Fri. Jul 10th, 2020

Spotting Insider Threats Before They Happen

When you hear the word cyber-criminal, what images come to mind?


We bet a dozen images just flashed through your mind. Maybe it was a general image — a faceless person tapping away at their computer. Or maybe the image was more specific, for instance, WikiLeaks founder Julian Assange.


But of the dozen or so images that crossed your mind, was this one of them?


A woman wearing a gray dress and a smile scans her ID badge, breezing through security and into the building. She walks to the elevator, and when the doors open on the sixth floor, she sits down and uses her employee credentials to log in to a computer.


If it wasn’t, don’t be ashamed. When it comes to cybercrime, most people forget that attacks don’t always come from outside — sometimes the attacker is sitting in a cubicle directly across from you.


So, since September is Insider Threat Awareness Month, today’s Tech Tip Tuesday and the next three will focus on insider threats.


What the heck is an insider threat, anyway?

The name says it all — an insider threat is a threat that comes from inside your organization. But it doesn’t necessarily have to be the person sitting across from you. Sometimes the threat can come from third parties such as contractors or business associates.


Indicators of Insider Threats

Now that we’ve taken care of the basics, let’s get down to the nitty-gritty. How do you spot an insider threat? Is it even possible? In some instances, the signs are pretty clear and can be recognized in certain personality and behavioral changes.


One example of a potential threat is a disgruntled employee who openly speaks ill of the company, whether it’s in the office, on social media, or in group chats. Another indicator could be a business associate who is struggling financially or facing legal troubles.


According to Dr. Jamie Graves, vice president of product management, security analytics at ZoneFox, a behavioral analytics company, when it comes to insider threats, “usually, there is some sort of organizational change or event that precedes an attack.”


Active Indicators

If by some chance you miss the behavioral warning signs, there are other active clues that someone may be a potential threat.


Below are some examples:

  • Unusual Logon Times – Logging in early or late, and multiple successive logins.
  • Abnormal Application Use – Along with logging in at odd times of the day, this person is most likely repeatedly accessing and downloading large amounts of data.
  • Excessive Printing – Sometimes insiders steal sensitive information the old-fashioned way by printing reports from the office.
  • Copying Sensitive Data – Other methods include saving data to a USB drive or taking photos of it.
  • Attempts to Access Unauthorized Data – During the reconnaissance stage, employees sometimes try to access information that’s unrelated to their roles or job duties.
  • Authorized but Unusual Access to Sensitive Information – Even if the employee is authorized to access certain data, some warning signs can be accessing projects that haven’t been touched in years or, again, accessing data after hours.



Although the signs above are clear indicators of insider threats, it’s also important to remember that one anomalous action does not necessarily make a person guilty. But when you consistently see these warning signs simultaneously, it can be indicative of a malicious internal actor.
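
The Python sketch below is an added example, not part of the original article: it maps constructed log events to the active indicators listed above and raises an alert only when several distinct indicators co-occur for the same user on the same day. The event fields, event type names, thresholds and the three-indicator cutoff are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, event type, numeric detail).
# Field names, event types and thresholds are assumptions for illustration.
EVENTS = [
    ("2020-09-01 08:55", "alice", "logon", 0),
    ("2020-09-01 10:12", "alice", "print", 12),
    ("2020-09-01 23:40", "bob", "logon", 0),            # one anomaly only
    ("2020-09-02 02:14", "carol", "logon", 0),
    ("2020-09-02 02:20", "carol", "access_denied", 0),
    ("2020-09-02 02:31", "carol", "download", 4_800_000_000),
    ("2020-09-02 02:50", "carol", "usb_write", 4_800_000_000),
    ("2020-09-03 09:30", "carol", "print", 20),
]

WORK_HOURS = range(7, 19)    # 07:00-18:59 counts as normal hours
BULK_BYTES = 1_000_000_000   # a download above 1 GB counts as bulk
PRINT_PAGES = 200            # pages in a single print job
MIN_INDICATORS = 3           # distinct indicators on one day before alerting

def indicator(ts, etype, detail):
    """Map one event to an indicator name from the list above, or None."""
    if etype == "logon" and ts.hour not in WORK_HOURS:
        return "unusual_logon_time"
    if etype == "download" and detail > BULK_BYTES:
        return "bulk_download"
    if etype == "print" and detail > PRINT_PAGES:
        return "excessive_printing"
    if etype == "usb_write":
        return "copy_to_usb"
    if etype == "access_denied":
        return "unauthorized_access_attempt"
    return None

def correlate(events, min_indicators=MIN_INDICATORS):
    """Return {(user, date): sorted indicators} where enough distinct ones co-occur."""
    seen = defaultdict(set)
    for raw_ts, user, etype, detail in events:
        ts = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M")
        name = indicator(ts, etype, detail)
        if name:
            seen[(user, ts.date().isoformat())].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_indicators}

if __name__ == "__main__":
    for (user, day), names in correlate(EVENTS).items():
        print(f"{day} {user}: {', '.join(names)}")
```

In the constructed data, bob's single late logon stays below the cutoff, while carol's after-hours logon, denied access, bulk download and USB copy on the same night are reported together.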