Articles & Thought Leadership

5 Insider Threat Indicators and How to Mitigate the Risk


Lauryn Cash

Which insider threat indicators can help you predict cyber attacks? Check out our guide to five indicators—and how to mitigate them to protect your data.

Whether you manage a small company or a massive corporation, you’ll likely encounter email communications being used as an avenue for malicious (or even unintentional) activities throughout the life of your business. Unfortunately, people inside your organization can also become cybersecurity risks, so it’s crucial to watch out for insider threat indicators that could foretell potential incidents.

What should you look for to prevent threats from within your organization? This guide will break down the basics of internal threats—who “insiders” are, the types of threats they can present, and some common motivators for malicious activity. Additionally, we’ll explore five indicators to monitor and mitigate risk.

What Is an Insider Threat?

Before we dive into the specifics of insider threat indicators, let’s break down the concept of an insider threat. Learning more about these risks is the first step in making a defense plan.

Who Are Insiders?

An insider is an individual who either:

  • Has authorized access to company resources
  • Has intimate knowledge or privileged information about company resources

Some insiders have both, while others have only one. But what counts as a company resource? Insiders could have access to, or information about, your business’s:

  • Physical facilities
  • Employees
  • Data and information
  • Computer systems and IT networks (including both hardware and software)
  • Equipment and infrastructure

Let’s explore two examples of insiders, one of which may surprise you:

  1. A mid-tier, in-house accounting employee with legitimate access to:
    • Bank statements and account numbers
    • Online banking login information
    • Bookkeeping software
    • Financial records
    • Balances, sales records, and other critical data
  2. A subcontracted representative from your uniform supplier, who:
    • Has a key to your warehouse to collect and replace dirty uniforms each week
    • Knows when staff are generally on- or off-site at your physical facility
    • Recognizes your in-house employees’ faces or knows their names

While the first example might seem like an obvious insider, the second one may not. But the subcontracted representative from your uniform supplier has both:

  1. Access to your physical facilities (a key to pick up and drop off uniforms after hours)
  2. Information about those facilities and the employees who work there

When an insider with privileged access poses a risk to your business (intentionally or otherwise), the resulting activity is considered an insider threat.

What Are the Types of Insider Threats?

Numerous types of business contacts can be considered insiders, creating a variety of threats:

  • Unintentional threats, caused by negligence or accident, can expose your organization to risk even when the insider did not act maliciously.
  • Intentional threats are purposeful and may be motivated by many different factors.
  • Collusive threats occur when one or more insiders work with an external actor to threaten an organization.
  • Third-party threats are typically created by vendors or other individuals outside the organization.

For instance, the uniform company representative described in the previous section could cause a third-party threat.

Third-party threats include:

  • Direct threats, when third-party actors are responsible for exposing a business to risk (intentionally or otherwise)
  • Indirect threats, when systemic flaws or shortcomings expose a business to threat actors

What Are Some Common Motivators for Insider Actors?

Why would an insider expose a company to risks? Motivators for purposeful insider threats can generally be grouped into two categories:

  1. Potential personal or group benefit for the actors
  2. Revenge for a grievance held by an individual insider or a group

What could these look like in practice?

  • An individual poses as a trusted vendor via email and requests that funds be sent to a new account via wire transfer (leading to a Vendor Email Compromise attack).
  • An employee with access to protected health information (PHI) leaks it to a third party who pays the employee for exposing the sensitive data.
  • A former employee feels they were wrongfully terminated and takes advantage of their access to sensitive or confidential data, putting the company at risk.

Insiders can also unintentionally expose a company to risks. Examples of accidental exposure include:

  • Emails sent to the wrong address (sending confidential client information to Ben in Marketing instead of Ben in Finance)
  • Sharing PHI details without malicious intent (for example, unintentionally including confidential patient details in a reply-all email that cc’s third parties)

Malicious insider threats happen for a variety of reasons. In the following section, we’ll discuss warning signs that could indicate brewing intentions to expose your organization to risk.

5 Insider Threat Indicators to Watch For

Now that you’re more familiar with what an insider threat might look like, let’s explore five potential threat indicators.

1. Personal Indicators

Personal indicators describe personality factors or stressors that impact an insider—whether they’re work-related or personal circumstances.

  • An employee having trouble at home might be too preoccupied to perform their typical security measures, skipping a crucial step that leads to risk exposure.
  • A third-party subcontractor with a key to your warehouse (like the uniform vendor described above) might run late for a personal appointment and forget to lock up after they’re done.

Note: Personal stressors or traits don’t always produce intentional threats. However, whether they forecast malicious actions or not, personal indicators must be mitigated via:

  • Manual vigilance – Check-ins with staff whose personal troubles affect the workplace
  • Written policy – Detailed SOPs (standard operating procedures) of all security protocols and operations
  • Software tools – Built-in checks and backups to prevent human error

2. Background Indicators

Background indicators describe events or circumstances impacting employees, vendors, or other insiders before an organization hires them. These background indicators could lead to insider threats once an organization grants access to sensitive information or systems.

Background indicators can be difficult to detect, and therefore to mitigate, without a complete picture of an employee’s history:

  • In a manual vigilance effort, employers could conduct more robust background and reference checks before hiring new staff with access to sensitive data.
  • A written policy cannot unearth every detail of a new hire’s background. Still, it can establish a standard procedure and a set of safeguards for other staff to report suspicious activity.
  • Email security tools should have built-in safeguards to prevent suspicious data sharing—even for users with proper access. Armorblox’s Advanced Data Loss Prevention for email analyzes thousands of signals to identify your organization’s risk exposure and protect your human layer from compromise.

3. Behavioral Indicators

Behavioral indicators are observable patterns of speech, writing, or actions that can help establish a behavioral baseline for staff. If an employee deviates from their established set of behaviors, it could be a sign of a threat.

In terms of manual vigilance, organizations should encourage company leadership to pay close attention to employee behavior and report any suspicious actions, written material, or conversations via the appropriate channels.

Written policies should:

  • Protect staff who report suspicious activity
  • Ensure fair treatment for employees who show behavioral indicator risks
  • Stipulate the investigations process for internal investigations

And while you might think that only other humans can establish behavioral baselines or identify deviations, email security tools that harness Natural Language Understanding (NLU) understand the content and context of language-based communications. Automate risk mitigation with email DLP solutions that establish behavior baselines for all employees and communications to mitigate insider risks quickly.

4. Technical Indicators

Technical indicators are anomalies in network, host, or system activity. They can only be detected by IT tools and systems that alert users to suspicious activity.

Many advanced tools still require some manual vigilance. But data loss prevention (DLP) software is arguably the most important mitigation method for detecting technical indicators. Email is still the #1 attack vector for threats, and safeguarding email communications is the first step to protecting your organization’s sensitive information. Armorblox Advanced Data Loss Prevention has out-of-the-box and custom data loss policies that automatically protect against and prevent the accidental or malicious exposure of sensitive PII, PCI, and PHI data.
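To make the behavioral-baseline idea from section 3 and the email DLP check from section 4 concrete, here is an added example (not Armorblox code) that builds a per-sender baseline from a constructed send history and then flags outbound messages that carry PHI-like content to an external or never-before-seen recipient, or that are sent outside the sender’s usual hours. The internal domain, the send history, and the two regex detectors are all assumptions constructed for the example; a real DLP policy would use far richer detectors and signals.

```python
import re
from collections import defaultdict

INTERNAL_DOMAIN = "example.com"  # assumed internal mail domain (constructed)

# Constructed send history: (sender, recipient, hour of day the mail was sent)
HISTORY = [
    ("alice@example.com", "ben.finance@example.com", 10),
    ("alice@example.com", "ben.finance@example.com", 14),
    ("alice@example.com", "payroll@bank-partner.example", 11),
]

# Constructed patterns standing in for a DLP policy's PII/PHI detectors
SENSITIVE = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),
}


def build_baseline(history):
    """Per-sender baseline: the recipients and send hours seen before."""
    baseline = defaultdict(lambda: {"recipients": set(), "hours": set()})
    for sender, recipient, hour in history:
        baseline[sender]["recipients"].add(recipient)
        baseline[sender]["hours"].add(hour)
    return dict(baseline)


def check_email(baseline, sender, recipients, hour, body):
    """Return a list of findings for one outbound message (empty = no concern)."""
    findings = []
    hits = sorted(name for name, pat in SENSITIVE.items() if pat.search(body))
    known = baseline.get(sender, {"recipients": set(), "hours": set()})
    for rcpt in recipients:
        external = rcpt.rsplit("@", 1)[-1] != INTERNAL_DOMAIN
        novel = rcpt not in known["recipients"]
        if hits and external:
            findings.append(f"{hits} sent to external recipient {rcpt}")
        elif hits and novel:  # e.g. Ben in Marketing instead of Ben in Finance
            findings.append(f"{hits} sent to first-time recipient {rcpt}")
        elif novel and external:
            findings.append(f"new external recipient {rcpt} outside baseline")
    if known["hours"] and hour not in known["hours"]:
        findings.append(f"send hour {hour} outside baseline for {sender}")
    return findings


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    # Misdirected mail: PHI to Ben in Marketing instead of Ben in Finance
    print(check_email(bl, "alice@example.com", ["ben.marketing@example.com"], 10, "Balance for MRN 123456"))
    # Late-night reply-all that cc's a third party with a patient SSN
    print(check_email(bl, "alice@example.com", ["ben.finance@example.com", "contact@thirdparty.example"], 23, "Patient SSN 123-45-6789"))
```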

5. Organizational and Environmental Indicators

Organizational practices and workplace culture elements can:

  • Influence employee behavior
  • Contribute to (or decrease) staff stressors
  • Create security vulnerabilities—opportunities for third parties to create risks

If your staff is unsatisfied with workplace culture, they could convert from trusted users to insider threat actors. Here are some ways to reduce the likelihood of negative environmental influence and associated risks:

  • Conduct regular surveys regarding workplace satisfaction and address one-on-one employee concerns when they arise.
  • Audit your written policies and implement employee suggestions for improvements to prevent dissatisfaction with operations.
  • Implement software tools with significant safeguards—both automated and manual—against suspicious activity.

Mitigate Insider Threat Risks with Armorblox Email DLP

Insider threat indicators aren’t always easy to spot, but advanced email security tools help protect your company’s sensitive information by adding a security layer that proactively mitigates threats and reduces the risk of data loss.

Armorblox is an industry-leading email security platform that uses language-based ML models and AI to stop the most sophisticated email threats. Armorblox connects in less than 5 minutes via API to your company’s email platform to stop targeted attacks and prevent data loss over email, saving security teams time, reducing false positive alerts, and preventing accidental and malicious data exposure.

Take a five-minute product tour to see how Armorblox automates risk mitigation to protect your organization from accidental or malicious exposure.