What is an Insider Threat?

An insider threat is an organizational threat, malicious or negligent, that comes from anyone who has authorized access to internal data or computer systems. These threats are often malicious but can also arise out of negligence. Insider threats can be employees, contractors or third party vendors that take or exfiltrate data.

Learn how you can protect all data from insider threats including workflows and how to get insider threat program buy-in from leadership. Download the eBook 

The Usual Suspects

  • Malicious insiders. Employees or anyone granted internal access who abuses their authority with the intent of causing damage to an organization is a malicious insider threat. For example, a former Google engineer took self-driving-car technology from the company shortly before he joined Uber's efforts to catch up in the high-stakes race to build robotic vehicles.
  • Negligent insiders. People who don’t have malicious intent but put their organizations at risk through inadvertent errors or simply disregarding IT policies are negligent insiders. An example of a negligent insider includes a data analyst working for the Department of Veterans Affairs who downloaded the personal data of 26.5 million US military veterans to their laptop. The analyst’s home was burglarized and the laptop was stolen.

Common insider threats

Departing employees

Departing employees account for more than half of all insider threat incidents. Two thirds professionals openly admit to taking data with them when they leave an organization.

Mergers & Acquisitions participants

Rumors of Mergers & Acquisitions commonly lead employees to begin preparing for the worst, pulling together files and data to help them land a new job. This also opens up and organization to risk through third party vendors used during the M&A process. 

Internal re-orgs

Non-voluntary employee changes and departures have an even higher risk of data loss, leak, theft, or worse—destruction or deletion.

High level access

Anyone that has access to source code, customer lists, internal strategy and planning documents or any other data that could cause damage if leaked to outside parties.

Personal cloud usage

It is all too common that employees are using their personal cloud accounts to transfer and store sensitive company data.

Unsecured physical drives

Unencrypted USB and external hard drives are often used to transport information while traveling.

Needlessly carrying sensitive information

Many employees store far more data locally than they need for their day to day job and expose it to theft.

Leaving devices unattended

It can take hackers as little as 7 seconds to gain access to that laptop you left at your table while you went to the bathroom.

2020 Data Exposure Report

36% of workers believe that the increased emphasis on file-sharing has made them more complacent about data security. Learn why insider threat programs have failed to keep pace with today's collaborative work cultures.


Why are insider threats on the rise?

Data portability. Personal cloud, removable media, bluetooth, airdrop, the list goes on but the reality is that data is more portable than ever. Many organizations attempt to prevent data loss or leaks through blocking. The reality is that there are simply too many vectors to cover, not enough people to cover them, and as a result data still gets out. 

How do you stop insider threats from taking data?

Develop an insider threat programEvery organization needs to have a comprehensive insider threat program that outlines what happens when a threat is identified. Many organizations rely on technology alone to solve the problem and fail to implement a program. Any tool or technology is only as good as how it is implemented and used. 


  1. Get executive buy-in: Don’t fight this battle on your own. Getting definitive buy-in from leadership is the first and most critical step in defining your security and IT team.
  2. Identify and engage your stakeholders: Identify and engage line-of-business leaders such as, HR, legal and other IT leaders as key stakeholders.
  3. Know what data is most valuable: All data has value, but it’s essential to understand the different types of unstructured data to keep a close eye on.
  4. Think like an insider: Why would they want to move or take information — and what would they ultimately want to do with it? What tactics or blind spots might they exploit to do it? What workarounds could they use to get work done? 
  5. Define insider triggers: Start by focusing on the most common data exfiltration scenarios. Departing employees and high-risk workers are a great place to start. 
  6. Establish consistent workflows: Exceptions and workarounds are the Achilles heel of insider threat programs. Make sure you clearly define the workflow for each trigger — and consistently execute and improve the steps you establish.
  7. Create rules of engagement: It’s important to define what happens once a workflow has been triggered and potential data exfiltration identified. Your rules of engagement separate security and IT from any enforcement responsibilities. This allows them to focus on monitoring, detection and remediation.
  8. Leverage existing security and IT teams — and train your stakeholders: Because you’ve honed your insider threat program down to a few key workflows, your existing security and IT teams should be able to handle the monitoring and detection responsibilities. But security and IT teams don’t have to shoulder the full burden. It’s also critical that all stakeholders (the HR, legal, line-of-business managers, etc.) be trained so they understand the full scope of the insider threat program.
  9. Be transparent in communication: Transparency is critical for building a healthy culture that values security. Employees should understand that your program is applied universally and without privileges or exceptions — and they should understand how the program is designed to support their productivity while protecting the business.
  10. Implement true monitoring, detection and response technology: True monitoring, detection and response technology must be continuously running, providing historical context and complete visibility into all data activity. This enables your insider threat team to quickly and effectively see the full picture — and protect all data at all times.

How to Build an Effective Insider Threat Program

This quick list will help your team brainstorm how to get an insider threat program off the ground. For some security teams, this can be an intimidating process — but this is a great place to start.


Implement an insider threat solution

Choose a solution that enables your organization to detect, respond and investigate insider threats. Here are the four things to look for in any insider threat solution:

Continuously monitor file activity to detect risk

Track creation, modification and movement of files

Easily identify suspicious behavior

Set up alerts for file activity based on user, data exfiltration vector and file count or size

Quickly investigate insider threats

Respond immediately by searching comprehensive file details including file hash, owner, path, size, and category alongside device information such as hostname and IP address

Access and recover files in seconds

Quickly access file contents to determine their sensitivity and value

Join more than 50,000 organizations using Code42 products

Get faster detection and response to data loss caused by insider threats.