Hotel cybersecurity training - Insider Threat, from ENISA, FBI, CISA

Insider threat, from ENISA

What is insider threat?

An insider threat is an action that may result in an incident, performed by someone or a group of people affiliated with or working for the potential victim.

There are several patterns associated with threats from the inside. A well-known insider threat pattern (also known as ‘privilege misuse’) occurs when outsiders collaborate with internal actors to gain unapproved access to assets.

Insiders may cause harm unintentionally through carelessness or because of a lack of knowledge. Since these insiders often enjoy trust and privileges, as well as knowledge of the organisational policies, processes and procedures of the organisation, it is difficult to distinguish between legitimate, malicious and erroneous access to applications, data and systems.

The five types of insider threat can be defined according to their rationales and objectives:

a) the careless workers who mishandle data, break use policies and install unauthorised applications;

b) the inside agents who steal information on behalf of outsiders;

c) the disgruntled employees who seek to harm their organisation;

d) the malicious insiders who use existing privileges to steal information for personal gain;

e) the feckless third-parties who compromise security through intelligence, misuse or malicious access to or use of an asset.

All five types of insider threats should be continuously studied, as acknowledging their existence and their modus operandi should define the organisation’s strategy for security and data protection.


- 65% of the impact from insider threats includes damage to the organisation’s reputation and finances.

- 88% of the organisations surveyed recognise that insider threats are a cause for alarm.

- €11,45 million is the average annual cost of cybersecurity incidents caused by an insider to the organisation.

- 40% of the organisations surveyed feel vulnerable to having confidential business information exposed.

Money rules.

Due to the increasing cost of other attack vectors, attackers are willing to offer large amounts of money to insiders. The price of insiders varies, depending on the insider’s position in the company, the company itself, the type and complexity of service that is requested, the type of data that are exfiltrated and the level of security at the company.

Some of the ways attackers recruit insiders include:

(1) simply posting an offer on forums and offering a reward for certain information;

(2) disguising their actions so that employees don’t realize they are acting illegally, disclosing personal information or engaging in insider activity; and

(3) blackmailing.

Rogue actions Urbi et Orbi.

A former software engineer from a cloud service provider took advantage of a misconfigured web application firewall and accessed more than 100 million customers’ accounts and credit card records.

The company has since fixed the vulnerability and stated that ‘no credit card account numbers or log-in credentials were compromised’.

This insider-threat case is particularly interesting because the former employee turned hacker wasn’t worried about hiding the identity.

The hacker shared the hacking method with colleagues from Capital One on a chat service. The hacker also posted the information on GitHub (using the full name) and bragged on social media about it too.

This kind of behaviour is a phenomenon psychologist’s call ‘leakage’ whereby insiders who plot to do damage reveal their plans. Capital One expects the breach to cost up to US $150 million (ca. €127 million).


A recent survey revealed that groups are the most dangerous insider threats within companies and other organisations.

According to cybersecurity experts, phishing (38%) is the biggest vulnerability in the case of unintentional insider threats. In a lower position of the list are spear phishing (21%), the weak or reused passwords (16%), orphaned accounts (10%) and browsing of suspicious sites (7%).

Proposed actions.

- Deploy a deep packet inspection (DPI) technology for anomaly detection which gives industrial users a trusted platform for monitoring the flow of process control command flow and telemetry data, and protect against outside threats. At the same time, it mitigates the risk of ‘advanced’ insider interference from engineers, SCADA operators or other internal staff with direct access to systems.

- Introduce an insider threat countermeasures plan into the overall security strategy and policies. This plan typically includes a risk management framework, business continuity plan (BCP), disaster recovery program (DRP), a financial and accounting management policies and a legal and regulatory management.

- Build a security programme that consists of: conducting threat hunting activities, performing vulnerability scanning and penetration testing, implementing personnel security measures, employing physical security measures, implement network security solutions, employing endpoint security solutions, applying data security measures, employing identity and accessing management measures, establishing incident management capabilities, retaining digital forensics services and utilisation of artificial Intelligence (AI) methods to prevent insider attacks.

- Draw up a security policy on insider threats, based on user awareness, wich is one of the most effective controls for this type of cyberthreat.

- Implement robust technical controls. Traditional security measures tend to focus on external threats, but these are usually not efficient at identifying internal risks emanating from inside the organisation. To protect assets, implement tools such as data loss prevention (DLP) to prevent data exfiltration.

- Reduce the number of users with privileges and access to sensitive information. If an employee doesn’t need to have access to some information to do their work, it is better to restrict what they can see, thus avoid improper access.

- Harden the digital environment, which includes tightening up the security of the network, systems, applications, data and accounts.

Insider threat, FBI

Successful Investigation of ‘Insiders’

- In Detroit, a car company employee copied proprietary documents, including some on sensitive designs, to an external hard drive…shortly before reporting for a new job with a competing firm in China.

- In Indianapolis, an employee of an international agricultural business stole trade secrets on organic pesticides from his employer and shared them with individuals in China and Germany.

- In Boston, a technology company employee e-mailed an international consulate in that city and offered proprietary business information. He later provided pricing and contract data, customer lists, and names of other employees…to what turned out to be a federal undercover agent.

All three subjects pled guilty. But in two of the three cases, the stolen secrets probably ended up in the hands of global businesses that will use them to attempt to gain an unfair competitive edge over the United States.

Why do insiders do it? Lots of reasons, including greed or financial need, unhappiness at work, allegiance to another company or another country, vulnerability to blackmail, the promise of a better job, and/or drug or alcohol abuse.

How to stop them? Obviously, a strong organizational emphasis on personnel and computer security is key, and the FBI conducts outreach efforts with industry partners—like InfraGard—that offer a variety of security and counterintelligence training sessions, awareness seminars, and information.

You can help as well. In our experience, those who purloin trade secrets and other sensitive information from their own companies to sell overseas often exhibit certain behaviors that co-workers could have picked up on ahead of time, possibly preventing the information breaches in the first place. Many co-workers came forward only after the criminal was arrested. Had they reported those suspicions earlier, the company’s secrets may have been kept safe.

Here are some warning signs that could indicate that employees are spying and/or stealing secrets from their company:

- They work odd hours without authorization.

- Without need or authorization, they take proprietary or other information home in hard copy form and/or on thumb drives, computer disks, or e-mail.

- They unnecessarily copy material, especially if it’s proprietary or classified. They disregard company policies about installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential material.

- They take short trips to foreign countries for unexplained reasons.

- They engage in suspicious personal contacts with competitors, business partners, or other unauthorized individuals.

- They buy things they can’t afford.

- They are overwhelmed by life crises or career disappointments.

- They are concerned about being investigated, leaving traps to detect searches of their home or office or looking for listening devices or cameras.

Insider threat, CISA

What is an Insider?

An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.

Examples of an insider may include:

- A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information and access.

- A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).

- A person to whom the organization has supplied a computer and/or network access.

- A person who develops the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.

- A person who is knowledgeable about the organization’s fundamentals, including pricing, costs, and organizational strengths and weaknesses.

- A person who is knowledgeable about the organization’s business strategy and goals, entrusted with future plans, or the means to sustain the organization and provide for the welfare of its people.

- In the context of government functions, the insider can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.

What Is Insider Threat?

Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities. External stakeholders and customers of DHS may find this generic definition better suited and adaptable for their organization’s use.

The Cyber and Infrastructure Security Agency (CISA) defines insider threat as the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the Department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. This threat can manifest as damage to the Department through the following insider behaviors:

- Espionage

- Terrorism

- Unauthorized disclosure of information

- Corruption, including participation in transnational organized crime

- Sabotage

- Workplace violence

- Intentional or unintentional loss or degradation of departmental resources or capabilities

What Are the Types of Insider Threats?

The insider threat can be either unintentional or intentional.

Unintentional Threat

Negligence – An insider of this type exposes an organization to a threat through carelessness. Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization. Examples include allowing someone to “piggyback” through a secure entrance point, misplacing or losing a portable storage device containing sensitive information, and ignoring messages to install new updates and security patches.

Accidental – An insider of this type mistakenly causes an unintended risk to an organization. Organizations can successfully work to minimize accidents, but they will occur; they cannot be completely prevented, but those that occur can be mitigated. Examples include mistyping an email address and accidentally sending a sensitive business document to a competitor, unknowingly or inadvertently clicking on a hyperlink, opening an attachment that contains a virus within a phishing email, or improperly disposing of sensitive documents.

Intentional Threats - Intentional threats are actions taken to harm an organization for personal benefit or to act on a personal grievance. The intentional insider is often synonymously referenced as a “malicious insider.” The motivation is personal gain or harming the organization. For example, many insiders are motivated to “get even” due to unmet expectations related to a lack of recognition (e.g., promotion, bonuses, desirable travel) or even termination. Their actions include leaking sensitive information, harassing associates, sabotaging equipment, or perpetrating violence. Others have stolen proprietary data or intellectual property in the false hope of advancing their careers.

Other Threats

Collusive Threats – A subset of malicious insider threats is collusive threats, where one or more insiders collaborate with an external threat actor to compromise an organization. These incidents frequently involve cybercriminals recruiting an insider or several insiders to enable fraud, intellectual property theft, espionage, or a combination of the three.

Third-Party Threats – Additionally, third-party threats are typically contractors or vendors who are not formal members of an organization, but who have been granted some level of access to facilities, systems, networks, or people to complete their work. These threats may be direct or indirect threats.

Direct threats are individuals who act in a way that compromises the targeted organization. Indirect threats are generally flaws in systems that expose resources to unintentional or malicious threat actors.

How Does an Insider Threat Occur?

Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts. Expressions of insider threat are defined in detail below.

Expressions of Insider Threat

Violence – This action includes the threat of violence, as well as other threatening behaviors that create an intimidating, hostile, or abusive environment.

Workplace/organizational violence is any action or threat of physical violence, harassment, sexual harassment, intimidation, bullying, offensive jokes, or other threatening behavior by a co-worker or associate that occurs in a person’s place of employment or while a person is working.

Terrorism as an insider threat is an unlawful use of or threat of violence by employees, members, or others closely associated with an organization, against that organization. Terrorism’s goal is to promote a political or social objective.

Espionage – Espionage is the covert or illicit practice of spying on a foreign government, organization, entity, or person to obtain confidential information for military, political, strategic, or financial advantage.

Economic Espionage is the covert practice of obtaining trade secrets from a foreign nation (e.g., all forms and types of financial, business, scientific, technical, economic, or engineering information and methods, techniques, processes, procedures, programs, or codes for manufacturing).

Government Espionage is covert intelligence-gathering activities by one government against another to obtain political or military advantage. It can also include government(s) spying on corporate entities such as aeronautics firms, consulting firms, think tanks, or munition companies. Government espionage is also referred to as intelligence gathering.

Criminal Espionage involves a U.S. citizen betraying U.S. government secrets to foreign nations.

Sabotage – Sabotage describes deliberate actions to harm an organization’s physical or virtual infrastructure, including noncompliance with maintenance or IT procedures, contamination of clean spaces, physically damaging facilities, or deleting code to prevent regular operations.

Physical Sabotage is taking deliberate actions aimed at harming an organization’s physical infrastructure (e.g., facilities or equipment).

Virtual Sabotage is taking malicious actions through technical means to disrupt or stop an organization’s normal business operations.

Theft – Theft is the simple act of stealing, whether money or intellectual property.

Financial Crime is the unauthorized taking or illicit use of a person’s, business’, or organization’s money or property with the intent to benefit from it.

Intellectual Property Theft is the theft or robbery of an individual’s or organization’s ideas, inventions, or creative expressions, including trade secrets and proprietary products, even if the concepts or items being stolen originated from the thief.

Cyber - Digital threat includes theft, espionage, violence, and sabotage of anything related to technology, virtual reality, computers, devices, or the internet.

Unintentional Threats are the non-malicious (frequently accidental or inadvertent) exposure of an organization’s IT infrastructure, systems, and data that causes unintended harm to an organization. Examples include phishing emails, rogue software, and “malvertising” (embedding malicious content into legitimate online advertising).

Intentional Threats are malicious actions performed by hostile insiders who use technical means to disrupt or halt an organization’s regular business operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to IT systems. This action can involve changing data or inserting malware or other pieces of offensive software to disrupt systems and networks.

Cyber Risk GmbH, some of our clients