Internal threats are posed by individuals within an organization who, whether intentionally or unintentionally, compromise sensitive information or expose the organization to external attacks. A significant proportion (74%) of organizations report an increase in insider threats and feel vulnerable to them. In 2022, incidents related to internal threats increased by 47%, with a 31% rise in costs to businesses, including both direct and indirect expenses such as legal fees and system repairs. This article summarizes the research briefing note by Adeline Veyrinas, produced within the research program of the Research Chair in Cybercrime Prevention. The full research briefing note is available in both French and English.
Internal threats can be categorized into two types: intentional and unintentional. Intentional threats involve deliberate acts such as espionage, sabotage, embezzlement, extortion, and corruption. Unintentional threats, on the other hand, arise from inadvertent actions like disclosing login credentials due to social engineering attacks or connecting to unsecured networks.
Several risk factors can contribute to internal threats, originating from organizational, cultural, and individual sources. Organizational risk factors include a work environment where security policies are unclear or poorly communicated, technological tools are difficult to use or insecure, and environmental stressors such as noise, temperature, and interpersonal conflicts are present. Management practices such as task overload, poor communication, and mismatched job requirements can lead to stress, anxiety, and errors. Cultural risk factors involve the organizational culture, where abrupt changes in structure or management can clash with existing norms, and regional culture, where differences in practices and languages can cause misunderstandings and conflicts. Individual risk factors include psychological traits from the Big Five personality model, affect (emotions), and the Dark Triad (narcissism, Machiavellianism, psychopathy), all of which can influence the likelihood of internal threats. Additionally, life events such as losing a job, major life changes, or health issues can increase an individual's susceptibility to internal threats.
Current challenges in addressing internal threats include the difficulty of developing models to detect and predict these threats due to the diversity of risk factors and individual reactions. Privacy and ethical concerns also arise when collecting information on employees' behaviors, as it may infringe on personal privacy. Additionally, encouraging employees to report suspicious behavior can result in false positives and create a negative workplace atmosphere.
Practical recommendations for preventing internal threats include raising awareness and providing training for employees and managers to recognize risk indicators and current cyber threats. Implementing risk mitigation strategies, such as improving working conditions, clarifying security protocols, and regularly updating security systems, is essential. Additionally, developing a database of objective indicators to track potential internal threats, with transparency and consent from employees, can enhance detection efforts. It's crucial to avoid relying solely on psychological or personal factors to identify threats; instead, focus on organizational factors and offer emotional or psychological support. These measures aim to prevent internal threats while respecting employees' privacy and well-being.