Manoharan Mudaliar

Cyber Security Consultant

A Guide to Insider Threats and How to Manage Them

With the disparate nature of cyber threats currently facing businesses, it isn't easy for organizations to identify the ones they should prioritize. Many organizations make the costly mistake of focusing almost entirely on threats originating from outside. With the severity and volume of breaches caused by insiders on the rise, this oversight can prove expensive in the long run.

Regardless of whether your internal stakeholders act out of negligence or malice, businesses need to recognize how significant a risk insider threats pose. This guide discusses insider threats in greater detail and looks at ways you can manage them. Take insider threats as seriously as you take threats originating from outside your firm.

What Are Insider Threats?

Insider threat is a common phrase in cyber security, used to describe threats that originate from within the organization. They come from current or former employees, partners or contractors: people who have, or have had, legitimate access to your databases, networks and applications. They can use this access, unwittingly or deliberately, to cause disruption, damage systems, or modify, steal or erase sensitive data held by the organization.

While almost all data in your possession is at risk during an insider attack, the information most commonly targeted includes personal information about customers and employees, financial records, details of the security controls in place within the organization, and intellectual property. Organizations in every industry are at risk of insider breaches initiated by disgruntled employees or other stakeholders, but recent research indicates that the manufacturing, healthcare and finance sectors are the most susceptible.

Types of Insider Threats

Contrary to popular belief, insider threats are not always malicious. Cyber security practitioners define the term to cover any action taken from within an organization that can negatively impact its security, and most insider incidents are the result of negligence rather than malice.

Research by Ponemon found that almost 63 percent of insider incidents reported in 2017 were caused by negligence rather than deliberate intent. Negligent insider threats are usually the result of inadvertent employee errors and poor online behavior, such as accidentally disabling security controls or falling for basic phishing scams.

The same research indicated that the remaining 37 percent of incidents that year were malicious. Malicious insider threats are usually initiated by disgruntled or rogue employees who deliberately leak confidential data to damage the company's reputation and standing. Criminal insiders do not always act alone: some collude with competitors or are affiliated with external hacking groups.

There are four common types of insider threats, which are outlined below:

Second Streamers

Most insider threats originate from second streamers: current employees with a 'stay and profit' attitude who misuse confidential corporate information for additional income through external collusion, fraud or the sale of secrets. A recent University of Surrey study of insider threats found that over 35 percent of activity on the dark web relates to trading corporate data. Most of that data is obtained through external attacks, but some of it is sold by second streamers looking to supplement their income.

Disgruntled Employees

A disgruntled employee can do real damage to your business. Unsatisfied former employees and disgruntled current employees pose a serious threat to corporate data: they usually have a motive, and they can use access they already hold to reach valuable data. An insider threat survey by Gartner found that almost a third of criminal insiders committed data theft as a means of revenge, and employees seeking revenge can go to considerable lengths to get it.

Inadvertent Insiders

Inadvertent insiders are employees who usually behave in a compliant and secure way but occasionally make mistakes. Because every endpoint is connected to your corporate network, one employee's error can have serious repercussions. Inadvertent insiders typically fall prey to phishing attacks and do not realize the extent of the mistake until it is too late to remediate it.

Persistent non-responders

Persistent non-responders are employees who are repeatedly and knowingly negligent. These employees, often senior executives, do not take security awareness training seriously, and their behavior leaves them exposed to phishing and other social engineering scams. A successful attack on one of them can compromise the entire corporate network.

Insider Threat Examples

There are many examples of insider threats for organizations to learn from, including the following:

Waymo and Uber

This is perhaps the highest profile insider threat case to date. In 2016 an engineer left Waymo, the self-driving car company spun out of Google, to found a self-driving truck company called Otto, which Uber acquired within months of its launch. Waymo alleged that before leaving, the engineer downloaded thousands of confidential files, including design files, testing documents and blueprints, and sued Uber for misappropriation of trade secrets. The case settled part way through the trial, in February 2018, for about $245 million in Uber equity.

Tesla

Tesla suffered an insider incident in 2018 when a disgruntled employee abused internal privileges to make unauthorized changes to its manufacturing systems, which Tesla said disrupted production, and allegedly exported confidential data to outside parties. The employee claimed to be a whistleblower, the dispute played out in public, and Tesla's standing in the market suffered as a result.

Coca-Cola

In 2018, Coca-Cola disclosed that a former employee of one of its subsidiaries had stolen a hard drive containing personal information on thousands of employees. The breach had serious repercussions, but the impact could have been much worse had it occurred after 25 May 2018, when GDPR enforcement began.

Managing Insider Threats

Reading horror stories about insider threats can be troubling. But rather than doubting every single employee, take proactive steps to reduce your risk. Five key safeguards are outlined below:

Closely Manage Privileges and Permissions

Closely controlling account privileges limits the damage an account can do, whether it is being used by the insider it belongs to or by someone who has compromised it. Review privileges and permissions every time a role changes, remove access promptly when employees and contractors leave, and adopt a policy of least privilege for employees, agencies and contractors.
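The periodic access review described above can be automated. The following is an added example, not code from the original article: it compares what each account is actually granted against a role model of approved permissions, flags excess rights (the "moved roles but kept old access" case) and flags accounts of leavers that still hold any access. The role names, permission strings and directory snapshot are constructed for illustration.

```python
"""Least-privilege access review (added example; all data below is constructed)."""
from dataclasses import dataclass, field

# Constructed role model: the permissions each role is approved to hold.
ROLE_PERMISSIONS = {
    "engineer":   {"repo:read", "repo:write", "ci:run"},
    "finance":    {"ledger:read", "ledger:write", "payroll:read"},
    "contractor": {"repo:read"},
}


@dataclass
class Account:
    user: str
    role: str
    active: bool                 # False once HR records the person as having left
    granted: set = field(default_factory=set)


# Constructed snapshot of what the IAM system actually grants today.
ACCOUNTS = [
    Account("alice", "engineer", True, {"repo:read", "repo:write", "ci:run"}),
    # bob moved from finance to engineering but kept his old ledger rights
    Account("bob", "engineer", True, {"repo:read", "repo:write", "ledger:write"}),
    # carol left the company but her account and permissions still exist
    Account("carol", "finance", False, {"ledger:read", "payroll:read"}),
    # dave is a contractor holding write access he was never approved for
    Account("dave", "contractor", True, {"repo:read", "repo:write"}),
]


def review_access(accounts, role_permissions):
    """Return findings as (user, finding_type, details) tuples."""
    findings = []
    for acct in accounts:
        if not acct.active:
            # A former employee or contractor with any live access is a finding
            # regardless of role; the account itself should be disabled.
            findings.append((acct.user, "inactive_user_with_access", sorted(acct.granted)))
            continue
        allowed = role_permissions.get(acct.role)
        if allowed is None:
            # A role nobody defined cannot be checked; send it for manual review.
            findings.append((acct.user, "unknown_role", acct.role))
            continue
        excess = acct.granted - allowed
        if excess:
            findings.append((acct.user, "excess_permissions", sorted(excess)))
    return findings


def remediation_plan(findings):
    """Turn findings into concrete actions for the IAM team."""
    actions = []
    for user, kind, details in findings:
        if kind == "inactive_user_with_access":
            actions.append(("disable_account", user, None))
        elif kind == "excess_permissions":
            for perm in details:
                actions.append(("revoke", user, perm))
        else:
            actions.append(("manual_review", user, details))
    return actions


if __name__ == "__main__":
    for action in remediation_plan(review_access(ACCOUNTS, ROLE_PERMISSIONS)):
        print(action)
```

In practice the role model comes from HR or an IAM system and the snapshot from a directory export; the point is that the comparison is a set difference that can run on every role change and on a schedule, rather than an annual spreadsheet exercise.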

Implement Device Management Policy

Employees access company systems from many locations and many different devices. Even where organizations have adopted BYOD policies, unsecured devices present a major security risk, so organizations should ensure that every device used for work has endpoint security software installed.

Application control is also necessary: organizations should publish a list of approved applications so employees know which tools are permitted and which are not, and should monitor or restrict USB ports on high-risk devices.

Regular Staff Training

Human error can be minimized through regular staff training. The inadvertent mistakes discussed above can be reduced with proper training, and teaching employees their obligations regarding data security is a crucial step in reducing risk inside the organization.

Security awareness training should also cover phishing prevention, data protection and password management. With the right training you can limit the employee negligence that often leads to insider threats.

Proactive Monitoring

Proactive endpoint and network monitoring, using technologies such as EDR, IDS and SIEM, can help your security team identify insider threats before they cause damage.

For monitoring to succeed you first need to establish a baseline of 'normal' activity for each user and system. Behavior that falls outside that baseline should be investigated as a potential threat.

User and Entity Behavior Analytics

UEBA (User and Entity Behavior Analytics) is one way to combat insider threats. UEBA builds behavioral profiles of users and entities and applies machine learning to flag deviations from them, which helps surface both known and previously unseen user threats. Anomalous activity is reported for investigation, and privilege abuse becomes easier to detect and limit.
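The baselining described under Proactive Monitoring and the behavioral profiling that UEBA products perform rest on the same idea, so a single added example serves both paragraphs. It is not code from the original article or from any UEBA product: it learns, per user, the usual daily download volume, the hosts normally touched and the hours normally active from a baseline window of access logs, then scores a later window and reports the reasons a day looks anomalous. The log format, host names and every log line are constructed for this example; a real deployment would parse your own SIEM or file-server logs.

```python
"""Behavioral baselining over access logs (added example; constructed data)."""
import re
import statistics
from collections import defaultdict

# Hypothetical log format chosen for this example; adapt the regex to your logs.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2}Z "
    r"user=(?P<user>\S+) action=(?P<action>\S+) bytes=(?P<bytes>\d+) host=(?P<host>\S+)$"
)

# Constructed baseline window: four working days of normal behaviour.
BASELINE_LOG = """\
2024-03-04T09:12:03Z user=alice action=download bytes=120000 host=fileserv
2024-03-04T14:40:11Z user=alice action=download bytes=95000 host=fileserv
2024-03-05T10:02:45Z user=alice action=download bytes=180000 host=fileserv
2024-03-06T11:30:00Z user=alice action=download bytes=230000 host=fileserv
2024-03-07T16:15:27Z user=alice action=download bytes=200000 host=fileserv
2024-03-04T09:50:00Z user=bob action=clone bytes=40000 host=gitlab
2024-03-05T10:10:00Z user=bob action=clone bytes=55000 host=gitlab
2024-03-06T13:05:00Z user=bob action=clone bytes=48000 host=gitlab
2024-03-07T09:45:00Z user=bob action=clone bytes=50000 host=gitlab
"""

# Constructed detection window: alice pulls far more than usual, at night,
# and from a host she has never touched; bob behaves normally.
DETECT_LOG = """\
2024-03-08T23:10:41Z user=alice action=download bytes=4800000 host=fileserv
2024-03-08T23:25:09Z user=alice action=download bytes=350000 host=hr-db
2024-03-08T10:00:00Z user=bob action=clone bytes=52000 host=gitlab
"""


def parse(log):
    """Yield parsed events as dicts; lines that do not match the format are skipped."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["hour"])
            ev["bytes"] = int(ev["bytes"])
            yield ev


def build_baselines(log):
    """Per user: daily byte-volume statistics, hosts seen and active hours."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for ev in parse(log):
        daily[ev["user"]][ev["ts"]] += ev["bytes"]
        hosts[ev["user"]].add(ev["host"])
        hours[ev["user"]].add(ev["hour"])
    baselines = {}
    for user, per_day in daily.items():
        vols = list(per_day.values())
        mean = statistics.mean(vols)
        # One day of history gives no spread; fall back to a fixed fraction of the mean.
        stdev = statistics.stdev(vols) if len(vols) > 1 else mean * 0.25
        baselines[user] = {
            "mean": mean,
            "stdev": stdev,
            "hosts": hosts[user],
            "hours": (min(hours[user]), max(hours[user])),
        }
    return baselines


def score(log, baselines, sigma=3.0):
    """Return {(user, day): [reasons]} for activity that falls outside the baseline."""
    daily = defaultdict(lambda: defaultdict(int))
    reasons = defaultdict(set)
    for ev in parse(log):
        user, day = ev["user"], ev["ts"]
        base = baselines.get(user)
        if base is None:
            # An account with no history at all is itself worth a look.
            reasons[(user, day)].add("no baseline for user")
            continue
        daily[user][day] += ev["bytes"]
        if ev["host"] not in base["hosts"]:
            reasons[(user, day)].add(f"new host {ev['host']}")
        lo, hi = base["hours"]
        if not (lo - 1 <= ev["hour"] <= hi + 1):
            reasons[(user, day)].add(f"off-hours activity at {ev['hour']:02d}:00")
    for user, per_day in daily.items():
        base = baselines[user]
        threshold = base["mean"] + sigma * base["stdev"]
        for day, vol in per_day.items():
            if vol > threshold:
                reasons[(user, day)].add(
                    f"volume {vol} exceeds baseline {base['mean']:.0f} + {sigma}*sd")
    return {k: sorted(v) for k, v in reasons.items()}


if __name__ == "__main__":
    for key, why in score(DETECT_LOG, build_baselines(BASELINE_LOG)).items():
        print(key, why)
```

Three independent signals (volume, new host, off-hours) are combined here so that a single noisy indicator does not drive alerts; commercial UEBA tools do the same with many more features and learned rather than fixed thresholds, but the baseline-then-deviate structure is identical.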

A cyber security consultant can help manage insider threats for your organization. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.