Insider Threat

While addressing human risk and cyber security with organizations, I’m hearing the buzzword “Insider Threat” more and more often. Many people use the term, assuming they know what it means. But much like when I hear people use the phrase “Artificial Intelligence (AI),” each person assumes the term means the same thing to everyone else as it does to them.

Not exactly the case.  

I’m often asked by organizations to help them develop or review their Insider Threat Training program. Before even getting started, the first thing I always ask them is: “What is your definition of Insider Threat?”

This question almost always throws people off. In many cases, they have not given much thought to the definition or considered what their company’s definition of the term is. Here is the challenge: when most people use the term “Insider Threat,” there is often a communication breakdown. They might be thinking of one definition, while their peers or their organization have another understanding of the term.

To compound the issue, I’m amazed at how many vendor and government websites build their entire pitch around solving the Insider Threat problem, yet never actually take the time to adequately define the term. Either that, or they make the actual definition very hard to find.

Here is a rough definition I find most people rely on when they think about Insider Threat:

A trusted individual who causes harm on purpose or with malicious intent.

The problem is, many organizations lean on a much broader official definition. Here are two common examples that include both malicious and accidental/negligent behavior in their definition of an insider threat:

Carnegie Mellon CERT Insider Threat Center

A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. In addition, insider threats can also be unintentional (non-malicious).

Department of Homeland Security

An insider threat is defined as the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States.

Even the government and defense organizations I’ve worked with will officially use a broader definition in their documentation, similar to the Department of Homeland Security’s, but then focus their attention on just the malicious actors.

To help you better understand why this confusion can cause such unique problems for organizations, here is a series of scenarios. For each one, I’d like you to ask yourself whether you feel it would be considered an Insider Threat or not:

  1. A disgruntled employee takes sensitive information he is working on and sells it to a competitor or another country’s government.
  2. A recently fired IT Admin remotely connects back into their old company using their credentials that were never terminated and purposefully infects the network with a virus, destroying numerous systems including backups.
  3. An employee is romanced by a spy and ends up unwittingly sharing sensitive information, not realizing the individual is a spy.  The employee knew they should have never shared the information but did not realize the individual they shared it with is a spy.
  4. An intern’s work account is taken over due to the fact they used the same password for their work account as they do for their personal accounts, one of which was recently hacked.
  5. A contractor loses their laptop which had gigabytes of confidential information. The contractor’s laptop was not encrypted.
  6. An employee emails a sensitive document to the wrong person due to auto-complete in email.
  7. A Human Resources employee falls victim to an opportunistic phishing attack.
  8. An executive in Accounts Payable falls victim to a highly targeted CEO Fraud attack.
  9. An attacker hacked into the company’s website due to a SQL injection flaw that a software developer accidentally left in the website’s code.

Can you see how this can quickly get a bit messy? When someone tells you, “We need to address the Insider Threat,” what exactly do they mean? If all nine of the scenarios above fall under your definition, then the term Insider Threat stops having any real value. It becomes so generic that it pretty much represents all organizational risk, not just the Insider Threat.

This blog is not intended to give you the right or wrong definition of “Insider Threat.” Whatever works for you and your organization is fine. My concern is whether everyone in the organization knows, understands and follows the definition you have chosen.

Look back at the first two scenarios. I would consider those two to be an Insider Threat, because I focus on malicious actors. In most of the other cases, the individuals were negligent (#3-4), accidental (#5-6) or victims (#7-8). (I threw in #9 just to see how far you can stretch the term.)

When discussing the Insider Threat with your organization, or simply with your executives, you should never feel bad about taking a step back and asking people what the term “Insider Threat” means to them. It will help you get a feel for how your organization thinks about the term and what people actually understand by it.

To be honest, this is probably advice you could apply to just about any term we use in cybersecurity. Make sure you communicate wisely.