Insider Threats — The enemy within.
Insider threats are individuals with legitimate access to the company’s network who use their access, whether maliciously or unintentionally, in a way that causes harm to the organization. Insider threats could be employees, but they can also be former employees, contractors or business partners who also have access to company networks or data.
Types of insider threats in an organization

Insider threats account for 60% of cyber attacks, and they are incredibly difficult to detect. In fact, most cases go unnoticed for months or years.

Time to identify and contain insider threats

It takes an average of more than two months to contain an insider incident, with Ponemon Institute showing more than 77 days to contain each insider threat and IBM Security reporting that time to identify and contain was on average 280 days. Almost a year!

97% of IT leaders acknowledge that insider breach risk is a concern for their organization, with 78% saying that employees have accidentally put data at risk (reckless employees) and 75% claiming that it was intentional (malicious employees). Whether it was intentional or not, one thing is sure: your data is at risk!

IT leaders statistics on insider breach risk

What are the causes and who are those insider threats?

Here is a diagram created by research company Egress, which shows the typical causes of insider threats; sharing data to personal systems and leaking data to competitors make up the largest portions. If we look closely and add up all of the causes below, 93% involve employees who are about to leave the company: taking data to a new role, selling it to a competitor, dissatisfaction after losing a job, blackmail by cyber criminals and more.

Causes of insider threats

The “departure risk”

A “departure risk” is an employee who is about to terminate their employment with a company for various reasons. These employees typically show recognizable departure risk behavior patterns: their browsing and email activity indicate that they are preparing to leave. This is pertinent to insider threats because over 80% of departure risk employees tend to take data with them, anywhere from 2 weeks to 2 months prior to their termination date.

The image below shows how data is exfiltrated and via which channels:

How data is exfiltrated — by channel

Still, the most popular channel, accounting for almost 44% of all exfiltrated data, is forwarding emails to personal email accounts. Sounds amazing, don’t you think?

Some of the other ways include:

  • Aggregating and storing data in specific folders
  • Exfiltrating data to unencrypted USB devices
  • Exfiltrating data to external sites (WeTransfer, Google Cloud, MegaUpload, etc.)

💡 Tip

Make sure you have a system in place that alerts you on all of those activities and can block specific transfer actions or encrypt the company’s sensitive data so it cannot be used outside. Such a solution is Data Loss Prevention + User Behavior Analytics. We’ve got you covered in one platform!
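To show what alerting on those channels looks like in practice, here is an added example (not code from the original post or from any product it mentions) that tags constructed user events matching the three channels listed above and flags a user who hits more than one of them. The event format, the personal-mail domains and the file-sharing site list are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): (timestamp, user, channel, detail, bytes).
SAMPLE_EVENTS = [
    ("2024-03-01T09:12", "alice", "email", "to=alice.home@gmail.com subj=Q1 forecast", 2_400_000),
    ("2024-03-01T09:40", "alice", "email", "to=bob@corp.example subj=lunch", 4_000),
    ("2024-03-01T13:05", "alice", "usb", "copy /finance/customers.xlsx -> E: (unencrypted)", 18_000_000),
    ("2024-03-01T17:30", "alice", "web", "upload https://wetransfer.com/ file=roadmap.pptx", 52_000_000),
    ("2024-03-01T10:00", "carol", "email", "to=partner@vendor.example subj=invoice", 90_000),
    ("2024-03-01T11:10", "carol", "web", "download https://intranet.corp.example/policy.pdf", 700_000),
]

# Assumed lists for the example; a real deployment would pull these from policy.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
SHARING_SITES = {"wetransfer.com", "drive.google.com", "mega.nz", "dropbox.com"}

def classify_event(channel, detail):
    """Tag one event with the exfiltration channel it matches, or None if benign."""
    if channel == "email":
        m = re.search(r"to=\S+@([\w.-]+)", detail)
        if m and m.group(1).lower() in PERSONAL_MAIL_DOMAINS:
            return "email_to_personal_account"
    elif channel == "usb" and "unencrypted" in detail:
        return "copy_to_unencrypted_usb"
    elif channel == "web" and detail.startswith("upload "):
        host = re.search(r"https?://([^/\s]+)", detail)
        if host and host.group(1).lower() in SHARING_SITES:
            return "upload_to_external_site"
    return None

def departure_risk_report(events, min_channels=2):
    """Group tagged events per user; flag users active on >= min_channels distinct channels."""
    findings = defaultdict(list)
    for ts, user, channel, detail, size in events:
        tag = classify_event(channel, detail)
        if tag:
            findings[user].append((ts, tag, size))
    report = {}
    for user, items in findings.items():
        tags = sorted({tag for _, tag, _ in items})
        report[user] = {
            "tags": tags,
            "bytes": sum(size for _, _, size in items),
            "flagged": len(tags) >= min_channels,
        }
    return report

if __name__ == "__main__":
    for user, summary in departure_risk_report(SAMPLE_EVENTS).items():
        print(user, summary)
```

Requiring several distinct channels before flagging keeps one-off personal emails from paging the team while still catching the multi-channel pattern the post describes.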

User Behavior Analytics (UBA)

UBA operates as an early warning system: it discovers a potential threat or a precondition for a violation and alerts about possible risks by detecting several episodes of abnormal activity inside or outside the corporate network.

Classification of sensitive data is a must!

Devising an effective data loss prevention strategy requires IT leaders to understand which types of data are most vulnerable to which type of internal breach. Top of the list for both accidental and intentional internal breach risk is employee data, including personal identifiers and salary information, closely followed by company intellectual property. Interestingly, customer data, including personally identifiable information (PII), was ranked third.

Data classification — most vulnerable data types

So, do you know which data is sensitive? Where does it reside? Who has access rights? These are the major questions you need to answer.

💡 Tip

Implement a DCAP solution (data-centric audit and protection) for automated file system audit, detection of access violations and monitoring of changes to critical data.

What can you automatically solve with FileAudit?

  • Classification of vulnerable data: Finds files in a document flow that contain critical information, and assigns a type to each file (personal data, trade secret, credit card numbers, etc.)
  • Access rights audit: Facilitates confidential information access control — automatically monitors open resources, files available to a specific user or group, and privileged accounts.
  • Critical documents archiving: Makes shadow copies of critical files found on a PC, server or network folders and saves the history of their revisions. A confidential data archive helps in incident investigation and ensures recovery of lost information.
  • User activity monitoring: Audits user operations in a file system. Those responsible for risk mitigation always have up-to-date information about changes made to files (creation, editing, moving, deletion, etc.).
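As an added illustration of the classification step (not FileAudit’s code or any vendor’s), the following scans constructed document contents and assigns the labels named above: credit card numbers (Luhn-validated, so random digit runs are not flagged), personal data and trade secret. The sample files, label names and marker lists are assumptions for the example.

```python
import re

# Constructed sample documents (not real data): path -> contents.
SAMPLE_FILES = {
    "hr/salaries_2024.csv": "name,email,salary\nJane Roe,jane.roe@corp.example,72000\n",
    "finance/refunds.txt": "Refund to card 4539 1488 0343 6467 approved; 1234 5678 9012 3456 rejected",
    "rnd/roadmap.md": "CONFIDENTIAL - trade secret: prototype alloy formula, do not distribute",
    "public/menu.txt": "Lunch: soup, salad, sandwiches. Order code 1111-2222",
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")      # 13-19 digits, optional spaces/dashes
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PERSONAL_FIELDS = {"salary", "ssn", "date of birth", "passport"}   # assumed markers
SECRET_MARKERS = {"trade secret", "confidential", "proprietary"}   # assumed markers

def luhn_ok(digits):
    """Luhn checksum over a digit string; true for plausible card numbers only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify_document(text):
    """Return the set of sensitivity labels that apply to one document's text."""
    labels = set()
    lower = text.lower()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            labels.add("credit_card_numbers")
            break
    # Personal data: an identifier (email) together with a sensitive field name.
    if EMAIL_RE.search(text) and any(f in lower for f in PERSONAL_FIELDS):
        labels.add("personal_data")
    if any(marker in lower for marker in SECRET_MARKERS):
        labels.add("trade_secret")
    return labels

def classify_files(files):
    """Map each path to its labels; an empty set means nothing sensitive was found."""
    return {path: classify_document(text) for path, text in files.items()}
```

The labels are what an access-rights audit or archiving rule would then key on, so a file tagged credit_card_numbers can be shadow-copied and its permissions reviewed automatically.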