IT Center Blog

Insider Threat: The Threat from Within

May 16th, 2022 | by
Person in front of monitor

Source: Pixabay

In an increasingly digitalized world, cyber threats are playing an ever greater role. The pandemic and working at home also favor these threats. In the last two years, the number of cyber attacks has increased sharply. This is also confirmed by a study by EY (german only). The human factor plays a major role in this context. But what if the threat itself comes from within the company’s own ranks? So-called insider threats are often underestimated by many companies and organizations. Yet the effects of such a threat can be devastating.

What is an Insider Threat?

An insider threat is a special type of threat to data security and IT systems in which the threat does not come from external hackers, but from people with legitimate access rights. These threats can be caused both consciously and unconsciously. Basically, any employee or person with access to data, servers, or systems, can potentially become an insider threat.

How do Insider Threats happen?

Insider threats can be caused consciously or unconsciously, and the insiders themselves can vary significantly in their awareness and intentions. An unconscious threat can occur when employees thoughtlessly open attachments, click on links, or download malware. Unlocked screens or misplaced devices containing stored credentials and/or other confidential data also represent a major security risk. Careless handling of external data carriers may also cause a security threat. The main reasons for an unintentional insider threat are lack of knowledge, phishing, malware, and theft of credentials and devices.

In some situations, the attack can also be intentional. This is the case, for example, when an insider intentionally introduces viruses and ransomware into the system or steals, leaks, or deletes confidential data. The insider may have different intentions: Sabotage, espionage, fraud or theft of intellectual property.

How can these Threats be avoided?

Insider threats are often difficult to detect because legitimate credentials and access rights are used. It is also particularly difficult to determine which of these threats are actually due to malicious intent.

To prevent employees from unintentionally becoming a threat, they must be properly trained. For example, employees may be sensitized and made aware of risks through security awareness training. This can at least minimize the insider threats that arise unknowingly. However, employees can also become insider threats with malicious intent for a variety of reasons. Among the most common reasons are value conflicts, revenge and bribery. It is not uncommon for insiders to even be recruited by third parties. Such threats can be minimized by strengthening team spirit, collaboration, and communication.

Regardless of the nature of the threat, arguably the most important risk minimization measure is thoughtful management of access permissions. For example, access can be restricted by assigning roles. In this way, employees or external persons are only granted access to the data and systems that are required for their individual work. If external persons are given access authorizations as part of a specific project, care should be taken to ensure that these access authorizations are readjusted once the project has been completed.

Another popular measure in companies is behavior-based analytics. This involves monitoring and analyzing the users’ behavior and relevant activities. This analysis identifies deviations from normal behavior patterns, such as copying large amounts of data. In this way, suspicious activities can be detected particularly quickly.

The damage that insiders can cause is both extensive and varied. What becomes particularly apparent is that the human factor should by no means be underestimated. Even the best security programs are of little use if employees are not aware of the potential risks. Clearly defined processes and the creation of a solid and sustainable security culture not only minimize risks, but also enable companies and organizations to be well prepared and able to act quickly in the event of a threat.

Data Protection Incidents at RWTH*

Data protection incidents, such as unlawful transmission, loss or theft of storage media or documentation containing personal data, data breaches and leaks, accidental modification or unintentional deletion of personal data, must be reported to the LDI NRW (Landesbeauftragten für Datenschutz und Informationsfreiheit) within 72 hours.

To avoid duplicate processing, the RWTH institution at which the data protection incident occurred must first report the incident internally within RWTH. For this purpose, the Lucom form “Notification of Data Protection Violations” must be filled out by the affected institution (only accessible from the RWTH network / via VPN).

The following key data should be included in the form:

  • What happened?
  • When did it happen?
  • When did it become known?
  • Which organizational unit is involved?
  • Is personal data affected?
  • Who is affected?
  • How many people are affected?
  • Who is responsible for further inquiries?

The affected institution is helped by the data protection officer to examine the incident. An evaluation then follows as to whether the incident requires reporting and whether further measures are necessary.

If you have any questions, please contact the RWTH Data Protection Officer and the staff of Division 5.5 – IT Strategy and IT Organization.

Want to learn more about IT security? You can find all our blog posts on this topic under the tag IT Security.


Responsible for the content of this article is Stéphanie Bauens.

(*) Note: The paragraph “Data Protection Incidents at RWTH” was added on 20.05.2022.

You like this post?

Then leave us a heart! ♥️

Leave a Reply

Your email address will not be published. Required fields are marked *