IBM reports that up to 60% of cybersecurity threats come from within your own company. This is known as an insider threat attack.
Unlike external attacks, these come from people you trust such as employees, contractors, or third-party vendors. If not properly managed, insider threats can lead to severe data exfiltration, which means your sensitive data could be stolen or exposed.
But how do you protect your business from this growing risk? Understanding the different types of insider threats is the first step.
What is an insider threat attack?
An insider threat attack happens when someone inside your organisation such as an employee, contractor, or partner, misuses their access to harm your business. This could be intentional, such as stealing data for personal gain, or accidental, like sending sensitive information to the wrong recipient.
In most cases, the primary goal of an insider threat is to steal or expose your company’s data. This is called data exfiltration. Whether it’s customer information, trade secrets, or financial records, the consequences of this kind of data breach can be devastating.
But it’s not always about malicious actions. Sometimes insider threats come from carelessness or a lack of awareness. That’s why it’s critical to understand the different forms these threats can take.
1. Departing employees and insider threats
Have you thought about the risks posed by employees who are about to leave your company?
When someone leaves your business, especially those in senior roles or with access to sensitive data, they might take important information with them, intentionally or not.
This can lead to a serious insider threat attack, particularly when it comes to data exfiltration.
In 2022, a Yahoo research scientist named Qian Sang downloaded approximately 570,000 pages of proprietary information about Yahoo’s AdLearn product shortly after receiving a job offer from a competitor.
He transferred the intellectual property (IP) to his personal devices, with the intent of using the confidential data to gain an advantage in his new role. This shows the harm that departing employees with elevated permissions can cause.
If you don’t have clear offboarding procedures, departing employees might retain access to critical systems and data. This could allow them to copy, delete, or transfer important files even after their employment ends.
To protect your business, you need to make sure that access to systems is immediately revoked once someone leaves. This reduces the risk of sensitive information walking out the door with them.
2. Malicious employees and insider threat attacks
Sometimes, the biggest threat to your business comes from within.
Malicious employees are those who intentionally seek to damage your company. This might be driven by financial gain, revenge, or other personal reasons. These employees may have legitimate access to your systems, but they use that access to steal or sabotage your data.
For example, they might sell sensitive information to competitors or leak customer data to damage your reputation.
In July 2022, General Electric discovered that an engineer named Jean Patrice Delia had stolen over 8,000 sensitive files over a span of eight years.
Delia manipulated an IT administrator into granting him access to confidential information, which he siphoned off to help start a rival company.
The FBI investigated the breach and found that Delia had emailed commercially sensitive data to a co-conspirator. He ultimately pleaded guilty and was sentenced to up to 87 months in prison.
The problem? Malicious insiders can be hard to spot because they blend in with your workforce. That’s why it’s so important to monitor employee behaviour and track unusual data access patterns.
With the right precautions, you can catch suspicious activity before it’s too late.
3. Negligent employees and insider threat attacks
Not every insider threat comes from bad intentions.
Sometimes, employees make mistakes that accidentally put your business at risk. This is what we call a negligent insider threat attack.
Have you ever had an employee accidentally send sensitive information to the wrong email address? Or forget to lock their device while it contains important data?
Employees are also often targeted by social engineering scams such as Business Email Compromise (BEC) attacks.
These simple errors can lead to data exfiltration and security breaches.
In 2024, researchers found a Microsoft Azure server containing secret code, passwords, and employee credentials left unsecured and exposed to the public internet.
McKenzie Jackson, developer advocate at code security platform GitGuardian, said:
The exploit discovered plain text secrets in internal systems and source code. Secrets like certificates, passwords or API keys are the easiest way for an attacker to move from one system to another undetected.
To reduce the risk of negligence, it’s vital to provide regular training and raise awareness about security best practices.
The more your employees know about keeping your data safe, the less likely they are to make costly mistakes. Make sure your team understands the consequences of accidental breaches and how to avoid them.
4. Security evaders within organisations
Have you ever come across employees who try to bypass your security measures just to make their jobs easier?
These are what we call security evaders. While they might not have bad intentions, their actions can still expose your company to serious insider threat attacks. For instance, they might share login credentials, use personal devices for work, or disable security settings to avoid restrictions.
Even if these employees aren’t trying to steal data, their shortcuts create vulnerabilities. Hackers or malicious insiders can exploit these gaps, leading to data exfiltration.
A Boeing employee emailed a spreadsheet containing hidden personal information of around 36,000 coworkers to his wife for help with formatting issues. By bypassing security protocols and sending the data to an unsecured device, he compromised sensitive details such as employee IDs, places of birth, and social security numbers.
Although Boeing stated that the data likely didn’t leave those devices, it still offered two years of free credit monitoring to all affected employees, costing an estimated $7 million.
To prevent this, it’s important to enforce strict security protocols and educate your team on why these rules exist. Security should never be optional.
5. Inside agents and insider threats
Inside agents are one of the most dangerous types of insider threats.
These individuals are often placed within your company by external groups to exfiltrate sensitive data. Unlike other insider threats, inside agents are fully aware of their role and actively work to gather and transfer your company’s valuable information.
These threats are hard to detect because they often blend in with your workforce, pretending to be regular employees or contractors.
In 2021, a Russian hacker group approached a Tesla employee. Egor Igorevich Kriuchkov offered the employee $1,000,000 to install malware on Tesla’s network. The malware was designed to exfiltrate data and potentially hold the company to ransom.
Thankfully, the FBI was able to stop the attack on Tesla before it took place. If it had been successful and Tesla refused to pay the ransom, then the company’s secrets would be placed on the internet.
To protect your business, you need to limit access to sensitive data and closely monitor anyone with elevated privileges.
A zero-trust security approach, where no one is automatically trusted, can help keep inside agents from gaining too much access.
6. Third parties and insider threat risks
Are your third-party partners posing a risk to your business?
Contractors, vendors, and other third parties often have access to your systems, and if they’re not properly managed, they can become a source of insider threats.
In 2024, Synnovis, a UK-based laboratory services provider for the NHS, suffered a cyber-attack. The breach compromised sensitive patient data and disrupted laboratory services, directly affecting NHS operations for thousands of patients.
Cybersecurity expert Ciaran Martin told the BBC it was:
One of the most significant and harmful cyber attacks ever in the UK.
Since they aren’t part of your organisation, it’s easy to overlook them. However, they still handle your sensitive data.
Your business depends on these third parties, but they can increase the chance of a security breach if they don’t follow strict security protocols.
Make sure you limit the access they have to only what’s necessary. Regularly review their security practices to avoid unnecessary risks.
How businesses are combating insider threat attacks
So how can you protect your business from insider threat attacks?
Companies are taking a proactive approach by improving monitoring systems. Security Information and Event Management (SIEM) tools track unusual behaviour or data access patterns. This helps identify and remediate threats before they can cause harm.
Another key step is to improve your employee training programmes. Ensuring that your staff understands security best practices can reduce the risk of negligence or accidental breaches.
On top of this, having strict offboarding procedures will prevent departing employees from taking sensitive data with them.
Many businesses are also adopting zero-trust security models. This approach means you limit access to sensitive data based on role and always verify user activity.
By monitoring everyone’s access, you can catch potential threats early on and prevent data exfiltration before it happens.
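The monitoring and offboarding controls described above can be expressed as a few concrete detection rules. The following is an added example, not code from the original article: it runs three checks over constructed SIEM-style file-access events and a constructed HR roster (all names, dates, thresholds and classifications are assumptions), flagging bulk reads by someone who has given notice, access by an account whose employment end date has passed, and access to data outside the user's role.

```python
"""Toy insider-threat detection over constructed file-access events."""
from collections import defaultdict
from datetime import date

# Constructed HR roster: role, plus the employment end date once notice is given.
ROSTER = {
    "alice": {"role": "research", "leaving": date(2024, 6, 30)},   # has given notice
    "bob":   {"role": "engineering", "leaving": None},
    "carol": {"role": "finance", "leaving": date(2024, 5, 1)},     # already left
}
# Data classifications each role is expected to touch day to day (assumed).
ROLE_SCOPE = {"research": {"research"}, "engineering": {"engineering"}, "finance": {"finance"}}

# Constructed events: (day, user, data classification, bytes read).
EVENTS = [
    (date(2024, 6, 10), "alice", "research", 5_000),
    (date(2024, 6, 11), "alice", "research", 900_000_000),  # bulk download before leaving
    (date(2024, 6, 11), "bob", "finance", 20_000),          # outside role scope
    (date(2024, 6, 12), "carol", "finance", 10_000),        # account should be disabled
    (date(2024, 6, 12), "bob", "engineering", 30_000),
]

BULK_THRESHOLD = 100_000_000   # bytes per user per day; tune against your baseline
NOTICE_WINDOW_DAYS = 30        # how long before the end date a user counts as departing


def detect(events, roster, role_scope, bulk_threshold=BULK_THRESHOLD):
    """Return sorted (user, alert_kind, day) tuples for the three rules."""
    alerts = []
    daily = defaultdict(int)  # (user, day) -> bytes read
    for day, user, cls, nbytes in events:
        person = roster.get(user)
        if person is None:                       # activity from an account HR does not know
            alerts.append((user, "unknown_account", day))
            continue
        leaving = person["leaving"]
        if leaving and day > leaving:            # offboarding gap: access after the end date
            alerts.append((user, "access_after_departure", day))
        if cls not in role_scope[person["role"]]:  # data outside the user's duties
            alerts.append((user, "outside_role_scope", day))
        daily[(user, day)] += nbytes
    for (user, day), total in daily.items():
        if total < bulk_threshold:
            continue
        leaving = roster[user]["leaving"]
        departing = leaving is not None and 0 <= (leaving - day).days <= NOTICE_WINDOW_DAYS
        alerts.append((user, "bulk_read_by_departing_user" if departing else "bulk_read", day))
    return sorted(alerts)
```

Run against the constructed events, `detect` raises exactly three alerts: alice's bulk read while in her notice period, bob's finance access outside his engineering role, and carol's access after her employment ended.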
Summary
Insider threat attacks are a serious concern for any business. By understanding the risks and taking action, you can protect your data.
Whether the threat comes from a departing employee, a careless mistake, or a malicious insider, the goal is the same. You must prevent data exfiltration to protect your business.
With the right security protocols and awareness, you can significantly reduce the chances of an insider attack harming your organisation.
Insider threat attack prevention checklist
- Monitor departing employees:
  - Revoke access to systems and data immediately upon departure.
  - Ensure all company devices and sensitive information are returned.
  - Conduct exit interviews to identify any potential risks.
- Watch for malicious employees:
  - Monitor unusual behaviour, such as accessing sensitive data outside of regular duties.
  - Implement data monitoring tools to track suspicious activity.
  - Limit access to critical data based on role and responsibilities.
- Address negligent employee actions:
  - Provide regular cybersecurity training to all employees.
  - Educate staff on the importance of secure data handling.
  - Use role-based access to minimise the potential for accidental breaches.
- Prevent security evasion:
  - Enforce strict security policies, including strong passwords and multi-factor authentication.
  - Discourage the use of personal devices for work without proper security protocols.
  - Regularly audit employees for compliance with security rules.
- Limit inside agents’ opportunities:
  - Adopt a zero-trust security model to monitor and restrict access.
  - Continuously vet employees and contractors with access to sensitive information.
  - Use behavioural monitoring tools to detect unusual data transfers.
- Review third-party access:
  - Regularly audit third-party access and restrict it to necessary systems only.
  - Ensure vendors follow your security standards.
  - Immediately revoke access when contracts end or when roles change.