
Insider Threat Management in 2023: A Comprehensive Guide


Companies face data breaches regularly, and the cost of a data breach has increased by 15% [1] over the last three years. However, it is not just outside hackers we need to watch. Internal threats can be even more damaging: while a typical outside attack might expose 200 million [2] records, insiders have leaked nearly 1 billion.

To limit these internal risks, organizations should implement a program for assessing, detecting, and mitigating unwanted actions committed by authorized individuals who can access the organization’s sensitive data.

What is an insider threat?

The Cybersecurity and Infrastructure Security Agency (CISA) [3] defines an insider threat as the potential for an insider to use their authorized access to cause harm to the organization. An insider threat occurs when a current or former employee, contractor, or business partner has or had authorized access to an organization’s sensitive information or network infrastructure and uses that access to harm the security, integrity, or availability of those networks, whether maliciously or not.

Insider threats come with two kinds of indicators:

Direct indicators: inappropriate user behavior that departs from routine job activity.

Indirect indicators: patterns of human behavior that may point to suspicious activity.

Source: McKinsey

Figure 1. The markers of a risky persona

Common insider threats may include:

  • Actions to break safety procedures
  • Poor performance on the job
  • Unnecessary requests for permission or supervisory access
  • Careless use of social media
  • Keeping sensitive data accessible after notice of termination
  • Using unapproved external storage systems
  • A drop in productivity at work

Types of insider threats

1. Malicious insiders

Malicious insiders are current or former employees, business associates, or contractors who consciously violate company protocols and collect data for their own benefit. They may steal sensitive data, commit fraud, or disrupt computer networks. Most businesses use active data monitoring technologies and security teams to detect them.

For instance, the Apple engineers [4] who photographed autonomous-vehicle work for a Chinese business are malicious insiders.

  • Collaborator: Collaborators work together with competitors to launch a cyberattack. They use their privileges to steal sensitive information to disrupt corporate structures for monetary or personal benefit.
  • Goofs: Goofs are self-serving users who feel exempt from the organization’s security standards and deliberately break the rules. In doing so they knowingly create openings that let cybercriminals reach the organization’s data.

2. Negligent insiders

Research shows that 44% of insider threats result from negligence or co-opting (see Figure 2). Negligent insiders do not consciously cause damage, but their carelessness can put the organization at risk. Falling for a phishing attack, for example, is an unintentional action by an employee that cybercriminals can subsequently exploit.

For example, a data analyst who took home, without authorization, a hard disk holding sensitive information on 26.5 million [5] US veterans is a negligent insider.

  • Lone wolf: The lone wolf is a malicious insider who behaves independently and has privileged control and access over the network and organization’s infrastructure.
  • Pawn: Pawns are legitimate users manipulated into accidentally acting maliciously, frequently using social engineering tactics like phishing. These unintentional behaviors include installing spyware on their machine.

3. Third-party insiders

  • Mole: A mole is a third-party outsider who has obtained unauthorized access, for example by connecting to the organization’s network via a virtual private network (VPN). They may misrepresent themselves as a partner, freelancer, or user to obtain privileged access they are not eligible for.

According to McKinsey, as the spectrum and amount of cyber threats grow, so will cybersecurity spending (see Figure 3).


Source: McKinsey

Figure 3. Overall enterprise cybersecurity trends

  • Overall spending on cybersecurity technology reached 71.1 billion US dollars in 2022 [6], the highest amount ever recorded.
  • The average global cost of a data breach was 4.45 million USD [7] in 2023, an increase of 15% over the previous three years.

What motivates an insider threat: 4 causes

Source: Created on Canva

Figure 4. Common insider threat vectors

  1. Financial or personal gain: Employees experiencing financial difficulties or believing they are not adequately rewarded for their work efforts may seek monetary or personal benefit.
  2. Personal offense: Employees might become threats when their emotions are elevated, such as feeling angry over a poor performance assessment.
  3. Espionage: Corporate espionage occurs when an organization’s intellectual property is stolen and transferred to a rival, such as employees who desire to gain money or align themselves with another company for a career.
  4. Ignorance: Careless behavior accounts for 56% [8] of all insider threat cases: ignorant or negligent employees who knowingly disregard security rules for the sake of convenience.

Top 3 benefits of insider threat management

Organizations that relied heavily on AI/ML saved about 1.8 million USD [9] per data breach in 2023.

  1. Quick response to data breaches: AI/ML models provide fast, 24/7 breach discovery and mitigation. Organizations that used automation detected and contained a data breach 108 days [10] faster than organizations that did not.
  2. Identifying high-risk profiles: Builds a comprehensive picture of an individual from their actions and personal characteristics, so high-risk profiles can be identified.
  3. Controlling organizational structure: Managing cyber threats allows businesses to discover how to react to an attack and follow set safety guidelines. This builds trust and defensibility through solid compliance procedures between management, legal, and IT security functions.

How does insider threat management work?


Source: EY

Figure 5. Insider threat management full-spectrum approach

Most businesses utilize continuous AI/ML evaluation models to monitor partners, suppliers, and employees based on security and governance policies. In general, they look for deviations from what is regarded as “normal” behavior and a security team looks into anomalies that the software detects.

The features of insider threat management software are as follows:

  • Data-driven: Provides a data-centric method to collect, analyze, and report on private data.
  • Multi-factor authentication: Monitors and controls online data and file management systems, USB ports, and portable hard drives, ensuring that access to data is restricted.
  • Regular updates: Updates the software (which runs on macOS, Linux, and Windows) regularly to ensure it stays protected against known risks.
  • Quick response: Identifies sensitive data stored on machines, takes corrective action, and provides immediate data insights.

What are the challenges of insider threat management?

Only 33% [11] of organizations detected the breach themselves, and it can be difficult to distinguish negligent from malicious insider threats.

Typical challenges occur for four reasons:

  1. Delayed detection: Harmful actions have already taken place before the breach becomes apparent, and organizations struggle to investigate it promptly.
  2. Invisibility: Spotting deviations from routine behavior is complex and time-consuming, so investigation teams struggle and may produce inaccurate results.
  3. Coverage: Sustained malicious behavior may fall within the range of “normal” activity, so malicious insiders go undetected.
  4. Privacy: Collecting data to leverage user behavior tracking requires access to employee personal information, which raises privacy challenges.

4 best practices for insider threat management

1. IT Security Training

According to the IBM Cost of a Data Breach Report 2023 [12], organizations that trained their users had an average breach cost about 5% below the overall average. Both traditional and AI-powered techniques, together with insider risk management solutions, can be used to detect threats earlier and prevent insider risk.

IT security user training may include:

  • Cybersecurity policies: Password protection, managing information adequately, and reporting lost hardware.
  • Cyber-attack detection: Phishing scams, internet fraud, intellectual property infringements, or identity theft.

2. User Activity Monitoring


Source: EY

Figure 6. Advanced risk ranking data analytics system to detect insider threats

User behavior analytics (UBA) uses advanced data analytics and AI to support insider threat detection, model user patterns, and surface suspicious activity that might indicate a potential or ongoing cyber threat, including an insider threat. (A closely related technology, user and entity behavior analytics (UEBA), extends this to unusual actions by endpoint devices such as IoT devices.)

Enterprises frequently use security information and event management (SIEM) solutions together with UBA to glean and analyze security-related data to assess insider threats.
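As an added example (not from the article or any vendor's product), a minimal UBA pass in Python over constructed audit records: it learns a per-user baseline of active hours and daily file-read volume, then scores a review window for three indicators the article lists (off-hours activity, a file-access spike, and use of unapproved external storage) and ranks users for analyst review. The user names, events, thresholds and weights are all constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit records (user, ISO-8601 timestamp, event); not real data.
BASELINE_LOG = [("alice", "2023-09-04T09:15:00", "file_read"), ("alice", "2023-09-05T14:40:00", "file_read")]
REVIEW_LOG = [
    ("alice", "2023-09-11T02:10:00", "file_read"),  # outside her usual hours
    ("alice", "2023-09-11T02:12:00", "file_read"),
    ("alice", "2023-09-11T02:13:00", "file_read"),
    ("alice", "2023-09-11T02:14:00", "file_read"),
    ("alice", "2023-09-11T02:20:00", "usb_mount"),  # unapproved external storage
    ("bob", "2023-09-11T10:00:00", "file_read"),    # no baseline for this user
]

def build_baseline(records):
    """Per user: the hours they are normally active, plus mean/stdev of daily file reads."""
    hours, daily = defaultdict(set), defaultdict(Counter)
    for user, ts, event in records:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        if event == "file_read":
            daily[user][t.date()] += 1
    return {u: {"hours": hours[u], "mean": mean(daily[u].values() or [0]),
                "sd": pstdev(daily[u].values() or [0])} for u in hours}

def score_user(user, records, baseline):
    """Score one user's review-window records. Weights are constructed, not a standard."""
    if user not in baseline:
        return 0, ["no baseline for user; cannot assess deviation"]
    b, reasons, reads = baseline[user], {}, Counter()
    for _, ts, event in records:
        t = datetime.fromisoformat(ts)
        reads[t.date()] += int(event == "file_read")
        if t.hour not in b["hours"]:
            reasons["off-hours activity"] = 2
        if event == "usb_mount":
            reasons["unapproved external storage"] = 3
    # Volume spike: daily reads above mean + 2 sd (sd floored at 1 so a flat baseline keeps a band).
    if max(reads.values(), default=0) > b["mean"] + 2 * max(b["sd"], 1):
        reasons["file access volume spike"] = 3
    return sum(reasons.values()), sorted(reasons)

def rank_users(review, baseline):
    """Rank users by risk score so analysts look at the highest first."""
    by_user = defaultdict(list)
    for rec in review:
        by_user[rec[0]].append(rec)
    return sorted(((u, *score_user(u, r, baseline)) for u, r in by_user.items()),
                  key=lambda row: row[1], reverse=True)
```

A user with no baseline is reported separately rather than scored, since "deviation" is undefined for them; in a SIEM this would be a data-coverage finding, not an alert.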

3. Reduce risk by employee categorization

Employees can be categorized into two groups according to their authorization level: privileged and standard.

Privileged: Employees with access to sensitive data are considered to hold privileged accounts. Since 40% of insider cyber attacks involve privileged users, these accounts are the most exposed to insider threats and should be protected with security tools such as privileged access management (PAM) services.

Standard: The remainder of the employees who require less control can be categorized as “standard” and do not necessarily need to use PAM services.

4. Enhance transparency

Set up controls for tracking and handling shadow IT risks, create secure practices, and monitor user behavior and file movement by leveraging file transfer and end-to-end data encryption tools.


  1. “Cost of a data breach 2023”. [Source]. IBM. Retrieved September 21, 2023.
  2. “2023 Data Breach Investigations Report”. [Source]. Verizon Business. Retrieved September 21, 2023.
  3. “Defining insider threats”. [Source]. Cybersecurity and Infrastructure Security Agency (CISA). Retrieved September 21, 2023.
  4. Mehrotra K, Gurman M. (June 30, 2019). “Apple worker charged with secrets theft for China robocar firm.” [Source]. Bloomberg.com. Retrieved September 21, 2023.
  5. Stout D. (May 22, 2006). “Personal data of 26.5 million veterans stolen.” [Source]. The New York Times. Retrieved September 21, 2023.
  6. “Global cybersecurity spending 2017-2022”. [Source]. Statista. August 8, 2023. Retrieved September 21, 2023.
  7. “Cost of a data breach 2023”. [Source]. IBM. Retrieved September 21, 2023.
  8. “2022 Cost of Insider Threats Global Report”. (PDF). Ponemon Institute. 2022. Retrieved September 21, 2023.
  9. “Cost of a data breach 2023”. [Source]. IBM. Retrieved September 21, 2023.
  10. “IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs”. [Source]. IBM. Retrieved September 21, 2023.
  11. “Cost of a data breach 2023”. [Source]. IBM. Retrieved September 21, 2023.
  12. “Cost of a data breach 2023”. [Source]. IBM. Retrieved September 21, 2023.
