Insider threats are users with legitimate access to company assets who use that access, whether maliciously or unintentionally, to cause harm to the business. Insider threats aren’t necessarily current employees; they can also be former employees, contractors, or partners who have access to an organization’s systems or data.
Malicious insiders have a distinct advantage: they already hold authorized access to your company's network, information, and assets. They may have accounts that grant access to critical systems or data, making it easy for them to locate that data, circumvent security controls, and send it outside of the organization.
Inside attackers come from within your organization. They can be insiders in your company with bad intentions, or cyberspies impersonating contractors, third parties, or remote workers. They can work either autonomously or as part of nation-states, crime rings, or competing organizations. Even when they are remote third-party suppliers or contractors located anywhere in the world, they have some level of legitimate access to your systems and data.
Detecting insider threats is no easy task for security teams. The insider already has legitimate access to the organization’s information and assets, and distinguishing a user’s normal activity from potentially malicious activity is a challenge. Insiders typically know where the sensitive data lives within the organization and often have elevated levels of access, yet most of the time they are not acting maliciously; that is why their harmful activities are harder to detect than external attacks. As a result, a data breach caused by an insider is significantly more costly for organizations than one caused by an external attacker.
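The detection problem described above, where the actor's access is legitimate, is usually approached by baselining each user's own behaviour and flagging deviations from it rather than looking for a signature. The following is an added illustration, not code from the original article: it builds a per-user baseline from earlier access events (which resource areas the user normally touches and how much data each access moves) and flags later events that fall outside working hours, touch a new area, or move far more data than the baseline. The log format, the field names, the working-hours window, and the three-sigma threshold are all assumptions chosen for the example; the log lines are constructed.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample access log (not from the article).
# Format assumed for this example: timestamp,user,resource,bytes_transferred
SAMPLE_LOG = """\
2024-03-04T09:12:00,alice,/finance/q1-forecast.xlsx,20480
2024-03-04T10:03:00,alice,/finance/budget.xlsx,18000
2024-03-05T09:40:00,alice,/finance/q1-forecast.xlsx,21000
2024-03-05T11:15:00,alice,/finance/invoices/,15000
2024-03-06T09:05:00,alice,/finance/budget.xlsx,19500
2024-03-06T23:45:00,alice,/engineering/source-export.zip,850000000
2024-03-04T08:50:00,bob,/engineering/repo/,120000
2024-03-05T09:10:00,bob,/engineering/repo/,130000
2024-03-06T09:30:00,bob,/engineering/design-docs/,110000
"""

BUSINESS_HOURS = range(7, 20)  # assumed working hours, 07:00-19:59 local time
MIN_HISTORY = 2                # prior events needed before a user's baseline is trusted
SIGMA_MULTIPLIER = 3.0         # volume threshold: mean + 3 * population std dev


def parse_log(text):
    """Parse the constructed CSV-style log into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, resource, nbytes = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "resource": resource,
            "bytes": int(nbytes),
        })
    return sorted(events, key=lambda e: e["ts"])


def resource_area(resource):
    """First path component, e.g. '/finance/budget.xlsx' -> 'finance'."""
    return resource.strip("/").split("/")[0]


def score_event(event, history):
    """Compare one event against the user's own prior events; return reasons."""
    reasons = []
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    known_areas = {resource_area(h["resource"]) for h in history}
    if resource_area(event["resource"]) not in known_areas:
        reasons.append("new_resource_area")
    sizes = [h["bytes"] for h in history]
    threshold = mean(sizes) + SIGMA_MULTIPLIER * pstdev(sizes)
    if event["bytes"] > threshold:
        reasons.append("volume_spike")
    return reasons


def detect_anomalies(log_text):
    """Walk events in time order, scoring each against that user's earlier events."""
    alerts = []
    history = {}  # user -> list of that user's prior events
    for ev in parse_log(log_text):
        prior = history.setdefault(ev["user"], [])
        # Only score once a minimal baseline exists; the first few events just train it.
        if len(prior) >= MIN_HISTORY:
            reasons = score_event(ev, prior)
            if reasons:
                alerts.append({
                    "user": ev["user"],
                    "ts": ev["ts"].isoformat(),
                    "resource": ev["resource"],
                    "reasons": reasons,
                })
        prior.append(ev)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

On the sample data only alice's late-night pull of a large archive from an area she has never touched is flagged, with all three reasons; bob's routine engineering access produces nothing, which is the point: the same action is normal for one user and anomalous for another, so the baseline has to be per user.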
Publicly available information helps foreign intelligence entities identify people with placement and access:

- Contract information (bid, proposal, award, or strategies).
- Company website with technical and program information.
- Connections (partnerships, key suppliers, joint ventures, etc.) with other cleared or non-cleared companies.
- Employee association with companies or technologies made public through scientific journals, academia, public speaking engagements, social networking sites, etc.
- Company unclassified networks (internal and extranets), partner and community portals, and commonly accessed websites.
- Proprietary information (business strategy, financial, human resource, email, and product data).
- Export-controlled technology.
- Administrative and user credentials (usernames, passwords, tokens, etc.).

Foreign intelligence entities seek the aggregate of unclassified or proprietary documents which could paint a classified picture.