By Drew Fox Jordan • June 1, 2021

    10 Ways To Recognize An Insider Threat At Your Nonprofit

    Detecting and preventing Insider Threats isn’t easy. Why? Because unlike external bad actors, Insiders – whether a disgruntled employee, a distracted freelancer, or a rogue business partner – have legitimate access to a nonprofit's database. That puts them in an ideal position to exfiltrate data.

    10 Ways To Recognize An Insider Threat At Your Nonprofit

    So, how do you spot one? To start, you have to know what an Insider threat is and understand the different methods and motives behind these data exfiltration attempts. Insider Threats can be malicious or the result of negligence. Malicious Insiders knowingly and intentionally steal data and generally do so to gain a competitive edge or because they’re dissatisfied at work. Negligent Insiders are just your average employees who have made a mistake. For example, they could send an email to the wrong person, misconfigure a system, fall for a phishing email, or lose their work device.

    While every incident is different, there are some tell-tale signs of an Insider Threat. Malicious Insiders may act suspiciously well before they actually exfiltrate any data. For example:

    1. Declining performance or other signs of dissatisfaction

    As we’ve said, one reason why Insiders exfiltrate data is that they’re dissatisfied at work. It could be because of a poor performance appraisal, because they were denied a promotion or raise, or because of a disagreement with a co-worker or manager. Whatever the reason, 1 in 10 Insider Threats is motivated by a grudge.

    Look out for a consistent or sudden decline in performance or attitude and for employees who become angry or combative. Employees who are actively looking for other jobs should also be on your radar. While they could simply be moving on to a new opportunity, they may be inclined to steal data in order to impress or bribe a new or potential employer.

    2. Unusual working hours

    While passion and enthusiasm are generally considered positive attributes when talking about an employee, these can occasionally be early signs of bad intent. For example, if an employee consistently volunteers for extra work, regularly works in the office late, comes in early, or attempts to perform work that’s outside of the scope of their normal duties, they could be trying to gain access to sensitive systems or data.

    Then, of course, there are signs of the data exfiltration attempt itself. For example:

    3. Large data transfers or downloads

    There are a number of ways to exfiltrate data, including email, Cloud Storage, USB sticks. In fact, 23 percent of insiders exfiltrate data via USBs and 24 percent exfiltrate data via laptops/tablets. However, email is the threat vector to be most concerned about. After all, it only takes one click to transfer dozens of files.

    4. Multiple failed logins (or other abnormal login activity)

    Whether it’s an employee trying to access networks or systems they don’t have access to or an employee with legitimate access logging in more frequently than usual, login activity can offer nonprofit leaders clues about Malicious Insiders.

    Certainly, the employee could simply be curious and may even be going above and beyond to get their job done, but these behaviors could also be indicative of nefarious intent and should be investigated.

    5. Upgraded privileges or sharing access

    When someone is promoted or there is another shift in the structure of an organization, it makes sense that access to systems and data might change. But, what about when someone’s privileges or access are escalated without a clear reason why? It could be an administrator granting themselves more privileged access or it could be a team effort. For example, an administrator could be bribed to upgrade another employee’s access. Both are signs of a Malicious Insider.

    Finally, there are signs that the Insider has successfully exfiltrated data or is still successfully exfiltrating data. For example:

    6. Unexpected changes in financial circumstances

    86 percent of breaches are financially motivated. Whether it’s a list of donor email addresses being sold on the Dark Web or financial info being sold to a data broker, data is valuable currency. So, if you hear of or notice an employee suddenly and unexpectedly paying off debt or making expensive purchases, you may need to investigate the source of the additional income. It could be a sign that they’re profiting from company or customer data.

    While certain behaviors exhibited by Malicious Insiders may set off alarm bells for security teams before exfiltration attempts occur, Negligent Insiders can be harder to preempt. Nonetheless, there are four key things to look out for.

    7. Failure to comply with basic security policies

    Whether it’s consistently using weak passwords, refusing to enable 2FA, or frequently downloading tools or software that haven’t been approved by security teams, an employee who disregards security policies could be more likely to accidentally exfiltrate data than one who consistently plays by the book. 

    8. Low engagement in security awareness training

    Most employees (and even some security leaders!) would agree that security awareness training is “boring”. And, while that may be the case, training is absolutely essential. It could be training around how to spot a phish or training around new and existing compliance standards or data privacy laws. Employees who either don’t attend training at all or who perform poorly on assessments related to that training should be closely monitored and be re-targeted with tailored programs.

    9. History of falling for phishing attacks

    Phishing and other social engineering attacks are designed for one of three reasons: to extract sensitive information or credentials, to install malware onto a network, or to initiate a wire transfer. If the attack is successful – meaning the target (an employee) falls for the scam – there could be serious consequences. That means any employee who falls for a scam should be reminded of phishing tools and techniques and may need to be more closely monitored.

    10. General carelessness or haste

    Accidents happen. Whether it’s firing off an email to the wrong person or accidentally leaving a computer unblocked, we all make mistakes. Nonetheless, they aren’t trivial and any employee who consistently makes mistakes will need to be reminded of security best practices and may, in some cases, need to be monitored with more stringent policies. 

    How can you detect and prevent Insider Threats? 

    When it comes to detecting and preventing Insider Threats, there are a number of solutions, including:

    1. Training
    2. Physical and Digital Monitoring 
    3. Data Loss Prevention (DLP) tools and software

    Importantly, all of these have a place in security strategies. Training should be used to reinforce existing policies, especially for those employees who consistently break the rules or make mistakes. Nonprofit leaders should be diligent in their physical and digital data monitoring and should always look out for the above warning signs, as well as being up-to-date on what threats could potentially damage the organization.

    And DLP tools like rule-based solutions, endpoint scanning, firewalls, and anti-phishing software do, in some instances, help curb the problem of data loss.

    But, as we’ve said, incidents involving Insider Threats are on the rise which means security stacks are missing something. What they’re missing is protection for their people and at Gravyty, we call it Human Layer Security.

    Gravyty Guard helps keep your employees safe from data breaches without getting in the way of their work. With years of experience within the nonprofit space, our AI understands the behaviors that nonprofit employees have and use that information to keep data secure. 

    Learn more about how Gravyty Guard can help keep your most sensitive donor data protected

    Posts by Topic

    see all