Insider Threat

What is an Insider Threat?

An insider threat is a security risk that originates within an organization. Insider threat actors include current employees, consultants, former employees, business partners, and board members, that is, anyone who holds or once held legitimate access to the organization's systems and data.

The 2019 Verizon Data Breach Investigations Report found that 34 percent of data breaches involved internal actors. According to the 2019 Varonis Data Risk Report, 17 percent of all sensitive files in a company are accessible to every employee.

Key Takeaways

  • An insider threat originates within an organization
  • An insider can be a current employee, consultant, former employee, business partner, or board member
  • 34 percent of all data breaches involve insiders
  • On average, 17 percent of an organization's sensitive files are accessible to every employee
  • Insider threat actors range from turncloaks and lone wolves, who deliberately abuse their access, to pawns and goofs, whose mistakes or disregard for policy open the door to an attack

34 Percent of Data Breaches Involve Insiders

These statistics show that insiders have the capabilities, motivations, and privileges needed to cause a data breach. In the 2019 SANS report on advanced threats, security practitioners identified significant gaps in insider threat defense caused by a lack of visibility into typical user behavior. The report also revealed weaknesses in privileged user account management.

Types of Insider Threats

There are different types of insider threats, including:

  • Turncloaks – a turncloak is an employee or contractor who maliciously steals confidential information. The insider has legitimate access to company networks and systems but abuses that access for fun or financial gain. Turncloaks may also act as collaborators, cooperating with competitors, nation-states, or hacktivists to breach systems and steal information.
  • Pawns – a typical employee can make a mistake that attackers exploit to steal sensitive information. A pawn is a well-meaning insider who unintentionally aids a data breach, usually by being manipulated or tricked by an outside attacker.
  • Goofs – these insiders take deliberate and potentially harmful actions without malicious intent. Goofs are employees who, through ignorance or arrogance, operate without following security policies. Goofs account for roughly 90 percent of insider threat incidents.
  • Lone wolves – these independent insiders act maliciously without external influence. Lone wolves with privileged access are especially dangerous. A classic example is Edward Snowden, who used his skills and privileged access to leak sensitive information from the NSA.

Previous Examples of Insider Threats

Some of the previous insider threats include:

Detecting Insider Threats

Various behaviors suggest the presence of an insider threat. Some indicators of insider threats include:

  • An employee downloading or accessing unusually large amounts of data
  • An insider accessing sensitive information that is unrelated to their job function
  • Personnel accessing data outside their established behavioral profile (unusual hours, locations, or systems)
  • Use of unauthorized or external storage devices such as USB drives
  • Data hoarding – copying files from confidential folders to locations under the user's control
  • Sharing sensitive information with external parties through email
  • Attempts to bypass or disable security controls
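The indicators above map naturally to detection rules run over an access log. The following is an added example and not code from the original page: it scores a constructed log of file and mail events against simple versions of each indicator, flagging bulk volume relative to a per-user baseline, sensitive data accessed outside the user's department, off-hours activity, copies to removable media, and mail to non-corporate addresses. The event schema, thresholds, corporate domain, and all sample events and baselines are assumptions made for illustration.

```python
"""Rule-based insider-threat indicator detection over a constructed access log.

Added example, not code from the original page. The log format, field names,
thresholds and the sample events below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

CORP_DOMAIN = "example.com"   # assumed corporate mail domain
BULK_FACTOR = 5               # flag a user whose daily volume exceeds 5x their baseline
WORK_HOURS = range(7, 20)     # 07:00-19:59 treated as the normal working window


@dataclass(frozen=True)
class Event:
    ts: str          # ISO-8601 timestamp
    user: str
    dept: str        # department of the acting user
    action: str      # read | copy | email
    resource: str
    owner_dept: str  # department that owns the resource
    label: str       # data classification: internal | sensitive
    nbytes: int
    target: str      # copy destination or mail recipient, empty otherwise


# Constructed sample events: one normal finance analyst, one engineer who reads
# HR salary data late at night, copies it to USB and mails it to a personal address.
EVENTS = [Event(*row) for row in [
    ("2024-03-04T09:12:00", "alice", "finance", "read", "/finance/q1-forecast.xlsx", "finance", "sensitive", 120_000, ""),
    ("2024-03-04T09:40:00", "alice", "finance", "read", "/finance/payroll.csv", "finance", "sensitive", 80_000, ""),
    ("2024-03-04T10:05:00", "bob", "engineering", "read", "/eng/design-notes.md", "engineering", "internal", 40_000, ""),
    ("2024-03-04T22:30:00", "bob", "engineering", "read", "/hr/salaries-2024.xlsx", "hr", "sensitive", 2_000_000, ""),
    ("2024-03-04T22:35:00", "bob", "engineering", "copy", "/hr/salaries-2024.xlsx", "hr", "sensitive", 2_000_000, "usb:SanDisk"),
    ("2024-03-04T22:41:00", "bob", "engineering", "email", "/hr/salaries-2024.xlsx", "hr", "sensitive", 2_000_000, "bob.personal@gmail.example"),
    ("2024-03-04T11:00:00", "carol", "sales", "read", "/sales/pipeline.csv", "sales", "internal", 500_000, ""),
]]

# Constructed per-user baselines: typical daily bytes read or copied, learned from a prior period.
BASELINE_BYTES = {"alice": 150_000, "bob": 60_000, "carol": 400_000}


def per_event_rules(e):
    """Yield (rule, detail) pairs for indicators visible in a single event."""
    hour = datetime.fromisoformat(e.ts).hour
    if e.label == "sensitive" and e.owner_dept != e.dept:
        yield "sensitive_outside_function", f"{e.dept} user accessed {e.owner_dept} data: {e.resource}"
    if hour not in WORK_HOURS:
        yield "off_hours", f"activity at {e.ts[11:16]}"
    if e.action == "copy" and e.target.startswith("usb:"):
        yield "removable_media", f"copied {e.resource} to {e.target}"
    if e.action == "email" and e.target.rsplit("@", 1)[-1].lower() != CORP_DOMAIN:
        yield "external_email", f"sent {e.resource} to {e.target}"


def detect(events, baselines):
    """Return a list of alerts; the volume rule aggregates across all of a user's events."""
    alerts = []
    volume = defaultdict(int)
    for e in events:
        for rule, detail in per_event_rules(e):
            alerts.append({"user": e.user, "rule": rule, "detail": detail})
        if e.action in ("read", "copy"):
            volume[e.user] += e.nbytes
    for user, total in volume.items():
        base = baselines.get(user)
        # No baseline means an unprofiled user: treat as anomalous rather than silently allow.
        if base is None or total > BULK_FACTOR * base:
            alerts.append({"user": user, "rule": "bulk_volume", "detail": f"{total} bytes vs baseline {base}"})
    return alerts


def rules_by_user(alerts):
    """Collapse alerts into the set of distinct rules each user tripped (a crude risk score)."""
    out = defaultdict(set)
    for a in alerts:
        out[a["user"]].add(a["rule"])
    return dict(out)


if __name__ == "__main__":
    for a in detect(EVENTS, BASELINE_BYTES):
        print(f"{a['user']:6} {a['rule']:28} {a['detail']}")
```

Each rule alone produces noise (late-night work, a legitimate cross-team request), so the useful signal is the number of distinct indicators a single user trips in one window; in the sample data only one user trips more than none. A real deployment would learn the hour and volume baselines from history per user and peer group rather than hard-coding them.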

Preventing Insider Threats

Traditional perimeter security measures are not effective at detecting or preventing insider threats, because the insider is already inside the perimeter with valid credentials. You can employ the following measures to counter insider threats:

  • Monitor emails, files, and other activities on systems
  • Inventory all locations that hold sensitive files and who can reach them
  • Update access control policy to determine and manage user access to company data
  • Implement a least privilege model
  • Install a tool to collect, monitor, analyze, and detect abnormal behaviors
  • Conduct user awareness training to educate employees to avoid mistakes that lead to cyberattacks
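Three of the measures above (inventorying where sensitive files live, updating the access control policy, and implementing least privilege) can be expressed as a small default-deny policy plus two audits. The following is an added example, not code from the original page: it defines roles as sets of (path prefix, permission) grants, answers access requests with default deny, lists sensitive files that every user can read (the over-exposure the Varonis figure describes), and lists grants a user holds but never exercised in a constructed access log, which are the candidates for revocation under least privilege. The roles, users, file paths and log entries are all assumptions for illustration.

```python
"""Default-deny role-based access check with least-privilege and exposure audits.

Added example, not code from the original page. Roles, users, paths and the
access log are constructed for illustration.
"""

# Role -> set of (resource path prefix, permission) grants.
# "all-staff" is held by everyone; note it opens /hr/policies/ to every user.
ROLE_GRANTS = {
    "finance-analyst": {("/finance/", "read"), ("/finance/", "write"), ("/hr/", "read")},
    "engineer": {("/eng/", "read"), ("/eng/", "write")},
    "all-staff": {("/public/", "read"), ("/hr/policies/", "read")},
}
USER_ROLES = {
    "alice": {"finance-analyst", "all-staff"},
    "bob": {"engineer", "all-staff"},
    "carol": {"all-staff"},
}

# Constructed inventory of sensitive files; one has been misplaced under a folder open to all staff.
SENSITIVE_FILES = [
    "/finance/payroll.csv",
    "/hr/salaries-2024.xlsx",
    "/hr/policies/salaries-2024-draft.xlsx",
]

# Constructed 90-day access log: (user, resource, permission exercised).
ACCESS_LOG = [
    ("alice", "/finance/q1-forecast.xlsx", "read"),
    ("alice", "/finance/q1-forecast.xlsx", "write"),
    ("bob", "/eng/design-notes.md", "read"),
]


def grants_for(user):
    """All (prefix, permission) grants a user holds through their roles."""
    held = set()
    for role in USER_ROLES.get(user, ()):
        held |= ROLE_GRANTS.get(role, set())
    return held


def is_allowed(user, resource, perm):
    """Default deny: allow only if some held grant matches the permission and a prefix of the path."""
    return any(p == perm and resource.startswith(prefix) for prefix, p in grants_for(user))


def overexposed_sensitive_files(files):
    """Sensitive files that every known user can read, i.e. effectively open to the whole company."""
    return [f for f in files if all(is_allowed(u, f, "read") for u in USER_ROLES)]


def unused_grants(user, log):
    """Grants the user holds but never exercised in the log window: least-privilege revocation candidates."""
    held = grants_for(user)
    used = {
        (prefix, perm) for prefix, perm in held
        if any(u == user and p == perm and res.startswith(prefix) for u, res, p in log)
    }
    return held - used


if __name__ == "__main__":
    print("bob reads HR salaries:", is_allowed("bob", "/hr/salaries-2024.xlsx", "read"))
    print("open to everyone:", overexposed_sensitive_files(SENSITIVE_FILES))
    for user in USER_ROLES:
        print(user, "unused grants:", sorted(unused_grants(user, ACCESS_LOG)))
```

The exposure audit is what turns a file inventory into an action item: the misplaced draft under /hr/policies/ is readable by every user even though no individual role was granted HR salary data. The unused-grant audit is deliberately conservative; a grant that was never used in the window is a candidate for review, not an automatic revocation, since some privileges (break-glass access, quarterly tasks) are rarely exercised by design.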