Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Mark Wojtasiak
Mark Wojtasiak
Connect Directly
E-Mail vvv

Over-Sharer or Troublemaker? How to Identify Insider-Risk Personas

It's past time to begin charting insider risk indicators that identify risky behavior and stop it in its tracks.

You've heard that Twitter was hacked. And the CIA. And that a malicious Desjardins employee caused the largest ever data breach in the Canadian financial services sector. And how about the automobile insurance company that inadvertently gave up the driver license information for 27 million policyholders in Texas?

The thing these high-profile breaches have in common is that they were all undertaken by insiders. Whether committed on purpose for financial gain or as a a result of human error, insider risk took a hit on these powerful organizations' revenue and reputations.

Related Content:

US State Dept. Shares Insider Tips to Fight Insider Threats

How Data Breaches Affect the Enterprise

Loyal Employee...or Cybercriminal Accomplice?

Despite the growing risk, data security events caused by insiders are not being taken seriously. New research in the Code42 Data Exposure Report notes that more than half (54%) of IT security leaders spend less than 20% of their budget on insider risk, and 66% of IT security leaders say their budget for insider risk is insufficient. This is a major problem for organizations around the world as users, applications, and data continue to move outside the hardened data center and corporate perimeter as part of digital transformation policies. And, unfortunately, it's going to get worse before it gets better. In their most recent predictions, Forrester says that insider incidents will be the cause of 33% of data breaches in 2021, up from 25% in 2020.

Learn to Recognize the Personas that Pose the Greatest Insider Risk
Organizations need to lock down insider risk to data without inhibiting the user experience or creating roadblocks. This requires building a culture of trust where employees are given the benefit of the doubt and trusted to act professionally with the best interests of the organization in mind. Then, instead of monitoring every activity by every user, organizations should look at insider risk indicators (IRIs) to identify risky behavior and create actionable information to stop it in its tracks.

Here are three personas that you need to watch out for when determining insider risk across your organization:

The Over-Sharer
We all have some of these in our lives — the people from the office who are always quick to email a document to a wide distribution. Or they upload a file to a cloud service, or post sensitive information in an unauthorized application. They think they're helping by giving people quick access to valuable information, and they aren't afraid to cut corners to get the job done. Behind the scenes, you just know they are saving files to their personal devices and cloud accounts with little consideration for privacy and security protocols. These people are not malicious, just victims of poor judgment or human error. But their actions result in the same vulnerabilities from malicious actors that keep security professionals up at night.

The Guy with One Foot Out the Door
Their exact motivations could vary, but make no mistake; people who have made the decision to leave the company and take critical information with them are only looking out for themselves. This could be projects they've worked on that they'd like to save in their portfolio. A database of customers they could win over to a competitor. Or just a report with a great format that they'd like to duplicate in their new job. Regardless, the information they take with them can negatively impact your organization's ability to do business, compete fairly against competitors, and protect customer privacy. When you read about court cases involving IP theft, you can often link them to the guy with one foot out the door. 

The Troublemaker
While rare, this is among the most disruptive in the bunch. There are a few varieties of troublemakers, including a mole or insider for hire. Troublemakers are likely out to make a buck by selling corporate information. They may be engaging in some corporate espionage. Maybe they have political motivations to be disruptive or engage in sabotage. We most often see this kind of troublemaker in sectors with lucrative R&D programs – think tech, telecom, biotech or big pharma. The US government's case against Huawei is a prime example from the telecom space.

Infrequently, tech-savvy individuals, who often don't intend to do harm, want to find out how things work and may conduct their own unsponsored "security testing." Whether out of curiosity, boredom, or arrogance, they take it upon themselves to see if security controls actually work, which is likely at odds with acceptable use policies, can erroneously be seen as an attempt to test monitoring capabilities for a later exfiltration, and is a distraction for security teams. While we don’t want to dampen a curious spirit, this may not be the best outlet for their tinkering because the end result creates insider risk nonetheless.

You Don't Have to Compromise
Insider risk management doesn't have to come at the expense of productivity, innovation or collaboration. Identifying abnormal behavior and top IRIs is key to protecting the organization from both malicious and unintentional harm without disrupting operations. From the Over-Sharer to the Troublemaker, it's important that you know the personas that are putting your data and your organization at risk. 


Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore, vice president of portfolio marketing for Code42, and frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1's API fail to filter POST request parameters. Remote attackers can inject SQL syntax and execute commands without privilege.
PUBLISHED: 2021-01-22
Hyweb HyCMS-J1 backend editing function does not filter special characters. Users after log-in can inject JavaScript syntax to perform a stored XSS (Stored Cross-site scripting) attack.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...