The narcissistic co-worker who requires constant attention and validation could well be a high-performing, trustworthy, valuable member of an organization. The non-social co-worker who avoids contact could be just a highly skilled, but introverted employee. Or they could each represent a hidden threat – the insider who may deliberately or inadvertently cause damage to the entire organization.

Insiders have a unique ability to cause harm because an organization’s internal security measures – if they exist at all – are generally easier to circumvent than their hardened perimeter defenses. From their positions within an organization’s offices and networks, insiders not only have enhanced access to their targets, they also have the ability to identify any lapses in technological protections and policy enforcement, and thus increased opportunity to discover where the critical information assets are located and how to get to them without risking detection. Insider Threats may also include well-intentioned employees who unwittingly cause or contribute to a security incident.

Regardless of whether the employee is an unintentional or intentional threat, the Software Engineering Institute at Carnegie Mellon* discovered that approximately 85% of insider compromises were performed by employees of the victim organization after reviewing more than 800 insider threat cases. Contractors, subcontractors and trusted business partners made up the other 15%. In fact, the author Brian Contos emphasized the fact that most threats are conducted by those we trust the most by calling the insider threat “The Enemy at the Water Cooler.”⁷

Looking for threats from the inside may be one of the hardest things for an organization to do, since most do not want to admit that a trusted employee could or would intentionally or unintentionally cause harm. Most organizations focus too much attention towards attacks originating from the outside and less towards those that may come from the inside. Therefore, the insider threat quickly becomes a hidden threat.

Research into the insider threat problem has been complicated by the lack of a precise definition of an insider, which leaves researchers subject to their own definition of situation, biases, and assumptions. The challenge is made more complex by the assumption that the boundary or perimeter can be clearly defined, so that anyone inside the security boundary is consequently an insider. The idea of a distinct perimeter has been blurred even more today through the increase in mobile computing, teleworking, outsourcing, and contracting. Moreover, today’s discussions about insider threat tend to focus on the network perimeter and fail to fully consider physical boundaries. Despite the difficulty of defining a boundary, definitions of insider threat are still largely focused on a perimeter-based definition of who should be considered an insider. For example, take a look at this definition of an insider: an “individual who has, or previously had been, authorized to use the information systems they employed to perpetrate harm.”⁸

One of the research bodies examining insider threat, CMU SEI, has evolved perhaps the most comprehensive yet simple definition – one that isn’t bound by the definition of a perimeter: The person who has the potential to harm an organization for which they have inside knowledge or access.⁹

One common thread runs through all of the definitions – access. So, let’s look at another definition from the National Infrastructure Advisory Council (NIAC) that broadens the digital lens: An insider threat is one or more individuals with the access and/or insider knowledge of a company, an organization or an enterprise, that would allow them the opportunity to exploit weaknesses in that organization’s facilities, security, systems, products, or services, with the intent to cause harm or to obtain an unauthorized advantage.¹⁰

Insiders are not just employees: by focusing on the concept of access, the group can be expanded to include contractors, business partners, auditors – even an alumnus with a valid email address. Insider knowledge allows the potential insider threat group to be expanded to include former members who may lack access in the present, but who have historical knowledge of organizational security practices and weaknesses.

And not all insider attacks are malicious; the perpetrators may be unknowing pawns of a malevolent colleague, users of a poorly-tested system, or simply the careless initiator of unintended consequences. But one thing is clear: Insider threats are a costly problem, bedeviling organizations that lack the resources to monitor actions, prevent bad outcomes, or avoid harm when data leakages occur. In a 2001 paper, Maglaras and Furnell¹¹ provided a visual categorization of intentional versus unintentional threat (Figure 1).

The lack of a comprehensive definition of the insider threat leads organizations to think that insider threat can be prevented through the use of a policy, or by creating a defensible network perimeter, but both have inherent limitations: some policies cannot be fully or even partially implemented, leaving an organization vulnerable to security lapses. Additionally, most users of information systems tend to have move privileges than are essential to completing their assigned tasks. Finally, the creation of a hardened network perimeter does nothing to prevent an insider from doing damage.

One thing is beyond doubt: an insider can cause significant damage to the organization, regardless of whether the attack is a low level theft of proprietary information or a technically sophisticated act of sabotage. Insiders are a hidden threat because they may be able to elude detection as they bypass the physical and technical security measures intended to prevent unauthorizedaccess. Any insider attack has the potential to weaken or destroy public trust, share value, or financial solvency – they can slowly erode or quickly destroy the foundations of an organization. The standard perimeter defenses, such as electronic physical access systems, firewalls, and intrusion detection systems exist primarily to defend against the external threat. The insider is not only aware of the organization’s security policies and procedures, they are also very cognizant of any exploitable vulnerabilities – such as poorly enforced policies and procedures or exploitable technical flaws in the network.

Although some of the most publicized insider threat events have taken place in the US, the problem of insider threat is also global in scale. In 2013, a German telecommunications provider announced that the data of two million of its customers was compromised by an insider. A UK-based supermarket chain was attacked by another insider in 2013, who posted personal details of the employees’ bank accounts. These are just two of numerous examples of insider threat worldwide.

Recent news events lead us to think that the insider threat has only one form – the theft of data – but in reality, the insider has many ways of striking at an organization: sabotage, fraud, intellectual property (IP) theft, and government and industrial data leaks or breaches. Some cases of malicious activity fall into multiple categories. For example, the Insider Threat Study conducted jointly by the US Secret Service and the Computer Emergency Response Team (CERT) saw several cases where an employee committed an act of sabotage against their employer’s systems, and then offered to assist them in the recovery efforts for a sum of money – extortion. One case involved three categories of insider activity: the insider quit his job after an argument, but was offered no severance package. He made an unauthorized copy of an application he was developing, deleted the application code from the library, and stole all of the backup tapes. He then offered to restore the content to the application library for $50,000. He was charged and convicted of the crime, but the company never recovered all of the application code – a major setback for the organization.¹²

When discussing insider threat, most of us immediately look at banking, financial services, government, healthcare, or manufacturing as the activities with the most probability of an insider attack, but other organizations and businesses may also be affected. According to a 2014 survey by SpectorSoft, 37% of data attacks in real estate were from insiders, in the public sector 24%, in administrative organizations 27%, and in mining 25%. The inescapable conclusion is that every type of organization can be vulnerable to some type of insider abuse, error, or malicious attack that can impact reputation, operations and profitability, expose data, harm the o...