Cybersecurity and IT teams spend a great deal of time building digital defenses against outside threats. From anticipating targeted infrastructure attacks to educating your employees on phishing schemes, security leads everywhere focus heavily on external threats.
Don’t get us wrong: we know you need to watch out for outside threats. But what you can’t do is spend so much time worrying about external threats that you forget about insider threats.
Insider threats are employees or partners who misuse their authorized access and pose a security risk from within your organization.
While there are measures CISOs and security managers can take to prevent and detect insider threats, it’s not a job you should (or really can) do alone. There’s no antivirus scanner that detects insider threats or an algorithm to rate how likely a team member is to steal your data!
Luckily, your entire organization can also look out for and report insider threats, if you enable them.
Let’s look at how to recognize insider threats so you can pass these tips on to your team:
Know Who’s a Threat
While technically anyone within your organization could pose an insider threat, certain users fit the bill more than others.
- High-permission users. Who has access to the juiciest data? High-value, sensitive, proprietary data could be shared with competitors or interest groups for profit by those who have more access than they really need. Even those who do need access may not respect its privacy.
- Contractors or temporary workers. Have you hired anyone from outside of your organization for a special project? Without proper screening or restricted permissions, these outsiders could access information they shouldn’t.
- Service providers. Is your security team or your company at large working with an agency for training, marketing, SEO, etc.? Outside help is often granted internal access and trusted with valuable data.
- Partners of service providers. It’s important to note that insider threat actors don’t always have malicious intent. For instance, if a service provider has access to your data and is hacked, the bad actor can vicariously breach your system. While your service provider wasn’t the one who stole your data, it was compromised nonetheless.
- New employees. Did someone come on board just to steal your information? While you want to welcome newcomers, they could also be insider threats in disguise, intent on getting access to information.
- Inappropriately offboarded ex-employees. Someone who previously worked for your corporation may have the motivation to share access or proprietary knowledge for revenge or financial gain.
Look for Warning Signs
With knowledge of these digital and behavioral concerns, you and your team may be able to catch an insider threat before it escalates.
- Sharing permissions with outsiders, especially if it’s not related to their job or function. If you’re sent a document from a contractor and see a user you don’t recognize with shared access permissions, question it. Who is this mystery user? Enforce restrictions on who can access your databases and individual files.
- Making use of unauthorized storage devices. Is an employee using an external hard drive or their desktop to store sensitive files? Your data should always be kept in a secure, protected database, and that requirement should be written into policy.
- Unauthorized storage of logins and passwords. If you use a password management system that encrypts stored credentials, that’s great. But if team members don’t use it and keep lists of logins in a note on their phone, in an unsecured Google Doc or in a physical notebook, this information could be used with ill intent.
- Attempts to skirt past security. You have your security measures in place for a reason, and if a user keeps defying your policies and making up their own rules, they are someone to look out for.
- Shift in attitude. If someone is frequently showing a bad attitude towards work, being aggressive towards coworkers or suddenly seeming apathetic about performance, they may be unhappy with the job. These are clear warning signs that an employee may be getting ready to leave and has motivation to violate security protocol.
- Activity off-hours. If an employee or partner is suddenly logging on or interacting with a company database outside of working hours, it’s reason for suspicion. Are they actually working or accessing the information for other reasons?
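As an added example (not part of the original article), the Python below turns two of the warning signs above, sudden off-hours activity and sharing with outsiders, into checks over an access log that surface events for a human to review. The log format, the `example.com` domain, the working hours and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "example.com"  # assumption: your organization's mail domain
WORK_START, WORK_END = 8, 18     # assumption: working hours, Mon-Fri, local time

# Constructed sample audit log: (user, timestamp, action, target)
EVENTS = [
    ("alice", "2024-03-04T09:15", "read", "crm/customers"),
    ("alice", "2024-03-05T14:02", "read", "crm/customers"),
    ("alice", "2024-03-06T10:40", "read", "crm/customers"),
    ("alice", "2024-03-12T23:48", "read", "crm/customers"),
    ("alice", "2024-03-13T02:10", "read", "finance/payroll"),
    ("bob", "2024-03-04T22:30", "read", "ops/runbooks"),  # routinely works nights
    ("bob", "2024-03-05T23:05", "read", "ops/runbooks"),
    ("bob", "2024-03-12T22:45", "read", "ops/runbooks"),
    ("bob", "2024-03-13T23:10", "read", "ops/runbooks"),
    ("carol", "2024-03-12T11:20", "share", "pat@example.com"),
    ("carol", "2024-03-12T11:25", "share", "unknown.user@mail.example.net"),
]

def is_off_hours(ts):
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (WORK_START <= t.hour < WORK_END)

def sudden_off_hours(events, cutoff, max_baseline_ratio=0.1, min_recent=2):
    """Users whose off-hours access is new compared with their own history before cutoff."""
    base, recent = defaultdict(list), defaultdict(list)
    for user, ts, _action, _target in events:
        (base if ts < cutoff else recent)[user].append(is_off_hours(ts))
    flagged = []
    for user, hits in recent.items():
        history = base.get(user, [])
        # A user with no history has ratio 0.0, so new accounts are not exempt.
        ratio = sum(history) / len(history) if history else 0.0
        if sum(hits) >= min_recent and ratio <= max_baseline_ratio:
            flagged.append(user)
    return sorted(flagged)

def external_shares(events, internal_domain=INTERNAL_DOMAIN):
    """Share events whose recipient is outside the organization's domain."""
    return [(user, target) for user, _ts, action, target in events
            if action == "share" and not target.lower().endswith("@" + internal_domain)]

if __name__ == "__main__":
    print("review off-hours:", sudden_off_hours(EVENTS, "2024-03-11T00:00"))
    print("review shares:", external_shares(EVENTS))
```

Comparing each user against their own baseline keeps staff who normally work nights (bob in the sample) out of the review queue, so a flag reflects a change in behavior rather than a schedule.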
Establish Policies for Reporting Insider Threats
For your employees to support your insider threat detection, they need to know not only what to look out for but also how to react to it.
Should a team member suspect questionable activity or intent from an employee, is there an anonymous way they can report? Consider an online form or an in-office concerns box. You must remember that not all employees will feel comfortable “outing” a fellow employee for fear of retaliation.
It may also be written into new hires’ contracts that HR has the right to report suspicious employee behavior to IT (say, if an employee is carrying on a feud with management), or that individual team managers do the same.
Your whole company should be behind your cybersecurity initiative and vow to report threats as they arise. Create a document with tips from the top of this article in your company’s intranet or as an insert when onboarding new clients to give your team the resources they need to champion insider threat awareness.
Put Your Team’s Insider Threat Knowledge to the Test
While sending an email about your insider threat policy will create awareness around your security, your team may need more tangible training to spot threats and support your cause.
Teach your team how to spot internal threats by enrolling them in an immersive, engaging security program, engineered by our team at Living Security.
Our interactive video series and real-life examples help give your team a deep sense of what to do when faced with insider threats and empower them to advocate for better security, right by your side.