Managing Insider Threat

A lot of focus is placed by organisations on managing external threats, when in fact their biggest asset is also their biggest risk: people (the insider threat). You can’t run a business without giving employees access to resources, and you can’t give them that access without some degree of risk.

An insider threat is when a past or current employee, contractor or business partner who had or has authorized access to your organisation’s network systems, premises or data uses that access to compromise the confidentiality, integrity or availability of those systems, premises or data. Insider threat incidents can happen for a wide range of reasons, from espionage to unintentional actions by good people. Insider threats can include:

  • Fraud
  • Theft of intellectual property (IP) or trade secrets
  • Unauthorized trading
  • Espionage
  • IT infrastructure sabotage

Insider threats bring with them unique security challenges. These challenges stem from the fact that the threats are created by insiders in plain sight and, as a result, are extremely difficult to detect. Unlike external attackers, insiders do not need to “break in” because they already have access to the systems, networks and computers, and they know where the critical assets are located. Additionally, these insiders are already within the confines of the organisation, which makes their illicit activities harder to detect via traditional detection methods.

People are the root cause of insider threats, whether their actions are malicious in nature or inadvertent. The reality for companies nowadays is that there are too many vectors for data portability to cover using basic data loss prevention platforms, and not enough people to cover them, so sensitive data still gets exposed to unauthorized personnel. Typical security tools focus on analysing computer, network or system data and threats, but insider threats have evolved into some of the costliest and most challenging risks facing organisations today. This shift is due to the fact that many organisations lack the ability and resources to monitor risks associated with their trusted employees and contractors who act negligently or maliciously.

The Statistics:

Based on an independent report conducted by Ponemon Institute (2020):

  • The number of insider-caused cybersecurity incidents jumped 47% from 2018 to 2020, with the average cost increasing by 57%
  • 62% of insider threats arose from negligent behaviour by users who exposed data unintentionally
  • Spending to stop insider threats has increased by 25% since 2018, and is up almost 60% since 2017
  • Insider threats take an average of 77 days to contain
    – Incidents that were resolved in less than 30 days cost victims $7.12 million
    – Incidents resolved in 90 days or longer cost victims $13.71 million

Types of Insider Threats:

When it comes to insider threats, they can typically be classified into three different categories:


This behaviour combines a motive to harm the business with a decision to act inappropriately. For example, an employee may decide to keep or turn over sensitive proprietary information to a competitor after being terminated, for financial or other personal gain. Malicious behaviour may arise from:

  • Departing employees
  • Internal re-organisations
  • Mergers and acquisition participants
  • High level access

One famous example of a malicious insider is that of Greg Chung, who spied for China while employed at Rockwell and later Boeing, stealing hundreds of boxes’ worth of documents pertaining to military and spacecraft programmes from 1979 to 2006, when he was finally caught. While most businesses probably do not have to worry about nation-state spying, the bottom line is that you should have controls in place that will alert you if any employee takes an action that could be indicative of an insider threat. If you are in the supply chain of a government agency or a large organisation, the risk of insider threat must be carefully analysed.


This behaviour can occur when employees look for ways to avoid policies they feel may impede their work. While most employees have a general awareness of security risks, the workarounds they create can be dangerous and put data at risk. This type of behaviour may arise from:

  • Employees using their personal cloud accounts to transfer and store sensitive company data
  • Employees needlessly carrying sensitive information
  • Unsecured physical drives
  • Employees leaving laptops and other portable working devices unattended

This behaviour can occur as a result of an individual’s careless actions that inadvertently cause security breaches. This type of behaviour may arise from:

  • Employees not actively patching their systems
  • The use of BYOD (Bring Your Own Device) devices
  • Employees connecting their work devices to public, unsecured Wi-Fi networks
  • Users falling prey to phishing attacks

How to identify an Insider Threat:

Internal threats have an advantage over external threats in terms of avoiding detection, as they are often already within the four walls of the organisation, thus making identification much more difficult. These people already have access to critical systems and data and don’t need to rely on sophisticated hacking procedures or anything of the like to bypass security protocols. Because internal threats are so difficult to detect, it is important for organisations and business leaders to have a heightened level of awareness with regard to employees’ behaviours, attitudes and actions in order to help identify malicious or negligent actions before it’s too late.

An insider threat may occur out of the blue or may be developing over a period of time. There are both ‘direct’ and ‘indirect’ indicators that may reveal an insider threat at play:

  • A ‘direct’ risk indicator may involve more obvious abnormal actions that deviate from an employee’s normal day-to-day duties or job requirements, such as downloading large volumes of data to external drives, emailing confidential files to their personal email address or accessing sensitive data that has no relevance to their own role or department.
  • ‘Indirect’ risk indicators are less obvious and often require greater analysis to reveal any sort of suspicious motive. These can often be identified by investigating patterns of employee behaviour, such as venting about the organisation over social media, developing close relationships with high-risk personnel outside the organisation, or a sudden change in demeanour whilst at work.

Indicator Examples:

  1. An employee attempting to gain access to sensitive data unrelated to their role
  2. An employee consistently requesting access to the office outside of normal working hours
  3. A major decline in work performance
  4. Posting abnormal messages on social media about the company and colleagues
  5. Saving data to external storage devices
  6. An employee attempting to bypass security controls

It is important for organisations and business leaders to note that these red flags should not be deemed malicious behaviour straight away. Instead, they should invoke a process of analysis, review and clarification before a final judgement is made. Accusations should only be made when there is a significant amount of proof available to back them up, and this requires increased awareness and vigilance on the part of business leaders to identify the threat and manage it accordingly. Identifying the early warning signs of malicious or negligent behaviour is crucial in managing and limiting the threat, as is having a coherent and cohesive procedure in place for assessing, managing and controlling internal threats to the organisation.
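As an added illustration (not part of the original article), the Python below turns three of the indicators listed above (out-of-role data access, repeated after-hours entry, and saving bulk data to external storage) into simple review rules over constructed audit events. The event fields, department tags and thresholds are assumptions; the output is a queue of items for analysis and review, not a judgement.

```python
from collections import Counter
from datetime import datetime

# Constructed sample audit events (not real data): one event per dict.
EVENTS = [
    {"user": "alice", "dept": "sales", "ts": "2021-03-02T09:15:00", "action": "file_read",
     "resource": "\\\\fs\\hr\\salaries.xlsx", "resource_dept": "hr"},
    {"user": "alice", "dept": "sales", "ts": "2021-03-02T09:20:00", "action": "file_read",
     "resource": "\\\\fs\\sales\\pipeline.xlsx", "resource_dept": "sales"},
    {"user": "bob", "dept": "eng", "ts": "2021-03-03T23:40:00", "action": "badge_in", "site": "HQ"},
    {"user": "bob", "dept": "eng", "ts": "2021-03-05T22:10:00", "action": "badge_in", "site": "HQ"},
    {"user": "bob", "dept": "eng", "ts": "2021-03-08T02:05:00", "action": "badge_in", "site": "HQ"},
    {"user": "carol", "dept": "eng", "ts": "2021-03-04T14:00:00", "action": "usb_write",
     "resource": "E:\\src_backup.zip", "bytes": 6_500_000_000},
    {"user": "carol", "dept": "eng", "ts": "2021-03-04T14:30:00", "action": "usb_write",
     "resource": "E:\\notes.txt", "bytes": 2_048},
]

# Assumed thresholds; tune them to the organisation's own working patterns.
WORK_START, WORK_END = 7, 20          # badge-ins outside 07:00-20:00 count as after-hours
AFTER_HOURS_MIN = 3                   # flag a repeated pattern, not a single late night
USB_BYTES_THRESHOLD = 1_000_000_000   # 1 GB to removable media in a single write

def find_indicators(events):
    """Return (user, indicator, detail) tuples queued for human review."""
    flags = []
    after_hours = Counter()
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        # Indicator 1: reading data owned by a department other than the user's own.
        if e["action"] == "file_read" and e.get("resource_dept") != e["dept"]:
            flags.append((e["user"], "out_of_role_access", e["resource"]))
        # Indicator 2: count after-hours building entries per user.
        elif e["action"] == "badge_in" and not (WORK_START <= ts.hour < WORK_END):
            after_hours[e["user"]] += 1
        # Indicator 5: large volume written to removable storage.
        elif e["action"] == "usb_write" and e.get("bytes", 0) >= USB_BYTES_THRESHOLD:
            flags.append((e["user"], "bulk_removable_media", f'{e["bytes"]} bytes to {e["resource"]}'))
    for user, n in after_hours.items():
        if n >= AFTER_HOURS_MIN:
            flags.append((user, "repeated_after_hours_entry", f"{n} after-hours badge-ins"))
    return flags

if __name__ == "__main__":
    for user, indicator, detail in find_indicators(EVENTS):
        print(f"REVIEW {user}: {indicator} ({detail})")
```

In practice the events would come from file-server audit logs, physical access control and endpoint DLP, and each flag would open a review case rather than trigger action against the employee.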

How to build an insider threat program:

Remove insider threats before their malicious or negligent behaviour becomes detrimental to the organisation:

  1. Know your critical assets
  2. Document and enforce policies and controls
  3. Monitor and respond to suspicious or disruptive behaviour
  4. Proactively manage negative work environment issues
  5. Consider insider threats in enterprise risk assessments
  6. Practice social media vigilance
  7. Structure management and tasks to minimize insider stress and mistakes
  8. Conduct regular insider threat awareness training
  9. Implement strict password and account management practices
  10. Consider the right technologies:
  • Monitor network activity using advanced threat intelligence systems with user behaviour analytics (UBA)
  • Impose stringent access controls and monitoring policies on privileged users using Privileged Access Management (PAM) systems
  • Understand where your data resides and use data classification software to classify your information. Then, in conjunction with DLP rules, ensure that classified data does not leave the perimeter

Only when each and every one of the above measures is imposed and followed strictly can an organisation be in a strong position to prevent and detect the insider threat. Awareness is a critical feature of identifying internal threats, and business leaders and managers need to know their employees and check in on them regularly in order to be able to identify abnormal behaviour. Internal threat programs require the buy-in of senior management, and employees must undergo regular training to be able to identify when an insider threat is at play. Whilst following all these steps does put your organisation in a strong position, it by no means ensures that an insider threat will never occur. It is almost impossible to detect an insider threat if they are cunning enough, but being aware of your employees and their behaviours means out-of-the-norm actions can be identified before it’s too late, thus reducing the risk to your organisation’s most sensitive data.

Mark Thornton