An organization's personnel represent one of the biggest threats to its security. Human error or negligence is usually the leading cause of data breaches in an organization. However, a malicious insider poses a much more serious threat, because they have both access and the intent to cause harm; they are typically the ones who provide initial access or the means to steal data. Compared to external threats such as hacker attacks, internal threats can have much more catastrophic consequences.

In this article, we'll introduce you to insider threat terminology, what types of insider threats exist, and how you can combat them to minimize the risk of a serious data breach.

What is an insider threat?

To understand what an insider threat is, we first need to know who or what an “insider” is. An insider threat is the potential for an insider to use their authorized access or knowledge of an organization to cause harm to that organization. However, it is important to understand that not all insider threats are malicious. While they all have the same potential to cause harm, some do so with intent, while others do so due to human error or negligence (we'll cover more about types of insider threats in future chapters). Even though the latter are not intentionally malicious, statistically they cause the majority of data breaches.

Insider threats can be difficult to detect. Whether through malice or simple negligence, current or former employees may use inside information regarding the organization's security practices, data and IT systems.

Mitigating insider threats requires a combination of endpoint and network visibility, as well as enterprise investigative technology to identify hidden risks before they can cause damage.

There are several types of insider threats:

  • Malicious Insider - An employee or contractor who intentionally attempts to steal information or disrupt operations. This could be an opportunist looking for information they can sell or that can help them in their career, or a disgruntled employee looking for ways to hurt the organization and punish or embarrass their employer. An example of malicious insiders is the group of Apple engineers who were accused of stealing self-driving car secrets for a Chinese company.
  • Sloppy Insider - An employee who does not follow proper IT procedures. For example, someone who leaves their computer without logging out, or an administrator who hasn't changed a default password or applied a security patch. An example of a negligent insider is the data analyst who, without permission, took home a hard drive containing the personal data of 26.5 million US military veterans; the drive was then stolen in a home burglary.
  • Compromised Insider - A typical example is an employee whose computer was infected with malware. This usually happens through phishing or clicking on links that cause malware to be downloaded. Compromised insider machines can be used by cybercriminals as a "home base" from which they scan file shares, escalate privileges, infect other systems, etc. An example is the recent Twitter hack, where attackers used a phone phishing attack to obtain employee credentials and gain access to the internal network. The attackers were able to learn about Twitter's processes and target employees with access to account support tools, then took over well-known accounts and spread a cryptocurrency scam that earned them $120,000.


How employees are compromised

There are several ways an employee can become a compromised insider:

Phishing - a cybercrime in which a target person is contacted via email or text message by someone posing as a legitimate entity to lure the person into providing sensitive data such as personally identifiable information (PII), banking and credit card information, and passwords. Some phishing schemes may also try to entice the target to click a link that triggers a malware download.

Malware infection - a cybercrime in which malicious software (malware) is installed on a computer. In the case of a compromised insider, the goal of the malware is to steal confidential information or user credentials. Malware infections can be initiated by clicking on a link, downloading a file, or connecting an infected USB drive, among other methods.

Credential theft - a cybercrime aimed at stealing the username and password - credentials - of the target person. Credential theft can be accomplished in a variety of ways. Phishing and malware infections mentioned above are common. Some criminals may use social engineering, which involves using deception to manipulate people into divulging their credentials. A fake IT help desk call, where the attacker asks the user to confirm their username and password, is a common method.

Pass-the-hash is a more advanced form of credential theft in which hashed (rather than plain-text) authentication credentials are intercepted on one computer and reused to gain access to other computers on the network. A pass-the-hash attack is very similar in concept to a password-stealing attack, but it relies on stealing and reusing password hashes rather than the actual plain-text password.
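The article notes that lateral movement with stolen credentials is noisy when monitored properly. The following added example (not from the original article) shows one simple detection heuristic for pass-the-hash style movement over constructed logon events modelled on Windows Security event 4624: an account authenticating with NTLM network logons from a workstation that is not its usual one, and fanning out to several hosts in a short window. The event field names, the baseline and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, modelled on fields of Windows event 4624 (logon success).
# type 3 = network logon; NTLM where Kerberos is the norm is the classic PtH footprint.
EVENTS = [
    {"time": "2024-01-10T09:00:00", "user": "alice", "src": "WS-ALICE", "dst": "FILESRV1", "type": 3, "auth": "Kerberos"},
    {"time": "2024-01-10T09:05:00", "user": "bob",   "src": "WS-BOB",   "dst": "FILESRV1", "type": 3, "auth": "Kerberos"},
    {"time": "2024-01-10T13:00:00", "user": "alice", "src": "WS-BOB",   "dst": "FILESRV1", "type": 3, "auth": "NTLM"},
    {"time": "2024-01-10T13:01:00", "user": "alice", "src": "WS-BOB",   "dst": "FILESRV2", "type": 3, "auth": "NTLM"},
    {"time": "2024-01-10T13:02:00", "user": "alice", "src": "WS-BOB",   "dst": "DC01",     "type": 3, "auth": "NTLM"},
    {"time": "2024-01-10T13:03:00", "user": "alice", "src": "WS-BOB",   "dst": "HRSRV",    "type": 3, "auth": "NTLM"},
]

# Constructed baseline: the workstation(s) each account normally logs in from.
BASELINE = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}}


def detect_pth(events, baseline, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per (user, source host) pair that performs NTLM network
    logons from a non-baseline host to at least `min_hosts` distinct targets
    within `window`. Wrong source + NTLM + fan-out is a common PtH indicator."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        if e["type"] != 3 or e["auth"] != "NTLM":
            continue  # only NTLM network logons are of interest here
        if e["src"] in baseline.get(e["user"], set()):
            continue  # expected source host for this account: skip
        by_key[(e["user"], e["src"])].append(e)

    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        for i, t0 in enumerate(times):
            # distinct targets reached within the sliding window starting at event i
            targets = {evs[j]["dst"] for j in range(i, len(evs)) if times[j] - t0 <= window}
            if len(targets) >= min_hosts:
                alerts.append({"user": user, "src": src, "first_seen": evs[i]["time"],
                               "targets": sorted(targets)})
                break  # one alert per (user, src) is enough
    return alerts


if __name__ == "__main__":
    for a in detect_pth(EVENTS, BASELINE):
        print(f"ALERT {a['user']} from {a['src']} at {a['first_seen']} -> {a['targets']}")
```

In a real environment the baseline would be learned from historical logon data and the alert would be enriched with the target hosts' criticality (domain controllers first).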

How to prevent

While insider threats cannot be completely prevented, combining the preventive measures below with detection tools lets your organization minimize the risk of a successful incident.

There are several ways to prevent insider threats:

  • Conduct security training
  • Enforce strict security policies
  • Implement the principle of least privilege
  • Enforce separation of duties
  • Implement a zero trust architecture
  • Use DLP (Data Loss Prevention) solutions

These measures are not exhaustive, but they will significantly reduce the risk of insider data leakage.
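Least privilege and separation of duties from the list above are easiest to enforce when they are checked mechanically against the role model. The following added example (not from the original article) is a small policy check over a constructed role/permission model: it flags users who hold both sides of a "toxic" permission pair, whether through one role or a combination of roles, and reports granted permissions that were never used (candidates for removal). All role names, permissions and conflict pairs are hypothetical.

```python
# Toxic combinations: no single person should hold both sides of one transaction.
SOD_CONFLICTS = [
    ({"vendor.create"}, {"payment.approve"}),
    ({"code.commit"}, {"deploy.production"}),
    ({"backup.read"}, {"audit_log.delete"}),
]

# Constructed role model: role -> permissions it grants.
ROLE_PERMS = {
    "developer": {"code.commit", "code.review"},
    "release_manager": {"deploy.production"},
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "admin": {"backup.read", "audit_log.delete", "user.create"},
}

# Constructed assignments: user -> roles held.
USER_ROLES = {
    "alice": {"developer"},
    "bob": {"developer", "release_manager"},   # conflict via two roles
    "carol": {"ap_clerk", "ap_manager"},       # conflict via two roles
    "dave": {"admin"},                         # conflict inside a single role
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMS, conflicts=SOD_CONFLICTS):
    """Return (user, left_perms, right_perms) for each user holding both sides
    of a conflict pair, regardless of how many roles it took to get there."""
    found = []
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_perms)
        for left, right in conflicts:
            if left & perms and right & perms:
                found.append((user, sorted(left & perms), sorted(right & perms)))
    return found


def unused_grants(used_perms, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Least-privilege review: granted permissions never seen in use (e.g. over
    90 days of audit logs), per user. `used_perms` maps user -> set of used perms."""
    return {u: sorted(effective_permissions(u, user_roles, role_perms) - used_perms.get(u, set()))
            for u in user_roles}
```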


Insider threats are the most common threat to any organization. This is because some insider threats are also unintentional (for example, human error when people fall for a phishing attempt), and that is precisely the most common initial access for attackers. Today it is far more expensive for attackers to break into an environment "from outside" through brute force or by exploiting vulnerabilities in Internet-connected devices. Moreover, these attempts (with adequate security monitoring) are very noisy and easy to detect. Unfortunately, the cheapest and most effective way is to try to exploit human vulnerabilities.

However, malicious insiders also exist, and cooperation with an external threat actor makes them stealthy and hard to spot, while the damage is no less significant.
