Skip to content
Glossary

Malicious Insiders: Definition, Motivation and Examples

A malicious insider businessman using laptop computer with triangle caution warning sign.

Malicious insiders are only a small portion of threats that companies face today, but make no mistake: your company can lose hundreds of thousands of dollars because of one. According to the Aberdeen Risk Report, 20% of threats come from malicious insiders, and insider risk will cost companies on average $16 million in 2023.

Why do insiders act maliciously? Often, they want personal or financial gain. They might be a disgruntled employee looking for payback, or they could be stealing data on behalf of a competitor.

To defend against malicious insiders, establish a baseline of trusted activity and monitor data abnormalities to respond before an incident catches you unprepared. Before we dive deeper into how to detect and prevent malicious threats, let’s explore who malicious insiders are and how they can act against your company.

What is a malicious insider

A malicious insider is an employee, contractor, or business partner who uses their privileged access to deliberately share or abuse proprietary company information. Malicious insiders use their access to sabotage, share, or misrepresent your company’s data for personal, professional, or financial gain. 

Malicious insiders aren’t always employees. As long as a person has insider knowledge, they can act as a malicious insider by committing fraud, stealing intellectual property, sabotaging systems, or engaging in corporate espionage. 

Examples of malicious insider activity

Thanks to their access to company data and systems, malicious insiders can act against your company in multiple ways:  

IT sabotage

A white icon of a wrench and a backwards arrow on a purple background. The icon represents IT sabotage from malicious insiders.

Malicious insiders who engage in IT sabotage usually have tech know-how, like system administrators and software engineers. These employees are often retaliating against what they see as unfair treatment or vigilante motives. They intentionally damage internal systems and data but can cover their tracks effectively. 

For example, a software engineer may introduce code that destroys important logs of internal company messages or emails. A system administrator might change all employees’ passwords so that they can’t log in to corporate accounts to do their jobs. 

A real-life example of this happened in 2020 when the vice president of Stradis Healthcare was furloughed. The employee, Christopher Dobbins, used a secret account to log into the company’s shipping system and delete important shipping data

Data theft

A white icon of a lock on a purple background. The icon represents data theft from malicious insiders.

IT sabotage is common among the tech savvy, but other malicious insiders don’t need coding skills to do real damage. Data theft is common because insiders can easily download and share sensitive information. 

Data theft is most frequent among departing employees. If a sales executive is leaving, for instance, they may download customer lists from Salesforce to get a head start on establishing their client base at their new job. Similarly, a product manager might download copies of the company’s confidential product roadmap before going to work for a competitor. 

The current job market is one reason why employees may be more likely to steal data. Due to job insecurity amidst a landscape of layoffs, employees may be actively looking for other opportunities. Whether they’re proud of their work, or think their current work will help them in a future role, departing employee data theft is a real concern. 

Insider fraud

A white icon of a warning symbol inside a box on a purple background. The icon represents insider fraud from malicious insiders.

A malicious insider may not be profiting from data directly. Instead, they might use their access to company information to misrepresent themselves and commit fraud. These insiders might be facing financial hardship or are simply greedy – and they see your company’s data as a way to make a buck. 

Imagine that a customer support representative can access customer data, including credit card information. The representative might steal customers’ identities and commit credit card fraud. This behavior may continue until they resolve their financial issues – or until someone catches them.

How to detect and prevent malicious insiders

Because malicious insiders already have insider access, their activities are often invisible to security teams’ user activity monitoring. They can fly under the radar until weeks or months later when the cost of a data leak has ballooned. 

But a number of different indicators can point to an insider behaving maliciously. A few best practices can help you detect data leaks and misuse in real time.  

Track exfiltration abnormalities

Malicious insiders may want to share company data with a third party or keep the information for their own personal gain. So any unusual data movement could be a sign of data theft, like an employee trying to download large amounts of data or sending data to personal accounts. 

Additionally, malicious insiders may try to see data they don’t have permission to access. For example, an employee tries to request access to or change the sharing permissions of a private Google document. 

It may seem overwhelming to look for abnormalities across all of your company data. Beginning with high-risk data movement can be a great place to start. Track the data movement of outgoing employees, those with a history of poor security practices, or employees flagged by HR for one reason or another. Doing so will help your security analysts target the most vulnerable data at the right time. 

Establish trusted activity

To detect unusual behaviors across all data movement, it’s important to establish with all employees what’s normal and acceptable through training and awareness. A security policy is an important tool in educating employees on security best practices. This policy outlines how your organization and its employees should use and protect company data and systems.

A strong security policy looks at more than just data movement. It creates access controls, monitors user activity, trains employees, promotes awareness, and defines how to respond in the event of a data breach. All of these controls can help fend off threats from malicious insiders. By starting with trusted activity, your team can monitor known risks while developing a strategy for unknown risks, work that is often made easier with the right tools.  

Look for suspicious hardware or software

When a malicious insider steals data, they may use unauthorized hardware or software to download and move the data. Malicious insiders often send data to software like a personal email or cloud storage account. They may also use hardware like an unauthorized USB drive or personal device. Beyond digital theft, they may also rely on hard copies to take data with them by using company printers. Make a plan that can protect your data on and offline.

Create an insider threat program

Security teams alone can’t contain all the risk from malicious insiders, so a company-wide program can enlist employees’ help and the right software. An insider threat program includes all the steps and processes your company will need to manage the risks of insider threats. The program should include stakeholders in your company who will need to be a part of any threat response, like human resources, legal, and security teams. 

This group of stakeholders should define what actions would trigger an investigation and how to flag any suspicious activity. Additionally, this group should receive executive buy-in to train employees, create awareness, and implement new technology to help monitor all data movement. 

A successful insider threat program doesn’t just address malicious threats but also all known and unknown insider threats, and focuses on both prevention and response. With the right automated tools you can automatically block data exfiltration for a more proactive approach. 

What motivates malicious insiders?

Why might insiders act maliciously? Let’s take a look at the motivating factors behind malicious insiders: 

  • Financial gain: Malicious insiders sometimes are looking to make money. They may try to sell data to third parties. Often, departing employees will take a job with a competitor and use their insider access before leaving to gather data that they can then leverage in their new role.

  • Desire to get revenge or personal gain: This type of malicious insider has a vendetta against your company. Maybe they didn’t receive a promotion; maybe the company terminated their role and they’re angry about losing their job. Either way, this person might steal data or sabotage internal systems as a way to “get back” at those they feel have wronged them. Alongside money and revenge, malicious insiders may be looking for notoriety by leaking sensitive information to the press.

  • Corporate espionage: These insiders have been compromised by an external source and are stealing data in order to help that outsider. While the goal is still personal or financial gain, the motivation is slightly different than the examples listed above. This may seem like the most outlandish, but countless cases have lead back to a nation state using an employee to gain access to intellectual property for a strategic gain. 

Protect your corporate data from malicious insiders with Code42 Incydr

Malicious insiders are a real threat to businesses and can cost your company hundreds of thousands of dollars – if not more. Creating safeguards against malicious insiders can protect your company’s reputation and minimize financial losses. 

Code42 Incydr detects file exfiltration through Airdrop, cloud apps, web browsers, USB drives, email, cloud sharing, and more. Detect, investigate, and respond to security risks in real time before the damage is done.


Know what to look for to protect against malicious insiders

6 Unusual Data Behaviors That Indicate Insider Threat

View Infographic

You might also like: