Five Common Insider Threat Profiles
By Dr. Christine Izuakor - May 16, 2019
Insider Threats come in many different shapes and forms and can be a frustrating problem to diagnose. Adding to the problem is the fact that even the most reliable and seemingly harmless employees can change in an instant and pose a threat. Protecting your company against these sometimes-unpredictable actors requires an understanding of the various profiles that exist and their motivations. To help, here is a quick look at five of the most common Insider Threat actors that companies may face, and some quick tips on how you can protect your organization from each of them.
- Disgruntled Debbie
The disgruntled employee is often the first profile that comes to mind when most people think of Insider Threats. Disgruntled Debbie is the employee who didn’t get the performance rating or the raise she wanted and decided to retaliate. While Debbie is a fictional character, this threat is very real. For example, this became a harsh reality for Tesla one summer. An angry employee stole some of the company’s proprietary information and began to share it with 3rd parties, compromising the company’s most sensitive business assets.
- Oblivious Oliver
Oblivious Oliver is the employee who has no clue that he is introducing risks to the organization. A large percentage of cyber security incidents start with human error, and Insider Threats are not always malicious in nature. Often, these threats stem from everyday employees who don’t know about cyber risks and, equally important, how to protect against them.
We saw a prime example of this in the RSA breach. RSA has been known as a trusted security technology provider for quite a while now, and their compromise was a stark reminder that even large security companies and their employees are not immune to attacks on the unsuspecting or oblivious employee. In this case, a simple click on a phishing email by a gullible employee led to the compromise of approximately 40 million records. The phishing attacks, like most today, were targeted and mimicked trusted contacts.
Curious employees also fall into this category. These are the employees who just want to know “What could happen if...?”, “How far might I be able to get with accessing something I shouldn’t have access to?”, or “What might actually happen if I clicked on this suspicious email?”. Deep down, some employees are just curious kids, wondering what the button does.
The best solution for Oblivious Olivers is training and awareness. By helping Oliver understand the risks of clicking on malicious links and encouraging him to approach all emails with caution, attempted phishing attacks against the Oblivious Olivers of this world are less likely to succeed.
- 3rd Party Patrick
Someone doesn’t have to be a full-time employee in your organization to be considered an Insider Threat. Third-party contractors and vendors often have the same or very similar access privileges even though they aren’t directly employed by the company. The risks they introduce to the company can be intentional or unintentional, depending on the circumstance.
The list of breaches stemming from third-party errors is unending. A few examples from last year alone include Saks Fifth Ave, Lord and Taylor, Best Buy, Kmart, Delta, Target, Sears, My Fitness Pal, and many, many more. In each of these cases, the company realized significant losses as a result of their partner's actions, or lack thereof. This makes having a strong third-party security program that includes both technology controls and legal controls against a third-party breach imperative to stopping 3rd Party Patrick dead in his tracks.
- Terminated Tony
Noticing activity from the account of someone who’s been recently terminated? As Terminated Tony leaves, he creates back doors and tries to retain access to systems and data for future use. This is an unfortunate and costly mishap that occurs quite frequently. In one real-world example, an ex-employee of Allen & Hoshall continued to access the company’s files for two years after he left the company. He was able to export intellectual property worth almost half a million dollars – an action that landed him in jail for a year and a half.
Ensuring that an employee’s access to systems throughout the company and network is promptly revoked after termination is an important step in making sure that Terminated Tony doesn’t wreak havoc on your company after he’s gone.
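One way to check for the situation described above is to correlate offboarding records with authentication logs. The following is an added example, not part of the original article; the log line format, the HR export structure, and all usernames, timestamps and addresses are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: termination timestamps as an HR export might provide them.
TERMINATIONS = {
    "tony": "2019-03-01T17:00:00+00:00",
    "dana": "2019-04-15T17:00:00+00:00",
}

# Constructed log lines in a hypothetical "timestamp user action result source" format.
AUTH_LOG = """\
2019-02-27T09:12:44+00:00 tony vpn_login success 203.0.113.10
2019-03-04T23:51:02+00:00 tony vpn_login success 198.51.100.7
2019-03-04T23:58:19+00:00 tony file_export success 198.51.100.7
2019-04-16T08:00:00+00:00 dana vpn_login failure 192.0.2.55
2019-04-16T08:05:00+00:00 erin vpn_login success 192.0.2.60
not-a-timestamp tony vpn_login success 198.51.100.7
"""

def parse_events(log_text):
    """Yield (timestamp, user, action, result, source), skipping unparseable lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield (ts, *parts[1:])

def post_termination_activity(terminations, log_text):
    """Return events from terminated accounts that occurred after their end date.

    A successful event means access was never revoked (severity "high");
    a failed attempt means the account is still being tried (severity "review").
    """
    cutoffs = {u.lower(): datetime.fromisoformat(t) for u, t in terminations.items()}
    findings = []
    for ts, user, action, result, source in parse_events(log_text):
        cutoff = cutoffs.get(user.lower())
        if cutoff is None or ts <= cutoff:
            continue  # not a terminated account, or activity predates termination
        severity = "high" if result == "success" else "review"
        findings.append({"user": user, "time": ts.isoformat(), "action": action,
                         "source": source, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in post_termination_activity(TERMINATIONS, AUTH_LOG):
        print(finding)
```

Any "high" finding indicates an account that should have been disabled at offboarding and was not, which is the gap the Allen & Hoshall case illustrates.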
- Malicious Marvin
Unfortunately, some insiders are just downright criminals. Driven by financial hardship, gambling problems, greed, substance abuse and more, employees steal from their employers for numerous reasons. These employees are deliberately looking to breach the company’s security and take advantage. One example of this occurred when an employee from Anthem Health caused a breach that resulted in unauthorized disclosure of personal data for 18,000 patients. The file, which contained social security numbers, full names, medical information and more, was sent to the employee's personal email address for access outside of work. It appears that the employee was intentionally stealing and misusing the data, and after the discovery of the breach, was investigated for numerous counts of suspicious activity.
Malicious Marvin is a very real threat. Life happens, and unfortunately, even the best employees make poor choices. It’s important to apply the concept of least-privilege access and only grant access to users on a need-to-know basis. Furthermore, having insight into user activity through logging and monitoring, implementing a robust data loss prevention program, and having strong detection and response capabilities can help keep Malicious Marvin at arm’s length within your organization.
Protecting your organization against Insider Threats requires that you first understand what those potential threats might be. Disgruntled Debbie, Oblivious Oliver, 3rd Party Patrick, Terminated Tony, and Malicious Marvin can cost your company millions of dollars if left unchecked. This list provides insight into some of the most common profiles, but remember that there are no limits to the motivations and profiles of Insider Threats. Anyone from business colleagues to your cyber security team could potentially pose a threat. This makes having a robust cyber security program based on the principle of “defense in depth” essential to stopping the insider threat.