Insider Threats, Organized Crime, and Shadow IT (Domain 2)

In this episode, we are continuing our discussion of threat actors by focusing on insider threats, organized crime groups, and the growing problem of Shadow IT. These three threats either originate inside the organization or blend into everyday operations, which makes them difficult to detect. While they differ in intent and structure, each poses serious risk that security teams must be prepared to identify and manage.
Let’s begin with insider threats. These threats originate from within the organization. They may come from employees, contractors, vendors, or anyone who has legitimate access to internal systems or data. Insider threats are generally divided into two categories: malicious and negligent.
Malicious insiders are individuals who intentionally harm the organization. Their motivations may include financial gain, revenge, or ideological beliefs. They might steal data, delete files, or sabotage systems. In many cases, they already know where valuable data is stored and how to avoid detection.
Negligent insiders are not trying to cause harm, but their carelessness can lead to security breaches. These individuals might click on phishing links, use weak passwords, or store sensitive data in unsecured locations. While their intentions are not harmful, the results can be just as damaging as those caused by malicious insiders.
Indicators of insider threats include unusual file access patterns (a user touching shares or directories outside their normal work), bulk data transfers outside of business hours, and employees bypassing security controls. Detection strategies rely on behavior monitoring (often marketed as user and entity behavior analytics), periodic access reviews, and user activity logging, with each user's own history serving as the baseline against which "unusual" is judged. Security awareness training can also reduce negligent behavior by teaching employees to recognize and avoid risky actions.
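To make those indicators concrete, here is an added example (not code from the episode or any product) that runs three simple rules over a constructed file-server audit log: data moved outside business hours, sensitive paths touched off-hours, and a user copying from a directory absent from their own normal-hours baseline. The log lines, usernames, paths, the 07:00-19:00 business window, the sensitive prefixes, and the 1 MB threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample file-server audit log (not real data):
# timestamp  user  action  path  bytes
SAMPLE_LOG = """\
2024-03-04T09:12:44 alice READ /finance/q1-forecast.xlsx 240000
2024-03-04T10:01:03 bob READ /eng/design-notes.md 12000
2024-03-04T14:30:11 alice READ /finance/budget.xlsx 310000
2024-03-04T16:45:20 bob READ /eng/build-log.txt 8000
2024-03-04T23:48:09 bob COPY /hr/salaries.xlsx 5200000
2024-03-05T00:05:51 bob COPY /hr/employee-ssn.csv 8700000
2024-03-05T02:17:30 bob UPLOAD /hr/employee-ssn.csv 8700000
2024-03-05T11:20:00 carol READ /eng/readme.md 3000
"""

# Tunable assumptions for this example; a real deployment derives these
# from policy and from each user's (or role's) observed history.
BUSINESS_HOURS = (7, 19)                    # 07:00 <= hour < 19:00 counts as normal
SENSITIVE_PREFIXES = ("/hr/", "/finance/")  # paths that warrant extra scrutiny
EXFIL_ACTIONS = {"COPY", "UPLOAD"}          # actions that move data rather than view it
OFF_HOURS_BYTES_THRESHOLD = 1_000_000       # 1 MB moved outside business hours


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    path: str
    size: int


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated audit lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, path, int(size)))
    return events


def is_off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def top_dir(path: str) -> str:
    """'/hr/salaries.xlsx' -> '/hr/'"""
    return "/" + path.split("/")[1] + "/"


def detect_insider_indicators(events: list[Event]) -> list[Alert]:
    """Apply three indicator rules; return one Alert per (user, rule) that fires."""
    baseline_dirs = defaultdict(set)   # directories each user touched in business hours
    off_hours_bytes = defaultdict(int)
    sensitive_hits = defaultdict(set)
    novel_dirs = defaultdict(set)

    # Pass 1: build a per-user baseline from normal-hours activity.
    for e in events:
        if not is_off_hours(e.ts):
            baseline_dirs[e.user].add(top_dir(e.path))

    # Pass 2: score data-moving actions against the baseline and policy.
    for e in events:
        if e.action not in EXFIL_ACTIONS:
            continue
        if is_off_hours(e.ts):
            off_hours_bytes[e.user] += e.size
            if e.path.startswith(SENSITIVE_PREFIXES):
                sensitive_hits[e.user].add(e.path)
        if top_dir(e.path) not in baseline_dirs[e.user]:
            novel_dirs[e.user].add(top_dir(e.path))

    alerts = []
    for user, total in off_hours_bytes.items():
        if total >= OFF_HOURS_BYTES_THRESHOLD:
            alerts.append(Alert(user, "off_hours_transfer_volume",
                                f"{total} bytes copied/uploaded outside business hours"))
    for user, paths in sensitive_hits.items():
        alerts.append(Alert(user, "sensitive_data_off_hours", ", ".join(sorted(paths))))
    for user, dirs in novel_dirs.items():
        alerts.append(Alert(user, "new_directory_access", ", ".join(sorted(dirs))))
    return alerts


if __name__ == "__main__":
    for a in detect_insider_indicators(parse_log(SAMPLE_LOG)):
        print(f"{a.user:6} {a.rule:26} {a.detail}")
```

On the constructed log only bob trips the rules: about 22.6 MB copied and uploaded between 23:48 and 02:17 from /hr/, a directory he never touched during business hours. The caveat a practitioner will want: the baseline here is built from the same log it scores, which is fine for a demonstration but in production should come from a trailing window of weeks, and it should be per role, since a systems administrator legitimately touches everything and will otherwise generate constant noise.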
A well-known insider threat incident involved a systems administrator who, after being terminated, used his access to disable systems and erase data. In another case, a negligent employee uploaded customer information to a personal cloud drive to work remotely—exposing that data to the public internet. These examples show the importance of monitoring, revoking access promptly, and enforcing clear data handling policies.
Now let’s examine organized crime groups. These are professional, highly structured groups that carry out cyberattacks for financial gain. They often operate like legitimate businesses, complete with management structures, dedicated developers, and customer support—for criminal services.
Organized cybercrime groups are well funded. They may finance their operations through successful attacks or other illicit activities. Their resources allow them to purchase zero-day exploits, rent server space, and even pay insiders to help gain access to secure environments.
Common operations include ransomware attacks, where the group encrypts an organization's files and demands payment in cryptocurrency for the decryption key. Other common crimes include online fraud, payment card theft, and identity theft. These attacks often target businesses, government agencies, and healthcare organizations, where the stolen data can be sold or held for ransom.
Case studies include large-scale ransomware attacks against hospitals and critical infrastructure. In one major incident, a pipeline operator in the United States shut down operations after ransomware encrypted its systems. The group responsible demanded millions of dollars, and the resulting disruption affected fuel supply across several states. Another frequently cited case involved a global credit reporting agency, where attackers accessed sensitive personal data on more than 140 million individuals; note that U.S. prosecutors later attributed that intrusion to state-sponsored actors rather than to a criminal group, a reminder that attribution can change as an investigation matures. These incidents demonstrate how a well-resourced group can scale its operations to cause widespread damage and financial loss.
Lastly, let's look at Shadow IT. This refers to any technology, software, or device used within an organization without approval or oversight from the IT department. Shadow IT can include cloud storage services, messaging apps, personal laptops, and unsanctioned mobile devices.
The main risk posed by Shadow IT is lack of visibility. If IT teams do not know a tool is in use, they cannot verify that it is patched, configured securely, or covered by backups. Such tools may lack encryption, access controls, or audit logging, and every unmanaged service or device adds an entry point that attackers can target and defenders are not watching, enlarging the attack surface.
For example, if employees use a free file-sharing service to collaborate, sensitive company documents may end up on a platform that does not meet organizational security standards. If those documents are exposed, the organization often has no logs with which to trace the breach and no contractual means to recover or delete the data. In another case, developers might store internal code in a public repository on a code-hosting site, unintentionally making it, along with any credentials committed with it, readable by anyone.
Detecting Shadow IT involves monitoring outbound network traffic (proxy and DNS logs) for unsanctioned destinations, reviewing cloud service usage (often with a cloud access security broker), and conducting regular audits of software and hardware assets. Management strategies include setting clear policies, providing sanctioned alternatives that are as convenient as the tools people reach for on their own, and educating users about the risks of bypassing approved systems.
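Here is an added example (not code from the episode or any product) of the first detection step: classifying the destinations in a constructed web-proxy log against a sanctioned-service allowlist and a small domain-category map, then aggregating upload volume and user count per unsanctioned host so the findings can be prioritized. The log lines, the example.com allowlist, the category map, the upload-method set, and the 1 MB threshold for unclassified hosts are all assumptions; the public code-hosting case from the file-sharing discussion above appears as one of the rows.

```python
from dataclasses import dataclass, field

# Constructed web-proxy log (not real data):
# timestamp  src_ip  user  destination_host  method  bytes_out
PROXY_LOG = """\
2024-03-04T09:12:44 10.1.4.22 alice sharepoint.example.com POST 240000
2024-03-04T09:40:10 10.1.4.22 alice mail.example.com POST 18000
2024-03-04T10:05:31 10.1.4.31 bob api.dropbox.com POST 7300000
2024-03-04T10:06:02 10.1.4.31 bob web.telegram.org POST 4000
2024-03-04T11:22:47 10.1.4.45 dave uploads.github.com POST 2100000
2024-03-04T11:25:13 10.1.4.45 dave git.example.com POST 950000
2024-03-04T13:02:55 10.1.4.58 erin api.dropbox.com POST 120000
2024-03-04T13:10:20 10.1.4.58 erin cdn.newsite.example.net GET 0
2024-03-04T15:44:08 10.1.4.31 bob files.unknown-saas.io PUT 3800000
"""

# Assumptions for this example. In practice the allowlist comes from the asset
# inventory and the category map from a CASB or URL-categorization feed.
SANCTIONED = {"sharepoint.example.com", "mail.example.com", "git.example.com"}
CATEGORY_BY_SUFFIX = {
    "dropbox.com": "file-sharing",
    "wetransfer.com": "file-sharing",
    "telegram.org": "messaging",
    "discord.com": "messaging",
    "github.com": "public-code-hosting",
    "pastebin.com": "paste-site",
}
UPLOAD_METHODS = {"POST", "PUT"}
UNKNOWN_UPLOAD_THRESHOLD = 1_000_000   # ignore unclassified hosts below 1 MB sent


def matches_suffix(host: str, suffix: str) -> bool:
    """Exact or subdomain match only: 'notdropbox.com' must not match 'dropbox.com'."""
    return host == suffix or host.endswith("." + suffix)


def classify(host: str) -> str:
    """Return 'sanctioned', a Shadow IT category, or 'unknown'."""
    if host in SANCTIONED:
        return "sanctioned"
    for suffix, category in CATEGORY_BY_SUFFIX.items():
        if matches_suffix(host, suffix):
            return category
    return "unknown"


@dataclass
class ServiceUsage:
    category: str
    users: set = field(default_factory=set)
    bytes_out: int = 0


def shadow_it_report(log_text: str) -> dict[str, ServiceUsage]:
    """Aggregate upload traffic to every non-sanctioned host, keyed by host."""
    usage: dict[str, ServiceUsage] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _ip, user, host, method, size = line.split()
        category = classify(host)
        if category == "sanctioned" or method not in UPLOAD_METHODS:
            continue
        entry = usage.setdefault(host, ServiceUsage(category))
        entry.users.add(user)
        entry.bytes_out += int(size)
    # Unclassified hosts only matter once real volume has gone to them;
    # known Shadow IT categories are reported at any volume.
    return {h: u for h, u in usage.items()
            if u.category != "unknown" or u.bytes_out >= UNKNOWN_UPLOAD_THRESHOLD}


def prioritize(report: dict[str, ServiceUsage]) -> list[tuple[str, str, int, int]]:
    """(host, category, user_count, bytes_out) sorted by bytes sent, largest first."""
    rows = [(h, u.category, len(u.users), u.bytes_out) for h, u in report.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for host, category, n_users, out in prioritize(shadow_it_report(PROXY_LOG)):
        print(f"{host:24} {category:20} users={n_users} bytes_out={out}")
```

On the constructed log the report ranks the file-sharing service first (two users, about 7.4 MB out), then the unclassified SaaS host, then the public code-hosting upload, then the messaging app. The suffix check is deliberate: a naive `endswith("dropbox.com")` would also match an unrelated `notdropbox.com`, and GET traffic is excluded because the question for Shadow IT triage is where company data is being sent, not what is being read.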
Security incidents tied to Shadow IT include data leaks from unsecured apps, malware infections from unauthorized downloads, and compliance violations caused by storing regulated data in locations that were never assessed for it. Preventing these issues requires a combination of policy enforcement, technical controls, and ongoing communication between IT teams and business units.
As you prepare for the Security+ exam, make sure you understand the differences between insider threats, organized crime, and Shadow IT. Know the signs of malicious versus negligent insider behavior, the structure and tactics of cybercrime groups, and the risks associated with unsanctioned technologies. The exam may present scenarios involving suspicious behavior, unexpected data leaks, or coordinated attacks, and your job will be to identify the threat actor involved and recommend an appropriate response.
