Insider Threats Greatly Impact Business

While former National Security Agency (NSA) contractor Edward Snowden has dominated the news after leaking details of several top-secret surveillance programs, his type of “insider threat” is not the only one businesses should consider when making IT security decisions.

When most people hear the term “insider threat”, the typical assumption is that it is an employee who is determined to inflict destruction and harm on his or her employer. Sword & Shield has worked on cases like these and can absolutely confirm that this type of activity does exist and that you must guard against it. However, in those instances, the business impact is typically known soon afterwards and you can begin to recover.

It is important to understand that there is another type of insider that you must protect yourself from: those who steal your business secrets and intellectual property.

Insider threats are impacting businesses so greatly that information security industry reports are now highlighting the impact on these organizations. In a recent Symantec survey, some alarming statistics were uncovered. The Frenemy Within also has an alarming perspective on how your employees value your data. One underlying issue is that many employees “attribute ownership of IP to the person who created it”, rather than the employer. Below are some additional statistics:

  • 62 percent feel that it is OK to transfer your confidential information to their personal computers, cloud apps and mobile devices. We all know this data will “live” forever.
  • 50 percent of previous employees kept confidential data and 40 percent of them plan to use it in their new position (with your competitors).
  • 56 percent of those who steal confidential data do not feel it is a crime.
  • 42 percent do not feel it is “wrong” to reuse the information.
  • 53 percent feel that stealing the intellectual property and trade secrets of their employer doesn’t “harm the company”.

One of the most respected annual computer security reports, published by Verizon, an organization that primarily works on financial fraud, indicated that 14 percent of its data breach studies involve insiders. Even with this data set being heavily skewed toward external threats from China and Russia, the insider angle definitely exists and must be a concern for all organizations.

Although more devastating than many other instances of cyberattacks, insider threat activity does not always appear on most industry reports. A CERT study demonstrated that over a 6-year period, more than 45 percent of organizations experienced an insider threat. This survey also conveyed that 46 percent of the respondents stated that “damage caused by insider attacks more damaging than outsider attacks”. This makes sense: when outsiders attack you, the damage is either immediately understood or unknown for years.

Another alarming statistic from this study was that 76 percent of these attacks were handled without legal action or law enforcement and only 3 percent led to the filing of a civil lawsuit.  If an employee has taken your sensitive information to a competitor, legal action may be the best route to ensure it is not used against you.

Use this information to understand the impact these insider threats have on your success.

There are two approaches to insider threats of this nature. The first is to proactively build an insider threat program to deter and detect this activity. One of the best proactive references available to combat insider threats is provided by CERT: the Common Sense Guide to Mitigating Insider Threats. The mitigating factors can be implemented solely by you or with the assistance of specialized consulting firms.

The second approach is the reactive approach. Even with a mature insider threat program established, it will be tested. The reactive approach involves competent and experienced computer forensics experts gathering the needed data to quickly thwart the insider's initiatives.

For employees with access to sensitive information of concern, additional steps need to be taken. The challenge in theft of corporate information is that the employee has been given access to this information for their role within the company.

However, proper forensic analysis will determine the detailed activity and demonstrate the access and copying of this information beyond the agreed-upon usage.

Upon the resignation or removal of key employees, certain steps need to be taken quickly:

  • Collect and retain forensic images of computers used.
  • Collect and retain forensic images of all mobile devices.
  • Collect and retain email and Internet histories for the previous 90 days.

At this point, whether to analyze this information immediately is up to you and your circumstances. In some situations it is obvious that the data needs to be inspected; in others, not so much. Either way, this evidence could prove crucial in assisting you in combating the potential “enemy within”.


  1. Bill,

    I enjoyed the article and couldn’t agree more about the risks associated with insider threats.

    The insider risk that goes unnoticed is IT staffers who take retired computers from their employers. It happens every day.

    Employee theft of retired computers is one of the most overlooked aspects of data security. IT staff take retired assets before a disposal vendor is ever involved. Employees have access to equipment and knowledge of which equipment will be missed and which won’t.

    If there is anything I can do to be of service to you, please just say the word.