A malicious insider – sometimes referred to as an insider threat – describes any person who uses their authorised access to a company’s systems, resources, or data for malicious purposes.
Unlike the external threats that are posted by cybercriminals or hackers, malicious insiders have access to proprietary business information because they are employed by the company itself.
In some cases, the malicious insider may also be a contractor, business partner, or former employee.
Whatever the title, malicious actors share a common objective: to misuse or abuse their access privileges for personal or financial gain.
In a 2023 survey of more than 300 industry professionals, research firm Cybersecurity Insiders found that 74% believed insider attacks had become more frequent.
Malicious insiders can be motivated by various means and their attacks can take many forms.
Here are a few different types with real-life examples for each.
Malicious insiders may exploit legitimate access privileges to obtain confidential or sensitive information, systems, and resources.
Examples involving unauthorised access are some of the most well-known. One example is Edward Snowden, a former National Security Agency (NSA) contractor who leaked classified information to multiple journalists.
In this type, the malicious actor steals, sells or deletes sensitive data, trade secrets or intellectual property (IP). The intent here is to profit from proprietary information or harm the company by sharing it with competitors.
In 2017, an employee of health company BUPA accessed the company’s CRM system to copy the personal details of more than 500,000 customers.
The employee then deleted the information from the database and attempted to sell the personal records on the dark web.
This occurs when the malicious insider intentionally sabotages systems to cause operational disruptions, reputational damage, and financial loss. This may involve the use of malware or simply the deletion of critical files.
In 2020, an ex-Cisco employee was jailed after deploying malware that deleted more than 16,000 user accounts and caused $2.4 million in damage.
Fraud is a malicious insider technique often motivated by financial gain. Among other forms, it may involve embezzlement, insider trading, or the manipulation of financial records.
In 2008, French bank Société Générale revealed that one of its employees had engaged in fraudulent trading activities. The employee took large, high-risk positions in European indices and concealed the trades via unauthorised and fictitious hedging transactions.
Ultimately, Société Générale lost around $8 billion.
On occasion, malicious insiders may represent external adversaries or competitors and take up employment with a company to steal its sensitive information.
The insider threat may also originate from someone motivated by personal gain. Over eight years, a former General Electric (GE) employee stole over 8,000 files from the company.
The employee, who convinced an IT admin to grant him access to the files, intended to use GE’s trade secrets to start a rival company.
Colleagues who routinely interact with the malicious insider are one of the best defences since they are most likely to notice suspect behaviour.
Potential threat indicators are sometimes easy to spot. For example, the person may publicly hold a grudge against the company or one of their superiors.
In other cases, indicators are less apparent. A malicious insider may:
When detecting malicious behaviour, it is important to assess intent. In other words, were the employee’s actions a deliberate attempt to damage the company or its assets? Or were they accidental?
Some employees are deemed careless or negligent insiders because they unknowingly or unwittingly expose systems to outside threats. But each context is open to interpretation.
The most clear-cut example of a negligent insider is an employee who falls victim to a cybersecurity scam and creates a vulnerability in the company’s systems.
Most companies are well-versed in protecting themselves from external attacks.
But how can they protect themselves against malicious insiders?
An obvious point, but one that bears repeating.
Data security should focus on areas where data lives – whether that be on-premise, in the cloud, or hybrid environments.
In the context of malicious insiders, data leaks via email must be a priority. Some companies offer integrated, cloud-based solutions to prevent intentional leaks of IP and sensitive data.
Machine learning (ML) applications can help organisations monitor the behaviour of their employees and look for anomalies.
Such applications fall within a category of security solutions known as User and Event Behavioral Analytics (UEBA). They establish a baseline for normal data access activity and then alert key personnel if abnormal access is detected.
In addition to email security and ML-based user behaviour analytics, there are various other focus areas for businesses.
These include:
In summary:
References
Source-to-pay (S2P) is an end-to-end process in procurement that encompasses the activities associated with sourcing products from suppliers.
Reading a check may appear straightforward at first glance, but the various elements that comprise a check play a crucial role in …
In finance, internal controls are processes that ensure and maintain the integrity of financial and accounting information. These controls foster accountability, safeguard …
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
