Skip to content

Services, Wiki-Artikel, Blog-Beiträge und Glossar-Einträge durchsuchen

↑↓NavigierenEnterÖffnenESCSchließen
Angriffsmethoden Glossary

Insider Threat

Security risks posed by individuals with legitimate system access—employees, contractors, or partners. Unlike social engineering, which relies on external deception, the threat posed by insider threats stems from the access itself: whether malicious (sabotage, data theft) or negligent (phishing victims, misconfiguration).

Insider threats are security risks posed by individuals who have—or had—legitimate access to a company’s network, systems, or data. Unlike external attackers, insiders do not need to bypass access controls.

Categories

Malicious Insiders

Employees who intentionally cause harm:

  • Sabotage: Damaging IT systems (before termination, out of revenge)
  • Data theft: Stealing IP and passing it on to competitors or buyers
  • Fraud: Financial fraud through privileged system access
  • Espionage: An agency or competitor gains access through an infiltrated employee

Negligent Insiders

Employees without malicious intent, but with risky behaviors:

  • Clicking on a phishing link → malware installed
  • Copying company data to a personal USB drive
  • Writing a password on a Post-it note or sharing it with colleagues
  • Using a company laptop for personal activities (pirated software → malware)
  • Sending unencrypted emails containing customer data

Statistics: According to the Ponemon Institute, 56% of insider threat incidents result from negligence—only 26% are malicious.

Compromised Insiders

External attackers exploit compromised employee accounts:

  • Stealer logs → Credentials stolen → Attacker acts as an "insider"
  • Phishing → Account taken over → Lateral movement within the network

Detection Approaches

User and Entity Behavior Analytics (UEBA):

  • Baseline: Hans logs in daily from 8:00 AM to 6:00 PM, accessing ERP and email
  • Anomaly: Hans logs in at 3:00 AM on Saturday, downloads 500 files from SharePoint
  • Result: SIEM alert: "Unusual Mass Download Activity"

DLP - Data Loss Prevention:

  • Monitoring of data transfers (USB, email, cloud upload)
  • Blocking of sensitive data outside of approved channels

Privileged Access Monitoring:

  • Record all admin sessions (PAM session recording)
  • Alerts for unusual admin actions (nighttime account access)

Countermeasures

Technical:

  • Least privilege principle: Only necessary access rights
  • Regular access reviews: Revoke unnecessary privileges
  • PAM solution for admin accounts
  • DLP for sensitive data
  • Offboarding process: Immediately deactivate accounts upon termination

Organizational:

  • Corporate culture: Employees report security concerns without fear
  • Anomaly reporting channels: "Speak Up" program
  • Separation of duties: Dual-control principle for critical actions
  • Background checks for privileged positions

Compliance: ISO 27001 A.6.1 (Security policy for HR), A.6.3 (Disciplinary procedures), A.5.10 (Acceptable use).

AWARE7 Services on This Topic

Penetrationstest ISO 27001 Beratung
Back to Glossary Book a free consultation