Why organizational insiders become threats

Nov. 5, 2024
The more the factors behind the creation of insider threats are understood, the closer to inception they can be stopped.

Insider threats have always been lurking. Employees – even executives – and their risky behavior are the main factors driving business data loss, resulting in financial and brand damage that could last for decades.

In recent years, however, numerous factors, from increased cloud reliance to the normalization of remote work and widespread adoption of generative AI tools, have heightened the likelihood of data loss so that insider threats are now the fourth biggest CISO concern behind malware, email fraud, and cloud account compromise.

In the years following the height of the pandemic, insider threats increased by 44%, largely due to accidental behaviors. Careless insiders remain at the heart of the issue, accounting for over half (56%) of all reported cases and costing businesses an average of $485K per incident.

Malicious insiders are less prevalent yet more costly. Those who intentionally harm organizations cause 26% of insider threat cases, costing an average of $648K per incident.

While careless and malicious insiders are distinct in many ways, they share a common thread. People don’t wake up one day and decide to become a threat. Many factors are at play, from personal and financial problems to dismissal, job changes, and poor security training.

Understanding these factors is vital in identifying those most at risk of posing a threat and implementing protections to stop them when they do.

The Insider Origin Story

There is no simple formula for identifying an insider threat. Incidents result from numerous internal and external factors, often over a prolonged period. That said, some particular factors significantly increase a person’s chances of posing a threat to your business.

Unsurprisingly, the first is dismissal or resignation. According to Proofpoint’s Voice of the CISO Report, over 70% of organizations that have experienced a material loss of sensitive data in the past year believe those leaving their organization contributed to the incident. At the same time, Proofpoint’s Data Loss Landscape Report found that as much as 87% of anomalous file exfiltration among cloud tenants may be caused by departing employees.

Privileged users are more likely to drive insider threats, too. Understandably, almost two-thirds (63%) of security professionals identify employees with access to sensitive data, such as HR and finance staff, as representing the greatest risk of data loss.

Many other organizational factors can contribute to insider threats over time. Employees who are overworked and underappreciated may be more prone to mistakes or less inclined to go the distance needed to protect business data. Organizations with a blame culture may also see employees afraid to speak up about their mistakes or draw attention to their security shortcomings, resulting in high-risk or negligent activity.

This leads us to a significant issue – a lack of security education and awareness. If your people are not trained to understand the risk their behavior can pose to your business, they are unlikely to realize the gravity of an errant click or attachment download. Untrained employees are also more likely to bypass security policies for ease and speed.

External factors also play a large part in creating threats from the inside. Poor work-life balance and financial problems can cause employees to act recklessly. This could mean intentionally stealing data for financial gain or making careless mistakes because they feel distracted or fatigued. State-sponsored espionage, sabotage, and fraud could also occur, as we’ve seen this year with North Korean operatives posing as U.S.-based IT workers to gather intelligence.

Monitoring your workplace for the potential contributory factors above may seem insurmountable. With conflicting methods, motivations, and constantly changing factors, there is no blanket defense against insider threat incidents. With an estimated 1% of users responsible for 88% of data loss events, finding the needles in your haystacks is vital and can be achieved through proper and robust protections.

Battling Against the Balancing Act

A reactive, companywide insider threat management (ITM) approach may provide some protection. However, a deliberate and proactive program allows you to better identify risky users before they cause harm.

Tools and technology are only one piece of the puzzle for successful cyber defense. Comprehensive and ongoing security training is vital, as is a holistic data loss protection program that combines people, processes, and technology. Every person in your organization, from the C-level down, must understand their role in defending against insider threats and the consequences of failing to do so.

With shared responsibility as a baseline, any ITM strategy must be based on the notion that any user is a potential risk. Therefore, while undoubtedly effective, writing policies and implementing protections around specific user groups can only do so much. Through emerging AI-powered behavioral frameworks, organizations will implement adaptive tools and controls to monitor user behavior in real time. Once risky or unusual activity is detected, a user’s permissions, protection, and monitoring policy can be immediately updated.

Insider threat management is an unavoidable to-do for today’s organizations, especially large enterprises. Threat actors are better than ever at posing as your people; your own people are the greatest risk to your business data.

You can begin closely monitoring everything from unauthorized file transfers and device connections to suspicious web browsing and application use. As a result, security teams will not need to perfect the near-impossible balancing act of managing potential risk factors and identifying every suspicious user ahead of time. Instead, you can match dynamic policies to individual users at the first suggestion of a threat.

The more we understand the factors behind the creation of insider threats, the closer to inception we can stop them in their tracks.

About the Author

Brian Reed | Sr. Director of Cybersecurity Strategy at Proofpoint.

Brian Reed is Sr. Director of Cybersecurity Strategy at Proofpoint. He came to Proofpoint from Gartner, where he focused on cloud security, data security, incident response, insider threats, and security awareness. Since 2015, he has published over 50 thought-leading research notes at Gartner, including Cool Vendors reports, Market Guides for Digital Forensics and Incident Response Services and Security Awareness Training, Risk Management research, as well as the last two Gartner Magic Quadrants for Enterprise DLP. Before Gartner, he spent over 15 years in various business development, product management, sales, and system engineering roles at companies including Sourcefire (acquired by Cisco), HP, McAfee, and Internet Security Systems (acquired by IBM). He is well known in the information security industry and has spoken at numerous Gartner events and other industry events globally. Brian also serves as an advisory board member and holds a BA degree from The University of Georgia and an MBA from Kennesaw State University.