

Key Cybersecurity Insider Threat Indicators to Pay Attention To


Spotting insider threats isn’t easy. There are a number of behavioral indicators that can help you see where a potential threat is coming from, but this is only half the battle. Efficient insider threat detection also requires comprehensive tools that allow you to monitor suspicious users’ sessions and track their activities. 

In this article, we describe what insider threat indicators are to help you spot potential malicious actors. We also offer effective insider threat management solutions that you can leverage to deter, detect, and disrupt insider threats.

Who is an insider?

First things first: we need to define who insiders are.

An insider is an employee or third-party contractor with legitimate access to your critical data and systems. However, not every insider has the same level of access, and thus not every insider poses the same level of threat. Verizon outlines the five most common types of insider threats:

Types of insider threats according to Verizon
  • Disgruntled employees — A lot of things can make employees dissatisfied: getting turned down for a promotion or raise, poor relations with colleagues and managers, etc. Disgruntled insiders may use their position to take revenge on and cause severe harm to your company.
  • Malicious insiders — These are employees who misuse or abuse their access to steal, leak, or delete valuable corporate data out of malicious intent. The main difference between malicious insiders and disgruntled employees lies in their motivation. Disgruntled employees abuse data as an emotional response, whereas malicious insiders typically commit cybercrimes for financial gain or espionage.
  • Careless employees — Insiders can leak data or compromise your corporate infrastructure inadvertently. According to the 2023 Cost of Insider Threats Global Report by the Ponemon Institute, negligent insiders prevail, making up 55% of all insider threats. 
  • Outsmarted employees — When employees or contractors don’t follow best practices in cybersecurity, it’s very easy for an attacker to outmaneuver them. In 2023, 20% of incidents involved outsmarted insiders according to the same report.
  • Third-party vendors and contractors — Usually, you have little control over cybersecurity on the side of third-party users. While you may audit their security controls as part of your selection process, this still does not guarantee the complete safety of your sensitive data.

As you can see, not every dangerous insider is a malicious one. There is also a big risk of inadvertent mistakes, which are most often committed by employees and subcontractors. Any company can fall victim to these mistakes, and trying to eliminate human error is extremely hard.

Your best bet is to improve insider threat awareness among your employees regarding best security practices and put cybersecurity policies in place that will limit the possibility of human error and help mitigate the damage in case of a mistake.

Now, let’s take a more detailed look at the most common motives behind insider threats.


Goals of insider attacks

Insiders can target a variety of assets depending on their motivation. Usually, they focus on data that can be either easily sold on the black market (like personal information of clients or employees) or that can be crucial to company operations (such as marketing data, financial information, or intellectual property). The most common targets of insider attacks include:

  • Databases
  • File servers
  • Endpoints
  • Specific applications
  • Mobile devices
  • Networks
  • Cloud storage.

According to The Rule of 3 for Proactive Insider Risk Management by Paul Furtado and Jonathan Care (Gartner subscription required), the most common insider threat activities can be categorized into one of three schemes deemed to be a policy violation or illegal by law: fraud, data theft, and system sabotage. 

Insider threat activities

The landscape of insider threats extends beyond mere statistics. In the book Beyond Fear, famous security expert Bruce Schneier delves into a comprehensive exploration of malicious insiders, shedding light on distinct categories and the motivations that drive their actions:

  • Opportunists — These insiders don’t plan out malicious actions in advance but decide to attack when an opportunity presents itself. Financial difficulties and a history of previous problematic behavior can be warning signs of such an attack.
  • Calculated attackers — These insiders are usually much harder to deter. They plan their actions beforehand and often target very specific data. It can be extremely hard to detect such attacks even after they’ve happened.
  • Emotional attackers — These are employees whose main motivation for an attack is emotions and feelings like fear, greed, or anger. Instead of waiting for an opportunity, they attack spontaneously, without a detailed plan. Sometimes, they even want to get caught in order to bring attention to their issues. A common example of an emotional attacker is the disgruntled employee.
  • Terrorists and digital activists — These insiders usually plan their attacks and often, instead of stealing data, simply try to do as much damage as possible — for example, by compromising corporate network infrastructure and taking it out from within.

Apart from the four categories above, Bruce Schneier also mentions friends and relations as another group of malicious insiders that can commit fraud or data theft by accessing the computers of their friends or family. This group of insiders is worth considering when dealing with subcontractors and remote workers.

The good news is that an insider attack (whether planned or spontaneous) has some indicators. Detecting them allows you to prevent the attack or at least get an early warning. Let’s explore the most common indicators of insider threats you need to pay attention to.

The main behavioral indicators of malicious insiders

Detecting a malicious insider attack can be extremely difficult, particularly when you’re dealing with a calculated attacker or a disgruntled former employee who knows the ins and outs of your company. One way to detect such an attack is to pay attention to various indicators of insider threat behavior.

5 indicators of a malicious insider

Malicious insiders might behave differently depending on their personality, motivation, and goals. However, there are certain common signs of insider threats you need to watch out for:

1. Disgruntlement

As mentioned above, when employees are not satisfied with their job or perceive wrongdoing on the part of the organization, they are much more likely to carry out an insider attack.

There are many signs of disgruntled employees. The most obvious are:

  • Frequent conflicts with workers and supervisors
  • Declining performance and general tardiness (arriving late and leaving early, making more mistakes than usual, constantly missing deadlines, etc.)
  • Unjustified absences
  • Systematic violation of organizational policies
  • Seeking out alternative employment opportunities

This indicator is best spotted by the employee’s team lead, colleagues, or HR. Of course, unhappiness with work doesn’t necessarily lead to an insider attack, but it can serve as an additional motivation. A timely conversation can mitigate this threat and improve the employee’s productivity.

Employees who have received notice of termination also pose risks and should be monitored regardless of their behavior up until they leave the workplace, at which point their access to corporate infrastructure should be immediately revoked.

2. Unusual enthusiasm

Sometimes, an employee may express unusual enthusiasm over additional work. This may include:

  • Staying late at work without any specific requests
  • Repeatedly volunteering for extra work
  • Working at odd hours
  • Trying to perform work outside the scope of their normal duties
  • Working from home without a valid reason

All of these actions should be viewed as an attempt by the employee to expand their access to sensitive data. While not necessarily malicious, such actions require you to keep an eye on the employee and make sure they aren’t copying or otherwise tampering with sensitive data.

3. Frequent trips and vacations

We might think of espionage as something straight out of a James Bond movie, but statistics tell us it’s a real threat today. While the majority of breaches are still motivated by financial considerations, espionage stands as the second leading cause of data breaches. According to the 2023 Data Breach Investigations Report by Verizon, espionage reaches up to 30-32% in some industries like public administration or natural resources and mining.

Recurring trips to other cities or even countries may be good indicators of espionage. An employee may work for a competing company — or even a government agency — and transfer your sensitive data to them.

Another early indicator of a potential insider threat is when an employee expresses questionable national loyalty. This may not only mean that they’re working with government agents or companies in other nations but that they are more likely to take an opportunity to steal or compromise data when it presents itself.

Apart from that, frequent trips can also indicate a change in financial circumstances, which is in and of itself a good indicator of a potential insider threat.

4. Unexplained changes in financial circumstances

If an employee unexpectedly pays off their debts or makes expensive purchases without having any obvious additional income sources, it can be an indicator that they may be profiting from your sensitive data on the side.

There are several scenarios for this:

  • An employee may be approached by a competitor and coerced into conducting industrial espionage.
  • An employee may copy and sell your data for profit.
  • An employee may start a competing business and use your data, such as client lists, in order to take away your market share.

Overall, any unexpected and quick changes in financial circumstances are a cause for concern and should be taken as a serious indicator for close monitoring. If you want to learn more about behavioral indicators related to insider threats, refer to our article on the portrait of malicious insiders.

But money isn’t the only way to coerce employees — even loyal ones — into industrial espionage. Competing companies and foreign states can sometimes use damaging information to blackmail or threaten your employees.

For example, information about previous drug addiction or problems with the law can be used effectively against an employee if it falls into the wrong hands. One way to limit this is to use background checks to make sure employees have no undisclosed history that could be used for blackmail.

5. Unexpected desire to leave a company

When an employee suddenly decides to leave your organization without providing notice or an explanation, it could indicate an insider threat. Moreover, if a departing employee downloads large amounts of sensitive data before departure, this should raise red flags.

You should also keep in mind that there might be an increased risk of malicious actions if an employee is leaving the company under negative circumstances, such as a dispute or termination. Taking this into account, you should look at past network activities of departing employees and ensure they haven’t done anything unusual or accessed data they shouldn’t have. It’s worth looking back at their activity for the past 90 days at least.  

It’s also essential to ensure a proper offboarding process — be sure to immediately revoke access permissions of departing employees, deactivate their accounts, and delete them from email groups and distribution lists.


Digital insider threat indicators to pay attention to

Besides behavioral threat indicators, there are some digital threat indicators you can spot. The key digital cyber threat indicators include:

  • Unusual login times — if employees or vendors log into your system at abnormal times, this may be a sign that they are trying to access your sensitive information without being detected.
  • Accessing data that users don’t require to perform their responsibilities — when users seek access to sensitive data beyond the scope of their job roles, this is also a malicious insider threat red flag. 
  • Search for sensitive data — an increase in system searches by legitimate users may also be a potential indicator of an insider threat, as they could be trying to find and exfiltrate confidential data.
  • Large data downloads and transfers — if you detect surges in the volume of your network traffic, this can signal that a large number of corporate files are being copied or emailed outside your organization for malicious purposes.
  • Using unauthorized USB devices — one of the key indicators of an insider threat is when a user runs queries and downloads critical data to unauthorized devices.
  • Creation of new vendor accounts and purchase order approvals — when users create new vendor accounts, purchase orders, or requisitions, their actions need to be investigated as they may be generating “ghost” accounts or orders for financial gain.
  • Disabling antiviruses or firewalls — insiders might disable security controls to avoid detection while conducting unauthorized activities.
  • Installing unsanctioned software — malicious actors may attempt to bypass security controls and exfiltrate sensitive data using third-party tools.   

You need to take these actions seriously and consider them potential threats. An essential step to tackling insider threats is to create a comprehensive strategy.
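A rule-based check for several of the digital indicators listed above, shown as an added example (it is not Ekran System code). The event schema, role entitlements, USB and software allowlists, and the sample events are all constructed assumptions.

```python
from collections import namedtuple

# Constructed event schema (assumption): who did what to which target.
Event = namedtuple("Event", "user role action target")

# Hypothetical policy data: data classes each role needs, approved devices and software.
ROLE_ENTITLEMENTS = {
    "accountant": {"finance"},
    "engineer": {"source_code"},
    "hr": {"personnel"},
}
APPROVED_USB = {"USB-0001", "USB-0002"}
APPROVED_SOFTWARE = {"office-suite", "ide", "browser"}
SECURITY_CONTROLS = {"antivirus", "firewall"}


def check_event(ev):
    """Return the name of the indicator an event matches, or None."""
    if ev.action == "data_access":
        if ev.target not in ROLE_ENTITLEMENTS.get(ev.role, set()):
            return "access_outside_role"
    elif ev.action == "usb_connect":
        if ev.target not in APPROVED_USB:
            return "unauthorized_usb"
    elif ev.action == "service_disable":
        if ev.target in SECURITY_CONTROLS:
            return "security_control_disabled"
    elif ev.action == "software_install":
        if ev.target not in APPROVED_SOFTWARE:
            return "unsanctioned_software"
    elif ev.action == "vendor_create":
        # The article treats every new vendor account as worth a review.
        return "new_vendor_account"
    return None


def triage(events):
    """Group matched indicators per user; users with more distinct indicators first."""
    findings = {}
    for ev in events:
        indicator = check_event(ev)
        if indicator:
            findings.setdefault(ev.user, []).append(indicator)
    return sorted(findings.items(), key=lambda kv: -len(set(kv[1])))


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    Event("alice", "accountant", "data_access", "finance"),
    Event("bob", "engineer", "data_access", "personnel"),
    Event("bob", "engineer", "usb_connect", "USB-9999"),
    Event("bob", "engineer", "service_disable", "antivirus"),
    Event("carol", "hr", "software_install", "file-sync-tool"),
    Event("alice", "accountant", "usb_connect", "USB-0001"),
    Event("dave", "accountant", "vendor_create", "vendor-placeholder"),
]

if __name__ == "__main__":
    for user, indicators in triage(SAMPLE_EVENTS):
        print(user, indicators)
```

Grouping by user matters because a single hit is often benign, while several distinct indicators on one account within a short window is what warrants a closer look.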

Insider threat prevention strategy

To take a holistic approach to insider threat prevention, you’ll need a comprehensive strategy that consists of the following key steps: 

Main steps of insider threat prevention strategy

Enforce cybersecurity policies

Everyone who works with your critical data should know the dos and don’ts for keeping things secure. More specifically, you should define guidelines for using corporate systems, steps to take in the event of a cybersecurity incident, and how to spot a potential malicious actor. All this information should be documented in your cybersecurity policy.

This will help you enhance general cybersecurity awareness and minimize the number of both unintentional and intentional insider threats.

Increase the protection of your critical assets

Identify your organization’s critical assets, prioritize them, and determine the current state of their protection. Prioritize the protection of your sensitive assets according to their level of impact on your organization. Then, you may limit the attack surface by restricting access to your most valuable assets to the bare minimum of people and only for the specific time they need to perform their duties.

It’s also an effective practice to divide critical tasks and the corresponding access rights among multiple users to reduce the risk of privilege abuse.

Create a baseline for normal user behavior

With the ability to distinguish normal behavior from suspicious behavior, you can spot potentially risky user activity before a cybersecurity incident occurs. Consider implementing user and entity behavior analytics (UEBA) solutions to track user behavior. UEBA first collects user activity data (common log-in and log-off times, keystroke dynamics, etc.), analyzes it, and creates a baseline of normal behavior for each user within your network. Once a deviation from this baseline is detected, you’ll get a notification to further investigate the incident.
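The baseline-then-deviation idea described above, reduced to two signals (login hour and download volume), as an added example that is not taken from any UEBA product. The history records, the one-hour tolerance, the z-score limit of 3 and the 1 MB floor on the standard deviation are all assumptions chosen for illustration.

```python
from statistics import mean, pstdev


def build_baseline(history):
    """history: (user, login_hour, downloaded_mb) tuples from a known-good period."""
    per_user = {}
    for user, hour, mb in history:
        rec = per_user.setdefault(user, {"hours": set(), "mb": []})
        rec["hours"].add(hour)
        rec["mb"].append(mb)
    return {
        user: {
            "hours": rec["hours"],
            "mb_mean": mean(rec["mb"]),
            # Floor the spread so a perfectly regular user does not divide by zero.
            "mb_std": max(pstdev(rec["mb"]), 1.0),
        }
        for user, rec in per_user.items()
    }


def hour_distance(a, b):
    """Distance between two clock hours on a 24-hour circle (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_session(baseline, user, hour, mb, hour_tol=1, z_limit=3.0):
    """Return the list of deviations from the user's own baseline."""
    profile = baseline.get(user)
    if profile is None:
        # New or unseen accounts have nothing to compare against; surface that.
        return ["no_baseline"]
    deviations = []
    if min(hour_distance(hour, h) for h in profile["hours"]) > hour_tol:
        deviations.append("unusual_login_hour")
    z = (mb - profile["mb_mean"]) / profile["mb_std"]
    if z > z_limit:
        deviations.append("large_download")
    return deviations


# Constructed history: alice works days, bob works a night shift across midnight.
HISTORY = [
    ("alice", 8, 40), ("alice", 9, 55), ("alice", 9, 50),
    ("alice", 8, 45), ("alice", 10, 60),
    ("bob", 22, 10), ("bob", 23, 12), ("bob", 23, 11),
    ("bob", 0, 9), ("bob", 22, 13),
]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for session in [("alice", 9, 58), ("alice", 2, 900),
                    ("bob", 1, 12), ("newhire", 9, 5)]:
        print(session, score_session(BASELINE, *session))
```

Because the comparison is per user, bob's 01:00 login is normal for him while alice's 02:00 login is flagged, which a single organization-wide "working hours" rule would get wrong for one of them.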

Gain visibility into user activity 

You may increase visibility into how users handle your sensitive data by deploying monitoring software. With user activity monitoring tools, you can get a clear view of what applications your employees launch, what websites they visit, what USB devices they insert, what they type, etc. You can leverage such information to detect suspicious activity and reduce the chance of a data breach and other cybersecurity incidents. 

Create an insider threat program

Start an insider threat program if you don’t have one. A comprehensive insider threat program helps you not only detect insider threats but also prevent them and mitigate their consequences. For the best results, back your program with insider threat management software.

Protect yourself against insider threats with Ekran System

Ekran System is a dedicated cybersecurity platform that offers comprehensive functionality for insider threat prevention:

Identity management — verify user identities accessing your sensitive assets with two-factor authentication. Distinguish between users of shared and built-in accounts thanks to the secondary authentication feature. 

Privileged access management — implement granular access control, send one-time passwords, and provide users with temporary credentials when they need to access your sensitive data.

User activity monitoring — record on-screen user activity backed with context-rich text metadata including names of active applications and windows, websites visited, keystrokes typed, commands executed, USB devices connected, etc.

Alerting and incident response — create rules-based alerts and monitor suspicious user sessions in real time to promptly detect insider threat indicators. Display a warning message to users or block them completely when they behave maliciously.

Auditing and reporting — get comprehensive reports to establish the context of user activity. You can also export reports in an encrypted format for forensic investigation.


Every organization is vulnerable to insider threats, and detecting them can be rather tough. To make insider threat detection work, you need to be aware of insider threat warning signs — suspicious behavior and digital activity of your employees and third parties. In addition, deploying an effective insider threat protection solution will help you spot unusual activity within your network.

Ekran System is a full-cycle insider risk management platform that combines identity and access management, user activity monitoring, incident response functionality, and many other valuable features. By leveraging Ekran System, you can excel in detecting, deterring, and disrupting insider threats.
