All organisations are vulnerable to insider threats, just as they are vulnerable to cyber attacks. Security incidents can expose personal and corporate data, damaging the organisation’s reputation and harming the quality of life of the individuals affected.
Find out how insider threats work and the types of incident you should look out for in this blog.
What is an insider threat?
As the name suggests, an insider threat is an employee, contractor or business partner who compromises their employer’s systems.
Although insiders might use many of the same techniques as criminal hackers – such as planting malware or exploiting an unprotected database – they are defined by how they access systems.
In all cases, an insider threat has been given authorised access to networks, systems or data. They bypass security measures through legitimate means, making it hard for organisations to identify or prevent threats.
Types of insider threats
Insider threats can be broadly broken into two categories: negligent and malicious.
Negligent insiders are employees who compromise sensitive information by mistake. In some cases, they are directly responsible for the data breach.
For example, they might have sent an email containing sensitive personal information to the wrong person, or have forgotten to shred records before throwing them out.
In other cases, the negligent employee commits an error that makes it possible for a cyber criminal to launch an attack. This would be the case, for instance, if an employee fell for a phishing scam and inadvertently handed their login credentials to a scammer.
By contrast, malicious insiders knowingly compromise their employer’s systems. They usually do so in an act of revenge or for financial gain.
Revenge attacks are most likely when an employee has been fired or has resigned. This kind of insider is particularly dangerous if they can log in to their work account remotely and the organisation doesn’t remove their access rights as soon as their employment ends.
Employees can also act vengefully if they are unhappy at work. This could be the case if they were passed over for a promotion or don’t like the way the business is being run.
Meanwhile, financially motivated insiders breach sensitive information with the intention of selling it to a third party. This usually means uploading the data to the dark web, where criminals purchase sensitive personal information to conduct scams.
Real-life examples of insider threats
1. Airline employee misconfigures Cloud bucket
Pegasus Airlines accidentally left 23 million files containing personal data exposed online after an employee improperly configured a database. The incident was reported in June 2022 after the Turkish airline discovered the error.
Organisations often use third-party services to store sensitive information, because it saves them money and resources. With a Cloud service provider, the data is stored on a central server that can be accessed online.
Because the information is stored online, organisations must adopt appropriate controls to ensure that only authorised people can access the information.
In this case, an employee misconfigured the security settings, exposing valuable information such as flight charts, navigation materials and information about flight crew.
The database also contained up to 400 files with plaintext passwords and secret keys, as well as the source code for the software.
2. NHS staff caught out by phishing scams
Phishing is perhaps the biggest cyber security risk that organisations face, with organisations of all sizes and in all sectors being at risk.
The NHS learned that to its cost this year, after more than 130 email accounts were compromised in a prolonged phishing campaign.
The Cloud security firm Inky found that scammers sent 1,157 phishing emails originating from NHS mail between October 2021 and March 2022.
The emails contained a link that directed recipients to a bogus Microsoft 365 login page, asking them to provide their login details.
Inky reported that at least 139 NHS emails were compromised in the attack, but the true scope of the campaign was likely much larger, because the organisation only analysed phishing attacks made against its own customers.
3. Fired system administrator sabotages his employer
A system administrator who lost his job at a paper mill served 34 months in prison after tampering with the control systems of his former employer and causing $1.1 million (about £900,000) in damages.
Brian Johnson, who had been made redundant by the paper manufacturer Georgia-Pacific after 15 years’ service, was able to use login credentials that remained valid. He accessed servers via a VPN in his home, installing his own software and altering the industrial control systems.
In a two-week-long attack on the firm’s factory in Port Hudson, Louisiana, Johnson created a series of delays that cost his former employer huge sums in missed deadlines.
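The stale-credential risk in this case (and described earlier under “Types of insider threats”) can be checked mechanically. The following Python is an added example, not code from the original post: it cross-references a constructed HR offboarding list against constructed VPN authentication lines and flags any login attempt after an account’s end date.

```python
import re
from datetime import datetime, timedelta

# Constructed offboarding list (not from the article): username -> date employment ended.
TERMINATED = {
    "jdoe": datetime(2022, 2, 1),
    "rroe": datetime(2022, 3, 15),
}

# Constructed VPN authentication log in a syslog-like format (sample data, not real).
VPN_LOG = """\
2022-02-03T22:14:05 vpn01 LOGIN user=jdoe src=203.0.113.7 result=success
2022-02-04T01:02:11 vpn01 LOGIN user=msmith src=198.51.100.3 result=success
2022-02-05T09:30:00 vpn01 LOGIN user=rroe src=203.0.113.9 result=success
2022-02-06T23:45:19 vpn01 LOGIN user=jdoe src=203.0.113.7 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LOGIN user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_stale_access(log_text, terminated, grace=timedelta(0)):
    """Flag authentications by leavers after their end date (plus any grace period).

    A successful login is high severity (credentials were never revoked);
    a failure is medium (the account still exists and is still being tried).
    """
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip malformed or unrelated lines
        end = terminated.get(ev["user"])
        if end is None or ev["ts"] <= end + grace:
            continue  # not a leaver, or activity before the end date
        severity = "high" if ev["result"] == "success" else "medium"
        findings.append((ev["ts"].isoformat(), ev["user"], ev["src"], severity))
    return findings
```

Running the same check daily against the real VPN or identity-provider logs turns the “remove access rights as soon as employment ends” advice into a verifiable control rather than a policy statement.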
4. Fast food employee steals people’s payment card details
In June 2022, a Taco Bell employee was caught stealing customers’ credit card details and using the numbers to buy items for herself.
Police were called after a victim reported that someone had tried to use their credit card at a nearby Pizza Hut.
The investigation soon led to 36-year-old Laquawanda Hawkins, who worked in Taco Bell’s drive-thru. CCTV footage revealed that she had taken photographs of customers’ bank cards and used the information to make a series of purchases locally and online.
5. General Electric employee caught stealing trade secrets
The US multinational company General Electric learned in July 2022 that an employee had stolen more than 8,000 sensitive files in a breach that spanned more than eight years.
An engineer at the firm, Jean Patrice Delia, had persuaded an IT administrator to grant him access to sensitive information, which he siphoned off with the intention of starting a rival company.
The FBI investigated the incident and learned that Delia emailed commercially sensitive information to a co-conspirator. He eventually pleaded guilty to the charges and was sentenced to up to 87 months in prison.
How to handle a data breach
Organisations can’t always prevent data breaches, but they can minimise the damage by responding quickly and in line with regulatory requirements.
The majority of the damage from a data breach comes after the initial incident, with a Ponemon Institute report finding that organisations that can contain a breach within 30 days save more than $1 million (about £826,000) compared with those that take longer.
Getting the right advice early is crucial. With our Retained Data Breach Management Service you will get all the guidance you need.
Our specialist data breach consultants will help you identify the best way to mitigate the damage and how best to proceed.
This includes guidance on whether you need to report the incident under the GDPR or other data protection laws, how to decide if you need to inform the affected data subjects and how to minimise further damage to them and to your organisation.
We also offer an Emergency Cyber Incident Response Service for organisations that have come under attack and need immediate support.
Our experts will review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.