Insider Threats: The Silent Danger to Your Business

When you think of cybercrime, you might picture anonymous hackers attempting to break into your company’s systems and steal sensitive data through phishing and malware attacks.

In reality, threats to your business’s security can also come from within. In this blog post, we will discuss what insider threats are, their common types, and highlight the Cybersecurity and Infrastructure Security Agency (CISA)’s new framework to mitigate the risk of such threats. We’ll also demonstrate how Techmedics’ managed security services can fortify your defenses against future incidents.

What is an Insider Threat, and How Does It Work?

Insider threats (also known as internal threats) are security risks caused by individuals with authorized access to a company’s IT systems, resources, or data. These may include current and former employees, consultants, contractors, trusted third parties, or business partners.

According to research by cybersecurity software company Securonix, 76% of organizations in 2024 reported insider attacks, a significant increase from 66% back in 2019.

Insider threats mainly fall into the following categories:

Malicious Insider Threats

These are insiders deliberately misusing their access privileges to harm an organization for financial gain, coercion, or revenge. For example, they may steal intellectual property or confidential data. They may also sell information to competitors or foreign actors.

Unintentional Insider Threats

Such insiders involuntarily cause harm to an organization through lack of training, carelessness, or manipulation. Examples include employees who fall for phishing emails, use weak passwords or insecure devices, or accidentally click on links that install malware onto your systems.

Compromised Insiders

If insiders get their login credentials stolen by external threat actors through phishing attacks or data breaches, they become compromised insiders. According to a report by research firm Ponemon, these are the most expensive type of insider threats, costing victims more than $800,000 to address.

Real-World Examples of Insider Threats

In 2021, a former employee of the city of Dallas accidentally deleted a large volume of data, such as police files and photos, administrative records, and case notes. The ex-employee had been tasked with moving files from an online storage platform to a physical drive. However, they “failed to follow established procedure” and deleted the files instead.

And in 2023, electric vehicle manufacturer Tesla suffered a major data breach orchestrated by two former employees who leaked sensitive information of more than 75,000 people to a foreign media outlet. Although legal actions were taken against the perpetrators, their actions caused reputational damage to the company and exposed vulnerabilities in Tesla’s cybersecurity strategies.

CISA’s New Insider Threat Guidance, Explained

CISA, the agency responsible for protecting the United States’ cyber and physical infrastructure, understands the dangers that insider threats pose to organizational resilience and security.  

To address this, the agency recently released the Plan, Organize, Execute, and Maintain (POEM) framework. POEM is designed to help state, local, tribal, and territorial governments and critical infrastructure organizations like hospitals, utilities, and financial institutions prevent, detect, and mitigate insider threats. This keeps them ahead of evolving organizational vulnerabilities.

Let’s explore the framework more closely:

Plan

This stage gives organizations an opportunity to structure and scope the role of their threat management team. For starters, they must identify critical assets (e.g., customer data, trade secrets, critical applications) that need protection and define the team’s priorities based on their risk tolerance.

Next, they need to decide on a team structure that fits their reporting pipelines, systems, and organizational structure. Finally, consider integrating specialized roles, such as behavioral analysts and human resources personnel. Doing so helps better understand employee behavior and make insider threat programs more trustworthy while respecting legal boundaries and workplace culture.

Organize

In this phase, the team should promote employee awareness, foster a culture of reporting, and provide necessary support to relevant departments while identifying potential insider threat activity.  

They must also ensure compliance with policies and procedures and handle sensitive data with strict confidentiality. Most importantly, there must be consistent training and enhanced vetting of the threat management team’s personnel to mitigate the risk of an insider threat arising from within the team itself.

Execute

Once the threat management team is formed, its members must assist the workforce in detecting and assessing potential threats.

To start, a company should equip team members for threat mitigation through mandatory training. It must also leverage organizational assets, such as personnel security files, travel records, and financial disclosure filings. These sources give the insider threat team a holistic view of employee risk factors, not just technical activity on a device.

If necessary, the team must seek guidance from the organization’s legal counsel to ensure compliance with local, state, and federal laws and regulations.

Maintain

The insider threat mitigation process doesn’t end after implementing initial safeguards. It’s also essential to maintain and develop the threat management team to ensure the organization can defend against future insider threats.

For example, the organization should conduct regular training and exercises to re-evaluate and build the threat management team’s capabilities. Furthermore, it should incorporate insider threat mitigation strategies into any new organizational priorities or product/service areas. This ensures regulatory compliance and reduces the risk of creating new vulnerabilities. The team can also ask employees for feedback to address any challenges and improve the company’s insider threat mitigation strategy.

“Organizations with mature insider threat programs are more resilient to disruptions, should they occur,” said CISA Executive Assistant Director for Infrastructure Security Steve Casapulla. “People are the first and best line of defense against malicious insider threats and organizations should act now to safeguard their people and assets.”

How Can Businesses Protect Themselves from Insider Threats?

It can take security teams an average of 85 days to detect and contain an insider threat. Worse yet, some insider threats go undetected for years. As such, it’s crucial for businesses to learn to defend themselves from insider threats before it’s too late. Some best practices include:

1. Implement Identity and Access Management (IAM)

IAM is an authentication practice that ensures only the right people can access an organization’s system, data, and resources.

One key IAM function is identity lifecycle management. It involves immediately decommissioning accounts of users who have exited the company or limiting the permissions of a departing disgruntled staffer. This way, you can significantly reduce the risk of insider threats.

2. Conduct Security Awareness Training

Unintentional insider threats cannot be completely eliminated because unlike machines, humans are subject to fatigue, distraction, stress, and misinterpretation. However, their risk can be significantly reduced by regularly conducting cybersecurity awareness training.

This must cover topics like using strong passwords, identifying and addressing suspicious emails and phishing scams, proper handling of sensitive data, and reporting lost devices. It should also include keeping software updated, reporting security incidents, and clean desk policies.

3. Leverage User and Entity Behavior Analytics (UEBA)

UEBA is a cybersecurity approach that uses behavioral analytics, machine learning, and artificial intelligence to analyze the behavior of devices, users, and applications. This allows it to identify anomalies that may indicate compromised accounts or insider threats.

UEBA scores anomalous behavior based on the risk it represents. For instance, a single failed login attempt during office hours could indicate a malicious insider threat and would generate a low score. Meanwhile, a user moving sensitive company data to another storage system after hours would get a higher-risk score.

With UEBA, security teams can not only prioritize the biggest threats but also document and monitor low-level alerts that could eventually become serious threats.
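The scoring idea in the two paragraphs above can be illustrated with a small rule-based scorer. This is an added example, not the output of any real UEBA product: the weights, the after-hours window, the "3x baseline" volume rule, and the sample events are all constructed. It reproduces the contrast the text draws (a lone failed login in office hours scores low; a large after-hours copy of sensitive data to removable media scores high) and keeps the low-scoring events in the output so they can be tracked rather than discarded.

```python
"""Toy UEBA-style risk scoring over constructed activity events (added example)."""
from datetime import datetime

# Assumed channels that move data outside organizational control.
EXTERNAL_DESTINATIONS = {"usb", "personal_cloud", "external_email"}

# Constructed sample events (ISO timestamps; 2024-06-03 is a Monday).
EVENTS = [
    {"user": "alice", "action": "login_failed", "time": "2024-06-03T10:15:00"},
    {"user": "bob", "action": "file_copy", "time": "2024-06-03T23:40:00",
     "bytes": 2_000_000_000, "dest": "usb", "sensitive": True},
    {"user": "carol", "action": "email_send", "time": "2024-06-04T14:05:00",
     "bytes": 2_000_000, "dest": "external_email", "sensitive": True},
]

# Constructed per-user baseline: typical bytes moved per day.
BASELINES = {"alice": 20_000_000, "bob": 50_000_000, "carol": 5_000_000}


def is_after_hours(ts: str) -> bool:
    """Assumed working window: weekdays 08:00-18:00."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (8 <= t.hour < 18)


def score_event(event, baselines):
    """Return (score, reasons). Weights are illustrative, not tuned."""
    score, reasons = 0, []
    if event["action"] == "login_failed":
        score += 5
        reasons.append("failed login")
    if is_after_hours(event["time"]):
        score += 20
        reasons.append("after hours")
    if event.get("sensitive") and event.get("dest") in EXTERNAL_DESTINATIONS:
        score += 40
        reasons.append(f"sensitive data to {event['dest']}")
    typical = baselines.get(event["user"], 0)
    if typical and event.get("bytes", 0) > 3 * typical:
        score += 25
        reasons.append("volume more than 3x user baseline")
    return score, reasons


def severity(score: int) -> str:
    return "high" if score >= 60 else "medium" if score >= 30 else "low"


def triage(events, baselines):
    """Score every event and return them highest-risk first; low scores are
    kept so they can be logged and watched rather than dropped."""
    rows = []
    for e in events:
        s, reasons = score_event(e, baselines)
        rows.append({"user": e["user"], "action": e["action"], "score": s,
                     "severity": severity(s), "reasons": reasons})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(EVENTS, BASELINES):
        print(f"{row['severity']:6} {row['score']:3} {row['user']:6} {row['action']:12} {row['reasons']}")
```

A production UEBA tool learns the baseline and the weights from historical data instead of hard-coding them, but the shape of the output is the same: a ranked queue where the analyst works from the top while the low-scoring entries accumulate context for later review.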

4. Deploy Data Loss Prevention (DLP) Software

DLP solutions use contextual analysis and behavioral analytics to monitor data and user activity. They classify and tag confidential information, then enforce policies to prevent sensitive data from being exfiltrated through USB drives, email, or cloud storage.

Defend Your Business from Insider Threats with Techmedics

As you can see, insider threats are a real danger to any organization. As such, you must find ways to protect your business’s IT systems from them. Fortunately, a reliable managed security services provider like Techmedics can help. We offer the following solutions:

  • Threat Detection and Response: Continuous monitoring of network traffic and endpoints to identify unusual activity, such as suspicious login attempts or unauthorized data transfers.
  • Cybersecurity Awareness Training: Training employees to recognize and address social engineering, phishing, and other suspicious behavior to reduce accidental data leaks and credential misuse.
  • Compliance-Driven Data Protection: We secure your data from insider threats through gap analysis and risk management, ensuring compliance with regulatory and industry standards like HIPAA, GDPR, and PCI DSS.
  • Firewall Management: We manage your firewall on your behalf, ensuring it properly blocks unauthorized access, filters network traffic, and enforces your organization’s security policies.

Techmedics serves businesses across all industries and business sizes in Dallas, Las Vegas, Los Angeles, and Phoenix. The best part? We employ local engineers in each area, helping you benefit from faster response times, personalized solutions, and regulatory familiarity. Talk to us today for a FREE consultation.  

Claim Your Free IT Assessment And Unlock The Potential Of Your Business

Experience the power of optimized IT solutions tailored to your business needs. Our team is ready to assess your current setup and provide valuable insights to propel your business forward. Don't miss out on this opportunity to revolutionize your IT infrastructure. Fill out the form to get started.
