In 2020, insider threats were responsible for 60% of data breaches. Insider threats occur when an employee’s privileged access is misused to expose, steal or destroy a company’s sensitive information. This is often a result of negligence on the employee’s behalf with no harm intended, but other times, insider threats can have deliberate, malicious intentions.
This article will take a close look at malicious insider threats: why they emerge, what form they take and how companies can best bolster their data security strategies to mitigate a full-fledged attack.
Malicious insider threat examples
Malicious insiders aim to achieve one of three goals by misusing their credentials to access their company’s sensitive data:
- Sabotage, where the data is rendered no longer usable because it’s been damaged or destroyed. With data as important as it is to many business functions, this could be debilitating.
- Fraud, where data is stolen or modified to be used for deceptive purposes.
- Theft, whereby data is stolen and sold for financial gain or used to give a rival company the competitive edge.
With the goals of malicious insider attacks outlined, it’s important to understand the why—who are these individuals and what’s led them down the path of cybercrime?
Departing employees
Whether they’re leaving on their own terms or not, departing employees are almost always a threat to sensitive data security, solely because of the access and knowledge they possess. Both negligent and malicious insider attacks can occur after an employee leaves a company.
When an employee decides to leave, they’re likely looking for a new role at the same time. To appeal to an existing rival company, or to have a competitive edge when they create their own, they might steal data from their current employer. This could be consumer data for rivals to poach, trade secrets, company research and intellectual property.
When a workplace departure is involuntary, malicious insider threats can emerge in the form of disgruntled ex-employees acting out of retaliation. As a final, rage-fueled goodbye, they use their last moments of authorized access to damage or completely destroy sensitive data, sabotaging company operations. Or, they might download it to sell to rival companies for a large sum of money, diminishing their ex-employer’s market competitiveness.
The former happened to an Atlanta-based medical device packaging company in March 2020. Angered by his COVID-induced layoff, one ex-employee created a fake account to access his employer’s database, edit over 115,000 electronic shipping records and delete another 2,300. He then deleted the fake account so these modifications couldn’t be reversed, sabotaging the delivery of vital PPE equipment to healthcare workers.
Double agents
Double agents in the context of malicious insider threats are individuals who pose as an employee at an unsuspecting company while working with or on behalf of an external group to leak sensitive information. This stolen data is then used for financial gain, to sabotage the company or to commit fraud.
Even corporate giants, with their massive information security budgets, can be victims of malicious insiders, just as Amazon was in October 2020. While the company remained tight-lipped about the attack, it did inform affected customers that their email addresses had been leaked by an employee to a third party. How those emails were used was never disclosed, but this isn’t Amazon’s first double agent attack, and it likely won’t be the last. This is the unfortunate reality for companies that collect and store all sorts of valuable sensitive data in high volumes—malicious insiders are inevitably drawn to them.
Third-party insider threats
A malicious insider doesn’t necessarily need to be an employee of the company they attack, they simply need authorized access to the company’s sensitive information. Contractors, vendors and third-party applications used by the company for day-to-day operations fall into this bucket.
Take, for example, any company using a CRM platform. These are essential for many businesses, but they’re not often created in-house. Instead, companies turn to reputable providers like Salesforce or HubSpot for their CRM needs. If a malicious insider on the software provider’s side steals, damages or misuses the sensitive information companies often upload into CRMs, both parties are equally responsible for the compromised data.
Mitigating the risk of a malicious insider attack
Despite being contrived, well-thought-out and intentionally deceptive, malicious insider attacks can be prevented, or at least their impacts mitigated, with the right tools in your data security arsenal.
- Start with sensitive data discovery, which identifies all the sensitive data an organization possesses, from networks to endpoint devices to the cloud and even employee email accounts. This will give you a clear picture of what must be monitored for suspicious activity—a telltale sign that a malicious insider is at work. In the case that an attack happens, discovery can provide you with a high-level of confidence regarding what was stolen, edited or permanently damaged so you can respond accordingly.
- After all your data has been discovered, it can be classified. Data classification categorizes sensitive information based on a number of criteria, including its level of sensitivity and the data privacy regulation(s) it’s subject to. This in turn allows for the creation of highly specific permission roles that give sensitive data access only to those who need it. Overall, this reduces opportunities for data to be wrongfully downloaded, manipulated, exposed or damaged. If an attack does come to fruition, classification can make it easier to pinpoint the individual responsible.
- A data remediation tool is the final must-have, as it protects sensitive information from unauthorized access when it’s moved. It can also tag data—based on its classification—with the appropriate level of remediation to be applied at any time, including after it’s been manipulated or modified for sabotage by a malicious insider.
Be proactive with Spirion
Spirion’s Sensitive Data Platform discovers, classifies and remediates your sensitive data so it can be appropriately secured, continuously monitored for unusual activity and made less vulnerable to malicious insider threats. In addition, SDP seamlessly integrates with other intelligent data security solutions to deliver the highest level of protection. Learn how Spirion helps enterprises stay ahead where data security is concerned and keeps threats like malicious insiders at bay.