An insider threat is a security risk posed by an employee, former employee, contractor, or vendor. Insider threats can result in fines, reputational damage, and loss of intellectual property.
After reading this article you will be able to:
An insider threat is a risk to an organization's security stemming from someone associated with the organization, such as an employee, former employee, contractor, consultant, board member, or vendor.
These threats can be malicious or accidental, and they are common: a Verizon analysis of 3,950 data breaches found that 30% "involved internal actors."
Insiders can cause damage in multiple ways:
Malicious insiders may have any number of reasons for compromising an organization’s data, including the desire to sell the data, revenge, boredom, ideology, and political allegiance.
When an insider inadvertently creates a security risk or causes a breach, there is no motive. The insider may make a mistake that causes the problem, lose a piece of company equipment, or be tricked into a data breach through social engineering, such as phishing.
Changes in behavior can be a sign of trouble. A malicious insider may be:
These signs are not bad in and of themselves. Many have completely reasonable explanations, especially for IT professionals.
A fundamental aspect of protecting against insider threats is access control, or sets of rules and policies that decide who gets access to restricted locations, information, and systems. One approach is role-based access control, where each person’s permissions depend on their department and work responsibilities.
The principle of least-privilege access in network security means giving employees and other insiders access to only what they need to carry out their responsibilities — nothing more. For example, a human resources professional may need to view employee salary information and a programmer may need to alter the codebase, but neither needs access to the other’s files.
This is part of what makes zero trust security an effective IT security model. It involves requiring strict identity verification for every person and device seeking access to a corporate resource, even if they are already inside the network. Through limitations on user and device access, the potential fallout for all types of insider threats decreases — just as losing one credit card and losing an entire wallet differ greatly in terms of damage.
When fine-tuning an insider threat program, it is essential to be mindful of motivations and how they shape the threat landscape. For both malicious and accidental insiders, strict adherence to access control best practices can greatly help with data loss prevention.
Strategies include:
In addition to using access management to protect data and systems, the IT department can set limits on company-owned or managed devices, such as locking down options for data transfer and requiring permission to download new software.
With logging and analytics capabilities, it is possible to set alerts for behaviors common to insider threats to catch potential problems early. Alert types include:
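The least-privilege example above (HR reads salary data, developers change code, neither touches the other's files) and the alerting idea in this paragraph can be combined in a small policy engine. The following is an added illustration, not code from the original article or from Cloudflare; the role-to-permission map, user names and request log are all constructed for the example, and the "alert after N denials" rule is a hypothetical detection threshold.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical role-to-permission map (constructed for this example):
# each role is granted only the actions its job requires.
ROLE_PERMISSIONS = {
    "hr": {("payroll", "read")},
    "developer": {("codebase", "read"), ("codebase", "write")},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str

def is_allowed(req: AccessRequest) -> bool:
    """Least privilege: permit only actions explicitly granted to the role."""
    return (req.resource, req.action) in ROLE_PERMISSIONS.get(req.role, set())

def evaluate(requests, denial_threshold=3):
    """Enforce RBAC over a batch of requests and return (decisions, alerts).

    decisions: list of (user, resource, action, allowed)
    alerts:    users whose denied attempts reach the threshold, i.e. repeated
               attempts to reach data outside their role, which is the kind of
               behaviour an insider-threat alert is meant to surface early.
    """
    decisions = []
    denials = Counter()
    for req in requests:
        allowed = is_allowed(req)
        decisions.append((req.user, req.resource, req.action, allowed))
        if not allowed:
            denials[req.user] += 1
    alerts = sorted(u for u, n in denials.items() if n >= denial_threshold)
    return decisions, alerts

# Constructed sample log: an HR user repeatedly probing the codebase.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "hr", "payroll", "read"),
    AccessRequest("bob", "developer", "codebase", "write"),
    AccessRequest("bob", "developer", "payroll", "read"),
    AccessRequest("alice", "hr", "codebase", "read"),
    AccessRequest("alice", "hr", "codebase", "write"),
    AccessRequest("alice", "hr", "codebase", "read"),
]

if __name__ == "__main__":
    decisions, alerts = evaluate(SAMPLE_REQUESTS)
    for decision in decisions:
        print(decision)
    print("alert on:", alerts)
```

A single denied request is routine (the "reasonable explanations" noted earlier), which is why the alert fires only on a repeated pattern rather than on every denial.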
Learn how Cloudflare Zero Trust simplifies the process of setting up role-based access controls and speeds up remote access.