Sage Advice - Cybersecurity Blog

Identifying the Malicious Insider Threat

The majority of incidents caused by insiders are the result of employee or contractor negligence, or just an honest mistake. But some are of malicious intent. For example, this benchmark study found that 22% of insider-related incidents were caused by a criminal insider. It's still important to be aware of this type of threat, because malicious insiders are typically very difficult to detect and often take a long time to discover. And the longer it takes to detect a data breach or leak, the more costly it can be for your organization.

The malicious insider threat is hard to detect because we typically trust our employees. And if working with sensitive data is part of someone’s job, it’s very difficult to determine if they are doing anything malicious with it. Even if you suspect malicious intent, it’s easy for employees to claim that they made a mistake and get away with it. It is almost impossible to prove guilt in such cases. It’s also pretty easy for employees, especially tech-savvy ones, to cover their tracks.

Being aware of certain factors and indicators can help you determine if you have a malicious insider threatening your organization. Let’s take a look at a few.

Characteristics of the Malicious Insider

The below list comes from Combating the Insider Threat by the National Cybersecurity and Communications Integration Center. It’s important to keep in mind that everybody may display one or more of the characteristics on this list at one time or another. Don’t let it make you paranoid. Instead, use it to determine if you have the right controls in place, so you can tell the good people from the bad people (or the untrained people from the trained people).

  • Extreme introversion
  • Financial need
  • Vulnerability to blackmail
  • Compulsive / destructive behavior
  • Rebellious, passive aggressive
  • Ethical “flexibility”
  • Reduced loyalty
  • Entitlement – narcissism
  • Intolerance
  • Minimizing mistakes / faults
  • Inability to assume responsibility for actions
  • Self-perceived value exceeds performance
  • Lack of empathy
  • Pattern of frustration and disappointment
  • History of managing crises ineffectively

Factors that Drive Malicious Behavior

The Insider Threat, an introductory guide from the U.S. Federal Bureau of Investigation (FBI), provides the below factors that can help you identify a malicious insider.

Personal Factors

  • Greed / Need
  • Anger / Revenge
  • Problems at work (e.g., lack of recognition, disagreements, pending layoff)
  • Ideology
  • Divided loyalty
  • Adventure / Thrill
  • Ego / Self-image
  • Ingratiation
  • Compulsive behavior
  • Family problems

Organizational Factors

  • Availability and ease of acquiring information.
  • Mislabeled information or not knowing where all sensitive data is.
  • Lack of physical access controls.
  • Weak logical access controls, e.g., lack of multi-factor authentication for remote access or weak passwords inside.
  • Undefined policies related to “work from home” for sensitive projects.
  • Perception of lax control.
  • Time pressure.
  • Lack of training.
  • Policies that are not enforced.
  • Leadership that doesn’t follow policies.

Indicators of a Malicious Insider

In the same guide from the FBI, they discuss different indicators that you can look for to identify an insider threat.

Behavioral Indicators

  • Without need or authorization, takes proprietary or other material home.
  • Inappropriately seeks or obtains information not related to their work duties.
  • Interest in matters outside the scope of their duties.
  • Unnecessarily copies material, especially if it is proprietary or classified.
  • Remotely accesses the computer network while on vacation, sick leave, or at other odd times.
  • Disregards company computer policies (e.g., installing personal software or hardware; trying to access restricted websites; conducting unauthorized searches; or downloading confidential information).
  • Works odd hours without authorization; notable enthusiasm for overtime work, weekend work.
  • Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel.
  • Unexplained affluence; buys things that they cannot afford.
  • Engages in suspicious personal contacts.
  • Overwhelmed by life crises or career disappointments.
  • Concern that they are being investigated.

Activity Indicators

  • Data being accessed, copied, or deleted when there is no business justification.
  • Data being transferred out of the organization through file uploads, email, and / or physically on media.
  • Changes to access for file locations or inside of business applications that have no business justification.
  • Disabled or terminated employee accounts active again.
  • Access to unauthorized areas.

Every one of these could be benign, so you need to aggregate. Look at all the factors, the characteristics, and the behaviors, then see if a pattern emerges. It could be that they are just ambitious; you’ll know the difference. The good news is that ultimately most people won’t cross the line and actually do something malicious, even if they are under pressure.
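The aggregation idea above (no single activity indicator is conclusive, but several distinct ones on the same account form a pattern worth reviewing) can be turned into a simple detection pass over audit events. The following is an added example, not code from the original post or from Sage; the event records are constructed, and the field names (`type`, `bytes`, `ticket`, `account_status`, `authorized`, `on_leave`, `sensitive`), the 50 MB transfer threshold, the 07:00-19:00 business-hours window and the "two distinct indicators" review threshold are all assumptions an organization would tune to its own logging.

```python
"""Aggregate activity indicators per user and flag accounts where a pattern emerges.

Added illustration: the events below are constructed, and the field names,
thresholds and indicator definitions are assumptions, not from the original post.
"""
from collections import defaultdict
from datetime import datetime

LARGE_TRANSFER_BYTES = 50 * 1024 * 1024   # assumption: 50 MB is "unusually large"
BUSINESS_HOURS = range(7, 19)             # assumption: 07:00-19:00 local time
PATTERN_THRESHOLD = 2                     # distinct indicators that warrant review
OUTBOUND_TYPES = {"upload", "email_attachment", "removable_media_copy"}

# Constructed audit events (file, account, ACL and badge sources merged into one list).
EVENTS = [
    {"user": "alice", "ts": "2023-03-06 22:30", "type": "file_read",
     "path": "/finance/q1.xlsx", "bytes": 20_000, "sensitive": False, "ticket": None},
    {"user": "bob", "ts": "2023-03-07 10:05", "type": "upload",
     "path": "/eng/build.zip", "bytes": 80 * 1024 * 1024, "ticket": "CHG-1042"},
    {"user": "mallory", "ts": "2023-03-04 02:15", "type": "removable_media_copy",
     "path": "/hr/salaries.csv", "bytes": 120 * 1024 * 1024, "sensitive": True, "ticket": None},
    {"user": "mallory", "ts": "2023-03-08 11:40", "type": "acl_change",
     "path": "/hr", "ticket": None},
    {"user": "mallory", "ts": "2023-03-09 13:00", "type": "file_copy",
     "path": "/hr/salaries.csv", "bytes": 3_000_000, "sensitive": True, "ticket": None},
    {"user": "carol", "ts": "2023-03-10 18:00", "type": "login",
     "account_status": "disabled"},
    {"user": "carol", "ts": "2023-03-10 18:10", "type": "badge_access",
     "area": "server-room", "authorized": False},
]


def indicators_for(event):
    """Return the set of activity indicators (from the post's list) one event trips."""
    hits = set()
    ts = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M")

    # Disabled or terminated account active again.
    if event.get("account_status") == "disabled":
        hits.add("disabled_account_active")
    # Data transferred out (upload, email, removable media) in unusual volume.
    if event["type"] in OUTBOUND_TYPES and event.get("bytes", 0) >= LARGE_TRANSFER_BYTES:
        hits.add("large_transfer_out")
    # Access change with no business justification (no change ticket attached).
    if event["type"] == "acl_change" and not event.get("ticket"):
        hits.add("access_change_no_justification")
    # Access to an unauthorized area.
    if event["type"] == "badge_access" and not event.get("authorized", True):
        hits.add("unauthorized_area")
    # Sensitive data copied or deleted without a ticket referencing why.
    if (event["type"] in {"file_copy", "file_delete"}
            and event.get("sensitive") and not event.get("ticket")):
        hits.add("data_access_no_justification")
    # Activity while on leave, at night, or on a weekend.
    if event.get("on_leave") or ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
        hits.add("odd_time_access")
    return hits


def aggregate(events):
    """Count how often each indicator fired, per user."""
    per_user = defaultdict(lambda: defaultdict(int))
    for ev in events:
        for ind in indicators_for(ev):
            per_user[ev["user"]][ind] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def flagged_users(events, threshold=PATTERN_THRESHOLD):
    """Users tripping at least `threshold` distinct indicators: a pattern, not a blip."""
    return sorted(u for u, inds in aggregate(events).items() if len(inds) >= threshold)


if __name__ == "__main__":
    for user, counts in aggregate(EVENTS).items():
        print(f"{user:8s} {counts}")
    print("review:", flagged_users(EVENTS))
```

Run as written, only `mallory` (four distinct indicators) and `carol` (a disabled account logging in, then an unauthorized badge swipe) are returned for review; `alice`, with a single late-night read, and `bob`, with one large but ticketed upload, are not. In a real deployment the indicator checks would read from the actual audit, DLP and badge systems, and the threshold would be tuned against the organization's baseline so that the output is a short review queue rather than an alert on every employee.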

Learn more in our post, Cybersecurity and the Insider Threat.

Have you assessed your vendors’ cybersecurity risk? Some of the most publicized data breaches over the past few years have occurred via third parties. Setting up and maintaining an effective cybersecurity review program is essential to protect against this type of insider threat. Sage can assist with the implementation of a program that makes sense for your organization’s business needs and is tailored to the unique conditions that are the byproduct of every third-party business relationship.
