Mitigating against an insider threat

In today’s relentless cyber threat landscape, it’s easy for companies to spend an excessive amount of time, money and effort to protect themselves from external attacks. But, with the shift to remote and hybrid work environments, the worst threats are sometimes internal. With so many employees, vendors, partners and consultants with legitimate access to company systems, it’s easy for malicious or even unintentional leaks to happen under your company’s radar. Discover how to identify insider threats, how they occur and tips for defending your organization against them below.

What is an insider threat?
An insider threat is a cyber security risk introduced by an individual with access to a company’s systems and data. Insider threats can arise from anyone with authorized access to a company’s underlying network and applications, such as employees, partners, vendors, interns, suppliers or contractors. Not all insider threats are necessarily malicious. Some occur due to human error and some occur because an employee is just trying to work more efficiently with tech or apps they prefer.

Types of insider threats
While insider threats are tough to detect and prevent, you can start to mitigate them by understanding the different forms they take.

1. Malicious insiders
Malicious insiders use their privileged access to commit fraud, intellectual property (IP) theft, sabotage, or espionage. Lone-wolf actors, operating alone, often have proximity to a company’s sensitive systems such as networks or databases, allowing them to expose HR records, passwords and more.

2. Inside agents
Inside agents are employees or partners who work on behalf of an external group to carry out a data breach or other attack. These types of insider threats can be a pawn or a mole.
• Pawns are not aware they’re acting as insider agents because they’ve fallen victim to a phishing or social engineering scheme.
• A mole, on the other hand, is an imposter who has gained access to internal systems, posing as an employee, partner, vendor, or contractor.

3. Security evaders
Modern companies have security policies designed to safeguard their data, customers’ data and employees. However, workers can find these protections inconvenient, leading them to create workarounds that increase the chances of a cyberattack.

4. Negligent workers
Not all insider threats stem from spiteful intent. Sometimes employees fail to recognize threats or unintentionally expose data simply through error, by choosing tools or shortcuts that are more convenient, or by unwittingly taking part in hackers’ scams. They may be careless and lose a work device that is then compromised, or accidentally download malware.

5. Departing employees
Some employees don’t leave on good terms, and even those who do may be tempted to stockpile data during an uncertain period. Departing employees might send a list of prospects, strategy slides, or lines of code they’ve written to personal email addresses. Additionally, disgruntled former employees who can still log into applications, or who know how to circumvent company security, might steal and expose sensitive data out of revenge.

6. Third-party partners
Many companies’ third-party partners, suppliers, or consultants have permission to use company platforms, and 72% of the time, these workers have elevated permissions. Unfortunately, this means that third-party players pose the same risks as employees with the same level of access, whether they’re being malicious or not.

Examples of insider threats
Insider threats might seem alarming in theory, but they’re even more dangerous in real life.
• In 2019, McAfee sued three former employees for stealing company data. Although the company is a “leader” in data loss prevention, it didn’t realize that the former employees had stolen critical data until months afterwards, and even then it couldn’t determine what they took or how much.
• In 2020, Stradis Healthcare let go of employee Christopher Dobbins who then, acting in revenge, penetrated the company’s network. Once he was in, he gave himself admin access and edited or deleted over 120,000 records, delaying PPE shipments for months.
• In 2020, former Google executive Anthony Scott Levandowski stole trade secrets from the company’s self-driving car department and took them to his new job at Uber. Levandowski admitted that Google may have lost up to $1,500,000 due to his theft.

How to protect against insider threats
While upper management and security teams can certainly watch out for digital and behavioural indicators, that shouldn’t be a company’s only protection method. Instead, they should approach their insider threat program from three perspectives: establishing normal user behaviours, identifying and protecting critical assets, and mitigating risk.
• Perform enterprise-wide risk assessments. Clearly document and consistently enforce policies and controls.
• Establish physical security in the work environment.
• Implement security software and appliances.
• Implement strict password and account management policies and practices.
• Monitor and control remote access from all endpoints, including mobile devices.
• Harden network perimeter security.
• Enable surveillance.
• Enforce separation of duties and least privilege.
• Recycle your old hardware and documentation properly.
• Use a log correlation engine or security information and event management system to log, monitor and audit employee actions.
• Implement secure backup, archiving and recovery processes.
• Identify risky actors and respond promptly to suspicious behaviour.
• Configure alerting on all critical systems and events, and ensure the alerts warn you through multiple channels.
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
• Develop a comprehensive employee termination procedure.
• Include insider threat awareness in periodic security training for all employees.
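The logging, monitoring and alerting items above translate into concrete detection rules. The following is an added example (not code from Priavo or from the article) in Python that runs four simple rules over a constructed audit log: activity from an account HR has already marked as terminated, an account granting itself an admin role, a departing user mailing an attachment to a non-corporate domain, and cumulative bulk record deletion. The log format, user lists, domain list and threshold are all assumptions for the example.

```python
from collections import Counter

# Constructed sample audit events (not from the article).
# Format: timestamp actor action target detail
AUDIT_LOG = """\
2024-05-01T09:02:11 jdoe login workstation-12 ok
2024-05-01T09:10:45 jdoe role_grant jdoe admin
2024-05-01T09:12:03 jdoe record_delete orders 400
2024-05-01T09:13:30 jdoe record_delete orders 700
2024-05-01T10:05:00 asmith email_send gmail.com attachment=pipeline.xlsx
2024-05-01T11:40:12 bwong login vpn ok
2024-05-01T11:41:00 bwong email_send corp.example attachment=agenda.docx
"""

# Constructed HR status data (assumed feed from the offboarding process).
TERMINATED = {"bwong": "2024-04-15"}   # access should already be revoked after this date
DEPARTING = {"asmith"}                 # serving notice; watch for data leaving the company
CORP_DOMAINS = {"corp.example"}
BULK_DELETE_THRESHOLD = 1000           # assumed per-actor record deletion limit

def parse(line):
    ts, actor, action, target, detail = line.split(" ", 4)
    return {"ts": ts, "actor": actor, "action": action, "target": target, "detail": detail}

def detect(log_text):
    """Return (rule_name, actor) alerts for the insider patterns described in the article."""
    alerts = []
    deletes = Counter()
    for line in log_text.strip().splitlines():
        ev = parse(line)
        a = ev["actor"]
        # Rule 1: any activity from an account HR marked terminated (offboarding gap)
        if a in TERMINATED and ev["ts"][:10] > TERMINATED[a]:
            alerts.append(("terminated_account_active", a))
        # Rule 2: an account grants itself an admin role
        if ev["action"] == "role_grant" and ev["target"] == a and ev["detail"] == "admin":
            alerts.append(("self_granted_admin", a))
        # Rule 3: a departing user mails an attachment to a non-corporate domain
        if (ev["action"] == "email_send" and a in DEPARTING
                and ev["target"] not in CORP_DOMAINS and "attachment=" in ev["detail"]):
            alerts.append(("departing_user_external_attachment", a))
        # Rule 4: cumulative deletions cross the threshold (alert once per actor)
        if ev["action"] == "record_delete":
            before = deletes[a]
            deletes[a] += int(ev["detail"])
            if before <= BULK_DELETE_THRESHOLD < deletes[a]:
                alerts.append(("bulk_record_deletion", a))
    return alerts
```

In a real deployment the HR status sets would be fed from the termination procedure and the alerts routed to the multiple channels the list above recommends.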

How can we help?
At Priavo Security we provide comprehensive advice on every aspect of security, from corporate operations, commercial risk and foreign investment to organisational resilience, executive protection and travel risk management. We aim to minimise the compromise of sensitive information by identifying the cyber assets most critical to you, evaluating their susceptibility to threats and vulnerabilities, and identifying existing and potential gaps in your infrastructure. We then work with organisations to implement our recommendations effectively, prioritising and aligning measures against tailored business risk profiles.

Contact our team at or call +44 (0) 20 7315 4221.
