You’re well aware of the dangers of insider threats — people who pose a security risk within your company. But how do you identify and prevent them before it’s too late?
Insider threats are notoriously challenging to detect. They could be a departing employee stockpiling data to get a leg up in their next job, a negligent remote worker connected to an unsecured network or several other kinds of individuals.
This guide contains a complete list of the types of insider threats and real-life examples, so you have everything you need to spot them before a data breach occurs.
What is an insider threat?
An insider threat is a security risk that comes from within your company. Employees, partners, vendors, interns, suppliers or contractors can potentially become an insider threat. These people can access your organization’s internal network and may accidentally leak or purposely steal sensitive information.
Types of insider threats
You may have heard of grouping insider threats into two categories: malicious or negligent. However, there’s a more nuanced way of viewing these hazards and how they could manifest in your company.
Here’s a closer look at the six types of insider threats and the risky data movements security teams can watch for:
- Departing employees: Employees leaving the company voluntarily or involuntarily are among the most common insider threats. They might take materials they’re proud of to help land a new job or, more viciously, steal and expose sensitive data out of revenge.
- Malicious insiders: These individuals are current employees. They might not be your company’s biggest fans and usually act on their grievances by altering or deleting crucial data sets, disclosing secret information or engaging in other types of sabotage.
- Negligent workers: Although insider threat management strategies often focus on malicious insiders, careless workers are more dangerous. These employees can unintentionally put organizations at risk by leaving an unencrypted work device unattended and not signing in to their VPN, among other activities.
- Security evaders: Modern companies have security policies for safeguarding their essential data. Some workers can find these protections inconvenient, leading them to create workarounds that increase the chances of a data breach.
- Inside agents: These threats work on behalf of an external group, whether knowingly or unknowingly. Outsiders may compel them to give information through blackmail or bribery or deceive them into sharing their login credentials through social engineering.
- Third-party partners: Not all insiders are on the payroll. Suppliers, contractors, vendors and other external parties with some level of inside access can be just as dangerous as employees with the same permissions.
Knowing how insider threats manifest can help you safeguard your company from them, protecting your organization’s reputation, future success, customers and employees.
Real-life examples of insider threats
Insider threats can affect companies of all sizes in all industries. These 11 cases show the harm they can cause if companies don’t prevent or detect them.
1. The departing employee at Yahoo who allegedly stole trade secrets
In May of 2022, a research scientist at Yahoo named Qian Sang stole proprietary information about Yahoo’s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job.
A few weeks after the incident, Yahoo realized that Sang had stolen data (and a competitive analysis of The Trade Desk) and sent him a cease-and-desist letter.
Yahoo has brought three separate charges against Sang, including theft of IP data. In its filing, Yahoo claims that Sang’s actions divested it of the exclusive control of its trade secrets, information that would give competitors an immense advantage.
2. The negligent Microsoft employee who accidentally exposed login credentials
Not all insider threats are malicious.
In August 2022, several Microsoft employees exposed login credentials to the company’s GitHub infrastructure. The information would have given anyone, including attackers, access to Azure servers and potentially other internal Microsoft systems.
Exposing this data, as well as Microsoft source code, could’ve had devastating effects on the enterprise and its customers.
While Microsoft refused to elaborate on what systems the credentials protected, an outsider may have had the opportunity to move to other points of interest after gaining initial access. If the mistake had exposed European Union (EU) customer information, Microsoft could’ve faced a GDPR fine of up to €20 million.
Fortunately, cyber security firm spiderSilk spotted the leaked credentials and notified Microsoft. The tech giant found that no one accessed the sensitive data and is taking steps to prevent it from happening again.
3. The departing Proofpoint employee who allegedly enriched a competitor
Even cyber security companies can succumb to insider threats.
In July 2021, Samuel Boone, a former employee of Proofpoint, stole confidential sales enablement data before starting a new job at competitor Abnormal Security. Alarmingly, Proofpoint’s own solution for preventing data loss (DLP) couldn’t hinder the employee from downloading high-value documents to a USB drive and sharing them.
Months after Boone left, Proofpoint discovered that he had taken the files. At that point, Boone could’ve made substantial headway in channel sales at Abnormal Security. So Proofpoint sued him in federal court for unlawfully sharing battlecards that would give him and his employer an unfair advantage. In its filing, Proofpoint claims that “Boone threatens to inflict incalculable long-term competitive harm” on its company.
4. The group of inside agents at Twitter who fell prey to social engineering
Unfortunately, phishing attacks are a common vector for insider threats.
In July 2020, hackers compromised multiple high-profile Twitter accounts using a phone-based spearphishing campaign against Twitter employees to promote a bitcoin scam. Initially, attackers sought information about internal systems and processes. Eventually, they found the right workers to target and gained access to account support tools that helped them break into 130 Twitter accounts.
While the scam had a relatively minor financial impact on Twitter and victims received their money back, the incident highlights the stakes of the company’s influential role in the information market and its immense security vulnerabilities.
5. The departing Google employee who brought company data to a new employer for a competitive edge
Departing and ex-employees are among the most prevalent insider threats — even at big companies like Uber and Google.
In 2016, a former Google employee, Anthony Levandowski, downloaded thousands of company files onto his personal laptop. These files related to Google’s early self-driving car program “Project Chauffeur” and would’ve given him a leg up in his new job at Uber.
Google sued Levandowski, and he admitted that Google may have lost up to $1,500,000 due to his theft.
6. The third-party vendor to Marriott whose app had a vulnerability
The adverse effects of data breaches don’t just apply to your company — they can also extend to your customers.
In January 2020, cyber attackers exploited the credentials of two Marriott employees to hack an application the company used as part of their guest services. The attackers stole over 5 million guest records, including people’s contact information, gender, birthdays and loyalty account numbers.
While Marriott quickly reacted once it discovered the breach, it didn’t notice the suspicious activity for nearly two months. The company had to pay a £18.4 million fine for exposing the sensitive data of approximately 339 million guests and failing to comply with GDPR.
7. The group of departing Apple employees who allegedly stole trade secrets while being poached
While companies might poach employees from their competitors, especially in the tech world, sometimes they take it too far.
In late April 2022, Apple filed a lawsuit against stealth startup Rivos, purporting that the company took part in a coordinated campaign to poach Apple employees who worked on proprietary system-on-chip (SoC) technology.
Rivos hired 40 ex-Apple employees, and Apple accused at least two engineers of stealing gigabytes of confidential SoC information, which could “significantly accelerate” SoC development at Rivos. In its filing, Apple alleges a multi-billion dollar data theft, saying it had spent billions of dollars and more than a decade of research on its SoC technology. And now it’s in the hands of a competitor.
8. The security evader at Boeing who sent company data to a personal email account
Sometimes seemingly harmless actions can pose a significant security risk.
In 2017, an employee at global aerospace company Boeing emailed a spreadsheet to his wife — who wasn’t an employee — hoping she could help him resolve formatting issues.
Unbeknownst to the employee, the spreadsheet contained the personal information of approximately 36,000 of his coworkers in hidden columns. By bypassing security protocols and sending the spreadsheet to an unsecured device and non-employee, he compromised employee ID, place of birth and social security number information.
While Boeing says it’s confident the data didn’t move beyond those two devices, it offered all affected employees two years of free credit monitoring.
9. The group of departing McAfee employees who allegedly conspired to take sales tactics
McAfee, a world leader in data loss security, ironically experienced extensive data loss from an insider threat in 2019.
Three ex-employees named Jennifer Kinney, Alan Coe and Percy Tejeda, who had left for market rival, Tanium, stole trade secrets on their way out the door. McAfee discovered the incident months after it happened, giving the employees potentially plenty of time to use what they had taken.
To carry out the alleged heist, the employees moved confidential information about McAfee’s sales tactics, customer lists and pricing data to unauthorized USB devices and private email addresses.
McAfee says the three employees managed customer relationships worth tens of millions of dollars in sales revenue and claims its company has suffered harm from the employees’ willful and malicious actions.
10. The fired Stradis Healthcare employee who hacked into his former employer’s network
At the start of the COVID-19 pandemic, 81% of the global workforce had their workplace wholly or partly closed.
Christopher Dobbins, a vice president of the Georgia-based medical packaging company Stradis Healthcare, experienced the effects of those layoffs in early March 2020 when his company furloughed him.
Disgruntled by his situation, after his final days in the office, Dobbins used a secret account he created to access the company’s shipping system and deleted critical shipping data, delaying vital personal protective equipment (PPE) deliveries.
This case of data removal was particularly threatening, considering the PPE supplies were for hospitals and healthcare workers fighting the COVID-19 outbreak.
11. The malicious insider at Bupa who sold company data for profit
While insider threats often involve departing or ex-employees, occasionally, a current employee makes the news.
In 2017, an employee at Bupa, a healthcare company based in the UK, copied and deleted information from the company’s CRM. He then sold the data of nearly 550,000 customers on the Dark Web for financial gain.
Because this data was so sensitive, the Information Commissioner’s Office (ICO) launched an immediate investigation. Ultimately, the ICO forced Bupa to pay a £175,000 fine for failing to protect its customers.
Avoid data loss with an Insider Risk Management practice
Insider threats are top-of-mind for security professionals for good reasons. Insider Risk — the potential for data exposure by employees and partners — is everywhere in your company, and even the most prominent organizations suffer from data breaches caused by insiders.
Part of the reason Insider Risk is so common is because legacy DLP software has a siloed view of data movement, missing dozens of threatening use cases.
Implementing a security practice like Insider Risk Management that monitors all data activity — not just what a company has deemed potentially suspicious — can help you contain data leaks without disrupting employee productivity.
See why Insider Risk Management is the fastest-growing category in Data Protection and Security by downloading Gartner’s IRM Market Guide.
