The Insider Threat: New Report Highlights Problems, Recommendations and Resources

The Institute for Critical Infrastructure Technology recently published a fascinating report on insider threats. This excellent white paper defines insider threat categories, offers deep Web screenshots, recommendations and resources to help.

Earlier this month, I was in Washington, D.C., presenting at ISC2’s annual CyberSecureGov Conference, which has become a top-notch federal government cybersecurity event. As I was looking through the agenda after my session, one title grabbed my attention: “Mitigating Insider Threats to our Nation's Critical Infrastructures.”

The presentation, which highlighted new research from The Institute for Critical Infrastructure Technology (ICIT), was groundbreaking in many respects. While the report highlights critical infrastructure sectors, the findings and solutions also apply to state and local governments, and other private-sector companies in numerous ways.

ICIT is a leading cybersecurity think tank that “bridges the gap between the legislative community, federal agencies and critical infrastructure leaders.” They do this with a wide variety of legislative briefs, research reports, events and other materials that offer outstanding insights and action steps. Their extensive list of free legislative briefs and research reports can be found here.

The presenter on insider threats was a respected colleague whom I've known for several years: Mr. Parham Eftekhari, co-founder and senior fellow at ICIT, who has been working with technology and security leaders in the federal government for more than 15 years.

Describing the insider threat challenges we face, Mr. Eftekhari said this: "Critical Infrastructure leaders and policy makers are just now beginning to understand the potential for catastrophic digital and cyber-kinetic incidents at the hands of insider threats. As the authors point out, mitigating malicious and non-malicious insiders must be a top priority not only for our government, but for all private-sector organizations. This publication is a powerful asset for any organization looking to build or improve an insider threat mitigation program."

Insider Threats: A Deep Dive

Starting with definitions, the presentation used the definition from the CERT Division's Common Sense Guide to Mitigating Insider Threats (Carnegie Mellon Software Engineering Institute), which describes a malicious insider as a current or former employee, contractor or business partner who:

  • Has or had authorized access to an organization's network, system or data
  • Has intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of the organization's information or information systems

Note that this definition, as worded, covers only intentional misuse. The categories below, like Mr. Eftekhari's remarks, also take in the non-malicious insider, whose mistakes produce the same loss of confidentiality, integrity or availability without any intent.

Varieties of insider threats include:

  • Careless or Uninformed Users
    • Undertrained Staff
    • Accident-Prone Employees
    • Negligent Workers
    • Mismanaged Third-Party Contractors
    • Overwhelmed Personnel
  • Malicious Users

While none of these definitions is new or surprising, the real examples shown were much more eye-opening. For example, the presentation included these screenshots from the deep Web (captions only; the images are not reproduced here):

  • Hacker for Hire
  • Self-Proclaimed Insider Threat
  • W2 Database for Sale on AlphaBay
  • Disgruntled Employee Solicitation

The primary author of the insider threat paper is James Scott, co-founder and senior fellow at ICIT. The new brief is titled: “In 2017, the insider threat epidemic begins.”

On recommendations, Mr. Scott said, “The best protection against insider threat is a basic level of layered security-by-design endpoint protection paired with a combination of solutions that secure data according to its value, according to the principle of least privilege, and according to role-based access controls, as well as other technical controls, and that monitor personnel and users using bleeding-edge artificial intelligence, big data analytics, and solutions that automate cyberhygiene and ensure verifiable accountability trails.”

The solutions offered in the report are extensive and rather complex. They include nontechnical controls such as:

  • Utilize the Information Security Team
  • Heed the Information Security Team
  • Hire Trusted Personnel
  • Cultivate a Culture of Trust
  • Effectively Communicate
  • Appreciate Personnel
  • Train Personnel to Defend the Organization

Policies, procedures and guidelines:

  • Principle of Least Privilege
  • Limit Access According to Duties
  • Segregate Administrative Duties Based on Roles
  • Address Cybersecurity in SLAs (service level agreements)
  • COTS (commercial off-the-shelf software)

Technical Controls:

  • Data Encryption
  • Network Segmentation
  • Predictive Artificial Intelligence
  • Security Information and Event Management (SIEM)
  • User and Entity Behavior Analytics (UEBA)
  • Identity and Access Management
  • Data Loss Prevention (DLP)
  • User Activity Monitoring
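
Several of the controls above only pay off when they are wired together: the role model that enforces least privilege is also the reference that user activity monitoring compares against, and the audit trail is what makes accountability "verifiable." The following Python sketch is an added illustration, not code from the ICIT report or from this post, of how that fits together on a small scale: a least-privilege and segregation-of-duties review of an identity store, followed by a UEBA-style pass over an audit trail that flags actions outside a user's effective permissions, after-hours activity and record-volume spikes against the user's own baseline. Every role, permission name, user and log line is constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed role-based access model (all names hypothetical).
ROLE_PERMISSIONS = {
    "payroll_clerk": {"w2:read"},
    "payroll_admin": {"w2:read", "w2:export"},
    "db_admin":      {"db:backup", "audit:purge"},
    "contractor":    {"ticket:read"},
}

# Segregation of administrative duties: permission sets that must never land
# on one identity. Whoever can bulk-export payroll data must not also be able
# to purge the audit trail that would record the export.
TOXIC_COMBINATIONS = [{"w2:export", "audit:purge"}]

# Constructed identity store: roles plus any grants made directly to the user.
USERS = {
    "alice": {"roles": {"payroll_clerk"}, "direct": set()},
    "bob":   {"roles": {"payroll_admin", "db_admin"}, "direct": set()},
    "carol": {"roles": {"contractor"}, "direct": {"w2:read"}},
}


def effective_permissions(user):
    """Union of the user's role permissions and direct grants."""
    entry = USERS[user]
    perms = set(entry["direct"])
    for role in entry["roles"]:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def audit_access_model():
    """Least-privilege review: {user: [finding, ...]} for users whose access
    deviates from the role model. Users with no findings are omitted."""
    findings = defaultdict(list)
    for user, entry in USERS.items():
        # Direct grants bypass the role model; this is where privilege creep hides.
        for perm in sorted(entry["direct"]):
            findings[user].append(f"direct grant outside role: {perm}")
        perms = effective_permissions(user)
        for combo in TOXIC_COMBINATIONS:
            if combo <= perms:
                findings[user].append("segregation of duties: " + " + ".join(sorted(combo)))
    return dict(findings)


# Constructed audit trail: timestamp,user,action,object,records_touched
AUDIT_LOG = """\
2017-05-01T09:12:00,alice,w2:read,payroll_db,40
2017-05-01T09:30:00,bob,w2:export,payroll_db,1
2017-05-02T10:05:00,alice,w2:read,payroll_db,35
2017-05-02T11:00:00,carol,w2:read,payroll_db,12
2017-05-02T11:05:00,carol,w2:export,payroll_db,1
2017-05-03T23:40:00,alice,w2:read,payroll_db,4100
"""


def parse_log(text):
    """Parse the CSV-style audit trail into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, obj, count = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "count": int(count)})
    return events


def detect_anomalies(events, business_hours=(7, 19), volume_factor=5):
    """UEBA-style pass over the audit trail; returns (user, rule, detail) tuples.

    unauthorized - action not in the user's effective permissions, i.e. the
                   enforcement point and the access model disagree
    after_hours  - activity outside business_hours, local time, [start, end)
    volume_spike - records touched exceed volume_factor times the user's own
                   running average over earlier events
    """
    alerts = []
    history = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, action, n = ev["user"], ev["action"], ev["count"]
        if action not in effective_permissions(user):
            alerts.append((user, "unauthorized", action))
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            alerts.append((user, "after_hours", ev["ts"].isoformat()))
        prior = history[user]
        if prior:
            baseline = sum(prior) / len(prior)
            if n > volume_factor * baseline:
                alerts.append((user, "volume_spike", f"{n} records vs baseline {baseline:.0f}"))
        prior.append(n)
    return alerts


if __name__ == "__main__":
    for user, issues in audit_access_model().items():
        for issue in issues:
            print(f"ACCESS  {user}: {issue}")
    for user, rule, detail in detect_anomalies(parse_log(AUDIT_LOG)):
        print(f"ALERT   {user}: {rule} ({detail})")
```

Run as written, the access review reports bob's toxic combination and carol's out-of-role grant, and the monitoring pass flags carol's export (granted nowhere in the model), and alice's late-night read of roughly a hundred times her usual record count, the pattern behind a "W2 database for sale" listing. A production UEBA tool builds far richer baselines, but the dependency is the same: the monitoring is only as good as the identity data it compares against, and the audit trail has to be protected from the very administrators it records.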

Other resources include the National Insider Threat Task Force (NITTF):

  • Co-chaired by the DNI and the U.S. Attorney General
  • Agencies with classified networks are required to establish insider threat detection and prevention programs aligned with NITTF
  • NITTF provides assessments, training, assistance and education

Additional Helpful Resources on Insider Threats

This is not the first time, nor will it be the last, that the insider threat topic comes up in the Lohrmann on Cybersecurity & Infrastructure blog. As a reminder, this topic was already hot back in 2010 when I wrote the blog "Are you an insider threat?" for CSO Magazine.

I also wrote my views on Edward Snowden, which haven’t changed much, touching on insider threat topics as well. Yes — some good has come from Snowden, but the ends do not justify the means, in my opinion.

Other good reports and publications on addressing insider threats are available at:

Final Thoughts

Regardless of your views on individuals such as Edward Snowden or interest in national defense issues surrounding insider threats, we all face similar insider threat challenges in our workplaces. The many reports and presentations offered for free by ICIT are an outstanding set of resources that I highly recommend your teams take time to review.

I also want to give a shout-out to the ICIT Annual Forum (June 7 in D.C.).

The insider threat issues within cybersecurity and physical security are increasing worldwide. Small, medium and large-sized organizations need to take immediate action to address this growing challenge. These materials can show you how. 


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.