When thinking about cybersecurity threats, most of us likely focus on hackers, malware, phishing attacks, and other external dangers. But some threats begin within, with peers or colleagues who—accidentally or on purpose—expose organizations to risk.
It’s easy to overlook insider threats. We want to trust the people we work and study with, to believe they’re well-meaning and capable. And in most, cases, they are.
But security means understanding different kinds of insider threats and developing policies, practices, and training to prevent them.
Who’s an insider?
University of Iowa insiders can include employees, contractors, vendors, students, or anyone with access to university systems, data, hardware, or facilities.
People with access to student, patient, or research data need to exercise special care with data security and privacy. Learn more about data privacy.
What are insider threats?
An insider threat is any kind of security risk that comes from within an organization, involving any of the “insiders” described above.
Many insider threats are non-malicious, often unintentional. They tend to come from lapses in security practice or training, or from simple negligence. Some examples include:
- Falling for a phishing scam or other social engineering ploy
- Failing to use Two-Step Login or other security systems
- Sharing login information with others
- Accidentally sharing data or other information
Some insider threats are malicious. The involve individuals abusing privileged access to systems or data. They may be driven by financial gain (e.g., selling confidential info), disgruntlement, or other motives.
How do we prevent insider threats?
Like cybersecurity in general, preventing insider threats starts with individual awareness and good practices:
Know the signs of cyber-scams. Stay up-to-speed on topics like phishing and social engineering. Exercise caution and trust your instincts when responding to email, direct message, and text requests. Take special care to verify who you’re dealing with.
Protect your credentials. Never share your HawkID login/password or any other credentials you use to access university systems. Always use Two-Step Login or other multifactor authentication systems whenever they’re available.
Access only the data you need. Respect the university’s Institutional Data Policy and avoid accessing any data you don’t need for work, study, or research.
Establish transition plans. If you’re an employee, make sure your work group promptly updates system access for new/departing employees, contractors, and vendors. Discontinue access for individuals who no longer need it.
Report concerns and assess risks. Talk to your security team—notify the Information Security and Policy Office (ISPO) if you’re concerned that unauthorized access to institutional data or systems may have occurred. ISPO also can help you and your team assess potential risks and improve overall cybersecurity practices.
Seek help when you need it. If you think your online security might be compromised (e.g., if you’ve fallen for a phishing scam) contact your local IT support, the ITS Help Desk, or the ISPO. If you’re concerned about a colleague, speak with your supervisor. For general security-related concerns, the ITS Help Desk is a great place to start.