Skip to content
Industry Insights

What Is An Insider Threat?

In today’s relentless cyber threat landscape, it’s easy for companies to spend an excessive amount of time, money and effort to protect themselves from external attacks. 

But, with the shift to remote and hybrid work environments, the worst threats might be sitting right in front of you, operating from the inside, risking the exposure of trade secrets, HR information, customer data and more.

With so many employees, vendors, partners and consultants with legitimate access to company systems, it’s easy for malicious or even unintentional leaks to happen under your company’s radar. 

So, in this guide, you’ll discover how to identify insider threats, how they occur and tips for defending your organization against them.

What is an insider threat?

An insider threat is a cyber security risk introduced by an individual with access to a company’s systems and data. Insider threats can arise from anyone with authorized access to a company’s underlying network and applications, such as employees, partners, vendors, interns, suppliers or contractors.

Not all insider threats are necessarily malicious. Some occur due to human error and some occur because an employee is just trying to work more efficiently with tech or apps they prefer.

Types of insider threats

While insider threats are tough to detect and prevent, you can start to mitigate them by understanding the different forms they take

Here’s a closer look at six typical types of insider threats:

1. Malicious insiders

Malicious insiders use their privileged access to commit fraud, intellectual property (IP) theft, sabotage or espionage. These insiders are motivated by money, personal or other negative reasons and may operate in a team or on their own. 

One specific type of malicious insider, a lone wolf, operates alone, often having proximity to a company’s sensitive systems like networks or databases, allowing them to expose HR records, passwords and more. 

2. Inside agents

Inside agents are employees or partners who work on behalf of an external group to carry out a data breach or other attack. These types of insider threats can be a pawn or a mole

Pawns are not aware they’re acting as insider agents because they’ve fallen victim to a phishing or social engineering scheme. With the data that this inside agent provides, an external actor can then wreak havoc with the proper credentials, banking information or classified information. 

A mole is an imposter who has gained access to internal systems, posing as an employee, partner, vendor, or contractor. Sometimes moles offer insiders compensation for letting them into the network to steal trade secrets, customer data and more, or they coerce them through blackmail.

3. Security evaders

Modern companies have security policies designed to safeguard their data, customers’ data and employees. However, workers can find these protections inconvenient, leading them to create workarounds that increase the chances of a cyberattack. Even transferring company files to a personal laptop can relinquish some of an organization’s control over that data, opening the doors to theft.

For example, an employee could bypass restrictions on data sharing by saving files to a personal cloud drive. This workaround can destroy an organization’s visibility and control over its data and leave it open to compromise (intentional or otherwise).

4. Negligent workers

Not all insider threats stem from spiteful intent or from a desire to get a leg up in the next job. Sometimes employees fail to recognize threats or unintentionally expose data simply through error, using options that are more efficient or unwittingly participating in hackers’ scams.

Some negligent workers are goofs一employees who purposely disregard a company’s security procedures but harbor no malicious intent. They may be careless and lose a work device that gets compromised, accidentally download malware or even let a family member use their machine一a much more common incident in hybrid workforces where employees use their computers at all hours, not just in the office.

Want to learn more about how workforce volatility has affected data exposure? Download the Code42 Annual Data Exposure Report.

5. Departing employees

Some employees don’t leave on good terms, and even when they do, it’s natural to stockpile data during uncertain times or to take materials you’re proud of to get a leg up in your next job. 

Departing employees might send a list of prospects, strategy slides, or lines of code they’ve written to personal email addresses or commit a brand of code to their personal code repository via Git. They’ll likely do this in the 90 days before submitting their notice. Hence, paying particular attention to a departing employee once you know they’re leaving is only helpful in the case of layoffs, furloughs and organizational change.

Additionally, disgruntled former employees who can still log into applications or know how to circumvent company security might steal and expose sensitive data out of revenge.

6. Third-party partners

Many companies’ third-party partners, suppliers, or consultants have permission to use company platforms, and 72% of the time, these workers have elevated permissions

Unfortunately, this means that third-party players pose the same risks as employees with the same level of access, whether they’re being malicious or not. Something as simple as emailing a client’s files to a personal computer means that an organization can no longer track how someone uses that file or who has access to it—making the risk that it falls into the wrong hands very challenging to mitigate.

How to detect insider threats

With so many ways for insider threats to arise, the best way to detect and ultimately deflect them is to look for consistent data movement and digital signals.

Data movement and digital signals

Insider threat actors can leave a trail of activities or characteristics that suggest corporate data is at a higher risk of exposure or exfiltration. While each of the below indicators may be benign on its own, a combination of them can increase the priority of data loss events—making it clearer that there’s an insider threat occurring:

  • Zip file exfiltration
  • Attachment sent via ProtonMail
  • Corporate data movement to personal versions of approved applications
  • Accessing information that isn’t relevant to their job function
  • Spikes in outbound data exfiltration attempts 
  • Airdrop transfers
  • Renaming files where the file extension doesn’t match the content

Keeping an eye on these signals can help security teams spot unusual activity and stop insider threats before they turn into a breach. 

Some cyber security vendors might suggest monitoring employee behavior—particularly for actions showing that they’re disgruntled or dissatisfied—to detect an insider threat, but this is often unproductive.

Why monitoring behavioral indicators alone is ineffective

Looking at employee behavior approaches the problem from the wrong angle. If you check for employees doing something different or strange and then look for something terrible that happened to data, your position of inherent distrust often delivers false positives and breeds resentment among employees. When Security and Employees are adversaries, building a more secure culture becomes an uphill battle. 

Instead, if you monitor all data, see when it moves to untrusted locations, and then respond appropriately to the event’s severity and data type that someone moved, you take employee intention out of the equation. You won’t harass employees who might be doing their job perfectly well—just later at night because of a sick kid. And, just as significantly, you’re following up on a few actual risk signals instead of every anomalous behavior.

How to protect against insider threats

While upper management and security teams can certainly watch out for digital and behavioral indicators, that shouldn’t be a company’s only protection method. 

Instead, they should approach their insider threat program from three perspectives: establishing normal user behavior, identifying and protecting critical assets and mitigating risk.

Create a baseline of trusted activity

You need to know what trusted activities are before you can spot risky data access movement. Your optimal cyber security software will have built-in features that establish and infer a baseline of trusted data access activity to use as a comparison when tracking everyday data movement. 

The activity of interest might be authentication methods, access times and VPN logs. Your cyber security system should alert security teams when anomalies appear so they can review and determine whether the irregularities are, in fact, potential insider threats.

Monitor all of your data and its movement

You may have heard of protecting your most critical assets, but it’s easier and more efficient to treat all data as essential and monitor its movement accordingly. 

Inadvertent data exposure occurs up to 34 times per user every day, so protecting all data as if it’s critical helps minimize the risk of accidentally moving sensitive information and creating a situation for IP theft.

Ensure employees know that monitoring data movement to untrusted locations isn’t the same as surveillance. Instead of tracking keystrokes, taking pictures of screens, watching performance or other invasive activities, a company monitoring the data it owns is in the interest of employees and the company since it protects innovation and competitive edge.

Manage insider threat by addressing risk

The 2022 Data Exposure Report by Code42 found that 73% of senior business leaders, senior cyber security leaders and practitioners found Insider Risk to be a big problem within their organizations. Insider Risk is data exposure that jeopardizes the well-being of an organization and its employees, customers or partners.

Instead of looking for a needle in a haystack and that one person who’s an insider threat, consider implementing an Insider Risk Management (IRM) strategy—monitoring activities that place sensitive information at risk. This approach prepares you to respond to any potential data breach, regardless of the intent behind it.

Executing IRM isn’t about surveilling employees or waiting for them to slip up. It’s about monitoring data changes and movement, looking for risk indicators and prioritizing that risk. Based on the priority, you can take action quickly to contain damage and prevent a breach. 

The quickest way to discover Insider Risks is with the assistance of intelligent software. Unlike humans, AI-based tools can continuously monitor a company’s systems and bring risks that you may not even notice to light. The best platforms scan all systems for vulnerabilities, empowering security teams to patch them quickly.

Examples of insider threats

Insider threats might seem alarming in theory, but they’re even more dangerous in real-life. Here are a few examples of insider threats:

  • In 2019, McAfee sued three former employees for stealing company data. Although the company is a “leader” in data loss prevention, they didn’t realize that the former employees stole critical data until months after they did it. And even then, they couldn’t determine what they took or how much.  

  • In 2020, Stradis Healthcare let go of employee Christopher Dobbins who then, acting in revenge, penetrated the company’s network. Once he was in, he gave himself admin access and edited or deleted over 120,000 records, delaying PPE shipments for months.

These are just three examples of real insider threats that happen every year, causing severe financial and reputational damage.

Elevate your insider threat protection with Insider Risk Management (IRM)

From harming a company’s reputation with customers to stripping them of funding to exposing proprietary innovations, insider threats can have devastating consequences. 

For companies with security policies that try to prevent insider threats, these guidelines can only guess which users pose a threat to an organization’s data and tend to focus on malicious activities. In contrast, IRM prioritizes action to protect the data that’s at risk of compromise, monitoring for untrusted actions regardless of intent.

Code42’s Incydr is an IRM solution that detects file exfiltration via Airdrop, cloud apps, web browsers, USB, email, file link sharing and more, giving security teams a birds-eye view into files shared across or outside your organization. 

Incydr also prioritizes file activity based on 120+ contextual Incydr Risk Indicators (IRIs), ensuring that security teams only spend time looking at risks that matter. And with out-of-the-box workflows and integrations, your staff can immediately initiate response controls without hindering employee collaboration and productivity. 

Find out more about managing Insider Risks to deflect insider threats by reading The Three “T”s That Define An Insider Risk Management Program.