Insider Threat Management

Data-Driven Tips for Managing Insider Threats with a Remote Workforce

Share with your network!

(Updated on10/29/2020)

“Shelter-in-place” orders have now been running for at least 10 weeks in many parts of the U.S., and even longer in some other parts of the world. Despite the turbulence and stress of the past few months, many businesses are finding that work-from-home dynamics can have many positive benefits when it comes to productivity and worker satisfaction.

However, it’s also true that this dynamic introduces a host of new cybersecurity concerns, such as securing remote workers and managing insider threats. These are not net-new concerns, of course, but many are now magnified by the current situation.

Insider threat management with a new remote workforce has become a more salient concern among security professionals. Organisations are racing to manage new remote endpoints and grapple with how the shift in working patterns creates more opportunities for outside actors to compromise users’ access or increase the risks posed by negligent users. Let’s take a look at data from last year before COVID-19 had spread globally, as well as some relevant data from the last few months.

What We Learned About Insider Threats in 2019

Research conducted last year by the Ponemon Institute, before anyone heard of Covid-19, broke down three types of insider-led breaches based on a survey of over 200 security organisations: negligent, compromised, and malicious. The graphic below depicts the relative frequency and average cost per insider threat incident of each type.

A close up of a sign

Description automatically generated

In looking at how insider threat teams are adapting to the “new normal” of widespread working from home, it’s useful to consider how the shift in work models impacts the risk and complexity of managing each category. 

One way to do this is to look at changes in user activity patterns at organisations with sophisticated insider threat programs in place. 

The Proofpoint Insider Threat Management Platform leverages a library of over 400 threat signals developed in collaboration with organisations like Carnegie Mellon’s CERT Institute, NIST, and NITTF.  Our customers can configure their implementations based on their specific needs and concerns, including relevant work from home changes. We track the most commonly used threat signals within our customer base and have seen a notable shift in patterns since the start of COVID-19.  

Below are the top findings:

Insider Threat Activity Rank before COVID-19 Rank during COVID-19 Change in the Rank
Searching data on hacking and spoofing 39 14 +25
Exporting Enterprise data by file download 34 12 +22
Exfiltrating a file to a cloud sync folder 33 17 +16
Accessing cloud file-sharing services 15 3 +12
Browsing objectional & disallowed web sites 23 15 +8
Summary of Insider Threat Signals

As you can see in the table above, we found activities that can lead to data exfiltration rose in rank significantly after work from home became the new norm. These were activities related to downloading files from corporate storage (e.g. Microsoft 365) and uploading these files to cloud storage services (e.g. Dropbox, Box, Google Drive, One Drive).  

We also noticed that the use of removable media such as USB devices remained one of the top activities. Were these activities for legitimate purposes, perhaps conducted by a well-meaning but negligent user, or were they for malicious purposes with the intent of stealing intellectual property? Without an insider threat monitoring tool, organisations are in the dark when it comes to answering these questions.

Here is why the type of insider threat you are dealing with matters, and how we believe these categories are evolving in the current climate.


Before: Negligent insider threats arise when users with good intentions forget or do not understand security policies and take actions that put the organisation at risk. As you can see from the chart above, negligent insider threats are the most common type. 

Now: The rapid shift to WFH has radically increased our reliance on video conferencing, chat, file sharing, and email—across both work and play use cases. With increasingly blurry lines between the two, the risk posed by insiders using non-sanctioned services becomes greater. For example, using a personal Gmail or Dropbox account to move information around for work can quickly increase the potential risk of accidental data loss. Furthermore, IT teams may have less visibility into remote endpoints (especially personal devices) to monitor for these “Shadow IT” services than they would have within the walls of the enterprise.


Before: While maliciously motivated insiders have been the least common type of threat seen in the Ponemon research illustrated above, they also come with the highest costs. This means organisations must take them very seriously.

Now: Individuals who want to commit malicious acts – whether misuse/theft of sensitive data or intentionally damage to the corporate infrastructure or brand – may now feel more emboldened to act, since they may believe they can do so with less oversight. Much has been written about the relationship between psychological stress and the propensity for insider threats.  As Joseph Blankenship from Forrester research wrote recently, COVID-19 has created a perfect storm for malicious insider threats.


Before: Compromised insiders are those whose credentials have been stolen or improperly used by others. While they may appear to be the culprit behind an insider threat incident, deeper investigation using an insider threat management platform will show that their user IDs or passwords have been phished, hacked, or otherwise compromised.

Now: With the majority of tech-forward organisations now accessing corporate data, applications, and infrastructure from home, and with users increasingly distracted by stress and abnormal work and life conditions, there is a substantial increase in the risk of a user’s credentials becoming compromised.  Proofpoint’s Threat Research team has been monitoring the radical jump in COVID-19 themed phishing schemes.  We see an increase in access from unprotected WiFi networks. We see exploits leveraging common productivity tools like Microsoft Sharepoint becoming increasingly common. Insider threat teams need to consider the increased risk of compromised insiders while adapting to having less direct oversight than they would in a more traditional office setting.

Adapting Insider Threat Management to the New Normal

Security teams need to move fast and decisively as they adapt to the new normal of working from home. Building modern, secure network access and identity management is critical. Protecting primary threat vectors like email is key. Building resilience into the fabric of the organisation with security awareness training is a must. Purpose-built insider threat management platforms, with the ability to leverage threat signals designed by experts and tested by real organisations in real environments, are uniquely positioned to provide the visibility and context needed to detect and respond to insider threats.  

Bottom line, in this post-perimeter world, security teams need to incorporate a holistic, people-centric approach to security. They should also consider how an insider threat management platform can provide visibility and context across corporate endpoints, whether users are working from home or back in a more traditional office setting. Taking a people-centric and data-driven approach to managing insider threats will result in a stronger security posture and decreased insider threat risk, no matter where your users may be.