What Is a Trusted Insider Threat?
A trusted insider threat comes from within the organisation and can involve malicious or unintentional behaviour. This article explains the two main types of trusted insiders, why they are difficult to detect, the motivations that drive them and the practical risk factors organisations should consider.
For companies and other organisations, sometimes the greatest threat comes from within. Anyone who understands the inner workings of a certain corporate entity or government organisation can feasibly cause harm. Malicious insiders are those who have privileged access to information, technology or assets, and who deliberately exploit their access in ways that compromise commercial or national interests. Insider threat actors can include current employees, former employees, contractors, service providers or someone working for a business partner.
Essentially, trusted insiders are categorised into two distinct types:
- Malicious: either self-motivated, meaning individuals whose actions are undertaken of their own volition, or recruited, meaning individuals co-opted by a third party to specifically exploit their potential, current or former privileged access.
- Unintentional: trusted employees or contractors who inadvertently expose privileged information, assets or premises, or make them vulnerable to loss or exploitation.
The Federal Government's handbook "Managing the insider threat to your business" defines the malicious trusted insider threat as the threat posed by unauthorised access, use or disclosure of privileged information, techniques, technology, assets or premises by an individual with legitimate or indirect access, which may cause harm. The motivations of a malicious trusted insider vary. The Deputy Director-General of ASIO explained this at a conference in 2015, referring to individuals who betray the trust of their employer for motivations such as disgruntlement, revenge, ego, a sense of misguided greater good or loyalties, or financial gain.
Key takeaways
- Trusted insider threats come from people with legitimate or indirect access.
- They can be malicious or unintentional.
- Insider threats are often harder to detect than outside attacks.
- Motivation can include grievance, ideology, financial gain or loyalty to another party.
- Security awareness and correct protocols reduce the risk of accidental exposure.
Why Are Insider Threats Difficult to Detect?
Malicious insider threats are often more difficult to identify and block than outside attacks. For instance, a former employee using an authorised login won't raise the same security flags as an outside attempt to gain access to a company's information security network. For this reason, insider threats are not always detected before access is granted or damage is done. Opportunism, compounded by circumstance, may turn an otherwise trustworthy person into someone who deliberately seeks to steal from or harm an organisation and/or its assets.
Of note is that trusted insider threats often begin with an individual or entity being given authorised access to sensitive data or areas of a company's network. This access is granted in order to enable the individual to perform specific job duties or facilitate a contractual obligation. When an individual makes the decision to use this access in ways other than intended, abusing privileges with malicious intent towards the entity, that individual becomes an insider threat.
As detailed previously, trusted insiders can also pose an unintentional threat, such as assisting someone to access physical facilities or information systems without realising that what they are passing on may hold significant value and may be used for malicious purposes. This often happens when employees lack security awareness or fail to follow correct security protocols. Trusted insiders present a threat whether acting independently with a specific agenda and intent or acting by assisting external parties; they are not necessarily predisposed to undertakings that go against the policies of an organisation.
Australia is not immune from the current, enduring and emerging threat of trusted insider attacks. Ideology can motivate insider threats. Current employees can also become malicious as a result of some real or perceived grievance, or after being recruited by an external threat actor, such as an issue-motivated group or organised crime seeking to gain sensitive information. Such insiders could also become opposed to some aspect of their employment, or they could intentionally join an organisation with the aim of harming it. Reputational damage is a serious risk when sensitive and private information is unlawfully distributed to unauthorised parties.
The same holds true for financially motivated insiders, who are far more common than those driven by ideology. There have been many cases of employees trying to sell proprietary information for personal gain or giving that information to a competitor in exchange for a job. Organised crime networks and other nefarious threat actors could benefit greatly by having inside sources embedded long-term within a targeted entity. Australian Security Agencies recently informed a parliamentary inquiry that the organisation requires sweeping new national security laws, as the threat posed by foreign espionage is worse than during the Cold War, adding that there was a pervasive threat of foreign actors seeking to influence Australian society. Such is the risk.
Finally, returning to work full-time as opposed to working from home may also increase anxiety or disgruntled behaviour, potentially exacerbating trusted insider activity. During an easing-of-lockdown phase, workforce disaffection could be caused by staff feeling disgruntled by enforced changes to their working arrangements, feeling unsupported by an employer after working remotely for a long period with poor communications relating to their role, feeling uncertain about their health and safety as they return to work, or even fearing future job insecurity. Disaffection can make people feel that the psychological contract between the individual and the organisation is damaged, and can start them on a pathway towards harm.
FAQ
What is a trusted insider threat?
It is a threat that comes from within the organisation. The person may have legitimate or indirect access to information, systems, assets or premises and can cause harm either deliberately or by careless exposure.
Why are insider threats hard to detect?
Because the person often already has authorised access. A former employee or trusted contractor may not trigger the same security flags as an outside attacker, so damage can happen before it is noticed.
What helps reduce the risk?
Security awareness, correct protocols, clear limits on access and strong internal controls all help. Organisations also need to understand the motivations and behaviours that can turn legitimate access into a risk.