Skip to content

What Is an Insider Threat? (+Types and Warning Signs to Look For)

July 26, 2019

With each passing day, we grow more dependent on apps and devices to manage our lives, both inside and outside of work.

Because of this, data is everywhere and there are plenty of gaps where this data can be leaked and misused. We are conditioned to think that data leaks come from complete strangers hacking into our systems, but that isn’t always the case.

Sometimes the most malicious cyber security attacks on our data come from the inside in the form of an insider threat. If you’re unsure what an insider threat is, or what signs your IT and security professionals should keep an eye out for, just keep reading.

Insider threats: a breakdown

It can happen at any time, so you’ll want to know it when you see it. Let’s explore what an insider threat is exactly.

This sort of attack doesn’t have to necessarily be a current employee or stakeholder, but can come from a former employer, board member, or anyone who at one point had access to an organization’s confidential and private information.

Insider threats occur when someone close to an organization who has authorized access misuses it to negatively impact the organization’s critical information or systems.

Did you know? One-third of all organizations have faced an insider threat incident.

Types of insider threats

When it comes to insider threats, there are two main types to watch out for.


A malicious insider threat comes from someone deliberately trying to sabotage an organization. The goals are typically espionage, fraud, and intellectual property theft.

An example of this would be a disgruntled employee with the intent to steal information after quitting or being fired. There’s also a type of insider threat called a Logic Bomb, which is when malicious software is left installed on computer systems by former employees.

Get 50+ cyber security resources, FREE.    Get my resources →


An inadvertent insider threat comes from human error or poor judgment. This includes anything from opening a phishing email, triggering malware, engaging in Shadow IT, and unintentional aiding of the threat actor.

In 2017, a study conducted by Verizon found that an average of 4.2% of people targeted in a phishing campaign will click on a malicious link, and individuals with a history of falling victim to phishing scams are more likely to be phished again.

This basic misjudgment causes two-thirds of breached records.

Average cost of an insider threat

How to stop an insider threat

Insider threats are more difficult to identify and block than other types of attacks. Even if you’re using Security Information and Event Management (SIEM) software, a former employee using their login to hack your system won’t raise the same alarms as a high-level hacker taking over your cloud security network.

The best way to stop insider threats from happening is to continuously monitor all user activity and take action when incidents happen. You can do this by implementing threat intelligence service providers, which use state-of-the-art tools and methods to pinpoint cyber threats, including cybercrime actors who specialize in insider threats.

Find the best Threat Intelligence Service Providers for 2019 →

Know the signs of an insider threat

In addition, it’s important to remain aware of the warning signs of a potential insider threat.

  • Theft and corruption: Keep an eye out to see if your employees’ user activity deviates from the norm. Perhaps they have accessed an account for the first time in a while or from a new location.
  • Damaging mistakes: This is when your employees are acting carelessly. It entails anything from users opening personal accounts on enterprise servers, sharing credentials for a VPN, and checking emails using a third-party provider.
  • New openings for outsiders: These are signs that a cybercriminal has already infiltrated an organization. Look out for an increased number of data transfers, a higher than expected amount of logins, attempts to change privileges and credentials on an existing account, or opening a large number of new accounts.
Contractor negligence and insider threats

Real-life examples of insider threats

For all you true-crime enthusiasts out there, let’s take a look at some insider threats that happened, and the companies that paid the price.

Anthem: employee data infiltration

Between 2014-2015, Anthem experienced a data breach in the form of insider theft that resulted in personal data being stolen from over 18,000 Medicare members. It wasn’t until April 2017—nearly three years later—that the Medicare insurance coordination services vendor. Anthem was using learned an employee had been stealing and misusing member data.

The employer behind this insider threat had emailed a file containing Medicare ID numbers, Social Security numbers, Health Plan ID numbers, member names, and more to their personal email address.

This insider threat is significant in that theft of personal health information is on the rise, and 58% of it can be attributed to insiders.

Target: third-party credential threat

In 2013, Target went through a highly-publicized credit card data breach due to a third-party vendor that took the credentials of critical systems outside of an appropriate use-case. This information made it possible for hackers to infiltrate Target’s payment systems, gain access to the customer database, and install malware.

Doing so allowed them to steal information from Target’s customers, including names, phone numbers, email addresses, and payment card details.

RSA: employees falling for a phishing attack

In March 2011, the RSA fell victim to an insider threat when employees clicked on a targeting phishing attack, leading to 40 million employee records becoming compromised.

The two hacker groups behind this attack launched the phishing scam by pretending to be trusted coworkers and contacts within the organization. TheRSA is the security arm of the EMC, and this attack showed that no one, not even a security vendor, is safe from an inside data breach.

Rockwell and Boeing: employed a spy

Think spies are just for TV dramas and Hollywood films? Think again.

Spies come in all shapes and sizes, and in this case, they come in the form of Greg Chung, who spied for China when he was employed by both Rockwell and Boeing. Between 1979 and 2006, Chung stole hundreds of boxes worth of documents that contained information regarding plans for U.S. military and spacecraft expeditions.

This nation-state sponsored insider threat is one of the ways other countries can gain access to valuable and highly classified secrets and intellectual property.

Protect yourself from the inside out

With insider threats posing such a great financial risk, it’s more important than ever to not only make use of awareness training but to also be able to spot the signs of an insider threat before it happens. Never stop monitoring user activity, as the root cause of all insider threats to your systems are the people using them.

Interested in learning more about the threats out there? Check out how to prevent identity theft and how to identify the different types of spyware.

Never miss a post.

Subscribe to keep your fingers on the tech pulse.

By submitting this form, you are agreeing to receive marketing communications from G2.