Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:30 AM
Bob Hansmann
Bob Hansmann

7 Profiles Of Highly Risky Insiders

To understand who these insiders are and why they pose a risk, start by looking at the root of the problem.

There are plenty of articles with scary numbers about the size and scope of the Insider Threat. This isn’t one of them – you already know it’s a huge concern and that few organizations maintain a reasonable level of control over it. So where do you get started? By looking at the root of the problem to understand who these insiders are, and why they pose a risk.

You may be tempted to match these insiders to specific jobs or roles. But it’s best to resist such an impulse, because insider traits emerge throughout an organization, regardless of a threat’s position. To lend clarity, here are seven profiles of common high-risk insiders.

Convenience Seekers like to ignore protocol. The "official" way to do things is too long, difficult, or complicated. Or they may prefer their own methods, such as opting for their preferred file-sharing service instead of a corporate one. They’ll also frequently use personal email to get around performance or attachment size limitations.

Accidental Victims make mistakes, perhaps because of a lack of training (or learning) of proper processes and systems. Accidental Victims will hit the wrong button, send a document to the wrong "Bob" or otherwise make an honest mistake. Most likely, our Accidental Victims are tired, stressed or distracted when they do these things. They’re especially vulnerable because external threats often "create" fear and panic as part of a phishing scheme or phone scam, so their targets won’t realize that they’re being set up.

Know-It-Alls want to "contribute," "show value," and be visible whenever possible. Unfortunately, they may over-share information in an email response. They might respond to a request when someone more qualified should. Or they could initiate communications about topics with less than the required tact or subtlety. They’ll post on social media before they think about sensitive topics such as unannounced quarterly results. Some Know-It-Alls will intentionally seek to steal or manipulate sensitive information for fun, out of curiosity – or to prove they can.

Untouchables do not believe that any of the "scary stories" could happen to them. They’ve earned privileged access, and they’re copping a cavalier attitude about it. IT personnel may constantly take advantage of their super-user credentials out of convenience, for example, only to cause malware infection of a mission-critical server when they open a highly targeted phishing email. Auditors, financial execs, developers, and others with privileges could retain too much information locally, then lose their laptop, or leave it out in the open for a thief to swipe.

Entitled Ones are convinced that they have a right to certain types of data, or to do things their own way. They ignore process or policy. They’ve concluded that they "own" data, including customer lists, source codes, scientific research, and process documentation/templates. And while we normally associate the C-suite with those who do not feel the rules apply to them, anyone can develop this attitude at any level of the company.

Traitors are malicious employees. Sometimes, they’re hatching a plot at the time of being hired. More often, however, they harbor good intentions on the first day of work, but lose their moral compass after falling into debt or growing disgruntled over a lack of upward mobility and/or a salary increase. Or they internalize destructive discontent due to differences with colleagues, bosses, or the organization itself.

Secret Insiders aren’t supposed to be inside at all. But that’s where they are, having effectively executed the first stage of an external attack: gaining a foothold inside the network. (While we’ve focused on "defenses" against such attacks for the last few decades, the reality is that a breach will be successful at some point.) At this stage, Secret Insiders have network access, and security requires that measures be in place to "detect" such a breach. But, unlike the six aforementioned high risk profiles, they are professional hackers. They’re motivated, knowledgeable – and now command all of the access and privileges of an insider.

For better or worse, security options have evolved from early login IDs/passwords, firewalls, and desktop anti-virus (AV) products to dozens of solutions that work in concert to protect the network, users, and data. An Insider Threat program will implement many of these, such as access controls and data loss prevention (DLP) tools, along with well-defined (and enforced) processes and newer technologies, like User Behavior Analytics (UBA).  

Bottom line: user education is not new. But it is frequently overlooked as a potential solution due to mindsets developed when most of us didn’t know how to change the clocks on our VCRs, and never bothered to learn. (Congratulations if you did not need to Google "VCR" to understand that sentence). Yet, today’s employees were raised with Nintendo, the Internet, and smartphones. They take pride in knowing about the latest apps, and every feature of their mobile devices. This means organizations can appeal to this generation’s "tech pride," educating them about how recommended "professional habits" can elevate them to positions of trust.

In other words, users are more capable of recognizing risks – and the value of preventative measures and processes – if we simply involve them. 

Related Content:


Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Bob Hansmann is director of security technologies at Forcepoint. Over his more than 30 year security career, Mr. Hansmann has been responsible for monitoring the trends and directions of malware and the security industry as well as the utility and risks of emerging ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
4/11/2016 | 3:05:34 PM
Well, that about covers it.
So, pretty much everyone then, yes?  ;)
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.