We tend to focus so much on external cybersecurity threats that we sometimes forget one of the most damaging types of attacks—the insider threat.
An insider threat is any employee, contractor, or subcontractor who uses their credentials to maliciously access a company’s resources, or who finds some other way to compromise their own organization. In some cases, insider threats are accidental rather than malicious.
According to Verizon’s 2024 Data Breach Investigations Report (DBIR), 88% of data breach incidents that resulted in lost or stolen assets occurred because of an insider threat. In most cases, the actor’s motivation was financial. Among malicious insider threats, 88% of the actors had a financial motivation, 46% acted for espionage purposes, 6% out of a grudge, and 2% for ideological reasons; the figures overlap because a single actor can have more than one motive.
Detecting insider threats is especially challenging because no malware is involved. Insiders are often trusted individuals who are allowed to access the information they’re exfiltrating. However, it’s still possible to minimize the risk of insider threats and even detect an ongoing attack using a combination of behavioral analysis and company policies.
In this guide, we’re going to explain the different types of insider threats, what makes each unique, the challenges of each one, and the best steps to protect yourself from them.
An outsider-to-insider threat occurs when an outsider targets an organization and then finds a way to become an employee of that organization. This type of insider threat is the most sophisticated because it requires premeditated planning and access to advanced fake ID services.
In a highly publicized incident, a North Korean operative infiltrated the well-known KnowBe4 cybersecurity awareness training company. The company suffered zero data loss but shared the incident to drive home that, if it can happen to a cybersecurity company, it can happen to anyone.
This wasn’t an isolated incident. Hundreds of US organizations, including Fortune 500 businesses, have unknowingly hired thousands of North Koreans using fake identities as part of an alleged plot by North Korea to obtain funding from US companies for its weapons program. Here’s how this type of attack is facilitated:
An organized crime group or nation-state pays a US resident to run a so-called “laptop farm” from a US address and/or to steal Americans’ identities.
In the KnowBe4 incident, the outsider used AI to manipulate a stock photo and then created a fake ID with that photo. According to KnowBe4’s blog post, the fake ID was so well made that it evaded detection by the US government’s Form I-9 E-Verify check, which electronically confirms a person’s eligibility to work in the United States.
When the person gets the remote job, the target company sends a laptop to the new employee. The new employee provides the US-based address of the laptop farm, and then remotely accesses the laptop from wherever they are in the world. The employee makes sure they work during US working hours.
The employee then sends a percentage of their pay to the nation-state behind the scam and/or installs malware on the remote laptop for deeper attacks.
Some of the ways to mitigate the effectiveness of this type of attack include:
Financial motivation is by far the most common motivation for insider threats. In one notorious case, a T-Mobile store owner stole credentials from T-Mobile employees to defraud the carrier of $25 million. Using these credentials, the store owner could unlock T-Mobile, AT&T, and Sprint phones and then sell them on the black market. The store owner used various means to steal T-Mobile employee credentials, including phishing emails and working with foreign-based call centers.
Aside from the mastermind store owner, the T-Mobile employees were unwitting insider threats. An external threat actor compromised their details and then used those details to carry out insider attacks.
Whether executed knowingly or unknowingly, the damage resulting from an insider threat is often the same.
In the case of Bupa Healthcare, a “rogue employee” stole the data of 547,000 customers and then tried to sell it online. Bupa Healthcare received a fine of £175,000 ($228,000 at the time) from the UK’s Information Commissioner’s Office for “technical and organizational failures at Bupa that left 1.5 million records at risk for a long time.”
No public information exists regarding why the Bupa employee carried out the attack, and whether the only motivation was financial.
In some cases, external organizations recruit employees and offer them compensation for infiltrating your company’s systems. In 2021, the Department of Justice (DOJ) arrested a Florida resident for accepting bribes to carry out “SIM swaps”—one of the more damaging personal cyberattacks around. It allows attackers to receive SMS messages intended for another number, which can then lead to further account compromise attacks and data exfiltration.
Knowing that employees can be bribed means that cybercriminal groups might target individuals in specific departments more aggressively than others, offering them profit-sharing motivation or outright payments for the employee’s “services.”
According to Verizon’s 2024 DBIR, the human element is part of more than two-thirds of all data breaches, which includes all types of insider threats—knowing or unknowing. However, the “unknowing” category is far more prevalent.
Human error and emotion are key elements when it comes to insider threats. Phishing attempts often prey on ignorance or urgency, causing employees to unwittingly provide their credentials. Employees might also leave databases exposed or misconfigured accidentally, making a data breach simply the result of a threat actor running some automated searches.
These kinds of accidental or negligent exposures can affect even large enterprises that lack the infrastructure to keep track of their data and assets. For example, in 2022, several Microsoft employees inadvertently exposed security credentials for GitHub code repositories.
Accidental insider threats are harder to detect and catch, but malicious threat actors are likely to act in a more patterned manner, allowing EDR systems to detect their actions based on behavioral analytics. Employee awareness training is, therefore, crucial to avoid accidental insider threats and to communicate best practices as well as the risk involved with oversights that might seem minor.
Six percent of malicious insider threats occur because of a grudge.
Many insider threats stem from recently terminated—or soon-to-be-terminated—employees. For example, a Louisiana court sentenced a former IT employee to 34 months in prison and ordered $1.1 million in restitution for repeatedly hacking his former employer’s computer network. The man pleaded guilty to intentionally damaging protected computers.
In October 2024, Disney accused a former employee of a computer hacking revenge plot that began shortly after Disney terminated the man’s employment. According to the allegations, the former employee disrupted operations by trying to hack menu creation systems, employee accounts, and secure file transfer systems.
These attacks can be especially damaging because revenge seekers might be reckless and risk-tolerant, hoping to inflict maximum damage on a company with little regard for the consequences to themselves. If an organization doesn’t have proper safeguards around an employee’s termination, the recently terminated may still have access to data and accounts, which can lead to a security compromise.
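One concrete safeguard for the termination gap described above, as an added example that is not part of the original post: it correlates a constructed HR termination feed with constructed authentication log lines (the log format, usernames and addresses are hypothetical) and flags any login attempt by a terminated user, plus any terminated user whose directory account is still enabled.

```python
"""Post-termination access check (added example; not SolCyber's code)."""
from datetime import datetime, timezone

# Constructed HR feed: username -> termination date (hypothetical data).
TERMINATED = {"jdoe": "2024-10-01", "asmith": "2024-09-15"}

# Constructed directory export: accounts still enabled at audit time.
ENABLED_ACCOUNTS = {"jdoe", "bwayne", "asmith"}

# Constructed authentication log in a hypothetical key=value format.
AUTH_LOG = """\
2024-09-30T17:55:02Z auth login user=jdoe src=10.1.4.22 result=success service=vpn
2024-10-02T03:14:09Z auth login user=jdoe src=203.0.113.7 result=success service=vpn
2024-10-02T03:20:41Z auth login user=jdoe src=203.0.113.7 result=success service=sftp
2024-10-03T09:02:00Z auth login user=bwayne src=10.1.4.30 result=success service=vpn
2024-10-05T22:47:13Z auth login user=asmith src=198.51.100.9 result=failure service=vpn
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes an aware datetime."""
    ts, _, _, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def term_date(user):
    """Termination date as a UTC-aware datetime at 00:00 that day."""
    return datetime.fromisoformat(TERMINATED[user]).replace(tzinfo=timezone.utc)


def post_termination_logins(log=AUTH_LOG):
    """Return (severity, user, service, src, timestamp) for every login attempt
    by a terminated user on or after their termination date. A successful login
    is critical (access was never revoked); a failed one is a warning (the
    credentials may still be in play)."""
    findings = []
    for line in log.splitlines():
        ev = parse_line(line)
        user = ev["user"]
        if user in TERMINATED and ev["ts"] >= term_date(user):
            sev = "critical" if ev["result"] == "success" else "warning"
            findings.append((sev, user, ev["service"], ev["src"], ev["ts"].isoformat()))
    return findings


def orphaned_accounts(enabled=ENABLED_ACCOUNTS):
    """Terminated users whose directory account is still enabled."""
    return sorted(u for u in enabled if u in TERMINATED)


if __name__ == "__main__":
    for f in post_termination_logins():
        print(*f)
    print("still enabled:", orphaned_accounts())
```

In practice the HR feed and directory export would come from the HR system and identity provider, and the check would run on every termination event rather than as a batch audit.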
The first step is to understand that cyberattacks can affect all organizations, regardless of size or industry, and every department within an organization. It is, therefore, important to make all stakeholders aware of the threat.
We recommend the following five steps to better protect your organization from potential insider threats:
SolCyber is a managed security provider that can help you with all aspects of cybersecurity, from comprehensive tooling to effective awareness training. Our service packages are thorough and easy to understand. You also deal with only a single vendor, even though you receive solutions across all aspects of cybersecurity.
Insider threats are a troubling concern for organizations of all sizes. However, you can do something to significantly reduce the likelihood that you’re the victim of one. Reach out to us today to learn more about SolCyber’s managed security services and how we can help you.