Introduction Into Insider Threat and Mitigation Best Practices

Your staff may not notice how they expose the business to security risks. Here are the most common insider threats and how to counter them.

David Balaban

June 29, 2021


Suppose you do your best to protect your business from security risks. Do you know that a good deal of that danger comes from insiders? Far too many businesses have already had the painful experience of dealing with an insider threat.

Let us define what an insider threat is

It is the risk posed by current employees, former employees, business partners, and contractors: people who hold legitimate access to your systems and to a great deal of your business data. Negligence or deliberate misuse on their part exposes the company to serious security threats.

Espionage, privacy violations, disabling security controls, waste, and unauthorized spending are the most common offenses committed by people acting from inside a company.

Such incidents are common. The FBI breaks down the factors behind them like this:

Personal motivations

  • Greed or financial need: the belief that money is the ultimate power, or an urgent need to cover debts or excessive spending.

  • Anger at the company and a desire for revenge: dissatisfaction strong enough to turn into a wish to harm the employer.

  • Problems at work: conflicts with colleagues or management, tedious work, or the threat of dismissal.

  • Ego and self-image: breaking the rules to prove exceptional status or to polish one's self-image, and susceptibility to flattery or the promise of a promotion.

  • Addictions, such as compulsive use of alcohol or drugs.

  • Family problems, such as marital trouble or conflicts with other family members.

Corporate motivations

  • Sensitive business data is available without clearly defined handling rules, so it reaches people who have no need to use it.

  • Restricted data is mislabeled or not labeled at all.

  • People leaving the company's premises or systems can easily walk away with restricted data and materials without authorization.

  • Restricted data is processed remotely without clear limits on how it may be used or disclosed.

  • Staff receive no instructions or training on how to handle restricted data properly.

Types of dangerous insiders

Most observers distinguish two major types of insider threat: risks posed by malicious intent and risks posed by negligence or non-compliance. This classification is simple and general, but reality often calls for more detail. A more refined classification splits the threats into four categories by the type of actor involved.

1) Ordinary users: Ordinary users, or pawns, do not realize they are doing anything wrong when they fall for phishing or open malware sent by email. Typical scenarios include staff downloading malware or handing their sign-in details to a stranger on first request without verifying who is asking. Unwitting employees are a favorite target of attackers going after a company.

2) Non-ordinary, goofy users: Freedom is slavery, war is peace... No, their real motto is 'Ignorance is strength.' These users, or goofs, believe the rules do not apply to them. They break them for convenience, out of incompetence, or just for fun.

3) Secret agents: These are collaborators who use their insider status to steal secret data or disrupt the organization they work for, acting on behalf of a third party. Such third parties include foreign government intelligence services and competitors trying to undermine your operations.

4) Sole attackers: Sole attackers, or lone wolves, have no third-party backing; they do not collaborate with anyone and do not act as agents of anyone. They are especially dangerous when they hold high levels of access to company resources: a database or system administrator in this role can do the most damage.

Common indicators of insider threats

  • An employee copies material without a specific need, especially if it is proprietary or classified.

  • An employee remotely accesses the company network without a specific need while on vacation, on sick leave, or at other odd times.

  • An employee disregards company computer policies: installs personal software or hardware, accesses restricted websites, conducts unauthorized searches, or downloads confidential information.

  • Unreported foreign contacts (particularly with foreign government or intelligence officials) or unreported overseas travel.

  • Unexplained affluence: an employee buys things he or she cannot afford.

  • An employee shows interest in matters outside the scope of his or her duties.

Insider threat cases

Microsoft database goes public

In late 2019, a database of Microsoft customer support records was left exposed on the internet. The scale was huge: roughly 250 million entries collected over 14 years, including IP addresses, locations, and remarks made by Microsoft support agents. The database was reachable without authentication for about a month before a security researcher found and reported it.

The problem occurred because Microsoft staff misconfigured the network security rules of the Azure-hosted database, leaving it open without a password or MFA.

Microsoft paid no penalties in this case: most personal information in the records had already been redacted, no malicious use was found, and the problem was fixed as soon as it was reported.

Marriott data breach

2020 started for Marriott with a breach: attackers obtained the login credentials of two employees at a franchise property and used them to access a third-party application the company uses to manage guest records. The data included reservation details, guests' contact information, and loyalty account data.

Marriott did not detect the intrusion until late February 2020, roughly a month and a half after it began. The consequences are far worse for Marriott than for Microsoft, since the stolen data included personal details identifying the guests.

Fines for this incident are still pending, and it is not the first time the company has faced penalties for security failures: in 2020 the UK Information Commissioner's Office fined Marriott £18.4 million over the 2018 breach of the Starwood guest database.

Twitter got hacked

Quantity sometimes breeds quality, and the reverse holds too: the compromise of just 130 high-profile Twitter accounts cost the company millions. The accounts, hijacked in July 2020, belonged to both individuals and companies; Apple, Uber, Bill Gates, and Barack Obama were among the notable victims. The attackers used 45 of the accounts to push a Bitcoin scam.

Twitter was compromised through a highly targeted phone spear-phishing campaign. The crooks did not go after the account owners directly; the primary attack hit Twitter employees working remotely. Posing as Twitter IT staff, the attackers talked those employees into handing over their corporate logins and passwords, then used the employees' access to internal support tools to reset the accounts of prominent users.

Through the scam run from those 45 accounts, duped users sent more than 100,000 USD in bitcoin to the crooks. Meanwhile, Twitter's shares fell about 4%, a loss out of all proportion to the hackers' gain.

Businesses and organizations have faced plenty of other insider threat cases with great actual or potential damage.

How to stay safe from insider threats?

No business is free of potential malicious insiders, and the harm can be severe. However, there are plenty of ways to mitigate insider threats. Let us take a look.

Secure essential corporate assets

There are tangible and intangible assets. Simply put, tangible assets are physical things like buildings and the people who work in them, while intangible assets are non-physical: client data, technical data, software, and so on. To secure both categories, implement a defense in depth (DiD) strategy and have an incident response plan.

IT assets require advanced technical protection, including:

  • DNS and URL filtering to block access to malicious sites.

  • Vulnerability management tools to find and fix security flaws.

  • Advanced antivirus to identify and disable malware.

  • Correct management of user privileges and access rights, following the principle of least privilege.

  • Application control, fraud prevention, and email protection.

Ensure SOP implementation and compliance

Standard operating procedures (SOPs) tell your staff what they are expected to do, and security procedures are an essential part of them. Employees must clearly understand the corporate security policies and how to comply with them, in particular where intellectual property is concerned. Enforce SOP compliance through adequate training.

Track and examine any unusual or suspicious events

Monitoring suspicious or abnormal events is critical, even when they look harmless. The indicators listed above provide the essential clues: logins to IT systems from an unrecognized location or at odd hours, unusual data transfers, and so on.
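To show what "track and examine" looks like in practice, here is an added example (not code from the article or its author) that runs two of the indicators above over a few constructed log lines: remote logins while the user is on approved leave or outside working hours, and transfers far larger than the median. The log format, the leave calendar, the corporate address range, the working hours and the 10x threshold are all assumptions; a real deployment would read these from the SIEM, the HR system and the network inventory.

```python
"""Added example, not from the original article: flag remote logins during
leave or at odd hours, and outsized data transfers, over constructed logs."""
from collections import defaultdict
from datetime import datetime, date

# Constructed sample logs (not real data). Format: timestamp|user|event|detail
SAMPLE_LOG = """\
2021-06-21T09:12:00|alice|login|src=10.0.4.15
2021-06-21T09:15:00|alice|transfer|bytes=120000
2021-06-21T23:41:00|bob|login|src=203.0.113.7
2021-06-21T23:45:00|bob|transfer|bytes=4800000000
2021-06-22T10:02:00|carol|login|src=10.0.4.40
2021-06-22T10:10:00|carol|transfer|bytes=90000
2021-06-22T02:30:00|alice|login|src=198.51.100.9
"""

# Constructed HR data: user -> (first day, last day) of approved leave.
ON_LEAVE = {"alice": (date(2021, 6, 22), date(2021, 6, 30))}
# Corporate address prefixes (assumption); any other source is "remote".
CORPORATE_PREFIXES = ("10.",)
# Working hours in local time (assumption): 08:00 up to but excluding 19:00.
WORK_START, WORK_END = 8, 19
# A transfer more than this many times the median transfer size is flagged.
TRANSFER_RATIO = 10


def parse(line):
    """Split one log line into (datetime, user, event, key, value)."""
    ts, user, event, detail = line.split("|")
    key, _, value = detail.partition("=")
    return datetime.fromisoformat(ts), user, event, key, value


def is_on_leave(user, when):
    span = ON_LEAVE.get(user)
    return bool(span) and span[0] <= when.date() <= span[1]


def detect(log_text):
    """Return a list of (user, reason) findings for the given log text."""
    findings = []
    transfers = defaultdict(list)
    for raw in log_text.strip().splitlines():
        when, user, event, key, value = parse(raw)
        if event == "login" and key == "src":
            remote = not value.startswith(CORPORATE_PREFIXES)
            if remote and is_on_leave(user, when):
                findings.append((user, f"remote login from {value} while on leave"))
            elif remote and not (WORK_START <= when.hour < WORK_END):
                findings.append((user, f"remote login from {value} at {when:%H:%M}"))
        elif event == "transfer" and key == "bytes":
            transfers[user].append(int(value))

    # Baseline: the median of every transfer seen. Crude, but it shows the
    # idea; a real detector would keep a per-user history.
    all_sizes = sorted(s for sizes in transfers.values() for s in sizes)
    median = all_sizes[len(all_sizes) // 2] if all_sizes else 0
    for user, sizes in transfers.items():
        for size in sizes:
            if median and size > TRANSFER_RATIO * median:
                findings.append((user, f"transfer of {size} bytes, {size // median}x the median"))
    return findings


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG):
        print(f"{user:8} {reason}")
```

On the constructed data this yields three findings: bob's late-night remote login, alice's remote login on the first day of her leave, and bob's transfer at 40,000 times the median. Note that the leave check is deliberately an "and": a login from the office while on leave may be innocent, but a remote one during leave is exactly the indicator the list above describes.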

Let your people go

Once an employee becomes a former employee, that person's further actions may seem of no interest to you. However, they can hurt you badly unless you complete a proper offboarding routine. First, make sure your termination process is well documented. Revoke former employees' access to company resources, both facilities and systems. Access should be terminated no later than the day of dismissal.
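Offboarding only works if someone checks that it actually happened. The following added example (again, not from the article or its author) reconciles a constructed HR leaver list against a constructed identity-provider export and reports accounts that are still enabled after the owner's last day, logins that happened after departure, credentials (SSH keys, API tokens) that survived a disabled account, and accounts with no HR owner at all. The field names, the dates and the as-of date are assumptions.

```python
"""Added example, not from the original article: find access that outlived a
departure by reconciling an HR roster with an identity-provider export."""
from datetime import date

# Constructed HR roster: account -> (status, last working day or contract end).
HR = {
    "alice": ("active", None),
    "bob": ("terminated", date(2021, 6, 18)),
    "carol": ("terminated", date(2021, 6, 25)),
    "dave": ("contractor", date(2021, 5, 31)),
}

# Constructed identity-provider export: account -> attributes.
# "credentials" counts SSH keys and API tokens still issued to the account.
ACCOUNTS = {
    "alice":      {"enabled": True,  "last_login": date(2021, 6, 24), "credentials": 1},
    "bob":        {"enabled": True,  "last_login": date(2021, 6, 23), "credentials": 2},
    "carol":      {"enabled": False, "last_login": date(2021, 6, 25), "credentials": 1},
    "dave":       {"enabled": True,  "last_login": date(2021, 6, 1),  "credentials": 0},
    "svc-backup": {"enabled": True,  "last_login": date(2021, 6, 24), "credentials": 1},
}

AS_OF = date(2021, 6, 26)  # the day the check is run (assumption)

SEVERITY = {"high": 0, "medium": 1, "low": 2}


def stale_access(hr, accounts, as_of):
    """Return (account, severity, reason) findings, most severe first."""
    findings = []
    for name, attrs in accounts.items():
        record = hr.get(name)
        if record is None:
            # Nobody in HR owns this account: a service account or an orphan.
            findings.append((name, "medium", "no HR owner on record"))
            continue
        status, last_day = record
        if status == "active" or last_day is None:
            continue
        # Leaver or contractor past the end date: access should be gone.
        if attrs["enabled"] and as_of >= last_day:
            days = (as_of - last_day).days
            findings.append((name, "high", f"still enabled {days} days after last day"))
        if attrs["last_login"] > last_day:
            findings.append((name, "high", f"logged in on {attrs['last_login']} after departure"))
        # Disabling the login is not enough if keys and tokens still work.
        if attrs["credentials"] and not attrs["enabled"]:
            findings.append((name, "low", f"disabled, but {attrs['credentials']} credential(s) not revoked"))
    return sorted(findings, key=lambda f: SEVERITY[f[1]])


def run():
    """Run the reconciliation on the constructed data."""
    return stale_access(HR, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for account, severity, reason in run():
        print(f"{severity:6} {account:12} {reason}")
```

On the constructed data the report shows bob (terminated eight days ago, still enabled, and seen logging in after his last day), dave (a contractor whose access outlived the contract by almost a month), the ownerless svc-backup account, and carol, whose login is disabled but whose credential was never revoked. Running such a check daily against the real HR feed turns "no later than the day of dismissal" from a policy statement into something you can verify.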


The human factor is the highest security risk to any network environment. Employees can severely damage your company's reputation, performance, and assets, both intentionally and unintentionally. Stay alert: reducing insider threats is a must for the IT security of your business.

Implementing security measures can be tedious and resource-intensive for many businesses, which is why companies subscribe to trusted third-party security providers, including personnel security training services.

About the Author(s)

David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs and projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
