Demystifying Insider Threat

Security practitioners are increasingly aware of insider threat as a critical area of concern, but many teams accustomed to combatting external threats still struggle to defend from within. In addition to inadequate training and resources for combating insider threat, defense efforts are often hindered by the following misconceptions:

Myth #1: Insider-threat activity is always intentional and harmful.

Conversations surrounding insider threat tend to sensationalize the notion of a rogue employee carrying out deliberate, malicious actions against their organization for financial, political, or personal gain. While it’s true that insider threats carried out with malicious intent tend to be the most damaging and headline-grabbing, they do not comprise all insider threats. Many insider threats arise unintentionally, often as the result of carelessness or poor adherence to organizational protocol, not malicious intent. Furthermore, an action may constitute an insider threat even if no harm occurs as a result.

For example, if an employee accidentally emails a highly sensitive internal document to the wrong recipient, this action would be considered an insider threat due to the user’s failure to properly safeguard internal information. As another example, suppose an employee is unable to log into their network account, so they use a colleague’s credentials. Even if the employee’s only intention in using someone else’s credentials is to perform work-related tasks, this type of situation would be considered an insider threat. Though the employee in question did not have malicious intent, they did subvert their organization’s ability to enforce identity and access management (IAM) and other security controls, thereby obtaining access to unauthorized information and privileges.

Myth #2: Insider-threat resource = insider-threat program.

The term insider threat program (ITP) is often misused to refer to standalone resources or an improvised combination of tools thrown together to address insider threat. The pervasiveness of this misconception has been exacerbated by an increasing number of tools being marketed as comprehensive silver bullets for dealing with insider threat.

No singular solution can stand in as an effective substitute for an ITP, even for smaller organizations. To qualify as a full-fledged ITP, a program must have a specific combination of tools, datasets, expertise, personnel, and cross-functional collaboration, as well as integrated programmatic and investigative functions. There are no shortcuts for developing and implementing an effective ITP; when done right, it is often a lengthy and complex endeavor requiring external support.

Myth #3: Insider threats can’t be prevented without an ITP.

No matter how sophisticated and comprehensive an ITP may be, it cannot deliver value to an organization unless it is supported by the foundation of an equally robust information-security program. The primary objective of an ITP is not to prevent insider threats, but rather to detect and respond to them. Meanwhile, insider-threat prevention largely falls within the hands of information-security teams, leveraging robust IAM processes alongside other security best practices and controls. As such, before an organization even considers developing an ITP, it must first establish and maintain a rigorous information-security function.

Closing thoughts

The examples detailed above are far from comprehensive and are simply meant to clear the air of some common misconceptions regarding insider threat. As security professionals, we must not only recognize insider threats as a critical area of concern, we must also acknowledge they will continue to evolve and consciously avoid resting on our laurels. By continuously reassessing our understanding of the intricate, often-confusing nature of insider threat, we can further refine out strategies for combating them effectively.