The Top 5 Insider Threat Behaviors You Need to Monitor

Have you overlooked insider threats in your organization? It’s probably time to take a hard look at this area. Believe it or not, insiders often pose a greater threat to the organization than external threat actors. Your employees, contractors, and business partners often have direct access to your systems, network, and data. These insiders work daily with highly sensitive organizational systems and can easily steal confidential and proprietary data without being detected.

Here are five of the most critical insider threat behaviors your organization should be monitoring.

Privileged Account Abuse

Insiders within your organization that have “super user” or administrative privileges can be a significant risk for your organization. These users hold the highest level of access rights and privileges within the organization, and they can access valuable information and data whenever they want. These users usually have access to company IP, financial and payroll details, HR records, and other sensitive data records.

Your organization should be monitoring all privileged users and generating alerts for privileged account abuse. Your security team should be alerted whenever a privileged user violates a security policy, mainly because privileged accounts are prime targets for external threat actors: an attacker who compromises one can leverage it to obtain deep access to all of the organization’s sensitive information.

Abnormal access to sensitive information

As with privileged account access, irregular access to confidential information is an insider threat behavior that should be monitored regularly.

If a privileged account is authorized for use, the activity and behavior of its users should be monitored consistently. Your organization might find that a privileged account is accessing data it doesn’t usually access (e.g., accessing HR system data when the user is in finance), or that the user allows unauthorized third parties to obtain sensitive information that wouldn’t otherwise be approved.

Your security team should be monitoring for these scenarios; determining what is normal versus abnormal activity requires some human intervention and analysis.
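The two sections above (privileged account abuse and abnormal access to sensitive information) describe the same monitoring idea from two angles: compare what an account does against what its role should need, and look at a privileged account’s actions rather than its access rights. The following Python is an added example, not code from the original post or from Cipher; the users, departments, systems and access log are constructed, and the static department-to-system policy, the “learn a baseline, then flag first-seen systems” approach, and the treatment of `export` as a sensitive action are assumptions for illustration.

```python
from collections import defaultdict

# Directory data and policy are constructed for this example (assumptions, not
# real organizational data). Department -> sensitive systems it is expected to use.
USER_DEPARTMENT = {"alice": "finance", "bob": "hr", "carol": "finance", "dave": "it"}
DEPARTMENT_SYSTEMS = {
    "finance": {"erp", "payroll"},
    "hr": {"hris", "payroll"},
    "it": {"erp", "payroll", "hris", "source-repo"},   # admins are "in role" everywhere
}
PRIVILEGED_USERS = {"dave"}

# Constructed access log: (timestamp, user, system, action).
ACCESS_LOG = [
    ("2024-03-04T09:12:00", "alice", "erp", "read"),
    ("2024-03-04T09:40:00", "alice", "hris", "export"),       # finance user in the HR system
    ("2024-03-04T10:05:00", "bob", "hris", "read"),
    ("2024-03-04T11:30:00", "carol", "payroll", "read"),
    ("2024-03-04T23:50:00", "dave", "hris", "export"),        # administrator bulk export
    ("2024-03-05T08:00:00", "dave", "source-repo", "read"),
    ("2024-03-06T14:20:00", "carol", "source-repo", "read"),  # first time carol touches the repo
]


def find_out_of_role_access(log, user_dept=USER_DEPARTMENT, dept_systems=DEPARTMENT_SYSTEMS):
    """Static policy check: flag accesses to systems the user's department does not list."""
    findings = []
    for ts, user, system, action in log:
        dept = user_dept.get(user, "unknown")
        if system not in dept_systems.get(dept, set()):
            findings.append({"time": ts, "user": user, "system": system, "action": action,
                             "reason": f"{dept} user not expected in {system}"})
    return findings


def build_baseline(log, cutoff):
    """Learn which systems each user touched before `cutoff`; that is their 'normal' set."""
    seen = defaultdict(set)
    for ts, user, system, _ in log:
        if ts < cutoff:
            seen[user].add(system)
    return seen


def find_first_seen_access(log, cutoff):
    """Behavioral check: flag a user touching a system absent from their own history.

    This complements the static check: it needs no role table, but an analyst still
    has to decide whether the new access is legitimate (a new project) or not.
    """
    baseline = build_baseline(log, cutoff)
    return [{"time": ts, "user": u, "system": s, "action": a, "reason": "never accessed before"}
            for ts, u, s, a in log if ts >= cutoff and s not in baseline[u]]


def find_privileged_sensitive_actions(log, privileged=PRIVILEGED_USERS, actions=("export",)):
    """Privileged users pass the role check everywhere, so watch what they do instead."""
    return [{"time": ts, "user": u, "system": s, "action": a, "reason": "privileged bulk export"}
            for ts, u, s, a in log if u in privileged and a in actions]


if __name__ == "__main__":
    for finding in (find_out_of_role_access(ACCESS_LOG)
                    + find_first_seen_access(ACCESS_LOG, cutoff="2024-03-06")
                    + find_privileged_sensitive_actions(ACCESS_LOG)):
        print(finding)
```

On the constructed log the static check flags alice (finance) in the HR system and carol in the source repository, the baseline check flags only carol’s first-ever repository access, and the privileged check surfaces dave’s off-hours export from the HR system, which the role check alone would never see because an administrator is in role everywhere.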

Unusual Login Durations & Times

Another behavior your team should be monitoring is unusual login durations and times. You might find that some insiders are logging in and out while on vacation, or that a former employee is attempting to log in to systems they formerly had access to while employed.

You might also find that an authorized third party is logging in after business hours or from a new location. This is behavior your security team would want to monitor and receive automated alerts for.

Inappropriately Sharing Passwords

Every information security professional knows that employees typically have poor password management practices. Perhaps your employees keep and share their passwords on post-it notes on their computer, or hold them in the cloud or in SaaS-based collaboration tools. Both are big mistakes! Just look at the vulnerability found with Trello boards that exposed both enterprise and personal passwords.

Sharing passwords is one of the most significant security flaws in any business. Threat actors will go to great lengths, think dumpster diving and shoulder surfing, to obtain unauthorized access to systems and data. Not to mention that younger generations are accustomed to sharing login credentials with friends or their significant other. But sharing passwords can often end up as a costly mistake.

Exfiltrating Data Via Cloud Applications

Cloud computing has no doubt revolutionized business but also comes with a responsibility to architect secure cloud environments. Insider threats in the cloud add yet another layer of complexity for the security team.

Malicious insiders often exfiltrate confidential documents and data from the company directly to personal cloud storage applications like Google Drive, Box, or other applications. Consider a salesperson who leaves an organization, takes the company’s customer and lead lists, and drops them into their personal cloud storage account. This results in data leakage for the organization that can only be mitigated by a Data Loss Prevention (DLP) tool and specific policies set up to lessen data exfiltration. A security team can use DLP tools to monitor user behavior such as devices, locations, and activity to block data leakage in real time.
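One of the signals a DLP or proxy-monitoring policy can act on for the scenario above is upload volume to personal cloud storage domains, which is visible in a web proxy log without inspecting file contents. The Python below is an added example for this page, not code from the original post, from Cipher, or from any DLP product; the proxy log format, the list of personal cloud domains, and the 50 MiB per-user-per-day threshold are constructed assumptions, and the log lines are made up.

```python
from collections import defaultdict

# Assumed policy data (constructed for this example).
PERSONAL_CLOUD_DOMAINS = {"drive.google.com", "www.dropbox.com",
                          "app.box.com", "onedrive.live.com"}
UPLOAD_METHODS = {"POST", "PUT"}              # request methods that carry data out
UPLOAD_THRESHOLD_BYTES = 50 * 1024 * 1024     # 50 MiB per user per day (assumed)

# Constructed proxy log: "timestamp user method host bytes_sent" per line.
PROXY_LOG = """\
2024-03-04T09:10:11 alice POST corp.sharepoint.com 12000000
2024-03-04T09:15:02 alice GET drive.google.com 4096
2024-03-04T18:40:55 sam PUT drive.google.com 30000000
2024-03-04T18:42:13 sam PUT drive.google.com 25000000
2024-03-04T18:50:00 sam POST app.box.com 1000000
2024-03-04T19:05:44 bob POST www.dropbox.com 2000000
"""


def parse_proxy_log(text):
    """Parse whitespace-separated log lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, method, host, sent = parts
        events.append({"ts": ts, "user": user, "method": method.upper(),
                       "host": host.lower(), "bytes": int(sent)})
    return events


def personal_cloud_upload_totals(events):
    """Sum bytes uploaded per (user, day) to personal cloud storage domains only.

    Downloads (GET) and uploads to other hosts, such as a corporate tenant, are
    ignored, so normal use of a sanctioned service does not inflate the total.
    """
    totals = defaultdict(int)
    for e in events:
        if e["method"] in UPLOAD_METHODS and e["host"] in PERSONAL_CLOUD_DOMAINS:
            totals[(e["user"], e["ts"][:10])] += e["bytes"]
    return dict(totals)


def find_cloud_exfiltration(events, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return (user, day, bytes) for users whose personal-cloud uploads exceed the threshold."""
    return sorted((user, day, total)
                  for (user, day), total in personal_cloud_upload_totals(events).items()
                  if total > threshold)


if __name__ == "__main__":
    for user, day, total in find_cloud_exfiltration(parse_proxy_log(PROXY_LOG)):
        print(f"{day} {user}: {total / 1024 / 1024:.1f} MiB uploaded to personal cloud storage")
```

On the constructed log only sam crosses the line (about 53 MiB across Google Drive and Box in one evening); bob’s 2 MB Dropbox upload and alice’s 12 MB upload to the corporate tenant are not flagged. A volume threshold like this is a coarse first filter: a production DLP policy would also classify the content being sent and correlate the upload with the user’s HR status, such as a pending departure.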

Insider threats can pose a significant risk to your organization. Your security team should obtain as much information related to behavior and activity as possible to identify insider risks. Once your security team can see how users are operating on your network, you’ll be in a much better place to handle insider threats. Investing in the right security tools and processes to support better visibility will aid in detecting malicious insider activity.

*** This is a Security Bloggers Network syndicated blog from Cipher Cyber Security Blog authored by Cipher. Read the original post at: