Insider threats are a big problem for nonprofits of all types. Why? Because they’re so hard to detect. After all, insiders have legitimate access to systems and data; unlike external bad actors many security policies and tools help defend against.
It could be anyone, from a careless employee to a rogue business partner.
That’s why we’ve put together this list of Insider Threat types and examples. Exploring different methods and motives will better equip nonprofit leaders (and their employees) to spot Insider Threats before a data breach happens.
Join 30,000+ fundraising professionals that receive our weekly Sunday newsletter with industry trends, tips, and analysis delivered right to your inbox
Types of Insider Threats
First things first, let’s define what exactly Insider Threats are.
Insider threats are people – whether employees, former employees, contractors, business partners, or vendors – with legitimate access to an organization’s networks and systems who deliberately exfiltrate data for personal gain or accidentally leak sensitive information.
The key here is that there are two distinct types of Insider Threats:
- The Malicious Insider: Malicious Insiders knowingly and intentionally steal data. For example, an employee or contractor may exfiltrate valuable information (like Intellectual Property (IP), Personally Identifiable Information (PII), or financial information) for some financial incentive, a competitive edge, or simply because they’re holding a grudge for being let go or furloughed.
- The Negligent Insider: Negligent insiders are your average employees who have made a mistake. For example, an employee could send an email containing sensitive information to the wrong person, email company data to personal accounts to do some work over the weekend, fall victim to a phishing or spear-phishing attack, or lose their work device.
8 Examples of Insider Threats
The employee who exfiltrated data after being fired or furloughed
Since the outbreak of COVID-19, 81% of the global workforce have had their workplace fully or partially closed. And, with the economy grinding to a halt, employees across industries have been laid off or furloughed.
When you combine this distress with the reduced visibility of IT and security teams while their teams work from home, you’re bound to see more incidents of Malicious Insiders.
One such case involves a former employee of a medical device packaging company who was let go in early March 2020
By the end of March – after receiving his final paycheck – Dobbins hacked into the company’s computer network, granted himself administrator access, and then edited and deleted nearly 120,000 records.
His actions caused significant delays in the delivery of medical equipment to healthcare providers.
The employee who stole trade secrets
In July 2020, further details emerged of a long-running insider job at General Electric (GE) that saw an employee steal valuable proprietary data and trade secrets.
The employee, named Jean Patrice Delia, gradually exfiltrated over 8,000 sensitive files from GE’s systems over eight years — intending to leverage his professional advantage to start a rival company.
The FBI investigation into Delia’s scam revealed that he persuaded an IT administrator to grant him access to files and that he emailed commercially-sensitive calculations to a co-conspirator. Having pleaded guilty to the charges, Delia faces up to 87 months in jail.
What can we learn from this extraordinary inside job? First, ensure you have watertight access controls and monitor employee email accounts for suspicious activity.
The employees who exposed 250 million customer records
Here’s an example of a “negligent insider” threat. In December 2019, a researcher from Comparitech noticed that around 250 million Microsoft customer records were exposed on the open web.
This vulnerability meant that the personal information of up to 250 million people—including email addresses, IP addresses, and location—was accessible to anyone with a web browser.
This incident represents a potentially severe breach of privacy and data protection law and could have left Microsoft customers open to scams and phishing attacks—all because the relevant employees failed to secure the databases properly.
Microsoft reportedly secured the information within 24 hours of being notified about the breach.
The nuclear scientists who hijacked a supercomputer to mine Bitcoin
Russian secret services reported in 2018 that they had arrested employees of the country’s leading nuclear research lab on suspicion of using a powerful supercomputer for bitcoin mining.
Authorities discovered that scientists had abused their access to some of Russia’s most powerful supercomputers by rigging up a secret bitcoin-mining data center.
Bitcoin mining is highly resource-intensive, and some miners are always seeking new ways to outsource the expense onto other people’s infrastructure. This case is an example of how insiders can misuse company equipment.
- The employee who fell for a phishing attack
While we’ve seen a spike in phishing and spear-phishing attacks since the outbreak of COVID-19, these aren’t new threats.
One example involves an email that was sent to a senior staff member at Australian National University. The result? Criminals stole 700 Megabytes of data.
This data was related to both staff and students and included details like names, addresses, phone numbers, dates of birth, emergency contact numbers, tax file numbers, payroll information, bank account details, and student academic records.
- The work-from-home employees duped by a vishing scam
Cybercriminals saw an opportunity when many of Twitter’s staff started working from home. As a result, one cybercrime group conducted one of the most high-profile hacks of 2020 — knocking 4% off Twitter’s share price in the process.
In July 2020, after gathering information on key home-working employees, the hackers called them up and impersonated Twitter IT administrators. During these calls, they successfully persuaded some employees to disclose their account credentials.
Using this information, the cybercriminals logged into Twitter’s admin tools, changed the passwords of around 130 high-profile accounts — including those belonging to Barack Obama, Joe Biden, and Kanye West — and used them to conduct a Bitcoin scam.
This incident put “vishing” (voice phishing) on the map, and it reinforces what all cybersecurity leaders know — your company must apply the same level of cybersecurity protection to all its employees, whether they’re working on your premises or in their own homes.
- The ex-employee who got two years for sabotaging data
The case of San Jose resident Sudhish Kasaba Ramesh serves as a reminder that it’s not just your current employees that pose a potential internal threat—but your ex-employees, too.
Ramesh received two years imprisonment in December 2020 after a court found that he had accessed Cisco’s systems without authorization, deploying malware that deleted over 16,000 user accounts and caused $2.4 million in damage.
The incident emphasizes properly restricting access controls—and locking employees out of your systems as soon as they leave your organization.
- The employee who took company data to a new employer for a competitive edge
This incident involves two of the most prominent tech players: Google and Uber.
In 2015, a lead engineer at Waymo, Google’s self-driving car project, left to start his own self-driving truck venture, Otto. But, before departing, he exfiltrated several trade secrets, including diagrams and drawings related to simulations, radar technology, source code snippets, PDFs marked as confidential, and videos of test drives.
How? By downloading 14,000 files onto his laptop directly from Google servers.
Uber acquired Otto after a few months, at which point Google executives discovered the breach. In the end, Waymo was awarded $245 million worth of Uber shares, and, in March, the employee pleaded guilty.