SecurityTrails Blog · Aug 18 · by Sara Jelen

Insider Threats in Cybersecurity: The Enemy Comes From Within


People, process, and technology are the pillars of cybersecurity. And while people are every organization's best asset, they are also its biggest weakness. Security technology continuously evolves to counter emerging security threats and new techniques, but there is one threat that can't be thwarted by merely employing new tools and processes. The biggest security threats of today are not the result of malicious attackers, advanced persistent threats, or malware. They come from within.

Let's also consider the current shift taking place in many organizations: working remotely is all the rage right now. And with more and more team members working from home, more devices are accessing your network, along with new technologies and tools being utilized to make at-home-offices function properly.

This blurs the lines between the personal and professional use of devices. We also have to deal with the cloud, malicious attackers at the ready, and the tectonic changes in so many companies' organizational structures. All of this points to a very real and potentially dangerous threat.

According to a recent study by Verizon, 57% of all data breaches were attributed to insider threats within an organization. While outside forces, malicious attackers, ransomware, DDoS and other types of cybercrime are external threats organizations need to watch and prepare for, letting your guard down in the current threat landscape doesn't cut it for organizations who want to be cyber resilient. And just as we said in our article on Zero Trust security, you should trust no one. Even if you believe in your employees and team members, your biggest enemy might be sitting at the table right next to you.

What are insider threats?

Insider threats are security risks. Specifically, the term refers to scenarios where anyone connected to the inner workings of an organization has authorized access to internal systems and networks, and misuses that access to willingly or unwillingly reveal, modify, or remove sensitive data.

Insider threats are particularly dangerous because, as we can see from the report cited above, they're the main reason behind many data breaches. They can also go undetected for months or even years.

Why are they so hard to detect? Because when someone already has access to sensitive information, it's almost impossible to distinguish whether they're engaging with it in a malicious way or not. And if you have a tech-savvy employee working with that data, covering their tracks isn't hard for them to do.

There are different motivations behind an insider attack, and they can vary with the type of "insider" involved. It could be revenge, exacted by a disgruntled employee. It happens; a lot of people have left companies on bad terms and might even wish them harm, and some of them would actually act on it. It could be financial gain, because information is power. Access to sensitive data like customer and employee information, financial data, or even an organization's security practices can be worth a lot to crackers. And we can't forget about cyber espionage: actors working for outside organizations and competitors can infiltrate your organization and carry out attacks to obtain classified information without you suspecting a thing.

There's one more motivation, and it's tied directly to human nature. It's accidental and unintentional, and when you're dealing with a range of humans from employees to third-party vendors, it might be the hardest one to prevent: a moment of carelessness, which can lead to a security breach.

The 5 types of insider threats

Regardless of motivation, insider threats are a huge risk to all organizations. But by examining different types of motivations, we can recognize different types of insider threats and situations.

1. Negligent employees

While it might be tempting to blame malicious insiders lurking on your premises and finding ways to steal information, the most common insider threats are simply careless and negligent employees. They might've found the cybersecurity awareness training unstimulating and skipped important lessons, or they could have momentarily lost their focus and clicked on a wrong link. They might have forgotten a certain security policy, failed to enable 2FA or MFA when asked, or simply stored sensitive data on their private cloud or personal device. Any of these can lead to a data breach: sometimes even the employee who normally adheres to all security practices can cause you extensive loss.

This is where the "trust no one" philosophy really matters, regardless of whether they're inside or outside your organization.

2. Inside agents

While they're the rarest form of insider threat, inside agents who steal sensitive data or intellectual property out of revenge or for financial gain (sometimes aligned with external forces) are among the most dangerous.

They can range from employees recruited by cyber criminals with promises of financial gain to hacktivists who believe they're doing "the right thing" by exposing business practices they consider harmful (has anyone watched the TV series "Enlightened"?). One thing, however, rings true for every inside agent: they're extremely difficult to detect, and can compromise an organization's most valuable information. After all, they know exactly where to look.

3. Disgruntled employees

We've all had some bad jobs, and left the position with a bad taste in our mouth. And even if your imagination runs wild with wanting to expose the company and show everyone how "bad" they are, most of us wouldn't act on it. There are, however, some who would, who aren't afraid to cross the line from feeling disgruntled all the way to carrying out a cyber crime.

Disgruntled employees can be frustrated by not getting that raise they were hoping for, and act in frustration without specific theft goals in mind. Others count on insufficient policies around access management for terminated employees, and others have already hatched a plan for the harm they'll do the moment they give, or receive, notice.

Whatever the reason, human nature can be unpredictable, even if you think you know your employees.

4. Malicious attackers

While both inside agents and disgruntled employees act in a malicious way, we can differentiate them from truly malicious actors. These insider threats have access to the organization's internal systems and networks and will use their existing privileges to access sensitive and valuable information for their own gain. With actual malicious intent, they'll abuse credentials, install backdoors and malware, sell an organization's private data on the black market, or even simply leak it to the public.

But what makes them really dangerous, which can also be said for many types of insider threats, is that they are often well-versed in existing security policies and practices. They may even be familiar with security vulnerabilities in the organization's security infrastructure.

5. Third party vendors

Mergers and acquisitions is a branch of corporate strategy whose value continues to rise. Consequently, there have been many high-level security breaches that have occurred during M&As, showing us that when it comes to security policies and due diligence, companies in a merger or acquisition may have to think beyond their own.

The process is highly attractive to attackers because the number of parties only doubles the potential attack surface. And even if all goes well, having a number of third party suppliers and vendors opens you up for trouble down the line. Bad security practices, negligence, or even malicious intent can lead to supply chain attacks that can harm organizations, as vendors often already have access to private information and business data.


Top 5 insider threat indicators

We've mentioned that what makes insider threats so dangerous is that they're hard to detect, and while it's important to not trust anyone, no one wants to go around doubting their employees and team members. But knowing what to look for can do away with a lot of unnecessary paranoia and boost awareness.

We've grouped insider threat indicators into five groups:

1. Unusual access requests

Unusual access requests can come from an authorized employee trying to access something out of curiosity and test the limits. Or they can come from an authorized employee with malicious intent, wanting to access data or servers and aiming to modify or destroy data. Some requests may even come from unauthorized users, eager to gain access without permission. Any of these activities are a clue that something might be happening just under the surface.

Watch for unusual activity such as access to areas of the network or data outside of the usual permissions and job role needs, access at unusual times during weekends and after hours, repeated and failed attempted access, and the like.

2. Attempts to expand user privileges

Identity and access management policies determine which individuals have access to different company resources. These roles need to be strictly defined to avoid the abuse of privileges. Individuals with administrative roles and high asset and system access can cause many losses to the organization, merely because of their access to data that someone with malicious intent could find a way to compromise.

Another insider threat indicator is an increase in the number of people gaining escalated access to sensitive data and normally inaccessible areas. Having access to these areas of the organization's IT ecosystem gives the perpetrators access to data that can be used for financial gain, shared with competitors, or destroyed in an act of frustration. Anyone who wants to cause harm can gain access and stay under the radar with seemingly authorized privileges.

3. Data storing and downloading

Before insider threats can execute the attack, they need to download and store information on different channels. Some of the threat indicators for data storing can include unusual and increased bandwidth usage, and the downloading of large amounts of data for later access from outside the network. While some teams might consider this type of behaviour normal, it's important to follow any newly emerged data download patterns that involve individuals whose roles don't usually engage in this way. It can indicate an insider threat.

4. Data transmission to outside channels

Besides data storing and downloading for viewing outside of the network, insider threat perpetrators will also try to transfer files and data to outside channels for later access. This can include bringing in unauthorized physical storage media such as USB drives or CD burners that will be used to transmit data. Another insider threat indicator of data transmission is the sending of emails from the company to others outside of the organization. These recipients can include those who are clearly not clients, partners or third party vendors and are unusual and unexplainable in the context of an individual's particular role.

And were you aware that fax machines are still a major security risk? While also quite valid as an attack vector for other types of cyber threats, fax machines can be used to transmit sensitive information. Any unusual or unauthorized fax use is a good insider threat indicator.

5. Unusual and alarming behaviour

In this group of insider threat indicators, we list all the unusual behaviours exhibited by individuals that could be a cause for alarm:

  • Exhibiting behavior that repeatedly violates security policies
  • Exhibiting sudden personal financial changes without explanation
  • Repeatedly performing job activities outside of their normal scope of work
  • Decline in work performance, but also
  • Being overly enthusiastic about their work
  • Sudden behavioral changes to other team members
  • Quitting out of the blue
  • Communication and relation with known competitors

Detecting an insider threat

While we have said that insider threats are hard to detect, nothing is impossible, once you start with awareness. Many tend to dismiss the signs of an insider threat, choosing to direct most of their resources toward detecting and battling external threats. But now that you're armed with knowledge about insider threats, including indicators that "one of your own" might be after your critical assets, time you spend looking for them can truly pay off.

Remember that they're invisible to traditional security solutions like firewalls and intrusion detection systems, which focus on external threats. If an attacker exploits an authorized login, the security mechanisms in place may not identify the abnormal behavior. Moreover, malicious insiders can avoid detection more easily if they're familiar with an organization's security measures.

To protect all your assets, you should diversify your insider threat detection strategy instead of relying on a single solution. An effective insider threat detection system combines several tools to not only monitor insider behaviour, but also filter through the large number of alerts and eliminate false positives. Consider the following:

  • Security awareness - The first step toward battling any threat is being aware of its possibility. Awareness also applies to your critical and sensitive data and assets, their location, user access to it, and more. With awareness, we can continue to build on our insider threat detection capabilities.

  • Watching for indicators of compromise - The good news is that we have just now shown you the top five insider threat indicators, meaning you're on the right path.

  • Monitoring access to sensitive information - Awareness of your sensitive information and where it's located should be paired with monitoring access to it. Some roles will require more access to critical assets than others, so it's important to monitor whether any users without authorized access are trying to reach them.

  • Detecting repeated failed logins - When insider threats are trying to access areas or sensitive data without authorization, their repeated login attempts should be monitored and detected. You may require a tool that shows account activity, failed logins and their origin, as well as the data they were trying to access, date, time, and the cause of the failed login.

  • Controlling user access - Besides monitoring user access and their login activity, it's also important to enforce strong policies that control user access. Controlling user access and having enforcements on accessing accounts is an important security layer for both external and internal threats. Here we can see that 2FA and MFA are crucial, as well as strong password policies requiring frequent password changes, the use of complex passwords, and utilizing the best password managers available to prevent users from storing their credentials in unsafe areas.

  • Log management - Know what is going on inside your network. Log management will provide visibility on all applications, systems, traffic and every activity conducted in your IT environment. Having a log monitoring solution that will automatically log all movement within your system will allow you to stop any changes or unusual behaviours.
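As a sketch of how several of these checks can run over one access log, the following added example (not part of the original article) flags outside-role access, off-hours access, repeated failed logins, and unusually large daily downloads. The log format, role map, thresholds, and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy values (assumptions; real ones come from IAM and HR data).
ROLE_RESOURCES = {"engineer": {"git", "ci"}, "hr": {"hr-db"}}
WORK_HOURS = range(8, 19)                  # 08:00-18:59, Monday to Friday
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=10)
VOLUME_FACTOR = 10                         # alert at 10x a user's usual daily bytes
BASELINE_BYTES = {"alice": 5_000_000, "bob": 1_000_000}

# Constructed sample log: timestamp user role resource outcome bytes
SAMPLE_LOG = """\
2024-03-04T10:15:00 alice engineer git ok 2000000
2024-03-04T11:00:00 bob hr hr-db ok 500000
2024-03-04T14:02:00 alice engineer hr-db fail 0
2024-03-04T14:03:00 alice engineer hr-db fail 0
2024-03-04T14:05:00 alice engineer hr-db fail 0
2024-03-05T23:40:00 bob hr hr-db ok 90000000
2024-03-09T13:00:00 carol engineer ci ok 1000
"""

def parse(log):
    """Yield (timestamp, user, role, resource, outcome, bytes) per line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, role, resource, outcome, size = line.split()
        yield datetime.fromisoformat(ts), user, role, resource, outcome, int(size)

def detect(events, baseline=BASELINE_BYTES):
    """Return {user: set of indicator names} for time-ordered events."""
    alerts = defaultdict(set)
    fails = defaultdict(deque)             # recent failure times per user
    daily = defaultdict(int)               # bytes per (user, date)
    for ts, user, role, resource, outcome, size in events:
        # Indicator: access outside what the job role needs.
        if resource not in ROLE_RESOURCES.get(role, set()):
            alerts[user].add("outside-role")
        # Indicator: weekend or after-hours access.
        if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
            alerts[user].add("off-hours")
        if outcome == "fail":
            # Indicator: repeated failed attempts inside a sliding window.
            recent = fails[user]
            recent.append(ts)
            while ts - recent[0] > FAIL_WINDOW:
                recent.popleft()
            if len(recent) >= FAIL_LIMIT:
                alerts[user].add("repeated-failures")
        else:
            # Indicator: daily volume far above the user's own baseline.
            daily[user, ts.date()] += size
            usual = baseline.get(user)
            if usual and daily[user, ts.date()] > VOLUME_FACTOR * usual:
                alerts[user].add("bulk-download")
    return dict(alerts)

if __name__ == "__main__":
    for user, indicators in sorted(detect(parse(SAMPLE_LOG)).items()):
        print(user, sorted(indicators))
```

Each indicator on its own produces false positives (the weekend build job, the engineer on call), so in practice the per-user sets are used to rank accounts for review rather than to block them.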

Popular insider threat examples

If you're still not convinced of the very real dangers of insider threats, let's take a look at some of the more popular security breaches they've caused:

  • Tesla: Insider data theft. In January 2020, Tesla filed a lawsuit against a former employee after they found that the actor made changes to company source code and exported proprietary data to third parties. In an email sent to employees by Tesla CEO Elon Musk, it was reported that the internal threat actor had conducted extensive sabotage and shared data outside of the organization, including numerous confidential photographs and videos of Tesla's manufacturing systems and process. This case has been linked to the "disgruntled employee" type of insider threat, as Musk claimed that the perpetrator acted in revenge over a promotion he did not receive. Because this insider threat incident took place recently and was highly publicized, it put the spotlight back on the dangers of insider threats.

  • Coca-Cola: Former employee and a hard drive. It was reported that in May 2018, Coca-Cola announced that they were facing an insider threat in the form of a former employee who was found with a personal hard drive containing employee information. The course of action looked like this: after departing from Coca-Cola, the insider threat uploaded various data on their coworkers to an external private hard drive, which they took with them outside of the company. This data theft impacted 8,000 Coca-Cola employees.

  • Apple: Leaver insider threat. During April 2018, one of Apple's former employees traveled to China, and upon his return to the company, announced that he would be departing from Apple to join their competitor in China, Xmotors. The insider threat perpetrator was what's called a "leaver", someone who conducts malicious activity upon leaving a company. It didn't help that the leaver was a privileged user, meaning they had access to trade secrets about Apple's self-driving car program that Xmotors intended to steal. The actor was caught, and this insider threat incident served to show just how dangerous it is when an insider threat and a privileged user are one and the same.

  • Target: Third-party vendor trouble. This highly publicized data breach affected more than 41 million of Target's customer payment card accounts. In November 2013, retail giant Target suffered a credit card data breach caused by a third-party vendor. Cybercriminals gained access to Target's computer gateway through credentials that were stolen from a third-party vendor, and with those credentials, they were able to capture names, phone numbers, emails, payment card numbers, and other sensitive data on Target's customers.

  • RSA: Insider threat caused by user negligence. Phishing has always been a dominant security threat, even when it comes to one of the most highly regarded security vendors around. In March 2011, RSA faced an insider threat when two cybercriminal groups launched phishing attacks at RSA employees, posing as trusted coworkers. Employees who fell victim to these phishing attempts allowed access to cybercriminals, who in turn were able to compromise SecurID authentication tokens. This goes to show how even the simplest social engineering attacks can wreak havoc on organizations.

Insider threat management and response plan

Executive buy-in

When creating an insider threat management and response plan, you need senior leadership buy-in. This is the first and most crucial thing you must take on when developing policies and engaging your security team.

Zero Trust

Sensitive data in the wrong hands can be the Achilles heel of many organizations. One of the best ways to limit exposure to insider threats who abuse privileges and gain unauthorized access to sensitive data is to employ Zero Trust, along with all the technologies behind it, and a policy of least privilege—meaning individuals will have access limited to only those resources they need for their regular activities and nothing more.

Cybersecurity culture

Fostering a healthy and engaging cybersecurity culture in an organization should never be taken lightly. Because tools and solutions can't completely eliminate social engineering attacks and phishing emails that prey on human psychology, it's important to implement ample security awareness training, phishing simulations, and the like.

Identify and protect critical assets

All data has inherent value to its organization, but it's important to classify the different types of data and their value, or more accurately—their sensitivity. Identifying critical assets, their location, user access to them following least privilege, and maintaining proper defenses is crucial in avoiding insider threats.

Using SIEM - security information and event management

In order to track all user behaviour and identify patterns of suspicious behaviour, organizations turn to security information and event management, or SIEM. This assemblage of tools will collect, correlate, analyze, report and alert you to suspicious user activity, helping you identify insider threats before they cause real damage.


We hope that our in-depth analysis of insider threats has turned your attention to just how real and dangerous these threats are. While we've offered insider threat indicators and tips on how to detect and prevent insider threats, the truth is that the threat of insider attackers is an expected part of human nature, as with social engineering attacks.

In the phrase "people, process, and technology" the word "people" comes first, because in cybersecurity, there is always a possibility that even your favorite coworker, the one who really loves his job, is your biggest threat. We all need to learn the characteristics of insider threats and be prepared for when they happen, not wonder if they'll happen.
