Finding the Devil Inside: The Psychology of the Insider Threat

A story about hackers utilizing complicated exploits to infiltrate a computer network is sure to generate headlines. But sometimes it’s the devil you know that can do the most damage.

Identifying a potential malicious insider before he or she is able to walk away with intellectual property can be the difference between a good night’s sleep and several weeks’ worth of public relations fallout. According to psychologists Dr. Eric Shaw and Harley Stock, there are warning signs organizations can heed if they know what to look for.

In a new report commissioned by Symantec, “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall,” Shaw and Stock analyzed insider breaches to get a sense of not only how insiders steal data, but who does it and why. Among their findings:

• Roughly 65% of insiders who steal intellectual property had already accepted positions with a competing company – or started their own – at the time of the theft.

• People typically steal information they are authorized to access. According to their data, 75% of insiders stole material they were authorized to see.

• The average insider IP theft is committed by a male employee about 37 years old who serves in a technical position such as an engineer, scientist or programmer. In addition, the majority of IP thieves had signed IP agreements, indicating that policies alone are often ineffective.

• IP theft by insiders is often precipitated by professional setbacks. With many IP thieves, there is a sense of disgruntlement with the organization.

Organizations need to take a multi-disciplinary approach to dealing with insider threats that involves creating a team that includes not only IT security, but human resources and physical security as well, Shaw said. Silos in an organization can make it difficult to understand whether or not they are at risk, he added.

“I ran into a common problem at a large defense contractor where we did an insider risk audit,” he explained. “We discovered that HR had scheduled mass lay-offs but IT security was unaware of these exits from the firm on a particular day. So what the company faced was hundreds of disgruntled workers leaving a high-tech manufacturing facility who retained remote access to the firm’s network. This could be a nightmare scenario for IT theft. Only communication between the groups can head off such challenges.”


In addition, an employee may exhibit troublesome behavior that is invisible to IT. Examples include conflict with supervisors, misreporting of expenses, or a disagreement with the company over the ownership of IP, Shaw said.

Still, Shaw and Stock note in their report that being disgruntled does not always translate into theft.

“We do not yet have controlled research on observable differences between employees with intentions versus volition and action,” they wrote. “However, employees who go on to commit IP theft appear to display a propensity for action through concerning behaviors in the work environment…concerning behaviors include violations of policy or practice, manifestations of disgruntlement or signs of theft preparation that are potentially visible to others in the work environment.”

Dawn Cappelli is technical manager of CERT’s Insider Threat Center program and Vulnerability Management team at Carnegie Mellon University, and no stranger to the topic of insider threats. According to Cappelli, most malicious insiders set up their attack before termination and carry it out after leaving, typically within 30 days of resignation. This is particularly true for those after IP, she said, while those who steal personally identifiable information or credit card data tend to steal small amounts and try to lay low.

“They do not want to get caught – they want to lie low so they can continue to carry out their crime over a long period of time,” she said.

Strong pre-employment screening – such as criminal background checks and the contacting of references – and training for employees about an organization’s security policies are also important, Stock and Shaw wrote in their report.

Even though many IP thieves steal data they already have access to, there remains a role for technology to play in all this as well. According to Tim Matthews, senior director of product marketing at Symantec, data loss prevention (DLP) technology can help when it comes to pinpointing malicious behavior.

“One thing we’ve noticed on the technology side is that people think data loss prevention technology only spots individual pieces of sensitive data, but what they don’t understand is that DLP can also identify behaviors that differ from an individual user’s norm such as a dramatic increase in the frequency of copying or downloading data,” he said. “This can serve as an indicator of a potential insider issue, but it needs to be evaluated in context with other concerning behaviors and personal predispositions that IT can’t spot.”
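As an added example (not code from the article, from Symantec, or from any DLP product), the following sketches the two signals discussed above in one place: a per-user baseline check that flags a sharp jump in copy activity relative to that user’s own norm, enriched with an HR departure feed so the finding can be read in the 30-day pre/post-resignation context Cappelli describes. The DLP counts, user names and dates are constructed sample data; the 3-sigma threshold and 5-day minimum history are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample DLP events: (user, day, files copied to removable media).
# "alice" has a quiet baseline and then a burst; "bob" is a busy but steady user.
DLP_EVENTS = [
    ("alice", date(2012, 3, d), n)
    for d, n in [(1, 4), (2, 6), (3, 5), (4, 3), (5, 7), (6, 5), (7, 180)]
] + [
    ("bob", date(2012, 3, d), n)
    for d, n in [(1, 40), (2, 55), (3, 38), (4, 60), (5, 45), (6, 50), (7, 58)]
]
# Constructed HR feed: employee -> accepted resignation / scheduled exit date.
HR_DEPARTURES = {"alice": date(2012, 3, 20)}


def per_user_daily(events):
    """Aggregate copy counts per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, n in events:
        totals[user][day] += n
    return totals


def z_score(history, current):
    """Standard deviations that `current` sits above the user's own history."""
    mu = mean(history)
    sigma = pstdev(history) or 1.0  # flat baseline: avoid division by zero
    return (current - mu) / sigma


def assess(events, hr_departures, z_threshold=3.0, exit_window_days=30, min_days=5):
    """Flag each user's latest day if it deviates sharply from that user's norm,
    and note whether HR knows of an exit within the assumed 30-day window."""
    findings = []
    for user, by_day in per_user_daily(events).items():
        days = sorted(by_day)
        history = [by_day[d] for d in days[:-1]]
        latest, current = days[-1], by_day[days[-1]]
        if len(history) < min_days:
            continue  # too little history for a personal baseline
        z = z_score(history, current)
        if z < z_threshold:
            continue
        exit_day = hr_departures.get(user)
        near_exit = exit_day is not None and 0 <= (exit_day - latest).days <= exit_window_days
        findings.append({"user": user, "day": latest, "copies": current,
                         "z": round(z, 1), "exit_within_window": near_exit})
    return findings
```

Note that bob's 58 copies would trip a fixed global threshold that alice's ordinary days never approach, which is exactly why the comparison is against each user's own baseline rather than a fleet-wide number.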
