A Definition of Insider Threat

An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.

Contractors, business associates, and other individuals or third-party entities who have knowledge of an organization’s security practices, confidential information, or access to protected networks or databases also fall under the umbrella of insider threat. An insider threat may also be described as a threat that cannot be prevented by traditional security measures that focus on preventing access to unauthorized networks from outside the organization or defending against traditional hacking methods.

Types of Insider Threats

Insider threats occur for a variety of reasons. In some cases, individuals use their access to sensitive information for personal or financial gain. In others, insiders have aligned themselves with third parties, such as other organizations or hacking groups, and operate on their behalf to gain access from within the network of trust and share proprietary or sensitive information.

Another type of insider threat is often referred to as a Logic Bomb. In this instance, malicious software is left running on computer systems by former employees, which can cause problems ranging from a mild annoyance to complete disaster.

Insider threats can be intentional or unintentional, and the term can also refer to an individual who gains insider access using false credentials but who is not a true employee or officer of the organization.

Insider Threats are Tricky to Detect

Insider threats are often more difficult to identify and block than outside attacks. For instance, a former employee using an authorized login won’t raise the same security flags as an outside attempt to gain access to a company’s network. For this reason, insider threats are not always detected before access is granted or damage is done.

Insider threats often begin with an individual or entity being given authorized access to sensitive data or areas of a company’s network. This access is granted in order to enable the individual to perform specific job duties or fulfill a contractual obligation. But when an individual makes the decision to use this access in ways other than intended – abusing privileges with malicious intent towards the organization – that individual becomes an insider threat.

There are many more factors that make insider threats more difficult to detect. For one, many individuals with authorized access are also aware of certain security measures which they must circumvent in order to avoid detection. Insider threats also don’t have to get around firewalls or other network-based security measures since they are already operating from within the network. Finally, many organizations simply lack the visibility into user access and data activity that is required to sufficiently detect and defend against insider threats.