How to assess and prioritize insider threat risk

What is an insider threat?

The human threat is often referred to as the insider threat. What comes to mind when you see the words “insider threat”? Chances are, you’re picturing Edward Snowden. He introduced the Snowden effect, becoming the poster child for anyone selling insider threat products for years. The story was simple: If a rogue insider could cause immense damage to the NSA, what chance would a normal organization stand against their own Snowdens?

But insider threats are nothing new. During the height of the Cold War, many spies defected to opposing sides, taking with them national secrets and expertise right from under the noses of their spy bosses. As a result, many counter techniques were developed and deployed to keep an eye on insiders with valuable knowledge or skills to prevent would-be defectors from escaping or passing over information.

But many organizations don’t hold state secrets and don’t have a single country to which their employees would defect. So, for non-state departments, let’s try defining an insider threat.

First, let’s define an insider. One way of defining an insider is as any individual with legitimate access within the corporate perimeter — be it physical or virtual — including permanent and temporary employees and third-party contractors, as well as third-party support companies and outsourced service providers.

Next, let’s define what we mean Therefore, we can summarize the insider threat as someone who misuses the legitimate access granted to them for the purposes of self-interest that could potentially harm the organization.

However, this definition hasn’t taken into consideration motive or intent. Differentiating malicious insider behavior from user error, or even legitimate activity, can be a challenge.

For example, a user is seen downloading several files onto their personal device. It could be they are about to resign and want to take some information with them to their next job. Alternatively, it could be a hardworking and loyal employee who wants to catch up with some work over the weekend. Or worse still, it could be that the user’s account has been compromised and is under the control of an attacker masquerading as an insider.