection, intervention and prevention of insider threats are often shared among the information security, legal and human resources (HR) departments. A clear definition of action items and accountabilities is crucial to the implementation of an effective insider threat program.

An important question to answer is “if an insider wanted to harm your company, what would be targeted and what damage could be done?” Define the critical assets that must be protected, as well as your organization’s tolerance for loss or damage if they are leaked.

Then, in order to prevent such a threat, ask yourself what kind of behavioral precursors could be detected and stopped across company departments before critical assets are stolen or damaged.

What behaviors should you look for?

Examples of precursors include:

  • misuse of computing resources, such as a high volume of downloads or printouts
  • HR reports of hostile workplace behaviors
  • information about ongoing legal investigations against employees

Most importantly, be sure you are able to connect the dots by correlating precursors from different departments to gain insights into trends regarding the highest risks to your organization.
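The correlation step described above is where most insider threat programs fall short: each department sees its own precursor in isolation. The following is an added example, not code from Vectra or from this post, showing one way to connect the dots: precursor events from IT, HR and legal are grouped per user, scored within a rolling time window, and only users whose precursors come from two or more distinct departments are surfaced. The event records, department names, precursor types and weights are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample precursor events (not real data).
# Each record: (ISO timestamp, reporting department, user, precursor type, detail)
EVENTS = [
    ("2020-09-01T09:12:00", "it", "alice", "bulk_download", "4.2 GB pulled from file share"),
    ("2020-09-02T14:30:00", "hr", "alice", "hostile_behavior", "complaint filed by manager"),
    ("2020-09-03T18:05:00", "it", "alice", "bulk_print", "380 pages printed after hours"),
    ("2020-09-01T10:00:00", "it", "bob", "bulk_download", "1.1 GB pulled from file share"),
    ("2020-06-01T11:00:00", "hr", "carol", "hostile_behavior", "written warning issued"),
    ("2020-09-15T11:00:00", "legal", "carol", "investigation", "ongoing litigation hold"),
]

# Assumed relative weights per precursor type; tune these to your own risk tolerance.
WEIGHTS = {"bulk_download": 2, "bulk_print": 1, "hostile_behavior": 2, "investigation": 3}


def correlate(events, window_days=30, min_sources=2):
    """Return {user: finding} for users whose precursors, inside some window of
    `window_days`, were reported by at least `min_sources` distinct departments.

    The finding holds the highest-scoring window found for that user, so an
    analyst sees the densest cluster of corroborating signals first.
    """
    by_user = defaultdict(list)
    for ts, source, user, kind, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), source, kind, detail))

    findings = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order, datetime is the first tuple element
        best = None
        # Slide a window starting at each event and keep the best-scoring one.
        for t0, *_ in evs:
            window = [e for e in evs if t0 <= e[0] <= t0 + timedelta(days=window_days)]
            sources = {e[1] for e in window}
            score = sum(WEIGHTS.get(e[2], 1) for e in window)
            if len(sources) >= min_sources and (best is None or score > best["score"]):
                best = {"score": score, "sources": sorted(sources), "events": window}
        if best:
            findings[user] = best
    return findings


if __name__ == "__main__":
    for user, finding in correlate(EVENTS).items():
        print(f"{user}: score={finding['score']} sources={finding['sources']}")
        for when, source, kind, detail in finding["events"]:
            print(f"  {when:%Y-%m-%d} [{source}] {kind}: {detail}")
```

With the default 30-day window, only alice is surfaced: her bulk download, the HR complaint and the after-hours printing all land within three days and come from two departments. bob has a single IT precursor and carol's HR and legal signals are more than three months apart, so neither is flagged; widening `window_days` to 200 pulls carol in, which is the knob an analyst turns when deciding how long a stale HR report should keep corroborating a newer signal.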

Vectra Cognito is a network detection and response platform that uses artificial intelligence to detect attacker behaviors across the kill chain, including the phases where an insider will typically be detected: Command & Control, and reconnaissance. If you want to see how, schedule a demo here.

About the author

Joe Malenfant

Joe Malenfant is the Vice President of Product Marketing at Vectra. Joe and his team are responsible for creating differentiated positioning for Vectra’s solutions, providing clarity to prospects, customers, and partners. Joe has spent over 10 years driving innovation in cyber security, including endpoint detection and response, industrial control systems (ICS), IoT, and network security. He has launched category-defining products ranging from pure-play SaaS to hardware solutions for IT, IoT, and ICS environments. He regularly presents at industry conferences including RSA, Cisco Live, and IIoT World.

Prior to Vectra, he led marketing for Cisco’s Internet of Things business, a $1B portfolio spanning over 5 product segments including cloud, networking, and security. Prior to joining Cisco in 2014, he led product and solutions marketing for Lockheed Martin Commercial cyber security solutions through the acquisition of the ICS security company Industrial Defender. Joe holds an MBA from Johnson & Wales in Providence, RI and an undergraduate degree from Concordia University in Montreal, Canada.
