Insider threats are becoming ever-increasing and money-consuming, so it’s essential for companies to be as informed about which employees are prone to such excesses and why, as well as what kind of data they target and how. To that effect, paying attention to unusual behavior is of the utmost importance for keeping your company and all the sensitive data safe. Take a look at the warning signs that an insider might become a threat.
1) Major changes at the organization
While potential insider threats leave many digital clues, there are almost always more obvious physical warning signs before that.
“It’s incredibly rare for someone just to blow up and go and steal everything, stuff all the hard-disks in their pockets and run out of there,” says Dr. Jamie Graves, vice president of product management, security analytics at ZoneFox, a behavioral analytics company acquired by Fortinet earlier this year. “Usually, there is some sort of organizational change or event that precedes an attack. The most common are if, as an organization, you go through great change – you’re going to be acquired or you’re going through redundancies.”
2) Personality and behavioral changes
Personality and behavioral changes will be the first sign of a potential insider threat. Perhaps employees are clearly and vocally unhappy at work or lacking motivation, or talking about money troubles, or openly disagreeing with superiors in the office. Working longer hours, over the weekend, or increasingly from home or remote locations could also be indicators. Moreover, openly speaking ill of the company or talking about hunting for new jobs – whether in the office, in company chat systems, or on social media – should be noted as a warning sign.
3) Employees leaving the company
Those employees who are leaving the company – whether by their own volition or not – are likely thinking about taking data with them. Most IP theft by insiders happens within 30 days of leaving an employee leaving an organization. It’s also worth noting that those with a history of ignoring security protocol need closer monitoring. Another Deloitte study found half of the employees known to have been involved in insider attacks had the previous history of violating IT security policies.
4) Insiders accessing large amounts of data
If the behavioral warning signs are missed, there will be digital clues that someone may be considering a malicious act, as well as clear warnings that an insider is conducting an attack.
“Insiders no longer have to photocopy, photograph, or remove large swaths of physical documents from an office space,” says Tom Tahany, intelligence analyst at Blackstone Consultancy. “Rather, the downloading of several terabytes of data from an online reservoir can be done within minutes from a remote location and distributed rapidly.”
5) Unauthorized insider attempts to access servers and data
Many insiders will go through a reconnaissance stage first, where they explore what data and systems they have access to.
“Warning signs include attempts by authorized users to access servers or data they shouldn’t be, authorized users accessing or requesting access to information that is unrelated to their roles or job duties, and theft of authorized user credentials,” says Carolyn Crandall, chief deception officer at Attivo Networks. “Whether the activity is from an authorized employee just poking around where they shouldn’t be out of curiosity, an authorized employee with malicious intentions accessing servers or data to cause damage or steal information, or an external attacker that has obtained valid credentials of an authorized user, if any of these activities are detected it is cause for alarm,” says Crandall.
6) Authorized but unusual insider access to servers and data
Other clues may include accessing areas of the network or files they have the required permissions for but would never normally access during their day-to-day functions, modifying large numbers of files in a short period of time, staying later or arriving earlier than they have previously or accessing systems remotely at weekends, or repeatedly trying (and failing) to access areas they do not have permission for. Establishing normal behaviors and flagging abnormal is important in these situations.
7) Attempts to move data offsite
Then the final stage is the actual attempts at exfiltrating data. These include any large downloading to external storage such as a USB stick, large uploads to personal cloud apps when your company doesn’t use that service, or large numbers of attachment-heavy emails sent outside the company.
While USBs remain a viable option for removing large data sets and leaving less of a digital footprint, remote late-night downloads are not uncommon. Cisco’s cloud data exfiltration study found 62% of suspicious downloads occurred outside of normal work hours, with 40% taking place on weekends. While gigabytes or terabytes of data are a smoking gun for suspicious activity, it’s worth remembering sensitive information can be contained in a small amount of data.
However, it’s important to remember there should be an element of trust between the business and its employees. One anomalous action does not necessarily make one guilty; an employee may only need to access a certain file or folder once a month or even once a quarter, for example, and regularly accusing employees of malicious actions could impact morale. A deadline for a project may be coming up, causing people to work more hours or over the weekend.
While no single technology is likely to completely protect against insider threats, a combination of technologies such as data loss prevention (DLP), encryption at rest, identity and access management (IAM), behavioral analytics, tailored log and event management, and maybe even honeypot files will reduce the chance of data making it beyond your network.
“It’s essential for organizations to implement robust, well-known reporting procedures for potential insider threats, and parallel human-side defenses with technical ones,” says Justin Sherman, a cybersecurity policy fellow at the US think tank New America. “Employees should be accessing what they need in order to effectively function in their job, and that’s about it.”
Prevention is better than the cure, however, and one of the best ways to prevent data escaping your network is to create risk profiles on the people who may be a risk within your organization. Cooperation, collaboration and communication between departments is key to an effective insider threat management program.