Insider Threats in State and Local Government

CERT Insider Threat Center
• Insider Threat Blog

Hello, this is Matt Collins, a graduate assistant at the CERT Insider Threat Center. While the center's research has found that insider threats impact all industry sectors, this post narrows the focus to insider threats in the state and local government sectors.

Of more than 700 cases we collected, 49 cases involve state or local government. Let's take a look to better understand the insiders, their motives, and their impact on this industry:

Who are the insiders?

Full-Time Employees - Of the employees who were insider threats, 30 (61%) were full-time employees, 5 served as contractors, and 1 worked part time. The type of employment of the remaining 13 insiders is unknown.

Current Employees - Of the employees who committed insider attacks, 43 (88%) were current employees at the time of the attack and 4 were former employees. The employment status of the remaining 2 insiders at the time of the attack is unknown.

Both Male and Female - Of those who posed an insider threat, 26 (53%) were female and 21 were male. The gender of 2 insiders is not known.

All Ages - The youngest insider was under 20 at the time of the attack and the oldest was over 60 years old.

What are their motives and how did they attack?

Fraud - Of the insiders in these cases, 27 (55%) committed fraud and 10 committed insider attacks to sabotage the organization. Only 1 insider stole intellectual property. The remaining 11 attacked the organization for reasons other than fraud, sabotage, or the theft of intellectual property.

On Site - Of the insiders in these cases, 32 (65%) attacked on site and 5 used remote access to carry out their attack. It is unknown whether the remaining 12 insiders attacked on site or remotely.

With Their Own IT Account - Of the insiders in these cases, 34 (69%) used their own account to carry out the attack against the organization and 6 used a coworker's account. Other ways that insiders accessed the IT systems were through shared accounts (3), system administrator accounts (3), and back doors (3). Cases also involved the use of authorized third-party accounts (2) and organization accounts (1). The IT account was unknown in only one case. The number of cases above totals more than 49 due to overlap.

As you can see, insider attacks can come from unexpected insiders. As we learn more about trends in the types of insiders who commit attacks and the types of attacks, we'll keep you informed. If you have questions or want to share experiences you've had with insider threats, send email to
