What Is An Insider Threat and How Do You Deal With It?

As a business owner, it’s hard to think that your growing team of trusted employees, contractors and business associates could ever become an insider threat to your organisation but the threat is real and it’s costing the average business $513,000. 34% of data breaches in the 2019 Verizon Data Breach Investigations Report involve internal actors. The average time to detect an insider threat stands at 197 days with an additional 69 days needed to contain it.

The truth is, as a business grows and the data inside it becomes more valuable, users with access to sensitive material become more of a risk to your organisation. And management of those users becomes more vital.

Business owners and CEOs shouldn’t have to live in fear and need to delegate so they can grow their business - that is why insider threat management is vital to a growing digitised business.


insider threats pie security

Table of Contents
    Add a header to begin generating the table of contents

    Examples of Insider Threats

    Insider threats come in three forms;

    • Malicious insiders - people who take advantage of their internal access to seek out harm or damage to an organisation.
    • Negligent insiders - people who make errors or disregard policies that lead to risk for the organisation.
    • Infiltrators - external actors that obtain legitimate access credentials without authorisation.



    In 2013, Target was the victim of a major credit card data breach. Their third-party vendor had taken critical credentials outside of their intended use case, which then allowed hackers to gain access to a customer database and install malware on the system. Hackers were able to steal names, phone numbers, email addresses, payment card details, credit card verification codes and more.



    The UK-based accounting firm Sage was a target of an insider threat attack in 2016 when an employee used unauthorised credentials to access and steal private customer information including bank accounts and salaries.



    In this example of insider threats, Boeing was a target of a nation state attack when an employee who had been working at Boeing from 1979 to 2006 was stealing hundreds of documents relating to military craft and handing them over to the Chinese government.


    Anthem Insurance

    The largest for profit managed healthcare company in the United States suffered an insider threat attack when an employee managed to email a file containing Anthem customers Medicare ID numbers, social security numbers, health plan numbers, names and date of enrolment to his own personal email address.



    SunTrust bank was a victim of insider threat in 2018 when an employee had stolen names, addresses, phone numbers, and account balances of some 1.5 million of its clients.



    An employee of Coca-Cola was found in 2017 to be in possession of a hard drive containing data on 8,000 Coca-Cola employees.

    Why Do Insider Threats Occur?

    As you can see from the examples above, insider threats occur for a number of reasons and all types and sizes of organisations can be at risk. Not all insider threats are movie-style nation state attacks like that of Boeing, some are simply employees or ex-employees using their access to take information for their own benefit.

    For organisations, these data breaches come under GDPR laws and require reporting, often leading to a loss of reputation and regulatory fines. In addition, any and all data is up for grabs, we often think of customer data as our most sensitive but as in the case of the Coca-Cola data breach, sometimes, employee data is stolen too.

    Malicious insiders may seek financial gain, competitive edge when leaving a company, or to fulfil a grudge.


    According to Tessian, 45% of U.S. employees admit to downloading, saving, or sending work-related documents to their personal accounts before leaving or after being dismissed from a job.

    A negligent insider is just an average employee who made a mistake. An employee can send sensitive information to the wrong person, send company data home to their personal email address to work over the weekend, fall victim to a phishing scam or lose their work device.

    How to Stop an Insider Threat?

    Because insider threats are so diverse, they take a multi-layered IT Security strategy to solve them. A strategy for combatting insider threats must be fully embraced by C-Suite executives and trickled down to employees. Policies must be enforced and IT Security teams must be given time and resources to attentively set up policies, monitor networks and investigate flagged alerts.

    Stop Insider Threats With Security Awareness Training

    Security awareness training deals mostly with negligent insiders but may reduce the likelihood of an infiltrator and malicious insider. Many employees start their experience within a company by getting training in the systems, processes, health and safety and HR but companies are often late to implement cyber security training.

    At any and all sizes, your organisations should have, at the very least, a basic cyber security awareness training programme to give new and existing employees an understanding of how to detect cyber threats and what the consequences would be if they consistently fail to do so.

    An additional option is to implement phishing awareness training and send fake phishing emails to employers and use this as a teaching moment for employees who consistently fall for them. Everyone else in your organisation will be aware that any email could be a test and they would stay alert at all times. A great additional tool to your toolbox.

    Stop Insider Threats With Identity and Access Management

    Another step to reducing the likelihood of an insider threat is good identity and access management. Small organisations in particular, are using multiple cloud SaaS services to conduct their day to day business activities but how many actually have a picture in their mind of who has access to what information? Can you be sure that employee access is revoked as soon as they leave an organisation?

    Depending on the sensitivity of the information in your organisation, you should have a plan in place for when an employee leaves and when they’re dismissed. I’m personally not a fan of long notices and would suggest, where possible, if an employee gives a month notice, they’re paid that month but not asked to work it. This means that processes and responsibilities will have to be managed properly in advance, to ensure a smooth handover.

    Privileged Access Management (PAM) ensures that employees are only given access to the data they need and that access can be easily revoked when they leave or are dismissed. A good PAM solution can cover all SaaS applications within your organisation and gives you a good picture of who has access to what but it does need to be managed by someone who is a super user. A super user should be a trusted and well vetted person in the organisation.

    Policies should be in place which explain how someone goes about getting approval to get access to information, how that access is given, how and why it can be revoked etc. These policies make sure that everyone has a clear guide to sensitive data in your organisation and that there’s ownership if mistakes are made.

    Stop Insider Threats With Secure Devices

    You can’t stop insider threats if you allow employees to work on their personal devices. Not being able to monitor a personal device means that employees can fall for phishing scams, take home company data, potentially leave everything on a device without a password and keep data after they leave.

    If your employees work from home, they should be using corporate devices to conduct this work. Policies should be in place to ensure that no information is sent to personal email addresses and IT admins can securely manage and monitor the activity on a corporate device.

    Corporate devices come with additional security features such as the ability to enable two-factor authentication (such as through biometrics or ID cards). Lost computers are far less likely to be cracked and any data on the devices can be monitored as it moves around the corporate network.

    Stop Insider Threats With Email Security

    With most insider threats taking place via email, one of the most important defences for insider threats is good email security tools. There are various features of an email security suite which can be explored to fend off various types of insider threat.


    Email identity verification

    To reduce the threat of negligent insiders falling for phishing scams, companies should ensure that all emails coming from internal and external domains are monitored. SPF and DKIM policies (which I write more about in this blog) can require that emails received from unverified IP addresses are quarantined as suspicious.

    Finally, S/MIME can be used as a tool for employees to check the identity of an internal sender since only people with certificates installed on their devices are able to sign corporate emails. Digital signatures and how they work are explained more in this post (link).


    Data loss prevention

    Data loss prevention tools allow organisations to manage and monitor sensitive data leaving the organisation’s email server. A very useful tool to monitor and engage with employees who are maliciously or accidentally sending sensitive information outside of the organisation. It does this by, for example, monitoring emails for words like “password” or strings of numbers that look like credit card information and immediately alerting management. It can also prevent these emails from leaving or automatically encrypt emails based on the companies policies created when setting up the tools.


    URL Scanning

    DLP scans outgoing emails for sensitive data to prevent data leaving. URL scanning prevents employees from clicking on a link containing malware or going to phishing sites to enter sensitive company information. All email security tools should come with at least the ability to scan incoming emails and check link domains against blacklists.


    Email security gateway tools

    Finally, another tool to help reduce the likelihood of phishing is the use of email security gateways. A gateway is a server that sits between the sender and your organisations email server. The tool decrypts, reads and scans email before sending them to your organisations network, putting any emails in a quarantine that may look suspicious and protecting your corporate network from anything malicious.

    Email security gateways like Pie Security often include features like Data Loss Prevention, URL Scanning, S/MIME, encryption and archiving. They often come fully compliant with local data protection regulations and are easy and simple to install. For smaller businesses with small IT teams and a need for security, email gateways can be a lifesaver.


    To learn more about Pie Security features, feel free to contact us to get a demo for free.