Insider threat is a malicious threat to a company that stems from people who have legitimate access to company assets, such as current and former employees, contractors and partners, and who cause harm to the business, either intentionally or unintentionally. It can involve theft of information, fraudulent transactions, or sabotage of systems. The consequences for a company can be devastating, as it often leads to both reputational damage and regulatory fines. Digital Forensics plays a key role in identifying who was involved in an insider threat matter, and how it occurred. Through analysis of digital devices and data, as well as the user’s digital footprint, a Digital Forensic investigator can establish the root cause, subsequent events and their consequences.
According to the Ponemon Institute’s 2020 Cost of Insider Threats study, between 2018 and 2020 insider threats increased by 47% and the cost to companies rose by 31%. It was also found that if an insider threat took more than 90 days to contain, as opposed to under 30 days, there was a 92.6% increase in annual costs to companies. Such statistics demonstrate how insider threat is becoming the biggest threat to companies, and how there is an increasing need for businesses to become more aware of what it involves, and how to appropriately manage it.
Who is Involved?
The three types of person who commit insider threat are:
What Data is Taken?
The perpetrator’s motives and intentions normally determine what data they take from their company. However, there are common themes when it comes to insider threat, and the most common types of data to be taken are:
Where Does it Occur?
Insider threat is not something which can only occur whilst the perpetrator is on the company’s premises; it can also occur remotely, such as at the perpetrator’s home.
When Does it Occur?
There is no set time frame for when insider threat can occur, with various instances taking place inside and outside of office hours, including weekends.
How Does it Occur?
Similar to why insider threats occur, there are many ways in which they occur, such as one or more of the following:
There are various consequences of insider threat with each of them having their own severity of impact. In some cases, companies have failed to recover from the aftermath of an insider threat and subsequently ceased to exist. However, more commonly, the following consequences will occur:
There are a few measures which can be put in place by a company to prepare, prevent or manage insider threat, such as:
About the Author
Callum Hogan is a Digital Forensic Investigator at Hawkins. He is a Professional Member of the British Computer Society and a member of the UK Register of Expert Witnesses. He holds a Bachelor of Science (Hons) degree in Forensic Computing and multiple accreditations for Digital Forensic tools. This means he can acquire, analyse, identify, and report on electronically stored information (ESI) from various digital devices such as servers, desktop computers, laptops, tablets, mobile phones, CCTV units, Sat Navs and USB storage devices. Callum’s extensive knowledge and experience have seen him instructed on several high-profile criminal and civil litigations, investigations and matters.