Insider threats are the underappreciated threat. They fly under the radar as stories about hackers get top billing. Insider attacks are more insidious because they betray the trust the company has in its employees, partners and systems. Insider threats are the hardest to detect and take longer to discover than any other threats, according to the most recent Verizon Data Breach Report. Insider threats come in several types, including: intentional data theft, as in the Morgan Stanley breach; possible insider trading, like that recently seen in the LinkedIn acquisition; garden-variety employee mistakes, such as the Google insider data breach; and ex-employees accused of taking trade secrets, as alleged in an IBM lawsuit. And then there are the active efforts by criminals to recruit insiders on the Dark Web, and nation-state espionage that takes the form of phishing emails or bribed insiders.
The insider threat is not really a cybersecurity problem or a data analytics issue; it’s a human risk problem that can only be solved by understanding how people think and behave. In this slideshow, RedOwl has applied the science of risk assessment to employee behavior and come up with six persona types of employees who represent insider threat risks.
Identifying Insider Risk Types
The following six employee persona types, as identified by RedOwl, may present an insider risk to organizations.
The Disgruntled Departing Employee (Saboteur)
This employee can be introverted and extremely detail-oriented. She may feel underappreciated and overlooked by management, causing her to become frustrated and careless about her work. You might notice her openly searching for a new job during work hours. As a result, she may have a huge fight with her boss and quit, leaving a “time bomb” program that will go off months after her departure, wiping important records and replacing them with important transactions.
Indicators: Seeks access to servers outside normal business hours. Analysis of communications often reveals dissatisfaction with rules. Minor rules violations may be indicative of greater problems.
The Malicious Insider (Intellectual Property Thief)
Focused on climbing the corporate ladder, this leader has little time for those beneath his position, yet typically feels undervalued. These types of people are often calculating when they resign, planning to go to a key competitor and take valuable intellectual property with them. Unfortunately, these employees are often senior team members with a high level of access to sensitive information like client files, studies, strategies, and business plans.
Indicators: Unusual number of inbound emails from external contacts, frequent communications outside normal channels, spikes in documents sent to an external email address.
The Absent-Minded Manager (Negligent Employee)
The HR manager receives a request to email employees’ personally identifiable information (PII) to a new accounting firm. The email address turns out to be fraudulent. This employee rarely takes the time to set up passwords and regularly emails himself/herself sensitive information.
Indicators: Sloppiness and inattentiveness, sharing passwords and sensitive information via email.
The Compromised Consultant (Code and Intellectual Property Thief)
Your trusted consultant gets into financial trouble after losing a large amount of money. This consultant is targeted by an organized crime network because of his technical position of trust, which is publicly visible on his LinkedIn profile. The blackmailer may pose as a technical recruiter and convince the consultant to steal sensitive PII that can be sold on the black market. After your consultant finds vulnerable information to exploit, he will become more confident and aggressive about stealing information. Eventually he will become sloppy and prepare to resign to avoid being caught.
Indicators: May exhibit signs of financial instability (e.g., gambling) outside of the work environment; abnormally high level of downloads or copies of documents not associated with role or department.
The Activist (Media Leaker)
A top performer, this insider will become privy to some internal communications of corporate executives about compensation. Through chats and emails that were mistakenly shared, she learns about helicopter rides and extravagant dinners on the company dime, sees conversations about whether to fire mid-level managers who didn’t seem smart enough, and even disparaging and sexist remarks about a female admin assistant. This employee gets frustrated and decides she’s had enough. She shifts her hours so she can surreptitiously document her colleague’s comments over a period of weeks or months. When she’s ready to quit, she’ll take the dirt and send it straight to a national media publication.
Indicators: May appear to be stressed or depressed. Seeks access to sensitive company information, is active on servers at unusual hours, and shows a spike in downloading activity.
The Planted Insider (Intellectual Property Thief)
This employee quickly made VP and was well-respected across the company. One day at a conference, he was approached by an individual from another country who had recently moved to London and had noticed his name tag, and the two struck up a conversation. They began having coffee on a fairly regular basis. With your employee’s help, this foreigner landed an entry-level position on the equities trading floor. The two kept in touch, and then your employee began to have doubts about him.
Indicators: Communicates primarily with external contacts, clearly motivated by money and willing to skirt the rules to get ahead.