From Carelessness to Activism — Why Insiders Do What They Do

Whenever the subject of insider threat arises, the discussion gravitates toward the insider who has acted maliciously in some way. People often think of the executive or staffer who stole confidential information about an impending corporate transaction or intellectual property, such as source code, and intentionally exposed or sold it.

This certainly is understandable, after all such stories permeate the press. Just a few weeks back in late January, Hershey sued one of its former executives for alleged theft of some of its most sensitive trade secrets and confidential business information before going to work for a direct competitor, while Coca-Cola learned of an alleged security breach when a former employee was found with a drive containing the personal information of about 8,000 people. There is also the case of the three former McAfee employees that the company alleges took confidential information to a competitor.

While incidents like these are all too common, they’re not the only types of insider risks that damage the data security at organizations. There are many other reasons, beyond financial gain, why insiders do what they do. In this post, we hope to highlight some of the other common causes behind insider risks, and what they mean for your security and insider threat program.

The careless insider

As our Data Exposure Report  has shown, not all insiders intentionally act maliciously. Many insiders will inadvertently click on a link tucked within a phishing email and their endpoint will get infected. Or they will be careless with their notebook or removable drives and lose them. Drives that are, of course, unencrypted. This is perhaps one of the largest insider threat categories. And it’s not just front-line employees. According to our 2019 Data Exposure Report, 78% of CISOs and 65% CEOs admitted that they’ve clicked on a link that they shouldn’t have.

People want to use the data as they wish

Not only do people want to use data as they wish, they actually view enterprise data as their data. According to our research, over 70% of information security and business decision-makers agreed that the data at work isn’t just corporate data, it’s their work and their ideas. This means there is great risk departing employees will take data with them when they leave for a new employer. Conversely, new staff are likely bringing work from their previous employer into their new companies.

People want to work the way they want to work

Not only do staffers and other insiders want to use data as they wish, they want to work exactly how they want to work. There’s a lot of this Shadow IT underway, especially when it comes to collaboration, cloud storage, and social media. Our research and experience with our customers show that insiders will, rather than use collaborative tools provided by the organization, turn to unauthorized collaborative tools, social media and personal email to share information. Not good.

Political motivations

People today are more politically motivated than at any other time in recent history, and they are more likely to act in accordance with their political beliefs. Whether it’s over environmental issues, party politics, or other social causes, if someone perceives the organization they work for to be on the wrong side of a social cause, it could very likely be a catalyst for someone to lash out at the company by stealing, destroying or exposing data.

The spurned staffer

Sometimes insiders will do something bad with a motivation other than financial, or at least the financial gain is secondary to extracting a reprisal of some sort. These types of insider threat actions can be triggered by resentment for being overlooked for a promotion, a raise that was perceived as inadequate, perceived poor project assignments, scorned office romance, and any number of other potential personal reasons. 

As you see, there are many different reasons and motivations behind insider threats. How should your enterprise protect itself from insider threats with such varying motivations?

Focus on the data, not the motivation

Fortunately, you don’t need a different plan for each motivation. At least not when it comes to protecting your data. What enterprises need is a data security policy that includes data security awareness training and technology to monitor data movements to avoid unwanted data exfiltration.

An effective data security policy will also detail who owns the data and the proper ways to access, use and store that data. It’s also important that staffers be continuously reminded of this policy through periodic security awareness training or login banners. Finally, you’re going to need technical controls in place that will enforce your data security protocols.

One thing we’ve certainly learned is that those technical controls that attempt to block data leaving the organization are not actually effective at stopping unwanted data exfiltration. In fact, by just being in place, these technologies often create a false sense of security. We’ve learned, instead, that capabilities to monitor and audit all data movement are much more effective.

It’s true that the motivations behind the insider threat are varied and the risks they pose are significant. After all, who else better knows where the valuable data resides, why it’s valuable, and how to obtain it than those on the inside. Fortunately, to succeed at minimizing insider threat, you don’t need to focus on every motivation — you just need to focus on the data.