While organizations spend considerable money and resources seeking to prevent external threats to their data security, some of the most dangerous threats actually come from within: that is, current or former employees who, for whatever reason, have decided to commit fraud or cause damage to your IT infrastructure or data.
A recent report showed that current employees of an organization were a bigger cause of security breaches than all other actors, including hackers, combined. To perform insider threat detection, an organization has to be able to identify potential insider threats and prevent them from causing irreparable harm.
An ‘insider’ is defined as any current or former employee who has legitimate (or other) access to your IT systems and uses that access to cause harm. This harm need not be intentional; sometimes it is accidental, where the employee does not realize the consequences of their otherwise innocent actions.
Malicious insiders, however, are most often the cause of serious insider threats. They might be motivated by personal gain, by the theft of your intellectual property, or by sabotage of your IT infrastructure as an act of revenge.
Accidental insiders are often employees who have been fooled by outside actors into unwittingly handing over system access or providing copies of valuable data. This can occur when the employee is the subject of a phishing attack which aims to get the employee to give up access details to an apparently trusted source (such as fake help desk staff, for example).
To detect and prevent an insider threat an organization must implement specific policies, software and practices.
Preventing insider threats begins with carefully screening employees when they are hired to ensure they don’t pose a potential threat. This can include conducting extensive background checks and checking with former employers.
Robust user access management is essential for insider threat detection. Administrators should ensure that users only have the minimum access to perform their role (referred to as the ‘least privilege model’) and no more.
Conducting regular security awareness training is another practice that can ensure your honest employees do not inadvertently give up access, and it can also help them identify potentially malicious employees. This can include asking them to report any abnormal behaviour by an employee.
Finally, implement a software solution that tracks user behaviour as they perform their job and that will identify any unusual access attempts or departures from normal use of the computer system.
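As an added illustration of the kind of behavioural check such a solution performs (example code written for this post, not a product described here), the script below builds a per-user baseline from a period of audit log lines and then flags later events that touch a resource the user never used before, fall outside the hours the user normally works, or come from an account with no baseline at all (for instance, a former employee's account). The log lines, user names and resource names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit events (not from the page): "timestamp user action resource".
BASELINE_LOG = """\
2024-03-04T09:12:00 alice read hr-share
2024-03-05T14:30:00 alice write hr-share
2024-03-05T09:30:00 bob write eng-repo
2024-03-05T16:10:00 bob read eng-repo
"""
NEW_LOG = """\
2024-03-11T09:20:00 alice read hr-share
2024-03-11T23:45:00 alice read finance-share
2024-03-11T10:00:00 bob read eng-repo
2024-03-12T02:10:00 bob read eng-repo
"""

def parse(log):
    events = []
    for line in log.splitlines():
        ts, user, action, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, action, resource))
    return events

def build_baseline(events):
    """Per-user profile: resources touched and hours of day active."""
    profile = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, user, _action, resource in events:
        profile[user]["resources"].add(resource)
        profile[user]["hours"].add(ts.hour)
    return profile
def find_anomalies(profile, events, hour_slack=1):
    """Flag a never-seen resource or activity outside usual hours (+/- slack, wraps midnight)."""
    findings = []
    for ts, user, _action, resource in events:
        base = profile.get(user)
        if base is None:
            findings.append((user, ts.isoformat(), "no baseline for user"))
            continue
        reasons = []
        if resource not in base["resources"]:
            reasons.append(f"new resource {resource}")
        if not any(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) <= hour_slack
                   for h in base["hours"]):
            reasons.append(f"unusual hour {ts.hour:02d}:00")
        if reasons:
            findings.append((user, ts.isoformat(), "; ".join(reasons)))
    return findings

def detect_insider_anomalies(baseline_log=BASELINE_LOG, new_log=NEW_LOG):
    return find_anomalies(build_baseline(parse(baseline_log)), parse(new_log))
```

Running `detect_insider_anomalies()` on the constructed data flags alice's late-night read of a share she never used and bob's 02:00 activity, while both users' daytime work on their usual resources passes unflagged.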