Insider Risk v. Insider Threat | Next DLP blog

Written by Angela Stringfellow | Mar 22, 2023 5:01:36 PM

Understanding the Difference Between Insider Risks and Insider Threats

As wave after wave of layoffs is announced, organizations are rightfully concerned about their intellectual property leaving with former employees, and for good reason: one study found that 85 percent of employees admitted to taking company documents and information when they left. However, while all insiders present risk, not all insiders are threats.

What is an Insider? 

An insider is an individual with access to an organization’s data. While this can include individuals with access to physical copies of data left on printers or in unsecured file cabinets, from a Data Loss Prevention perspective the focus is on credentialed users who can access sensitive electronic data.

This can include:

  • Engineering staff working with design documents or source code
  • Financial professionals with access to sales and profitability statements
  • Sales teams working with customer and prospect lists
  • Product management teams developing product roadmaps and strategic plans

Insiders can also include non-employees, such as partners and vendors, who may require access to internal systems to provide their services.

What is an Insider Risk? 

Every individual who can access sensitive data presents a risk of data loss. Insider risk does not require malicious intent; it is inherent in being a user. It can be caused by negligence: a careless user may mistype an email address and send confidential information to an unauthorized person.

It can also be from a lack of knowledge of good security practices, such as when a user uploads a document to a personal cloud drive when the file is too large to email. 

  • Poor training was cited when a Dallas, Texas IT worker accidentally deleted over 20 terabytes of the city’s data, including over 13 terabytes of Dallas police files, while trying to move them from online storage. A report found the technician “appears to have been attempting to carry out the data migration consistent with his sincerely-held understanding, although flawed, of the Commvault software.”
  • Non-employees, too, can make mistakes with data, often with good intent. A service provider having trouble solving a problem may forward it to colleagues who are not authorized to view the material in order to get assistance.

What is an Insider Threat? 

An insider changes from a risk to a threat when malicious intent is present. Insider threats have an objective of compromising data security. Common insider threats include: 

Departing employees: As noted, an employee leaving their role often takes information they believe will be helpful to their new job. This can include material they have created or information that would demonstrate a “quick win” to their new employer. 

  • Credit Suisse reported that an employee copied data on other personnel to an external device – including salary information and banking details – prior to quitting.  

Malicious insiders: The motivations of an insider threat can include personal gain, including industrial espionage for a competitor or providing criminals with access to Personally Identifiable Information on consumers. 

  • A former Amazon Web Services engineer allegedly created an application to detect which AWS customers had misconfigured firewalls and then extract privileged account credentials. She used this to steal sensitive data from Capital One’s systems, including “106 million credit card applications, which included names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers.”
  • An employee in China stole sensitive information from Dutch chip equipment maker ASML Holding. There are reports that the employee had ties to a “Beijing-backed spy ring.” In addition to losing IP to a potential competitor, ASML reported that the loss may also have violated export control regulations.  

Disgruntled insiders: Another insider threat motivation is sabotage. The individual may seek to release sensitive information and publicize a breach to prompt regulatory penalties or damage an organization’s reputation. 

  • After being fired via a text message, a former employee of Penn South Cooperative Federal Credit Union in New York deleted more than 20,433 files and 3,478 directories from the credit union’s IT system.

How to Address Insider Risk and Threats 

Stopping insider risks requires better security hygiene. Employees who understand when data is at risk and self-correct contribute to a security-positive culture and provide organizations with a “human firewall.”  

Annual training events simply don’t work. A better approach is contextual training as data is put at risk. Reveal provides users with incident-based training as they interact with data. If an action puts data at risk, Reveal automatically provides policy reminders and safe alternatives. It can even require acknowledgement of company policies before proceeding. 

Stopping malicious threats requires visibility into sensitive data and contextual intelligence on the user’s actions. The Next Reveal agent delivers continuous protection with machine learning on the endpoint.

Next DLP’s smart agent identifies and categorizes data as it is exposed to risk. It begins baselining activity at installation, and multiple behavioral analytics algorithms monitor user, entity, and network behavior to model and define typical and anomalous behavior. Because the behavioral analysis runs autonomously on the endpoint, protecting data does not rely on a connection to a separate analysis engine, and all personal data remains on the device.

Frequently asked questions

What is the difference between insider risk and insider threat?

An insider risk is the potential harm to an organization caused by an employee, contractor, or business partner. Insider risks can be either intentional or unintentional and encompass a broad range of activities, from negligence to malicious behavior. 

An insider threat is a type of insider risk where an insider acts maliciously. Threats include intentional acts like data theft, sabotage, or fraud for financial gain or revenge. 

How can organizations identify insider risks?

The best ways to identify insider risks include: 

  • Conducting risk assessments: Regularly assess potential risks associated with insider activities and access to sensitive information.
  • Behavioral monitoring: Implement tools to monitor and analyze employee behavior for signs of unusual or risky activities.
  • Access reviews: Periodically review and audit user access to critical systems and data to ensure appropriate access levels.
  • Feedback mechanisms: Encourage employees to report suspicious activities or behaviors through anonymous reporting systems.
  • Security awareness training: Train employees to recognize and report potential risks associated with insider activities.

What are common indicators of insider threats?

Unusual access patterns, including frequent access to sensitive data outside normal working hours, are a classic sign of an insider threat. Organizations should also look for red flags like data exfiltration, sudden behavioral changes, communication with suspicious contacts, or repeated policy violations. 
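To make the baselining described in the product section and the indicators listed above concrete, here is an added example (not Next DLP’s code, and not from the post) that learns a per-user baseline of sensitive-file activity from a constructed access log and then flags user-days showing off-hours access, access volume well above baseline, or repeated copy/upload actions on confidential files. The log format, user names, paths, and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample endpoint access log (not real data): timestamp user action path label
BASELINE_LOG = """\
2023-03-01T09:12:00 alice read /eng/src/main.c confidential
2023-03-02T14:05:00 alice read /eng/design/board_v4.pdf confidential
2023-03-01T09:00:00 bob read /sales/prospects_q1.xlsx confidential
2023-03-02T09:30:00 bob read /sales/customers.csv confidential
"""
RECENT_LOG = """\
2023-03-20T09:30:00 alice read /eng/src/main.c confidential
2023-03-20T23:10:00 bob read /sales/customers.csv confidential
2023-03-20T23:12:00 bob copy /sales/customers.csv confidential
2023-03-20T23:15:00 bob copy /sales/prospects_q1.xlsx confidential
2023-03-20T23:20:00 bob upload /sales/customers.csv confidential
"""
WORK_HOURS = range(8, 19)           # 08:00-18:59 is treated as normal working hours
EXFIL_ACTIONS = {"copy", "upload"}  # actions that move a file off the controlled store
VOLUME_FACTOR = 3.0                 # flag a day with more than 3x the user's baseline average

def parse(log):
    # One event per line -> (timestamp, user, action, path, label)
    out = []
    for line in log.splitlines():
        ts, user, action, path, label = line.split()
        out.append((datetime.fromisoformat(ts), user, action, path, label))
    return out

def build_baseline(events):
    # Per-user mean number of confidential-file events per active day
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, _, _, label in events:
        if label == "confidential":
            per_day[user][ts.date()] += 1
    return {u: sum(d.values()) / len(d) for u, d in per_day.items()}

def score(events, baseline):
    # Return {user: [reasons]} for user-days that deviate from the learned baseline
    by_user_day = defaultdict(list)
    for ev in events:
        by_user_day[(ev[1], ev[0].date())].append(ev)
    findings = defaultdict(list)
    for (user, day), evs in by_user_day.items():
        sensitive = [e for e in evs if e[4] == "confidential"]
        off_hours = [e for e in sensitive if e[0].hour not in WORK_HOURS]
        exfil = [e for e in sensitive if e[2] in EXFIL_ACTIONS]
        expected = baseline.get(user, 1.0)  # unseen user: assume one event per day
        if off_hours:
            findings[user].append(f"{day}: {len(off_hours)} sensitive accesses outside working hours")
        if len(sensitive) > VOLUME_FACTOR * expected:
            findings[user].append(f"{day}: {len(sensitive)} sensitive accesses vs baseline {expected:.1f}/day")
        if len(exfil) >= 2:
            findings[user].append(f"{day}: {len(exfil)} copy/upload actions on sensitive files")
    return dict(findings)
```

Running `score(parse(RECENT_LOG), build_baseline(parse(BASELINE_LOG)))` flags only bob, on all three indicators, while alice’s single daytime read stays within her baseline.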

How can businesses mitigate insider risks and threats?

Implement strong access controls so employees can only access the minimum data required for their roles. Advanced monitoring tools are also necessary for detecting anomalies quickly, alerting your team that a threat is active. Regular audits and creating incident response plans will equip you to address insider incidents ASAP. 

How do insider risks affect data security?

Insider risks increase your vulnerability to data breaches and loss. If they have access to sensitive data, insiders can do a lot of damage, which could result in financial losses, reputational damage, and even legal consequences for your company.