Industry Perspectives

Detecting and Preventing the Insider Threat

There is no denying it: the insider threat poses a significant risk to organizations. Any accidental or malicious act by an employee can potentially lead to catastrophic incidents that threaten a company’s brand and reputation.

One example of an insider threat is an employee who has access to sensitive company information and intends to use it maliciously. In this scenario, the insider might anonymously threaten to release the data unless a ransom is paid. These attacks may be carried out by greedy staffers or disgruntled employees experiencing financial hardships, but ultimately it is the HR or Legal departments that must determine the motivations behind the attack.

Another insider threat is known as the accidental insider, where the employee was manipulated to cause harm. In this situation, external threat actors would manipulate the accidental insider using a variety of techniques, including clever phishing and social engineering. Following a successful manipulation, the external attacker is then able to use the accidental insider’s machine and access to propagate throughout the company’s environment.

Despite the risks posed by insiders, companies are still required to give employees access to company data in order for them to perform necessary job functions. While it is difficult to implement controls that are able to detect or mitigate these risks, there are processes that organizations can develop to reduce the chances that an insider threat will be successful.


As mentioned, it is difficult to detect insider activity; however, there are some processes that organizations can develop or enhance to increase their chances of detecting malicious and accidental insider threat activity:

  • Identify critical data assets and baseline employee data access activities to increase the chance that anomalous insider behavior will be quickly identified
  • Enforce mandatory vacations and job rotations so employees remain fresh and alert, thus increasing the likelihood that malicious insider activity is detected
  • Ensure that data protection mechanisms are established and will alert on unauthorized data transfers (e.g., sensitive data sent via email, data copied to removable drives)
  • Conduct regular security awareness training:
      o   Stress the importance of identifying and reporting insider threat activity to the appropriate security teams
      o   Educate employees about phishing/spearphishing emails: they should not click on attachments or links within unsolicited emails, and they should alert the appropriate security teams
  • Monitor for unusual outbound traffic patterns, including:
      o   Odd connections to unknown IP addresses
      o   Unusually long outbound connections
      o   Abnormally large amounts of data transferred out of the environment
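The three outbound-traffic patterns above can be turned into simple detection logic once a per-host baseline exists. The following is an added example, not code from the original article: it scores a window of constructed egress records against a baseline built from earlier, assumed-clean records, and treats a constructed set of destination addresses as the organization's known-good allowlist.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (host, dest_ip, duration_seconds, bytes_out).
# BASELINE stands in for a week of known-good egress logs; TODAY is the window under review.
BASELINE = [
    ("ws-101", "203.0.113.10", 30, 40_000),
    ("ws-101", "203.0.113.20", 45, 55_000),
    ("ws-101", "203.0.113.10", 20, 30_000),
    ("ws-101", "203.0.113.20", 60, 70_000),
    ("ws-101", "203.0.113.10", 35, 45_000),
]
TODAY = [
    ("ws-101", "203.0.113.10", 40, 50_000),            # ordinary traffic
    ("ws-101", "198.51.100.77", 3600, 2_500_000_000),  # long upload to an unknown host
    ("ws-101", "203.0.113.20", 500, 60_000),           # known host, unusually long session
    ("ws-202", "203.0.113.10", 30, 40_000),            # host that has no baseline yet
]
# Assumed allowlist of destinations the organization expects to see (partners, SaaS, etc.).
KNOWN_DESTS = {"203.0.113.10", "203.0.113.20"}


def build_baseline(records):
    """Per-host mean and population std-dev of connection duration and bytes sent."""
    per_host = defaultdict(list)
    for host, _dest, dur, out in records:
        per_host[host].append((dur, out))
    stats = {}
    for host, samples in per_host.items():
        durs = [d for d, _ in samples]
        outs = [o for _, o in samples]
        stats[host] = (mean(durs), pstdev(durs), mean(outs), pstdev(outs))
    return stats


def flag_anomalies(window, baseline_records, known_dests, k=3.0):
    """Return (host, dest, reasons) for each record that reaches an unknown destination,
    exceeds mean + k*sigma on duration or volume, or comes from a host with no baseline."""
    stats = build_baseline(baseline_records)
    findings = []
    for host, dest, dur, out in window:
        reasons = []
        if dest not in known_dests:
            reasons.append("unknown destination")
        if host not in stats:
            reasons.append("no baseline for host")  # cannot score; surface for review
        else:
            m_dur, s_dur, m_out, s_out = stats[host]
            if dur > m_dur + k * s_dur:
                reasons.append("unusual connection length")
            if out > m_out + k * s_out:
                reasons.append("abnormally large transfer")
        if reasons:
            findings.append((host, dest, reasons))
    return findings
```

A host with a constant baseline (zero standard deviation) will be flagged on any increase, so in practice the baseline window should cover enough normal variation before thresholds are trusted.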


Preventing insider threats can be just as challenging as detecting malicious insider activity, since employees have approved access to company information assets. However, there are some processes that organizations can implement to reduce the chance that a malicious insider will be able to compromise the integrity, availability, or confidentiality of company data.

  • Follow the principle of “least privilege,” and ensure that employees are not able to access data unless necessary to complete their current job function(s)
  • Implement preventative controls such as removing access to removable drives, making it so an insider will not be able to use thumb drives to steal company information
  • Implement data loss prevention (DLP) technology that can be used to analyze company emails and reduce the chance that an insider can email sensitive data from the environment
  • Monitor egress traffic and detect unauthorized uses of encryption, which may indicate an attempt to remove data from the environment
  • Develop security enclaves (e.g., network segmentation, network segregation) where sensitive company data is housed and implement processes to detect unauthorized attempts to transfer data from these enclaves
  • Provide regular security awareness training and stress that employees should validate emails prior to opening attachments and clicking on links

Detecting and preventing insider threats is a difficult task, but if organizations are able to identify their most critical assets and ensure that they have good visibility into the activity around those assets, the chance of detecting unauthorized activity increases, which significantly reduces the likelihood that an insider will be able to execute a successful attack. Organizations must stay vigilant against external threats, but should not ignore the risk that insider threats pose to sensitive data.