The age-old risk of insider threats is making headlines. An insider threat is one that arises from access to vital company information, goods, and/or networks. Insider threats are not limited to employees; they can also arise from contractors, partners, and anyone else who has vital access to goods, data, or networks.
Consider the following true events:
- A disaffected system administrator destroyed manufacturing information (including backups) and ended up costing his company $10 million. As a result, 80 employees lost their jobs.
- A labor dispute led to sabotage of a city’s entire traffic light system, because the two employees who had designed the system still had access during the strike.
- A former Citigroup employee stole almost $750,000 from vulnerable customers such as the elderly, those with Parkinson’s disease, and even her own family members.
- The most famous insider threat story of recent years is that of Edward Snowden, a government contractor who stole government secrets and threatened national security.
There are also plenty of cases where insiders have inadvertently put their company at risk due to phishing or social engineering.
Carnegie Mellon University’s CERT Division of the Software Engineering Institute (SEI) runs an Insider Threat Center. According to its Common Sense Guide to Mitigating Insider Threats, preventing insider threats is possible but challenging. It requires a multi-layered strategy involving policy and procedures, company culture, and technical controls.
After collecting and analyzing over 700 case studies, CERT identified four types of malicious insider threats:
- IT sabotage includes all situations where an insider uses IT to directly harm the company and/or specific individuals or groups of individuals.
- Theft of IP refers to an insider’s use of IT to steal assets from a company.
- Fraud happens when an insider uses IT illegally for gain or for access to information that results in identity crimes.
- Miscellaneous: CERT includes a final category for those insider cases that do not specifically focus on any of the above issues.