Insider Threats

How to tackle insider threats

The three types of insider threat

Insider threats are a huge challenge for most organisations. Insider threats can do much more damage than outside threats so it is essential that your company develops a comprehensive security system to protect against insider threats. While most companies have adequate processes in place to protect themselves against outside threats, they often lack a system that protects the company’s assets against its own employees.

“On average, organizations will take more than two months to contain an insider incident. Whether through malice, negligence, or error” 2)

What are the intended objectives of insider attack? Typically, one of three areas:

  1. Financial theft
  2. Intellectual property theft (e.g. customer lists or confidential data)
  3. System sabotage (e.g. ransomware, malware or data deletion)

Ponemon’s 2022 report1) states that 60% of organisations experience more than 21 insider threat incidents annually, up from 53% in 2018. Incredibly this survey was taken before COVID-19 and it has been widely reported in the industry that this figure is probably much higher now – growing rapidly in terms of both incidents and costs.

Organisations are now dealing with a massive shift to remote working, with the vast majority at home. Due to the speed of the shift, many employees have had minimal awareness training. Remote working is also driving new regulations within industry sectors, countries and regions.

“Not every insider risk becomes an insider threat; however, every insider threat started as an insider risk.” 2) 

If your organisation is yet to implement insider risk management, or an insider threat strategy, there are some effective ways your organisation can address this challenge. Firstly, we need to understand the three main categories of insider threats, these are:

  1. Compromised insiders. For example, the employee gets infected with ransomware from clicking a malicious link in a phishing email, or from credential leaks.
  2. Malicious insiders. One of an organisation’s current or former employees, contractors, or trusted business partners who misuses their authorised access to critical assets.
  3. Accidental insiders. Perhaps tricked by an external attacker (vishing), or simply accidently sending that file when they didn’t truly know all the contents.

Compromised insiders accounted for 18% of incidents over a 12-month period, while malicious insiders accounted for 26% of incidents, but the majority of incidents related to accidental insiders, at 56%.1)

5 steps to prevent insider threats

We could break this out into more areas, but for starters here are 5 steps to help prevent insider threats:

  1. Security Policy

One of the best ways to prevent insider threats is to include comprehensive procedures in your security policy to prevent and detect misuse. Your policy should also contain guidelines for conducting insider misuse investigations.

  1. Physical Security and Perimeter Security

Prevent insider theft by physically keeping employees away from your critical infrastructure. Give your employees a place to lock up their sensitive information and isolate high-value systems. Implement two-factor verification systems or even biometric authentication to verify employees are not using other employee’s key cards.

  1. Use Multi-factor Authentication

Many employees use weak passwords to access data and password hacking technology is now very advanced. The financial gains are high for hackers to access sensitive information. You must implement strong, multi-factor authentication measures to extremely sensitive applications within your organisation. This will make it much more difficult for an unauthorised user to access sensitive data.

  1. Securing Hardware and Services

It is often a huge challenge to lock down desktops, servers, and cloud services across the entire organisation. You can’t just depend on your employees to be as responsible as they should be. It is essential to get the appropriate balance between securing the information but allowing employees to perform their job functions – ensuring data is being used appropriately. Utilising an appropriate tool that covers all these areas is key – it’s not just about blocking USB use, certain apps and cloud services, but looking at tools that allow flexible policy mapping between different users within the organisation.

  1. Monitor and Investigate Unusual Activities

Another benefit to deploying an effective tool is the ability to monitor employees directly. A lot of companies are too busy looking for outside threats and just rely on perimeter tools and services. For this reason, any time there is unusual activity happening on your organisation’s LAN, it is very beneficial for you to investigate. However, please ensure you familiarise yourself with the monitoring laws in your region to ensure you stay within the boundaries permitted.

“The reality is that insiders have an advantage over an external attacker — they know where the data exists and how to get it.” 2)

By implementing a comprehensive security policy and utilising insider threat detection techniques with effective tools, you will help protect your organisation’s sensitive information more effectively. Effective tools must allow you to:

  • Classify data, and secure based on risk levels
  • Monitor data at rest, in motion, and in use (ideally with encryption)

If your organisation has yet to implement a security policy that covers insider threats and outside threats, your employees could be violating your trust and stealing highly sensitive information. This could not only cost your organisation financially, but also damage reputation and be in breach of governance and compliance regulations.

If you want to find out more about these ‘5 steps to prevent insider threats’ and how we can help, please get in touch with us at SecurEnvoy.


Sources used:  

  • 2022 Ponemon “Cost of Insider Threats Global Report”
  • 2021 (December) Gartner “The Rule of 3 for Proactive Insider Risk Management”

Published: 19 October 2022

Category: Industry News

Data Classification / Data Control / Insider Threat Protection / MFA / Remote Working

Sean Hanford

Sean Hanford, Principal Pre-Sales Consultant SecurEnvoy

Sean is an expert in information management and data-centric security solutions - governance, archiving, eDiscovery, compliance, risk, data loss prevention, data analysis and behavioural analytics. A strong consultative sales professional working directly with enterprise and smb customers, alliance partners and resellers for over 20 years.

Multi-Factor Authentication



Any user. Any device.

For companies that take authentication seriously.

Learn more about SecurEnvoy MFA
Cyber Security Blog

Hear more from
our security

Sign-up today

What to read next...