A SOC analyst investigating a a security threat on a laptop

Insider threats in cyber security

Overview

Identify and eliminate insider threats before they damage your business

Whether acting out of malice or negligence, insider threats pose a significant cyber security risk to all organisations. Data from Kroll’s quarterly Threat Landscape reports indicate that the rise in internal threats is showing no signs of slowing down, in many cases exacerbated post-pandemic.

While the dangers posed by insider threats are becoming more widely recognised, not enough resources are being allocated to mitigate the risk they pose. As threat actors become more sophisticated and attacks continue to target employees, the human and technological defences of every organisation need to keep up.

By understanding where and how insiders can facilitate an attack, leading to internal threats, companies can work to preempt, stall or mitigate attacks when employees cross the line from friend to foe.

Insider threats

What is an insider threat?

Insider threats in cyber security are threats posed by individuals from within an organisation, such as current or former employees, contractors and partners. These individuals have the potential to misuse access to networks and assets to wittingly or unwittingly disclose, modify and delete sensitive information.

Information at risk of being compromised could include details about an organisation’s security practices, customer and employee data, login credentials and sensitive financial records. The nature of internal threats means that traditional preventative security measures are often ineffective.

How to detect an insider threat

The best way to detect internal threats is to take proactive steps to protect your organisation.

One essential aspect of defending against insider threats is to closely manage user account privileges, adopting a policy of least privilege. Ensure that you implement a device management policy and application control, particularly in light of the rise in hybrid working.

Proactive network security and endpoint monitoring is vital for helping to identify and respond to internal threats before they cause disruption. It is also important to ensure that your organisation has an effective and comprehensive incident response plan in place.

Types

Types of insider threats

Insider threats in cyber security are either malicious or negligent in nature.

Malicious internal threats result from rogue employees and contractors leaking confidential data or misusing their access to systems for personal gain and/or to inflict damage and disruption. Criminal insiders may work alone or collude with external threat actors such as competitors and hacking groups.

Negligent insider threats result from inadvertent employee errors, such as users falling victim to phishing emails or sharing data on insecure devices and USB sticks. Insider threat examples include:

Second streamers

Second streamers are current employees that misuse confidential information to generate additional income through fraud, external collusion or selling trade secrets. Gartner suggests that these types of internal threats account for 62% of malicious insider threats.

Disgruntled employees

Disgruntled current or former employees that commit deliberate sabotage or steal intellectual property can be among the costliest internal threats to organisations. Gartner’s insider threat statistics suggest 29% of criminal insiders commit theft for financial gain, while 9% are driven by a desire to commit sabotage.

Inadvertent insiders

Employee negligence is one of the most common types of insider threats. Negligent employees include users who exhibit secure and compliant behaviour but make occasional errors. Many negligent employees do not realise their mistakes until it is too late.

Persistent non-responders

Some employees, often senior executives, are unresponsive to security awareness training, consistently exhibiting behaviours that could leave them vulnerable to compromise. These users are more likely to be repeatedly targeted by social engineering scams such as BEC attacks, making them a cause of internal threats.

Collaborators

Collaborators are employees who work with a third party to cause intentional harm to the organisation. Types of third parties they work with include criminal gangs, competitors and nation-states.

Lone wolves

As the name suggests, lone wolves work independently and without the motivation of outside manipulation or influence. Lone wolves present a significant risk as they often have privileged access to many systems.

Pawns

Pawns are employees with authorised access who have been manipulated into acting maliciously - often through social engineering techniques like spear phishing. They become internal threats through unintentionally harmful acts such downloading malware or sharing confidential information with a threat actor.

Moles

A mole is not an employee but an outsider with insider access to a company’s systems. They achieve this by pretending to be an employee, a vendor, a partner, a contractor or an employee in order to gain privileged access to information.

Privileges

Privileges attractive to cybercriminals

Assuming that only high-profile individuals within a business are likely to be approached by cybercriminals would be a mistake. The reality is that a wide range of employees at different levels will be targeted, with access to lucrative information that could potentially be held to ransom.

Employee Role	Potential Value
IT Help Desk	Admin privileges and control over allow/deny lists could be used to install remote admin tools and provide persistence.
Security Analyst	Individuals may know network blind spots, with access to security assessment reports and the ability to turn off security features undetected.
Salesperson	Access to confidential client information, revenue figures and financial targets.
Human Resources	Confidential information on employees, including payroll and health records.
Research & Development	Direct access to proprietary data or trade secrets, as well as areas of company networks outside the monitoring of in-house security teams.

Mitigation

How to mitigate the risk of insider threats

The complexity of detecting and responding to insider threats alongside other cyber security threats means that no single solution can claim to reduce the risk entirely. Instead, organisations should look to adopt layered approach, encompassing a range of security controls and processes. This will help to reduce the risk of internal threats. Organisations should:

Conduct regular risk assessments to understand the potential impact of insider attacks
Provide regular security awareness training for all staff
Closely manage the accounts and privileges of all employees and contractors
Perform penetration testing at least annually to help identify security improvements
Commission a simulated phishing assessment
Implement 24/7 network and endpoint monitoring to detect anomalous behaviour

Kroll Responder MDR

The benefits of Managed Detection and Response

Proactive monitoring of networks, endpoints and users plays a crucial role in helping to identify insider threats. Kroll Responder, our award-winning MDR service can help to identify suspicious activity, such as attempts to access systems and edit and exfiltrate data.

For a cost-effective subscription, Kroll Responder supplies the skilled security experts, cutting-edge technology and up-to-the-minute industry intelligence needed to hunt for and shut down attacks that originate from both the outside and the inside.

Managed Detection and Response

Award-winning support to rapidly detect and respond to the latest threats 24/7

Assessment Services

Specialist engagements to uncover and address hidden cyber security risks

Managed Security Services

Expert help to manage and monitor your choice of security technologies

Get in touch

Complete the form for a prompt response from our team.

Two Redscan team members analysing cyber security intelligence

1000 characters left

I would like to receive invitations, insights and thought leadership content from Kroll

View our privacy policy

From the blog

From the blog Case studies Latest news

26th April 2024

Healthcare cyber security insights revealed in new Kroll report

16th April 2024

The secure email standard: safeguarding data in health and social care

25th March 2024

New Kroll report highlights rise in use of external remote services for initial access

24th March 2024

ChatGPT security risks: defending against chatbots

Hospitality Company

Securing a hospitality company’s continued global expansion

Asset Management Firm

Enhancing security visibility for a leading asset management firm

National Homebuilder

Ensuring threat visibility across a hybrid cloud network

Specialist Bank

Raising the bar by uncovering vulnerabilities across a bank’s estate

22nd April 2024

Quishing attacks increase tenfold

According to new research, quishing attacks, a type of phishing that leverages QR codes, have significantly increased, rising from 0.8% in 2021 to 10.8% in 2024.

15th April 2024

Half of UK businesses affected by cyber-incident in the past year

According to a new report by the UK government, half of UK businesses have reported a cyber incident or data breach in the past 12 months.

8th April 2024

Infostealers prominent in retail cyber-attacks

New research has highlighted that the use of infostealers dominated in cyber-attacks on retailers over the past year.

2nd April 2024

Zero-day vulnerabilities soared by over 50% between 2022 and 2023

In a new report Google has revealed that the volume of zero-day vulnerabilities it detected rose by over 50% from 2022 to 2023, with bugs in third-party components on the increase.