
Insider Threats

Cybersecurity is a concern for every organization. While outside attackers are always looking for ways to gain unauthorized access to networks and data, there is a quieter and often more damaging threat to watch for: insider threats. An insider threat comes from anyone who has legitimate access to your network, whether through login credentials or some other authorized connection. Because the connection itself is legitimate, malicious activity over it is much harder to tell apart from normal work. Over the last two years, insider attacks have increased by an average of 44% and cost 34% more to remediate. To protect yourself from insider threats, you need to understand where they come from and how to mitigate them.


Insider attacks come from four main sources. The first and most obvious is malicious employees. Unfortunately, an employee sometimes becomes angry enough with their employer, or their greed outweighs their morals, and they choose to exploit their position to steal data or sell their network access to an outside attacker. Employees are more likely to turn malicious when they are fired, so it is important to revoke their network access either before or immediately after they are told of their termination. That means every account and credential they held, including VPN, email, cloud services and any shared passwords they knew, which should be changed.

Sometimes an employee creates an insider threat not through malicious actions but through careless ones. An employee may choose a password that is easy to guess, or reuse it across all their accounts so that when one is compromised, they all are. Or an employee may walk away from a device while it is still logged in to the network, leaving it open to anyone who comes across it. Training is the main counter to this; it is vital to educate employees on proper cybersecurity practices so that insider incidents do not arise from a simple mistake. Training works best when it is backed by controls that make the right behaviour the default: multi-factor authentication, a password manager, and automatic screen locks after a short idle period.

The third source of insider threat is, appropriately enough, third-party access. Whether contractors, freelancers or vendors, anyone outside your organization with legitimate access to your network is an inherent insider risk. They are even harder to monitor because they sit outside your organization: you usually do not control their devices, their hiring or their offboarding, so their access should be limited to what the engagement needs and given an expiry date.

The final source is compromised credentials. As with third-party access, an insider threat does not actually need to originate within your organization; it only needs a legitimate connection to your network. If an attacker obtains an employee's login credentials, they can use them to carry out an insider attack, and from the network's point of view it looks like the employee. Stolen credentials are consistently reported as a leading cause of data breaches worldwide.


Now that we know where insider attacks come from, how do we protect ourselves against them? As mentioned earlier, training is vital to ensuring employees know how to avoid the simple mistakes that lead to data leaks, network breaches or compromised credentials. You cannot expect the average person to stumble into good cybersecurity practices without being shown what they are.

Another preventative measure is a thorough background check on any potential new hire or third party you plan to grant network access. It gives you some insight into who is trustworthy, which makes the decision about whom to grant access easier. A background check is a point-in-time judgement, though, so it should be paired with least-privilege access: grant each person only what their role needs, and review those rights regularly rather than only at hiring.

A key aspect of cybersecurity that also applies to insider threats is endpoint management and protection. Mobile devices make up a significant portion of an organization's endpoints and are a considerable security risk if not properly managed. If a mobile device connects to an organization's network or handles its sensitive data, it needs protection in place (such as device encryption, a PIN or biometric lock, and the ability to wipe it remotely) so it cannot be used maliciously if it is lost or stolen.

Lastly, one of the keys to detecting insider attacks is network monitoring. Proper monitoring should let you see who is accessing what data, from which device, and from where. If a legitimate login is used but it comes from a device you do not recognize and an IP address on the other side of the world, there is a good chance the credentials have been compromised. The baseline matters: you can only spot an unusual device or location if you already record each user's usual ones.
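The monitoring check described above, written out as a small detection routine. This is an added example for this article, not code from Lighthouse IT Solutions; the user names, device names, IP addresses (documentation ranges), coordinates, country baselines and login events are all constructed, and the IP-to-location table stands in for a real GeoIP lookup. It flags a login when the device is not in the user's inventory, the country is outside their baseline, or the distance from their previous login could not have been covered in the time between them (so-called impossible travel), and reports every reason that fired so a plausible business trip can be told apart from a likely credential compromise.

```python
"""Flag logins that do not match a user's known devices and locations.

Added example for this article; not Lighthouse IT Solutions code. All
device names, IPs, coordinates and events below are constructed.
"""
import math
from datetime import datetime

# Constructed device inventory: the devices each user is expected to log in from.
# In practice this would come from your MDM or endpoint-management tool.
KNOWN_DEVICES = {
    "jdoe": {"LAPTOP-JD01", "PHONE-JD01"},
    "asmith": {"LAPTOP-AS01"},
}

# Constructed baseline of countries each user normally logs in from.
USUAL_COUNTRIES = {
    "jdoe": {"US"},
    "asmith": {"US"},
}

# Constructed IP-to-location table standing in for a GeoIP lookup:
# ip -> (latitude, longitude, ISO country code). Documentation ranges only.
GEO = {
    "203.0.113.10": (42.33, -83.05, "US"),
    "203.0.113.11": (42.33, -83.05, "US"),
    "198.51.100.7": (55.75, 37.62, "RU"),
    "192.0.2.44": (35.68, 139.69, "JP"),
}

# Constructed successful-login events in time order (UTC timestamps).
EVENTS = [
    {"ts": "2022-12-14T09:02:11Z", "user": "jdoe",   "device": "LAPTOP-JD01", "ip": "203.0.113.10"},
    {"ts": "2022-12-14T09:40:05Z", "user": "asmith", "device": "LAPTOP-AS01", "ip": "203.0.113.11"},
    {"ts": "2022-12-14T10:15:30Z", "user": "jdoe",   "device": "WIN-7F3A2C",  "ip": "198.51.100.7"},
    {"ts": "2022-12-15T09:00:00Z", "user": "asmith", "device": "LAPTOP-AS01", "ip": "192.0.2.44"},
]

# Faster than an airliner between two logins means one person cannot have made both.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, known_devices, usual_countries, geo, max_speed_kmh=MAX_SPEED_KMH):
    """Return one finding per login that breaks the user's baseline.

    Each finding lists every reason that fired, so an analyst can tell a
    plausible business trip (new country only) from a likely credential
    compromise (unknown device plus an impossible journey).
    """
    findings = []
    last_seen = {}  # user -> (datetime, lat, lon) of their previous login
    for event in events:
        user = event["user"]
        when = parse_ts(event["ts"])
        reasons = []

        if event["device"] not in known_devices.get(user, set()):
            reasons.append("unknown_device")

        location = geo.get(event["ip"])
        if location is None:
            reasons.append("unresolved_ip")
        else:
            lat, lon, country = location
            if country not in usual_countries.get(user, set()):
                reasons.append("unusual_location")
            previous = last_seen.get(user)
            if previous is not None:
                prev_when, prev_lat, prev_lon = previous
                hours = (when - prev_when).total_seconds() / 3600.0
                km = haversine_km(prev_lat, prev_lon, lat, lon)
                # Moved a real distance in no time, or faster than an airliner.
                if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                    reasons.append("impossible_travel")
            last_seen[user] = (when, lat, lon)

        if reasons:
            findings.append({"ts": event["ts"], "user": user, "device": event["device"],
                             "ip": event["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, KNOWN_DEVICES, USUAL_COUNTRIES, GEO):
        print(f"{f['ts']} {f['user']:<8} {f['device']:<12} {f['ip']:<14} {', '.join(f['reasons'])}")
```

On the constructed events, jdoe's third login fires all three reasons (new device, new country, and a trip from the office to Moscow in just over an hour), which is the pattern of a stolen credential, while asmith's login from Japan a day later fires only the location check and is consistent with travel. Geolocation is coarse and corporate VPN exit points or mobile carriers can place a user far from where they sit, so treat a single reason as a prompt to ask the user, and the combination as a prompt to disable the account first.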


Putting rules in place that limit which devices and IP addresses are allowed to connect to your network blocks many potential insider attacks outright. Additionally, having an IT team that can terminate a user's network access at a moment's notice helps keep all your bases covered. Lighthouse IT Solutions can help you with both of these and more. Contact us here to get a quote for a secure and managed network and achieve IT Harmony.

Posted by:

Mark Nash
12/15/2022

Check out our partner's blog at Sophos!