Download our FREE whitepaper on data loss prevention best practices. Download Now

What Are Insider Threats and How to Combat Them?

Here is all you need to know about insider threats – what they are, how they operate, the common types – and how to protect your organization.

Insider threats are a major and increasing problem for organizations, as the human factor is often the most difficult to control and predict when it comes to data security and protection. With digitization, the amount of digital data is growing exponentially, and together with this, the number of interactions with the data is increasing too. More interaction involves exposing the data to more security vulnerabilities.

The potential risks of insider threats are numerous, including financial fraud, data corruption, theft of valuable information, and installing malware. These incidents can lead to data breaches that expose sensitive information such as Personally Identifiable Information (PII) or Intellectual Property (IP) and can result in high fines while detecting them is not an easy task for security teams.

What are insider threats in cybersecurity?

Insider threats are cybersecurity risks originating within the organization itself. They can be caused by users with legitimate access to the company’s assets – including current or former employees, contractors, business partners, third-party vendors, etc. Insiders can vary significantly in awareness, motivation, intent, and access level.

Traditional security measures such as firewalls or antivirus systems focus on external threats and are not always capable of identifying threats emanating from inside the organization. Besides being invisible to traditional security solutions, insider attacks can be harder to detect or prevent than outside attacks and go unnoticed for months or years.

Insider threat facts and figures: how big is the problem?

The 2020 Cost of Insider Threats Global Report from Ponemon Institute reveals a worrying trend in the rise of insider threats both in terms of overall cost and number of incidents. According to the study, the number of cybersecurity incidents caused by insiders increased by 47% since 2018. At the same time, the cost of these incidents has surged 31%, from $8.76 million in 2018 to $11.45 million in 2020.

In a Wall Street Journal Pro Research Survey of cybersecurity executives at nearly 400 companies, 67% said they were concerned about malicious employees. Published in June 2020, the results of the survey show a correlation between the size of the company and the concern about insider threats: the bigger the company, the greater the concern. Additionally, according to the survey, the concern about insiders grows to a higher degree than concern about other cybersecurity threats.

As the insider threat landscape continues to evolve, and the number of incidents is rising, it’s time for companies to become more alert about these threats. Insiders usually know where the sensitive data lives within the organization and often have elevated levels of access, thus distinguishing between a user’s normal activity and potentially malicious activity is a challenge.

Let’s have an overview of the types, detection, and mitigation of insider threats.

Types of insider threats

Malicious insider or Turncloak:

This is someone who uses their access privilege to exfiltrate or steal data and use it with the goal of personal or financial gain. Malicious insider threats include accessing and disclosing confidential information without authorization, carrying out fraudulent transactions, and sabotaging the organization’s systems, network, or data. Departing and disgruntled employees, as well as those with high-level access, can cause these types of incidents.

Negligent insider or Pawn:

A negligent or careless insider has no malicious intent but mistakenly gives away sensitive data or inadvertently puts company data at risk. These threats include misusing assets, mishandling data, and installing unauthorized applications (shadow IT). Negligent insiders may be well-intentioned, but they can become victims of phishing attacks or social engineering.

Collusive insiders:

This type will collaborate with malicious external threat actors to compromise the organization. These cases usually involve fraud, data theft, or a combination of the two. Although it is the rarest form of criminal insider risk, it can still come with high costs.

The Ponemon Institute identified the most common type of insider threat as a negligent employee or contractor, while the most costly incidents were credential thefts, which were both the least reported and the most expensive.

Insider threat motivations

Motivations can vary – malicious insiders might act out of a grudge towards their employer, might simply want money, or it could be an act of corporate or nation-state espionage. Unintentional insider threats could happen due to a lack of knowledge, out of curiosity, or convenience as well as misplaced technology. By understanding the motivations, security teams can be more proactive in their approach to insider threat defense.

Insider threats in the era of work from home

The coronavirus pandemic has set the remote work revolution on a fast track, and many companies have been forced to shift to work from home policies and enabling remote staff overnight.

Remote work is opening up new insider security threats, and companies are scrambling to keep up with these unprecedented risks. The new norm of remote work means no face-to-face supervision and little to no training for handling new security risks. Employees can also face more distractions in their home settings, coupled with the overlying stress of the pandemic and regular work pressure. Accidental disclosures can easily happen, as the lines between work and home, professional and family are more blurred than ever.

Remote working can also offer many data theft opportunities, including the loss or unlawful appropriation of physical devices, the possibility of sharing passwords, encryption keys, and company laptops with unknown third parties.

The insider threat is very present when using workstream collaboration (WSC) platforms like Slack or Mattermost. Employees can accidentally share a customer database, intentionally disclose a trade secret or share Social Security numbers in the public cloud. The increased data portability is another threat factor, posing a high risk of data loss or theft. Employees working from home can easily transfer, share or remove data, and cause the organization to lose revenue, get a penalty for non-compliance or damage the reputation.

Thus working remotely, especially for organizations with no solid remote work plans, means that their assets and confidential data are more vulnerable during the global pandemic. Implementing the right tools and technologies and paying closer attention to company data can decrease the risk of cyber incidents.

Common types of insider attacks

We have collected the most prevalent internal incidents and practices that represent a threat to a company’s data security.

1. Social engineering

Recognized as one of the biggest security threats facing companies, social engineering is a malicious threat that implies human interaction. Usually, it involves tricking someone inside the organization to make a security mistake or reveal sensitive information. Social engineering attacks have different forms, including phishing and baiting. Malicious actors who engage in social engineering manipulate human feelings, such as curiosity or fear, and compromise their targets’ information.

2. Data sharing outside the company

Employees sharing confidential data, either publicly or with unauthorized third parties, can cause serious problems. This type of incident usually happens out of carelessness: information is sent to the wrong email address, a reply all button is hit instead of a simple reply, confidential data is accidentally posted publically.

3. Shadow IT

The use of unauthorized devices, software, applications, and services in the workplace is often hard to trace by IT departments and this is where the term shadow IT comes from. While it can improve productivity and drive innovation, shadow IT also poses a serious threat to data security and can lead to data leaks, compliance violations, and more.

4. Use of unauthorized devices

With the rise of Bring-Your-Own-Device (BYOD) policies and the proliferation of mobile devices, organizations encounter many internal security problems, including the risk of losing data due to employee negligence or malicious intentions. Portable devices and USBs, in particular, although convenient to use, are easy to lose or steal. Thus negligence can easily lead to disastrous data breaches, such as the infamous Heathrow Airport security incident in which a careless employee lost a USB device with over 1,000 confidential files.

5. Physical theft of company devices

Nowadays, it is becoming increasingly common that employees take their work computers or portable devices out of the office. This can happen for several reasons, including remote work, attending an industry event, or visiting a client. By leaving the security of company networks, work devices become more vulnerable to physical theft and outside tampering.

How to protect against an insider attack: best practices

Organizations should start developing guidelines and implementing comprehensive insider threat programs to reduce risks while ensuring that they have the right balance between people, processes, and technology. Being proactive may allow organizations to catch malicious insiders and avoid data breaches caused by employee negligence, thus protecting their assets and reputation.

 1. Security awareness

Ensuring that all employees are aware of the valuable asset they are dealing with and how they need to manage it securely is an essential step that organizations must consider. Security technology continues to progress, but human behavior changes much more slowly.

While educating entire teams with little to no technical background can be difficult, everybody should know the importance and best practices of cybersecurity within the company. Employees should be prepared to recognize phishing and other social media threat vectors, as well as how outside attackers might approach them.

2. Security policies

Clearly documented organizational policies are another critical aspect when looking to prevent insider threats. By enforcing these, it can also help to avoid misunderstandings. Policies should include procedures to prevent and detect malicious activity, as well as an incident response policy. A third-party access policy, account management, and password management policy are also extremely useful. When developing cybersecurity policy and procedures, companies should also consider locating where their sensitive data resides, monitoring data flows, and determine who can have access to confidential data.

3. Cybersecurity tools

Implementing robust technical controls are also an essential step in mitigating insider threats. To efficiently protect all assets, companies shouldn’t rely on a single solution. For a successful insider threat detection strategy, it is advised to combine several security tools that increase visibility and keep track of employee actions. These tools include User Activity Monitoring (UAM), Secure Information and Event Management Systems (SIEM), User Behavior Analytics (UBA) software, and Data Loss Prevention (DLP) solutions.

DLP software is intended to discover sensitive data, address data loss across multiple channels, prevent unintentional data disclosure, detect data use policy violations, and offer remediation actions. User Activity Monitoring tools are user-centric rather than data-centric, and unlike DLP solutions that manage data activity, UAM does not limit or reject any action. UBA software promises to identify potential insider threats before they happen, based on previous behaviors, but usually doesn’t provide any action outside of an alert when an insider threat risk has been detected. SIEM tools can track anomalies across an entire network and flag up dangerous events to the security teams; however, these tools are typically focused on spotting external threats, not insider threats.

When looking for solutions that help mitigate insider threats, organizations should consider the performance impact, the ease of management and deployment, stability and flexibility of any solution.

Insider threats can be challenging to identify and even can be even harder to stop them from causing harm to the company. However, by implementing preventive measures and best practices, organizations can mitigate common insider threats. By combining training, organizational alignment, and technology, the risk of these threats can be significantly reduced.

How does Endpoint Protector help to mitigate insider threats?

Endpoint Protector is an advanced Data Loss Prevention (DLP) solution that minimizes the risk of cyberattacks carried out by insiders. By deploying it, enterprises can ensure the security of their sensitive data and reach compliance with regulations such as the GDPR, PCI DSS, HIPAA, or CCPA. Our DLP software comes with the following features and benefits:

  • Offers a data-centric approach to protecting sensitive information;
  • Keeps track of sensitive data and ensures that its transfer, whether by email or other internet services, is limited or blocked altogether;
  • Protects data regardless if it is stored in a physical or virtual environment;
  • Offers cross-platform protection for sensitive data, being compatible with Windows, macOS, and Linux operating system, as well as Thin Clients and Desktop-as-a-Service (DaaS) platforms;
  • Discovers sensitive data stored on computers, laptops, etc. and provides remediation actions;
  • Is easy-to-use and does not require advanced technical knowledge to run;
  • It provides the option to easily create granular security policies for users, computers, and groups.
  • Monitors and controls USB ports and portable storage devices;
  • Offers retailed reports of user activity and gives valuable insights about what sensitive data is being transferred where and by whom;
  • It is easy to scale and has several deployment options depending on the existing infrastructure of the organization;
  • It provides seamless integration with Active Directory (AD) and SIEM technology.

Download our free ebook on
Data Loss Prevention Best Practices

Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.

1 Comment
Oldest Most Voted
Inline Feedbacks
View all comments
9 months ago

A very helpful post!

Data Loss Prevention Best Practices
Get our free white paper on

Data Loss Prevention Best Practices

Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.

Please use a valid email address!
Check your email to download Data Loss Prevention Best Practices
If you don't see it please check your spam or junk folders.