The Different Flavors of the Insider Threat

Insider threats are a serious issue for any organization. In a survey conducted by Osterman Research in February 2015, we found that during the previous 12 months 26% of organizations had had sensitive or confidential information leaked, accidentally or maliciously, through email, 8% had experienced data leakage through a cloud-based tool, and 5% had experienced it through social media. Adding to the problem of data exfiltration are issues like phishing and malware installed through simple activities like Web surfing or accessing email: the same survey found that 67% of organizations were victims of malware infiltration from a successful email-based phishing attack, while 63% were victims of malware infiltration through employee Web surfing.


The term “insider threat” conjures up all sorts of images of employees acting nefariously to steal their employers’ intellectual property, confidential financial data, upcoming marketing plans, and other types of sensitive or confidential information. In the vast majority of cases, however, data leakage from employee behavior is the result of employees trying to do the right thing: make their work more efficient, gain access to data so that they can work while traveling or after hours, or solve customer problems in the most efficient way possible.


There are a number of ways that insider threats can occur. The most obvious way, but one that is not as common as many decision makers think, is for employees to simply steal sensitive or confidential corporate data by downloading it to a flash drive, emailing it to themselves at a personal email address, or walking off with a DVD full of data. However, insider threats occur much more commonly in ways that seem innocuous. For example:

  • Consumer-focused file sync and share tools – A key insider threat vector is the growing array of consumer-focused file sync and share tools used by employees in organizations of all sizes. While Dropbox is the leading player in this crowded and growing market, there are a large number of vendors that offer free or low cost tools that will sync corporate data to a variety of platforms, many of them unprotected by IT and without even the most basic of security protections. For example, a file sync and share tool can make corporate data accessible via a user’s home computer, their corporate laptop, or their personally owned smartphones and tablets where it is vulnerable to interception or loss.
  • Use of personal Webmail accounts – Many users employ personal Webmail accounts when the corporate email system goes down and they need to continue to send emails, or when IT-imposed file size limits prevent sending very large files through the corporate email system. Content sent using a personal account is vulnerable to interception or malware infection because it bypasses corporate filtering and scanning systems.
  • Phishing attacks – While not typically considered an “insider threat” per se, a phishing attack that installs a keystroke logger or other malware can result in a significant loss of sensitive or confidential information, or can drain corporate financial accounts. Because these phishing attacks often succeed because of users’ gullibility, their hurry to meet a deadline, a lack of training about how to recognize phishing, or simple carelessness, they must be considered insider threats when an organization plans its defensive strategy for protecting crucial data and financial assets. For example, simply training and testing users on how to recognize and deal with phishing attempts can go a long way toward protecting key assets.
  • User mistakes – Insider threats can also occur because of simple user mistakes: users sending sensitive or confidential data to the wrong recipient, or replying all to an email that contains sensitive information, for example.
  • BYOD, BYOC and BYOA – The growing trend toward users employing their own mobile device, personally managed cloud applications, or mobile applications has created an enormous insider threat. As just one example, when corporate data is accessed using a smartphone, a malicious mobile app or a malware infection can make that data accessible to cybercriminals.
  • Social media – One of the more serious insider threats is social media. For example, malware can be installed on a PC from a malicious advertisement on Facebook or a short URL delivered via Twitter. Moreover, many users tend to overshare when using social media and can reveal information that can cause harm to their employer.
  • Geolocation data – A subtler insider threat can be generated from the publication of geolocation data in venues like social media or mobile apps. For example, a senior executive who makes frequent trips to Redmond, Washington or Bentonville, Arkansas and automatically posts their travels on social media through a tool like Foursquare might be revealing an impending deal between their company and Microsoft or Wal-Mart, respectively.


While recommendations for dealing with the insider threat will vary by organization and the industry it serves, we offer a few recommendations that decision makers should consider:

  • Establish detailed and thorough acceptable use policies about all of the tools that are provided by IT or that might be used by employees. This includes corporate email, personal use of corporate email, social media, personal Webmail, mobile devices, file sync and share tools, etc. Osterman Research has found that many organizations’ policies are not sufficiently granular or are non-existent.
  • Train users about how to spot phishing attacks and test them to determine the effectiveness of that training. While training alone will not prevent all attacks against an organization, users should be considered as the first line of defense in any security infrastructure.
  • Provide robust and usable alternatives to the growing number of employee-deployed tools in use today. For example, provide an enterprise-grade file sync and share tool as a replacement for the variety of consumer-focused tools in use today, or offer an easy-to-use file-sharing tool for large files that cannot be sent through the corporate email system.
  • Maintain robust business continuity capabilities for email and other essential communication and collaboration tools so that users will not resort to personal Webmail or other tools to continue working when the corporate systems go down.
  • Monitor employee communication channels – email, social media, instant messaging and the like – to ensure that corporate policies are being followed.
  • Finally, implement technology that can maintain situational awareness by establishing a baseline for normal corporate behavior. For example, it’s common for the CFO to access corporate financial accounts from the headquarters location at 10:00am on a Tuesday morning; if she’s accessing these accounts from a Starbucks at 6:00am on a Sunday morning, systems should be in place to detect and block that activity, or at least raise the level of authentication required for access.
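The last recommendation, baselining normal access and reacting when an access falls outside it, can be shown concretely. The following is an added example, not code from the original post or from Osterman Research: it builds a per-user profile (locations, weekdays and hours seen) from a constructed CSV access log, then grades a new access as allow, step-up authentication, or block. The log format, the user and location names, and the scoring rules are all assumptions chosen for illustration; it generalizes the CFO scenario slightly by distinguishing a single unusual attribute (step-up) from an unfamiliar location combined with an unusual time (block).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample access log in the form timestamp,user,location,resource.
# These lines are illustrative only; they are not data from the post.
BASELINE_LOG = """\
2015-02-03T10:05:00,cfo,hq-office,finance-portal
2015-02-04T09:40:00,cfo,hq-office,finance-portal
2015-02-05T10:55:00,cfo,hq-office,finance-portal
2015-02-10T10:15:00,cfo,hq-office,finance-portal
"""


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    location: str
    resource: str


def parse_event(line: str) -> AccessEvent:
    """Parse one CSV log line (assumed format) into an AccessEvent."""
    ts, user, location, resource = line.strip().split(",")
    return AccessEvent(datetime.fromisoformat(ts), user, location, resource)


def build_baseline(lines):
    """Per user, record the locations, weekdays and hours seen in the training window."""
    baseline = defaultdict(lambda: {"locations": set(), "weekdays": set(), "hours": set()})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        profile = baseline[ev.user]
        profile["locations"].add(ev.location)
        profile["weekdays"].add(ev.when.weekday())  # Monday == 0 ... Sunday == 6
        profile["hours"].add(ev.when.hour)
    return dict(baseline)


def deviations(ev: AccessEvent, baseline) -> list:
    """Return the attributes of this access that fall outside the user's baseline."""
    profile = baseline.get(ev.user)
    if profile is None:
        return ["no-baseline"]
    found = []
    if ev.location not in profile["locations"]:
        found.append("location")
    if ev.when.weekday() not in profile["weekdays"]:
        found.append("weekday")
    # Tolerate an hour either side of anything previously observed.
    if not any(abs(h - ev.when.hour) <= 1 for h in profile["hours"]):
        found.append("hour")
    return found


def decide(ev: AccessEvent, baseline):
    """Grade an access: 'allow', 'step-up' (require stronger auth), or 'block'."""
    found = deviations(ev, baseline)
    if not found:
        return "allow", found
    # An unfamiliar location plus an unusual time is the "Starbucks at 6am on
    # Sunday" case: block it. A single anomaly, or a user with no history yet,
    # only raises the authentication bar.
    if "location" in found and len(found) >= 2:
        return "block", found
    return "step-up", found


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_LOG.splitlines())
    for line in (
        "2015-02-10T10:30:00,cfo,hq-office,finance-portal",        # normal
        "2015-02-10T18:00:00,cfo,hq-office,finance-portal",        # odd hour only
        "2015-02-08T06:00:00,cfo,coffee-shop-wifi,finance-portal", # Sunday 6am, new place
        "2015-02-10T10:30:00,intern,hq-office,finance-portal",     # unknown user
    ):
        verdict, why = decide(parse_event(line), profiles)
        print(f"{verdict:8s} {line}  {why}")
```

In practice the baseline would be rebuilt on a rolling window and the location attribute would come from a network or GeoIP lookup rather than a literal string, but the decision structure (score each attribute against history, then choose between allow, step-up and block) is the same.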

The bottom line is this: organizations will never be able to completely eliminate the insider threat, but there is much that they can do – and often are not doing today – to minimize it.
