Jul 5, 2016 by Gaby Friedlander

There is a lot to keep in mind when protecting your business from insider threats. Between trying to understand what to look for and whom to watch, staying on top of security threats requires a smart approach. To help on that end, here are five key considerations to further understand insider threats:

Consideration #1: Every Business Function is a Potential Source of Risk

It’s easy to assume that vital financial and legal documents are the only things at risk from insider threats. But in reality, everything is at risk. Every business function can be manipulated from the inside. You may think important data is safeguarded, but a breach from an area that’s not protected can serve as a red-carpeted gateway into what you’re trying to protect.

Customer support, perhaps surprisingly, is the area of biggest risk, according to a Ponemon Institute survey. Out of the many business functions – including finance, legal, sales force operations – respondents believed customer support was their greatest area of concern. Think about it: For customer support employees to successfully assist customers, they need access to a lot of company data, some of it sensitive. With a treasure trove of data at their fingertips, it probably shouldn’t be a surprise that low-level employees, particularly those working in customer support, often are behind the theft of data. Many companies outsource customer service, but they may not be fully aware of how those employees are vetted and whether or not they can be trusted. Information may also be at risk during data transfers to a third-party customer support agency, increasing the chance that hackers could get their hands on your data.

It’s also worth considering that some insiders could care less about financial gain. Rather, they’re motivated to seek revenge against employers, or they simply want to disrupt or destroy company systems. Others want to steal or destroy data to gain a competitive advantage or harm a company’s reputation. As a result, they’re satisfied with accessing files and programs that aren’t monitored as regularly or carefully as ones that are deemed vital.

Consideration #2: Applications Improve Work but Also Pose Risk

Cloud applications have greatly strengthened the ability to do work on- or off-site. Employees can share files amongst themselves and clients, communicate almost effortlessly, and perform a slew of tasks that previously were limited to costly, on-site programs. With cloud apps, your business can work from anywhere, at any time, and with anyone.

But cloud apps also present an enormous security gap that on premise programs didn’t have: They can’t easily be monitored for insider threats.

Today, tracking activities on the many apps that employees use daily is far more difficult and resource intensive. Significant staff time is needed to correlate and review access and usage logs, but that’s only if those records are even available. Apps track user actions differently, and some applications don’t produce logs at all.

Companies are understandably worried about this lack of oversight. A recent Ponemon Institute survey found that 71 percent of more than 600 IT and security practitioners saw deficiencies in their monitoring of application usage, but only eight percent of them had turned to commercial auditing and monitoring solutions to keep track of employees.

The Ponemon Institute survey also uncovered the applications that were the top sources of risk for insider threat:

  • Ecommerce: While an ecommerce app undoubtedly makes transactions with customers easier, it’s not only a target for outside attacks but perhaps more so for employees and privileged users who have almost unfettered access to account information. An ecommerce app is a direct pipeline to customers’ personal identifiable information (PII) and financial account details.
  • Financial: Some finance apps centralize business actions, allowing many of your employees to have access to data they probably shouldn’t. Most employees typically need only small chunks of data to do their jobs rather than having authorized access to view large amounts. These apps also open the door to administrative misdeeds, as accounts can be modified or deleted. Not to mention, an administrator can create a new account and use it to steal information.
  • CRM: Many businesses favor using CRM solutions to centralize massive amounts of customer information. A CRM app makes serving customers easier than having employees rely on various siloed systems. But centralization means the data is accessible to all levels of employees and third parties and prone to risk. The Ponemon Institute survey indicated that a sizeable share of IT professionals worry about a CRM system’s lack of proper access and governance.

Those are just three types of apps that call for monitoring inside threats. Your business undoubtedly relies on many others that increase productivity but may also have weak spots. It’s wise to also monitor applications geared for workforce productivity and management, enterprise resource management, the call center, customer relationship management and human resources.

Consideration #3: It’s Not the Breach; it’s the Time to Discovery

While a breach can damage a company’s reputation and bottom line, the time it takes to discover a breach can be just as harmful. Time is of the utmost importance when it comes to data breaches. The time it takes to discover a breach could be the difference between a minor incident and a major theft. As long as malicious insiders can stay hidden, they have the opportunity to carry out long-range plans that cause damage and cost money.

Companies typically have difficulty tracking insider activity during off-hours. The ability to work in the cloud has empowered employees to get tasks done from home and on the road, but the flip side is that off-premise apps can bypass your company’s firewall and thus expose data. Twenty-eight percent of IT professionals surveyed by the Ponemon Institute said employees working afterhours in the office or working remotely were two of the most difficult environments in which to monitor computer use.

Ponemon Institute also released a discernable measurement of cost for undetected data breaches. Malicious attacks cost $170 to resolve per record, and they take an average of 256 days to identify. On the other hand, human error or negligence costs $137 per record and an average of 158 days to identify.

Consideration #4: All Monitoring Methods Are Not Created Equal

Auditing user logs is time intensive for many reasons, but even with proper attention paid, these records still won’t provide enough detail to determine an employee’s actions.

A log of an employee’s use of a financial app, for example, may bring you to a dead end if the user, particularly a privileged user who has full access, covered his tracks and deleted steps. Also, logs typically contain thousands of discrete events in obscure, hard-to-digest technical language. Companies relying on logs from apps and devices often can’t crack this language and just about find it impossible to learn what users are doing.

But major advancements continue to be made in data security technology. Companies now have a wide array of tools to help defend data by providing insight into how it’s accessed, including activity monitoring solutions that let you see, in the moment, when and how insiders are genuine threats. A monitoring solution can use contextual information to give a fuller picture of how insiders access company data. By monitoring what employees and third-party users do on their computers, you can view in real time or later what they accessed, when they did, and whether they manipulated or used programs and data in an unauthorized manner.

Consideration #5: What to Look for, Who to Look at, and How to Monitor Insider Threats

As noted earlier, not everyone has bad intentions. Not all insiders seek to steal or destroy data, but many do unwittingly perform unauthorized actions that open the door to potential theft and damage by malicious outsiders. That’s why consistently reminding your employees and third-party users about computer protocol and establishing clear and understandable guidelines will go a long way toward curbing negligent behavior. Still, it’s easy to forget the rules, especially as employees and other insiders fly through their workdays and don’t always follow procedure.

Here are some insider activities to monitor to get a bead on potential threats:

  • As with any other cloud app, public file-sharing services don’t give IT departments insight into what files an employee is storing and who else has access to sensitive information.
  • Network security approaches typically provide users with broad access to network resources. A user may have credentials to a few systems, but has visibility to entire network segments. Hackers can exploit that visibility to gain access to unauthorized resources.
  • Shadow IT systems can spark innovation and progress, but they also pose a great risk because they are unauthorized and not under a company’s control. Legacy security management systems are of no use.
  • Thumb drives are quick and easy to use, but employees can just as quickly and easily overlook that they can be Trojan horses for malware.
  • Emailing sensitive and confidential information seems like an easy one to prevent, but insiders often forget they shouldn’t do it, or they willfully overlook this expectation.
  • Insiders can view, copy or print data from private folders and applications.


If your company still relies on system logs that list thousands of events in obscure language, you’ll never have the visibility necessary to properly monitor insiders and put your organization in the best position to minimize data theft. A user activity monitoring solution, however, makes sense of all those actions and presents insider usage in clear, in-the-moment snapshots. It will detect and alert you to insider risks that are becoming insider threats.

A monitoring solution scrapes all activity and indexes the textual information on the screen, so you’ll know what’s happening in all applications, even in ones that do not generate logs. You’ll have a clear view, literally, of all user actions across your entire enterprise including web apps, legacy applications, and custom or homegrown applications.

For signs of heightened insider threat you can establish alerts and generate reports to detect abnormal behavior with how users are interacting with important data as well as have a visual playback of exactly what each user did. This provides the early warning system needed to reduce risk and strengthen your security.