Defining and Addressing the Growing Cyber Insider Threat

April 5, 2017  |  Chuck Brooks

The cyber insider threat is one of the most difficult challenges for companies, organizations, and countries. It is often hard to discover, defend against, and remediate because such threats combine human behavioral elements with hardware and software technologies. Many of the threat actors are tech-savvy and are becoming increasingly sophisticated in their methods of infiltration.

The recent “Vault 7” WikiLeaks release of thousands of pages of sensitive CIA hacking tools and techniques is the latest episode in a series of high-profile insider breaches. Other noted examples include:

  • Army Pfc. Chelsea Manning: 400,000 documents from the Iraq War logs and 91,000 documents from the Afghanistan database
  • Edward Snowden: 50,000 to 200,000 NSA documents
  • Harold Thomas Martin III, NSA contractor: 50,000 gigabytes, about 500 million documents
  • Home Depot data breach: 56 million credit cards
  • Yahoo: 1 billion accounts
  • Twitter: 32 million accounts
  • Healthcare: 4 million patient records

The average cost of a data breach in 2016 was $4 million per company (Ponemon). Global business losses in 2014 were $1.7 trillion, with 23% annual growth, and 2016 losses could be higher than $3 trillion globally (statistics courtesy of Mr. Thomas Kupiec, Chief Information Security Officer of SMS and former CISO of the National Geospatial-Intelligence Agency).

There are voluminous lists of breaches (see infographic). Not all of them are insider breaches, but many can be attributed to the actions of someone on the inside. These data breaches touch every vertical of society: security, healthcare, finance, transportation, and commerce.

For Chief Information Security Officers (CISOs), defending against insider threats is among the biggest challenges. In fact, according to a recent SANS Survey on Insider Threats, 74% of CISOs expressed concern about employees stealing sensitive company information. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all cyber-attacks were carried out by insiders. The Verizon 2016 Data Breach Investigations Report (DBIR) disclosed that 77 percent of internal breaches were attributed to employees, 11 percent to external actors only, 3 percent to partners, and 8 percent involved internal-external collusion, which makes them hard to categorize. And according to Accenture HfS Research, 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months.


To understand vulnerabilities to insider threats, it is important to be able to define and categorize the types. The Information Security Forum (ISF) provides a good framework for describing insider breaches:

  • Malicious: Malicious insider behavior combines a motive to harm with a decision to act inappropriately. For example, keeping and turning over sensitive proprietary information to a competitor after being terminated.
  • Negligent: Negligent behavior can occur when people look for ways to avoid policies they feel impede their work. While most have a general awareness of security risks and recognize the importance of compliance, their workarounds can be risky.
  • Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones.

Malicious insider intrusions can involve theft of intellectual property, social engineering, spear-phishing attacks, malware, ransomware, and in some cases sabotage. The actions can be the work of a disgruntled employee or of someone compromised and blackmailed by an outside interest. Often the risk is proportional to the level of access the insider holds.

Negligent and accidental behavior can also fit into a category described in a recent study, Unintentional Insider Threats: A Foundational Study, by the CERT® Insider Threat team, part of Carnegie Mellon University’s Software Engineering Institute. Their definition:

“An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network, system, or data and who, (3) through action or inaction without malicious intent, (4) causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.”

Negligent behavior is often the result of a lack of security awareness, itself a product of poor security protocols, lagging patch updates, weak compliance, and insufficient training; but anyone can be the victim of a spoof or phishing attack. Accidental insider threats can result from a multitude of causes, including inadvertent disclosure of sensitive information, lost records, or a misplaced portable memory device. Also, employees who bring their own devices (BYOD) to work increase the risk of accidentally carrying malware and viruses from their smartphones onto company networks.

Insider threats can impair a company’s operational capabilities, cause significant financial damage, and harm its reputation. While there is no complete solution that eliminates vulnerability to insider threats, risk management is a prudent mechanism for reducing the likelihood of breaches. Risk management should determine how authorized access is granted, maintained, and monitored.

Comprehensive risk management should include cyber-hygiene best practices: education and training, use policies and permissions, configured network access, device management, application controls, and regular network audits. In addition, encryption tools, network mapping, automated rapid-detection technologies, and behavioral analytic software have been developed that help mitigate the morphing digital and physical threat landscape posed by insiders.
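The two paragraphs above call for monitoring authorized access and for behavioral analytics without saying what such analytics look like in practice. The following is an added illustration, not code from the article or from any product it mentions: it parses constructed access-log lines (the users, share names, and byte counts are invented) and raises three defender-side signals that insider-threat programs commonly watch for: access to a share outside the user's entitlement (a least-privilege check), activity outside business hours, and a per-user data-volume spike against that user's own prior-day baseline. The `ROLE_SHARES` map and the `BUSINESS_HOURS` window are assumed policy values standing in for an entitlement catalogue.

```python
"""Baseline-and-deviation checks over access-log events (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp user action resource bytes".
# The user 'alice' behaves normally for three days, then at 02:00 on the
# fourth day copies far more data than usual, including an HR share
# outside her entitlement. 'bob' is a steady control case.
SAMPLE_LOG = """\
2017-03-01T09:12:00 alice READ fileshare://finance/q1.xlsx 120000
2017-03-01T10:40:00 alice READ fileshare://finance/budget.docx 90000
2017-03-02T09:05:00 alice READ fileshare://finance/q1.xlsx 120000
2017-03-02T11:20:00 alice READ fileshare://finance/forecast.xlsx 110000
2017-03-03T09:30:00 alice READ fileshare://finance/q1.xlsx 120000
2017-03-03T14:10:00 alice READ fileshare://finance/ar.csv 95000
2017-03-04T02:15:00 alice READ fileshare://finance/q1.xlsx 120000
2017-03-04T02:16:00 alice READ fileshare://finance/budget.docx 90000
2017-03-04T02:17:00 alice READ fileshare://finance/forecast.xlsx 110000
2017-03-04T02:18:00 alice COPY fileshare://finance/ar.csv 95000
2017-03-04T02:19:00 alice COPY fileshare://finance/payroll.xlsx 400000
2017-03-04T02:20:00 alice COPY fileshare://finance/vendors.csv 300000
2017-03-04T02:25:00 alice COPY fileshare://hr/salaries.xlsx 250000
2017-03-01T09:00:00 bob READ fileshare://eng/design.pdf 50000
2017-03-02T09:00:00 bob READ fileshare://eng/design.pdf 50000
2017-03-03T09:00:00 bob READ fileshare://eng/spec.docx 60000
2017-03-04T09:00:00 bob READ fileshare://eng/spec.docx 60000
"""

# Assumed entitlement catalogue: which shares each role may touch.
ROLE_SHARES = {"alice": {"finance"}, "bob": {"eng"}}
# Assumed policy window: 07:00-19:59 local time counts as business hours.
BUSINESS_HOURS = range(7, 20)


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource,
                       "bytes": int(nbytes)})
    return events


def share_of(resource):
    """'fileshare://finance/q1.xlsx' -> 'finance'."""
    return resource.split("://", 1)[1].split("/", 1)[0]


def detect(events):
    """Return alert dicts for out-of-scope, after-hours and volume-spike signals."""
    alerts = []
    by_user_day = defaultdict(lambda: defaultdict(list))
    for e in events:
        by_user_day[e["user"]][e["ts"].date()].append(e)

    for user, days in by_user_day.items():
        allowed = ROLE_SHARES.get(user, set())
        for day in sorted(days):
            day_events = days[day]
            # Signal 1: a share the user's role is not entitled to.
            out_of_scope = {share_of(e["resource"]) for e in day_events} - allowed
            if out_of_scope:
                alerts.append({"user": user, "day": day, "kind": "out_of_scope",
                               "detail": sorted(out_of_scope)})
            # Signal 2: any activity outside the business-hours window.
            late = [e for e in day_events if e["ts"].hour not in BUSINESS_HOURS]
            if late:
                alerts.append({"user": user, "day": day, "kind": "after_hours",
                               "detail": len(late)})
        # Signal 3: latest day's byte volume against this user's own history.
        ordered = sorted(days)
        if len(ordered) >= 3:  # need some history before judging a baseline
            history = [sum(e["bytes"] for e in days[d]) for d in ordered[:-1]]
            today = sum(e["bytes"] for e in days[ordered[-1]])
            mu, sigma = mean(history), pstdev(history)
            # The 0.5*mu floor stops a near-zero variance from flagging noise.
            threshold = mu + max(3 * sigma, 0.5 * mu)
            if today > threshold:
                alerts.append({"user": user, "day": ordered[-1],
                               "kind": "volume_spike",
                               "detail": round(today / mu, 1)})
    return alerts


def kinds_by_user(alerts):
    """Collapse alerts to {user: set(kinds)} for quick triage."""
    summary = defaultdict(set)
    for a in alerts:
        summary[a["user"]].add(a["kind"])
    return dict(summary)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Each signal alone is weak evidence: after-hours work is often legitimate, and a single out-of-scope read may be a permissions mistake rather than intent. The value comes from correlating them per user and day, which is why the output is keyed that way; a real program would feed these into review by people rather than into automatic action.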

To address current and future insider threats, the Department of Homeland Security Science & Technology R&D solutions suggest capabilities in six areas:

  1. Collect and Analyze (monitoring)
  2. Detect (provide incentives and data)
  3. Deter (prevention)
  4. Protect (maintain operations and economics)
  5. Predict (anticipate threats and attacks)
  6. React (reduce opportunity, capability, and motivation and morale for the insider)

Government Policy Initiatives:

Prior to the 2014/15 OPM breach that resulted in the loss of over 18 million personnel records (the likely result of a phishing attack), the federal government was aware of the growing threat to agencies and networks. In 2012, the Obama Administration issued Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. That order served as the initial policy effort to control insider threats in government and in critical infrastructure protection.

Congress has introduced the Department of Homeland Security Insider Threat and Mitigation Act of 2017 (H.R. 666), approved by the House on Jan. 31, 2017, which would establish an insider threat program within the department to:

  • Provide training and education for DHS personnel on how to identify, prevent, mitigate and respond to insider threat risks to the department's critical assets;
  • Furnish investigative support regarding potential insider threats that may pose a risk to the DHS's critical assets; and
  • Conduct risk mitigation activities for insider threats.

The Department of Homeland Security (DHS) is the primary agency responsible for monitoring and protecting the civilian side of government. The legislation still has to be approved by the Senate, but it reflects the government's focus on the unresolved risks associated with insider threats.

Whether for companies, organizations, or countries, the most effective security approach to cyber insider threats is to adopt risk management that continually monitors and evaluates people, processes, and technologies. Often overlooked and underestimated, the insider cyber threat is becoming more prevalent and costly, and both the public and private sectors need to take heed of the implications.

About the Author

Chuck Brooks is Vice President of Government Relations & Marketing for Sutherland Government Solutions. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. LinkedIn named Chuck one of “The Top 5 Tech People to Follow on LinkedIn” out of its 450 million members. Chuck’s professional industry affiliations include serving as Chairman of CompTIA’s New and Emerging Technology Committee and as a member of the AFCEA Cybersecurity Committee. In government, Chuck served at the Department of Homeland Security (DHS) as the first Legislative Director of the Science & Technology Directorate. He served as a top advisor to the late Senator Arlen Specter on Capitol Hill, covering security and technology issues. In academia, Chuck was an Adjunct Faculty Member at Johns Hopkins University, where he taught a graduate course on homeland security for two years. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.
