Insider risks are threats that already have access to an organization’s sensitive information. They are people who have physical access to the organization’s buildings and credentials to sign on to the network. But maybe more importantly, they’re familiar with the organization’s processes, they speak the company lingo, and they know where the important assets reside. Whether their intentions are self-serving or the harm is accidental, organizations need to better adapt to the risks that insiders pose—because the problem has been on an upward trend for some time.
The two flavors of insider threats
There are two types of risky insiders. Some are malicious while others are non-malicious. Non-malicious insiders are the average employee, contractor, or vendor who has good intentions, but something goes wrong. For example, an analyst at one of my former companies would copy customer data onto a USB drive so they could take it home and work on it. They weren’t trying to cause a data breach, but even without malice, this could have had devastating impacts—since it was very confidential data taken outside the company on an unsecured device.
A malicious insider, however, intends to harm or exploit the organization. A different company I once worked for hired someone who was tied to organized crime. They were brought on board as a credit analyst—but what they were really there for was to change credit records. This person started the job with the explicit intention of committing fraud from day one.
Hybrid work creates opportunities for risky business
While hybrid work has improved productivity for many companies, it comes at a cost. According to a recent Verizon report, 79% of organizations agree that changes to their work practices have adversely affected their cybersecurity. Hybrid work also affects the mental health of workers—many are struggling to unplug during off-hours, which leads to burnout. As a result, some employees have become more careless and more disgruntled.
The Great Resignation has become another factor. People are changing jobs with greater frequency. When people leave a company, it’s natural for them to pack up the tools they consider to be theirs, usually with innocent intent. For salespeople, that often means making a copy of their contact lists. Or someone in IT might want to take code they’ve written. But unless it’s explicitly agreed to in advance, this kind of material typically belongs to the company—and any duplication represents a data breach. Organizations saw 20% of users upload more data than usual to personal apps and instances during their final days of employment, allowing them to maintain access to the data even after they leave the organization.