
Insider Threat: What is it and How Do You Manage it?


As businesses tighten their defences against cybercrime, hackers are turning their attention to your people as a way to ‘get inside’. In 2020, a Russian national linked to organised cybercrime attempted to launch a ransomware attack against Tesla by bribing one of its employees.

However, insider threats come in many forms, from malicious bribes, fraud and untrustworthy employees to poor staff conduct and weak authentication processes. Insider threat is one of the key concerns of security and compliance professionals in the modern workplace, and these risks can be hard to identify and costly to remediate.

This blog explores the different types of insider threat and what you can do to protect your business.

What is Insider Threat?

An insider threat is a security risk that originates from within an organisation. It typically involves a current or former employee, business associate or contractor with legitimate access to sensitive data or privileged accounts, who uses that access to view, share, modify or delete business assets and data they should not. An insider threat is not always intentional: a careless action can have the same effect as a deliberate one. Regardless of intent, the outcome is compromised confidentiality, integrity or availability of business information.

Insider threats account for a large share of data breaches across all industries, partly because most businesses focus their cybersecurity defences on external threats, leaving the organisation exposed to attacks from within. According to Security Intelligence, 40% of insider attacks involve an employee with privileged access to confidential company data. Businesses should assess and address insider threats with the same diligence they apply to securing the perimeter against external risks.

Why is it so Dangerous?

Your business runs on data. Some of that data contains mission-critical assets or sensitive information that only specific people should have access to. If that data is leaked, your business could face significant financial and reputational damage. So, how do you assess legitimate access and spot an insider threat before a breach can occur?

Detecting insider threat is no easy task, because distinguishing normal user activity from potentially malicious actions is hard. Insiders typically know where sensitive data lives within the business, and they often have elevated levels of access, so a breach caused by an insider can be significantly more costly than one caused by an external attacker. The larger the organisation, the larger the risk of insider incidents and the greater the remediation cost.

According to the Ponemon Institute’s 2022 Cost of Insider Threats Global Report, insider threats have increased in both frequency and cost over the past two years: the number of credential-theft incidents has almost doubled since 2020, 56% of incidents were due to negligence, and the average cost to remediate a single insider incident was nearly £500,000.

Examples of Insider Threats

Many cyberattacks take place each year, but the majority don’t make headlines. Several insider incidents have, however, stood out in recent years.

  • In 2020, the Information Commissioner’s Office (ICO) fined British Airways £20M over a 2018 breach that exposed the personal data of more than 400,000 people, its biggest fine to date.
  • In 2020, a former Google engineer was sentenced to 18 months in prison for stealing trade secrets from Google’s self-driving-car division before moving to Uber, his new employer.
  • In the 2019 Capital One data breach, a former Amazon engineer retrieved more than 100 million customer records, using their knowledge of Amazon EC2 to get past a misconfigured firewall in Capital One’s cloud environment.
  • In 2018, Facebook fired a security engineer for using information his position enabled him to access to stalk women online.
  • A 2017 US government report estimated that US companies were losing up to $600 billion per annum as the result of IP theft by China.

Types of Insider Threats

Current or former employees, business partners or contractors are all insiders that could pose a threat. But in reality, any person with the right level of access to your IT systems and applications could compromise business data.

However, not all insiders are alike; they vary greatly in motivation, awareness, access level and intent. Gartner and the Ponemon Institute group insider threats into four categories: pawn, goof, collaborator and lone wolf.

The Pawn – Unaware employees who are manipulated into enabling malicious activity, whether by clicking harmful links, downloading malware, or disclosing credentials to attackers through phishing or social engineering.

The Goof – Users who believe they are exempt from security practices and policies. Out of carelessness or convenience, they actively bypass security controls, leaving important data and resources unsecured and exposed and giving attackers easy access.

The Collaborator – Working with outsiders, collaborators abuse their access to steal intellectual property and private data or to disrupt business operations, usually for financial or personal gain.

The Lone Wolf – Independent and malicious, lone wolves act without external influence or manipulation, often for financial gain. They are especially dangerous when they hold elevated privileges, such as system or database administrators.

How Can You Manage Insider Threat?

The different types of insider threat present different symptoms for security teams to diagnose. By understanding the motivations behind each, your teams can take a more proactive approach to insider threat management.

Raise cybersecurity awareness

When was the last time you delivered cybersecurity training to your employees?

Security awareness should be a key priority for your business. It’s important not just to assess security and data protection measures across your organisation, but to evaluate how aware your employees are of security best practices, risks and controls. It’s essential to educate yourself and your staff on how to securely work, connect, and collaborate in the digital workplace.

Take a look at our security awareness blog, which provides tips on how to educate your workforce on information security and data protection best practices.

Enforce policies

Is accountability for insider threat clearly defined? Do people from operations, HR, IT, and security share responsibility for insider risk? 

To establish the right foundation for enforcement and to prevent ambiguity, it’s crucial that you define, document and apply your security policies. No employee, partner, or contractor should have any doubts about what acceptable user behaviour is. They should recognise the importance of security controls and access and not divulge privileged information to unauthorised people.

Create a baseline of normal user behaviour

Speak to your IT teams or partner about software that can help detect insider threats, such as privileged access management (PAM) and user and entity behaviour analytics (UEBA). These tools collect and log user activity, including access, authentication, account-change and VPN logs, then model that data and assign risk scores to events such as bulk downloads of private data or a user logging in from an unusual device, time or location.

User behaviour analytics can detect abnormal login attempts or repeated failed password attempts and raise an alert for an analyst to validate. Build a baseline of normal behaviour for each user and device; deviations from that baseline can then be flagged and investigated.
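The following is an added illustration of that baseline-and-deviation idea in Python; it is not code from the original post, from 848 Group or from any named product. The log format, the field names, the rule names and the scoring weights are all assumptions chosen to make the technique concrete, and the log lines are constructed sample data, not real records. It learns, per user, the devices, countries and login hours seen on successful logins, then scores new events against that profile and against a sliding window of failed logins.

```python
"""Baseline-and-deviation detection over authentication logs.

Added example for illustration only (not 848 Group or vendor code).
Log format, rule names and weights are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real logs). Assumed format per line:
# <ISO-8601 timestamp> <user> <event> <device> <country>
BASELINE_LOGS = """\
2024-03-04T09:02:11Z alice login_success laptop-a1 GB
2024-03-05T08:55:40Z alice login_success laptop-a1 GB
2024-03-06T09:10:03Z alice login_success laptop-a1 GB
2024-03-07T09:01:27Z alice login_success laptop-a1 GB
2024-03-08T08:58:19Z alice login_success laptop-a1 GB
2024-03-04T10:15:00Z bob login_success desktop-b7 GB
2024-03-05T10:20:12Z bob login_success desktop-b7 GB
2024-03-06T10:05:45Z bob login_success desktop-b7 GB
2024-03-07T10:11:09Z bob login_success desktop-b7 GB
2024-03-08T10:09:51Z bob login_success desktop-b7 GB
"""

# Constructed events to score: one normal login, one off-hours login from an
# unknown device abroad followed by a download, and a burst of failed logins
# that ends in a success.
NEW_EVENTS = """\
2024-03-11T09:03:00Z alice login_success laptop-a1 GB
2024-03-11T02:41:13Z alice login_success unknown-x9 RU
2024-03-11T02:41:20Z alice download unknown-x9 RU
2024-03-11T10:12:30Z bob login_failure desktop-b7 GB
2024-03-11T10:12:35Z bob login_failure desktop-b7 GB
2024-03-11T10:12:41Z bob login_failure desktop-b7 GB
2024-03-11T10:12:47Z bob login_failure desktop-b7 GB
2024-03-11T10:12:53Z bob login_failure desktop-b7 GB
2024-03-11T10:13:02Z bob login_success desktop-b7 GB
"""

# Assumed rule weights; tune against your own false-positive rate.
WEIGHTS = {
    "no_baseline": 30,               # user never seen in the baseline period
    "new_device": 40,
    "new_country": 40,
    "unusual_hour": 20,
    "download_off_baseline": 30,     # data access inside an already-anomalous session
    "failed_login_burst": 60,        # FAILURE_BURST failures within FAILURE_WINDOW_SECONDS
    "success_after_failure_burst": 50,
}
ALERT_THRESHOLD = 50
FAILURE_BURST = 5
FAILURE_WINDOW_SECONDS = 120


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, user, event, device, country = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "device": device, "country": country}


def build_baseline(log_text):
    """Learn, per user, the devices, countries and hours seen on successful logins."""
    baseline = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["event"] != "login_success":
            continue
        profile = baseline[ev["user"]]
        profile["devices"].add(ev["device"])
        profile["countries"].add(ev["country"])
        profile["hours"].add(ev["ts"].hour)
    return dict(baseline)


def hour_is_usual(hour, usual_hours):
    """True if within one hour (wrapping at midnight) of any baseline login hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in usual_hours)


def score_events(baseline, log_text):
    """Score each event against the baseline; return alerts at or above threshold."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent login failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        reasons = []
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons.append("no_baseline")
        else:
            if ev["device"] not in profile["devices"]:
                reasons.append("new_device")
            if ev["country"] not in profile["countries"]:
                reasons.append("new_country")
            if not hour_is_usual(ev["ts"].hour, profile["hours"]):
                reasons.append("unusual_hour")
        # Sliding window of failed logins per user (brute force / password spray).
        window = failures[ev["user"]]
        if ev["event"] == "login_failure":
            window.append(ev["ts"])
        window[:] = [t for t in window
                     if (ev["ts"] - t).total_seconds() <= FAILURE_WINDOW_SECONDS]
        if ev["event"] == "login_failure" and len(window) >= FAILURE_BURST:
            reasons.append("failed_login_burst")
        if ev["event"] == "login_success" and len(window) >= FAILURE_BURST:
            reasons.append("success_after_failure_burst")
        if ev["event"] == "download" and ("new_device" in reasons or "new_country" in reasons):
            reasons.append("download_off_baseline")
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                           "event": ev["event"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in score_events(build_baseline(BASELINE_LOGS), NEW_EVENTS):
        print(f"{a['ts']} {a['user']:<6} {a['event']:<14} score={a['score']:<4} {', '.join(a['reasons'])}")
```

Run as-is it raises four alerts: the off-hours login from an unknown device abroad, the download that follows it, the fifth failed login for bob within two minutes, and the success immediately after that burst. Note that the first alert for alice fires on the login itself, before any data is touched; in practice that alert and the baseline it relies on would be built from your PAM, identity-provider and VPN logs over weeks rather than five days, and the weights would be tuned per role so that administrators, who legitimately touch more systems, do not drown the analyst in noise.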

Adopt a Zero Trust approach

Embedding Zero Trust into your business culture can also help you proactively manage insider threats. Zero Trust begins with the assumption that your business is already compromised: every connection between users, devices and applications must be authenticated and authorised, every time, regardless of where it originates.

Securing the whole enterprise with Zero Trust is critical to preventing business disruption, especially in a world where many employees work remotely. A Zero Trust approach continually verifies users and can help reduce exposure in the event of a security breach. It helps to detect risks, and ultimately protect all employees and resources in the face of insider threats.

Work with a cybersecurity partner

The 848 Group is an IT Partner with a dedicated cybersecurity practice and diverse team of IT experts to secure and manage your IT systems, applications, and cloud environments.

We also work in partnership with Blacksmiths Group, a team of independent complex security specialists and deep technical experts with leading skills acquired in UK Government and industry. Together, we design and deliver tailored solutions, frameworks, and expertise that keep your organisation protected from evolving and sophisticated threats.

For more information, please get in touch with one of our experts today.