What are insider threats? Definitions, threat types, and prevention guide

19th January 2022

There’s a massive misconception in cyber security. Chances are, when you picture a cyber attack, you imagine some shadowy bad guy or gal intricately orchestrating their criminal masterwork from afar; watching the digital chaos unfold across an unsuspecting organisation through tented fingers.

Yes, these external boogey-persons do exist. But cyber threats can come from within your organisation too. Sometimes it’s as simple as a team member innocently clicking on a malicious link, letting a vulnerability into your network. But sometimes – rarely, but sometimes – it’s someone on the inside purposefully causing a cyber-threat, actively looking to do your organisation harm.

Both types of “insider threat” can cause your company serious damage. In fact, insiders – with their internal access to company resources – can be more damaging than external vectors.

Let’s investigate how – like in horror films – the most dangerous call can come from inside the house.

What is an Insider Threat?

Insider threats refer to cyber risks posed to an organisation by those “inside” it – i.e., its employees, contractors, volunteers, former team members, and associates – who have an insider’s access to, and knowledge of, internal systems and data. Though as we’ll explore below, these threats aren’t always a result of malice.

Types of insider threats

Malicious Insider Threats – Malicious insider threats occur when an insider purposefully acts to cause harm to their organisation by deliberately stealing, destroying, sharing, or sabotaging valuable data or business functions. This can be done out of spite towards the organisation, for personal gain, or simple apathy; sometimes a mixture of all three.

Negligent Insider Threats – Negligent insider threats occur by accident or as a result of poor cyber training. The insider culprit wasn’t trying to do the company harm, they just slipped up or didn’t realise their activity was harmful.

What sort of threats do insiders pose?

Data theft

This one is pretty much what it says on the tin – where a nefarious actor steals data in order to sell it on, leak it, or use it in a future role. Direct data theft by an insider is obviously a malicious act, yet negligent or ignorant internal data practices can leave your data vulnerable.

If you think that your seemingly innocuous email marketing lists or HR databases don’t have a market, then think again. There’s someone out there who will pay top dollar for even the most innocent-seeming data.

Intellectual property theft

IP theft is where the insider steals designs, plans, trade secrets, or proprietary ideas in order to leak them, sell them, use them as a bargaining chip, or for corporate espionage.

When stolen directly, this is obviously a deliberate, malicious act. Yet negligent workers could render a piece of intellectual property less secure or respond to a spear phishing email with highly sensitive information.


This is where a user purposefully destroys data or systems. This can also include “temporary” sabotage like obfuscating access or ransomware encryption. Direct sabotage is usually carried out with intense malice, though deletion or ransomware infections can happen by accident.

Alteration of data

This is where incorrect alterations are made to important data without being corrected. Yes, it can happen by accident – but it can also be a sign of someone trying to cover their tracks after carrying out espionage, embezzlement, or just causing chaos and confusion.

How common are insider threats?

Exact definitions of the term “insider threat” can vary so pinpointing exact data can be tricky. What we do know is that, in 2020, 68% of organisations surveyed by Cybersecurity Insiders felt that insider attacks have become more frequent over the previous 12 months. 98% of respondents to their 2021 survey felt vulnerable to insider attacks in some way.

We hypothesise that negligent insider threats are more common than malicious ones. Honest mistakes happen more frequently than vendettas, after all! Data from WatchGuard subsidiary Panda Security seems to bear this out, with 62% of insider incidents happening through negligence (though strangely, this figure doesn’t seem to include credential theft).

How to Defend Against Insider Threats

Invest in Data Loss Prevention (DLP) tools

Data Loss Prevention tools are designed to prevent potential data breaches by monitoring access to and usage of sensitive data. They’re essential, but they aren’t the only thing you should rely on to save your bacon.

DLP protection can be achieved in two ways. The first is to install Data Loss Prevention software on each endpoint device, (PCs, servers, laptops, etc.) within a network. This software will monitor user interactions with sensitive data and will prevent them from sharing anything too sensitive or doing so in a way that is insecure or against policy. For example, DLP software may prevent a user from moving an essential spreadsheet to a pen drive or copying sensitive data into an instant messaging tool. DLP functionality can also feature on firewalls, providing network-wide monitoring and protection. This serves as an essential safety net for the network but it doesn’t provide the same granular data monitoring and control as endpoint monitoring solutions.

Explore network security monitoring

IBM’s 2021 Cost of a Data Breach report revealed that it took organisations 287 days on average, the better part of a year, to identify and contain a data breach. So, it’s important to keep an eye on what’s going on within your network – or better still, give the job to an expert.

Effective, constant network security monitoring will undoubtedly unearth issues far earlier, usually leaving less of a mess to clean up. If you don’t have the budget or capacity for in-house IT security personnel, network security monitoring is thankfully easy to outsource.

Good cyber-awareness training

Cyber-awareness training is far more than just making people aware of the cyber and data risks out there. Training is an ongoing endeavour that should seek to embed good cyber-habits over time so doing the right thing becomes second nature. Though one-off cyber-training workshops are a great investment, they simply aren’t enough on their own.

Any organisation’s cyber-training “curriculum” shouldn’t just focus on mitigating risks. Devise and communicate a proper data security classification system with clear guidance about what data needs to be kept private, what can be shared with certain parties, and what data you can be an open book with.

Though you need to give your team a clear idea of what they can and can’t do with data, it may be a mistake to share the complete ins and outs of your DLP and monitoring policies. If that information got into the wrong hands, it could be used against you to deliberately skirt those defences.

Create a cyber-aware company

This is much bigger than simply putting on a bit of training every so often. Weaving a new strand into your company culture isn’t an easy task; you have to get your team’s hearts and minds on board to truly enact change.

Cyber-culture-building should start as soon as someone joins your organisation and shouldn’t cease until they leave – regardless of role or seniority. From day one, your team should be equipped with the knowledge and skills to fully embody your cyber, data, and IT policies in everything they do – that even goes for those who don’t use IT particularly closely.

Training is great, but ongoing training is even better. Yet carving out half a day for training every 3-6 months can be tricky and besides, hearing the same old messaging time and time again can eventually fall on deaf ears. Mock phishing emails can be sent out to your entire team to both establish how susceptible they are to phishing threats and to keep your team’s guard high.

Those who fail the test can be flagged for further training, leaving those who pass the test free to continue their work. This can embed a bit more cynicism towards unsolicited emails; nobody wants to be the one who causes a cyber incident, but nobody wants to be called in for further training either!

You could even establish a culture of blame-free reporting. This is where staff are encouraged to report any suspicious internal data or IT usage to an IT-savvy individual. This individual should have the authority to approach the parties involved and remind them of the rules without blame or judgement. But stay aware that any systems that involve “dobbing someone in” can be open to abuse.

Principle of Least Privilege (PoLP) and Segregation of Duties (SoD)

These are two concepts that can help you drastically reduce the prospect of insider threats, especially malicious ones. The principle of least privilege (PoLP) is where you give every team member just enough access, information, or privileges in order to do their job and nothing more. This way, they can’t tinker with anything outside of their role – whether maliciously or accidentally.

Segregation of Duties (SoD) is a risk management principle that basically requires two or more people to agree or sign off on important tasks and deliverables. It’s used frequently in accounting fields but can be applied to anything with a bit of imagination – as long as you don’t create horrendous bottlenecks in the process!

Identify risky users

An essential exercise! If there is someone on your team who frequently forgets or flouts your data policies, remind them of your rules ASAP, as well as the damage that their transgressions could cause.

This doesn’t have to be done with an authoritarian style – just provide help and gentle reminders until it clicks. However if someone engages in ever more risky behaviour or seems to be deliberately rebelling, then that may be time to tighten the reins.

Prepare a proper termination procedure

What happens when team members leave your organisation? If they’re not leaving you by choice, in their shock and anger, they could cause deliberate harm to your systems. If you do ever have to give someone their marching orders with immediate effect, disable their logins, email, remote access, phone routing, and change any shared access credentials before they’re called in for “the talk”.

Obviously, a more nuanced approach will be needed if the team member has to work a notice period. So work with your HR team to devise IT termination procedures that legally, technologically, and practically protect your organisation from outgoing IT misuse. Relatively few people have a mean enough streak in them to do anything detrimental but it pays to have plans just in case.

Don’t forget physical security, too!

Cyber security isn’t just limited to cables and WiFi! Any kind of device can be destroyed, stolen, or tampered with, so physical access to devices and servers needs to be thought about too. Apply the principle of least privilege to physical access – for example, if your HR or Accounts team don’t need access to your server room, don’t let them have it!

Your staff should also regularly take stock of what IT should be present at their workstation or in communal areas. If, for example, a team member finds a new device plugged in somewhere, they should report it to IT immediately. It’s also useful to keep thorough, up to date records of what tech is in each team member’s care, especially if they work remotely.

Physical cyber-security also applies when someone leaves. Outgoing team members’ premises access cards and authentication devices/apps should be handed over, securely wiped, or destroyed before that person leaves.

Regular penetration testing and risk assessments

Penetration testing is a valuable cyber security service that actively hunts down security weaknesses in your networks and systems. “Pentesters” know all of the same tricks that the criminal hackers know but instead of exploiting any security flaws they find, they can help you patch them up.

But once you have your defences in place, don’t simply “set it and forget it”. Continually monitor your progress and strive for continuous improvements across security, functionality, and culture-building.

Have a plan for every eventuality

Granted, this can be a tricky one without a crystal ball! It can also be a demoralising exercise, thinking of every single thing that can go wrong… or at least not 100% to plan. So if you aren’t sure where to start – or what big red panic button to press in each eventuality – ask the friendly experts here at Just Cyber Security!

Our experts are on hand to help keep you safe, providing everything from security monitoring services, to cyber-awareness training, to penetration testing, to security consultancy.

Get started right away – book a call with one of our friendly boffins today, or ring 0808 1644414.

You’re in safe hands with our cyber security team