The Lockdown

Thycotic’s Cyber Security Blog

Why do employees choose to become insider threats?

Written by Thycotic Team

June 9th, 2015

A company went out of business. A person was marked as deceased in a large government database. A company’s domain name was added to anti-spam blacklists. All of these are outcomes of insider threat cases documented in The CERT Guide to Insider Threats, and could easily happen to any business today that does not have the proper infrastructure and policies to help detect, prevent, and mitigate insider threats.

What is an insider threat?

CERT defines an insider threat as “A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”

Insider threats can be current employees, those who were recently terminated, or even contractors who are given an account on a system just for a few days’ worth of work – as long as the person has a legitimate account and privileges for a job function, he can choose to use them for malicious activities instead of performing his duties. Insiders can steal data, destroy data, or modify it – reasons for doing each will be discussed below.

Why do employees choose to become insider threats?

Employees who choose to become insider threats have a variety of reasons to do so, but most stem from negative feelings toward the employer, supervisor, or co-workers. Employees who have grievances that are not addressed, those who feel ignored or mistreated, and those who feel they have been wronged are more likely to become insider threats than those who do not fit any of those descriptions.

The most obvious case is when an employee is let go or fired. As an example from CERT, a system administrator feared layoffs so he embedded malicious code into scripts on his employer’s servers and set it to execute on his next birthday. He didn’t get laid off, but still kept the code in the scripts and just moved the date forward. Eventually the malicious code was discovered, but the takeaway here is that sometimes employees plan retaliation when they anticipate being laid off or demoted. Unmet employee expectations can also drive employees toward becoming insider threats – if employees feel that their salary is too low for the work they perform, their supervisors give unrealistic deadlines, or they are passed over for a promotion, they may feel wronged by the employer and plan retaliation.

Beyond the motives above, which all stem from perceived wrongs to the employee, financial gain can play a huge part in insider threat cases. Employees who are offered money to use their privileges to perform unauthorized or illegal work may choose to take it and violate company policy, embezzle money from the employer, or steal intellectual property. In one example, an employee discovered she had database write privileges that she wasn’t supposed to have, and used these privileges to create fake drivers’ licenses in exchange for money from the recipients. It is unclear whether the employee was disgruntled with her employer, which would have made her actions difficult to see coming.
