Mark Wojtasiak
Over-Sharer or Troublemaker? How to Identify Insider-Risk Personas

It's past time to begin charting insider risk indicators that identify risky behavior and stop it in its tracks.

You've heard that Twitter was hacked. And the CIA. And that a malicious Desjardins employee caused the largest ever data breach in the Canadian financial services sector. And how about the automobile insurance company that inadvertently gave up the driver license information for 27 million policyholders in Texas?

What these high-profile breaches have in common is that they were all carried out by insiders. Whether committed deliberately for financial gain or as a result of human error, insider risk dealt a blow to these powerful organizations' revenue and reputations.

Despite the growing risk, data security events caused by insiders are not being taken seriously. New research in the Code42 Data Exposure Report notes that more than half (54%) of IT security leaders spend less than 20% of their budget on insider risk, and 66% of IT security leaders say their budget for insider risk is insufficient. This is a major problem for organizations around the world as users, applications, and data continue to move outside the hardened data center and corporate perimeter as part of digital transformation policies. And, unfortunately, it's going to get worse before it gets better. In their most recent predictions, Forrester says that insider incidents will be the cause of 33% of data breaches in 2021, up from 25% in 2020.

Learn to Recognize the Personas that Pose the Greatest Insider Risk
Organizations need to lock down insider risk to data without inhibiting the user experience or creating roadblocks. This requires building a culture of trust where employees are given the benefit of the doubt and trusted to act professionally with the best interests of the organization in mind. Then, instead of monitoring every activity by every user, organizations should look at insider risk indicators (IRIs) to identify risky behavior and create actionable information to stop it in its tracks.

Here are three personas that you need to watch out for when determining insider risk across your organization:

The Over-Sharer
We all have some of these in our lives — the people from the office who are always quick to email a document to a wide distribution. Or they upload a file to a cloud service, or post sensitive information in an unauthorized application. They think they're helping by giving people quick access to valuable information, and they aren't afraid to cut corners to get the job done. Behind the scenes, you just know they are saving files to their personal devices and cloud accounts with little consideration for privacy and security protocols. These people are not malicious, just victims of poor judgment or human error. But their actions result in the same vulnerabilities from malicious actors that keep security professionals up at night.

The Guy with One Foot Out the Door
Their exact motivations may vary, but make no mistake: people who have decided to leave the company and take critical information with them are only looking out for themselves. It could be projects they've worked on that they'd like to keep in their portfolio, a database of customers they could win over to a competitor, or just a report with a great format that they'd like to reuse in their new job. Regardless, the information they take with them can undermine your organization's ability to do business, compete fairly, and protect customer privacy. When you read about court cases involving IP theft, you can often trace them back to the guy with one foot out the door.

The Troublemaker
While rare, this is among the most disruptive in the bunch. There are a few varieties of troublemakers, including a mole or insider for hire. Troublemakers are likely out to make a buck by selling corporate information. They may be engaging in some corporate espionage. Maybe they have political motivations to be disruptive or engage in sabotage. We most often see this kind of troublemaker in sectors with lucrative R&D programs – think tech, telecom, biotech or big pharma. The US government's case against Huawei is a prime example from the telecom space.

Less often, tech-savvy individuals who don't intend to do harm want to find out how things work and conduct their own unsponsored "security testing." Whether out of curiosity, boredom, or arrogance, they take it upon themselves to see whether security controls actually work. That activity is likely at odds with acceptable use policies, can be mistaken for an attempt to probe monitoring capabilities ahead of a later exfiltration, and is a distraction for security teams. While we don't want to dampen a curious spirit, this is not the right outlet for their tinkering, because the end result creates insider risk nonetheless.

You Don't Have to Compromise
Insider risk management doesn't have to come at the expense of productivity, innovation or collaboration. Identifying abnormal behavior and top IRIs is key to protecting the organization from both malicious and unintentional harm without disrupting operations. From the Over-Sharer to the Troublemaker, it's important that you know the personas that are putting your data and your organization at risk. 


Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore, vice president of portfolio marketing for Code42, and frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive ...
