An insider threat can happen when someone close to an organization with authorized access misuses that access to negatively impact the organization’s critical information or systems. This person does not necessarily need to be an employee – third party vendors, contractors, and partners could pose a threat as well. Insider threats can be unintentional or malicious, depending on the threat’s intent. Unintentional insider threats can be from a negligent employee falling victim to a phishing attack. A malicious threat could be from intentional data theft, corporate espionage, or data destruction.



Your biggest asset is also your biggest risk. The root cause of insider threats? People. Yet most security tools only analyze computer, network, or system data.

Threats can come from any level and from anyone with access to proprietary data 25% of all security incidents involve insiders.[1]

Recent insider threat statistics reveal that 69% say their organizations have experienced an attempted or successful threat or corruption of data in the last 12 months.

Cybersecurity Education and Training Begins Here

Here’s how your free trial works:

  • Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure
  • Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days
  • Experience our technology in action!
  • Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks

Fill out this form to request a meeting with our cybersecurity experts.

Thank you for your submission.

Definition of an Insider

A current or former employee, contractor, or business partner who has or had authorized access to the organization’s network, systems, or data. Examples of an insider may include:

  • A person given a badge or access device.
  • A person whom the organization supplied a computer or network access.
  • A person who develops products and services.
  • A person who is knowledgeable about the organization’s fundamentals.
  • A person with access to protected information.

What Is a Malicious Insider?

An insider threat is any employee, vendor, executive, contractor, or other person who works directly with an organization. A malicious insider is one that misuses data for the purpose of harming the organization intentionally. Malicious insiders are harder to detect than external threats because they know that they must hide their tracks and steal or harm data without being caught. They are also harder to detect because they often have legitimate access to data for their job functions.

A malicious insider can be any employee or contractor, but usually they have high-privilege access to data. For example, a software engineer might have database access to customer information and will steal it to sell to a competitor. This activity would be difficult to detect since the software engineer has legitimate access to the database.

Insider Threat Behavior Patterns

Most sophisticated intrusion detection systems and monitoring applications take a benchmark of typical activity from the network and use behavior patterns (e.g., access requests) to determine if there is a potential attack. These systems might use artificial intelligence to analyze network traffic and alert administrators.

A few behavior patterns common with insider threats include:

  • Frequent violations of data protection and compliance rules.
  • Constant conflict with other employees.
  • Performance reports are continually low.
  • Uninterested in projects or other job-related assignments.
  • Misuse of travel and expenses.
  • Interesting in other projects that don’t involve them.
  • Uses sick leave frequently.

Technical Indicators of Insider Threats

During data theft, a malicious insider often takes several steps to hide their tracks so that they aren’t discovered. These changes to their environment can indicate a potential threat and detect anomalies that could be warning signs for data theft.

A few indicators include:

  • Backdoors for open access to data either from a remote location or internally.
  • Installing hardware or software to remotely access their system.
  • Changing passwords for unauthorized accounts.
  • Unauthorized disabling of antivirus tools and firewall settings.
  • Malware installation.
  • Installing unauthorized software.
  • Access attempts to other user devices or servers containing sensitive data.

Who Are Your Insiders?

The term “insiders” indicates that an insider is anyone within your organization’s network. Most organizations understand this to mean that an insider is an employee, but insider threats are more than just employees. An insider can be an employee or a third party.

Insiders include:

  • High-privileged users such as network administrators, executives, partners, and other users with permissions across sensitive data.
  • Developers with access to data using a development or staging environment.
  • Resigned or terminated employees with enabled profiles and credentials.
  • Acquisition managers and employees.
  • Vendors with internal access.
  • Contractors with internal access.
  • Partners with internal access.

Insider Threat Statistics

One-third of all organizations have faced an insider threat incident.[2] The rest probably just don’t know it yet.


of incidents where private or sensitive information was unintentionally exposed[3]


of incidents where employee records were compromised or stolen[3]


of incidents where customer records were compromised or stolen[3]


of incidents where confidential records (trade secrets or intellectual property) were compromised or stolen[3]

Decrease your risk immediately with advanced insider threat detection and prevention.

Who Is at Risk of Insider Threats?

Every organization is at risk of insider threats, but specific industries obtain and store more sensitive data. These organizations are more at risk of hefty fines and significant brand damage after theft. Larger organizations are at risk of losing large quantities of data that could be sold off on darknet markets. An insider threat could sell intellectual property, trade secrets, customer data, employee information and more. Industries that store more valuable information are at a higher risk of becoming a victim.

A few common industries at high risk of insider threats:

  • Financial Services
  • Telecommunications
  • Technical Services
  • Healthcare
  • Government

Insider Threat Examples

Because insider threats are more difficult to detect, they often go on for years. One example of an insider threat happened with a Canadian finance company. Users at Desjardins had to copy customer data to a shared drive so that everyone could use it. A malicious insider continued to copy this data for two years, and the corporation realized that 9.7 million customer records were disclosed publicly. It cost Desjardins $108 million to mitigate the breach.

Technical employees can also cause damage to data. A Cleveland-based organization experienced a distributed denial-of-service (DDoS) from crashed servers after one of their developers decided to deploy malicious code to the system. The malware deleted user profiles and deleted files, making it impossible for the organization to be productive.

What Advantages Do Insider Threats Have Over Others?

Insider threats such as employees or users with legitimate access to data are difficult to detect. These threats have the advantage of legitimate access, so they do not need to bypass firewalls, access policies, and cybersecurity infrastructure to gain access to data and steal it.

High privilege users can be the most devastating in a malicious insider attack. These users have the freedom to steal data with very little detection. These users are not always employees. They can be vendors, contractors, partners, and other users with high-level access across all sensitive data.

What Is Not Considered an Insider Threat?

Corporations spend thousands to build infrastructure to detect and block external threats. These threats are not considered insiders even if they bypass cybersecurity blocks and access internal network data. Insider threats are specific trusted users with legitimate access to the internal network. They have legitimate credentials, and administrators provide them with access policies to work with necessary data. These users do not need sophisticated malware or tools to access data, because they are trusted employees, vendors, contractors, and executives.

Any attack that originates from an untrusted, external, and unknown source is not considered an insider threat. Insider threats require sophisticated monitoring and logging tools so that any suspicious traffic behaviors can be detected. Older, traditional ways of managing users was to blindly trust them, but a zero-trust network is the latest strategy for cybersecurity along with data loss prevention (DLP) solutions, and it requires administrators and policy creators to consider all users and internal applications as potential threats.

What Are Characteristics of an Insider Threat?

An external threat usually has financial motives. Their goals are to steal data, extort money, and potentially sell stolen data on darknet markets. Insider threats could have similar goals, but usually it’s accidentally falling for a sophisticated phishing or social engineering attack, or in the case of a malicious threat, the goal is to harm the organization by data theft.

The characteristics of a malicious insider threat involves fraud, corporate sabotage or espionage, or abuse of data access to disclose trade secrets to a competitor. Although not every insider threat is malicious, the characteristics are difficult to identify even with sophisticated systems. Because users generally have legitimate access to files and data, good insider threat detection looks for unusual behavior and access requests and compares this behavior with benchmarked statistics.

Examples of Insider Threats

Every organization that has vendors, employees, and contractors accessing their internal data takes on risks of insider threats. Some very large enterprise organizations fell victim to insider threats. Some of these organizations have exceptional cybersecurity posture, but insider threats are typically a much difficult animal to tame.

A few examples include:

  • Tesla: A malicious insider, according to an Elon Musk memo, performed “quite extensive and damaging sabotage” to the Tesla system when the employee altered code to the Tesla Manufacturing Operating System and exported highly sensitive Tesla data to a third party.
  • Facebook: In 2018, Facebook found that a security engineer was using internal tools and data to harass women.
  • Coca Cola: An investigator found that a Coca Cola employee copied data of about 8000 employees to a personal external hard drive. After Coca Cola became aware of the data breach, the organization notified employees and offered free credit monitoring for a year.
  • SunTrust Bank: A former SunTrust employee stole 1.5 million names, addresses, phone numbers and account balances for bank customers. Other sensitive data was not accessed, but it posed a risk to the bank and its customers.

Types of Insider Threats

What makes insider threats unique is that it’s not always money driven for the attacker. In some cases, the attacker is a disgruntled employee who wants to harm the corporation and that’s their entire motivation. There are four types of insider threats. They aren’t always malicious, but they can still have a devastating impact of revenue and brand reputation.

The malicious types of insider threats are:

  • Sabotage: The insider threat goal is to damage a system or destroy data.
  • Fraud: When theft or changes to data are meant for deception, the attacker’s goal is fraudulent and likely for the purpose of causing corporate disruption.
  • Theft of intellectual property: Any proprietary information is valuable to an organization, and an attacker aiming to steal it could create long-term monetary damage.
  • Espionage: Any sensitive trade secrets, files, and data are vulnerable to espionage if an attacker steals them to sell to competitors.

There are also situations where insider threats are accidental. Common situations of inadvertent insider threats can include:

  • Human error
  • Bad judgment
  • Phishing
  • Malware
  • Unintentional aiding and abetting
  • Stolen credentials
  • Convenience

Indicators of Data Theft

Characteristics can be indicators of potential insider threats, but technical trails also lead to insider threat detection and data theft. These technical indicators can be in addition to personality characteristics, but they can also find malicious behavior when no other indicators are present.

Technical indicators that your organization is the victim of data theft from a malicious insider include:

  • Large quantities of data either saved or accessed by a specific user.
  • Emails containing sensitive data sent to a third party.
  • Remote access to the network and data at non-business hours or irregular work hours.
  • Multiple attempts to access blocked websites.
  • Attempted access to USB ports and devices.
  • Frequent access requests to data unrelated to the employee’s job function.
  • Taking corporate machines home without permission.

How to Detect Malicious Insiders

Organizations that only install monitoring services on external traffic could be missing potential threats on the inside of the network. It’s important to have the right monitoring tools for both external and internal infrastructure to fully protect data and avoid costly malicious insider threats.

Taking the necessary cybersecurity steps to monitor insiders will reduce risk of being the next victim. A few ways that you can stop malicious insiders or detect suspicious behavior include:

  • Apply policies and security access based on employee roles and their need for data to perform a job function.
  • Monitor access requests both successful and unsuccessful.
  • Use cybersecurity and monitoring solutions that allow for alerts and notifications when users display suspicious activity.
  • Install infrastructure that specifically monitors user behavior for insider threats and malicious data access.

How to Stop Insider Threats

To stop insider threats–both malicious and inadvertent–you must continuously monitor all user activity and take action when incidents arise.

The potential risks of insider threats are numerous, including installing malware, financial fraud, data corruption, or theft of valuable information. To counteract all these possible scenarios, organizations should implement an insider threat solution with 6 key capabilities:

Detect Insider Threats

Uncover risky user activity by identifying anomalous behavior.

Investigate Incidents

Investigate suspicious user activity in minutes—not days.

Prevent Incidents

Reduce risk with real-time user notifications and blocking.

Protect User Privacy

Anonymize user data to protect employee and contractor privacy and meet regulations.

Satisfy Compliance

Meet key compliance requirements regarding insider threats in a streamlined manner.

Integrate Tools

Integrate insider threat management and detection with SIEMs and other security tools for greater insight.

Are you ready to decrease your risk with advanced insider threat detection and prevention? Let us walk you through our Proofpoint Insider Threat Management and answer any questions you have about Insider Threats.

Insider Threats FAQs

How Many Potential Insider Threat Indicators Are There?

Any user with internal access to your data could be an insider threat. Vendors, contractors, and employees are all potential insider threats. Suspicious events from specific insider threat indicators include:

  • Recruitment: Employees and contractors can be convinced by outside attackers to send sensitive data to a third party.
  • Voluntary: Disgruntled and dissatisfied employees can voluntarily send or sell data to a third party without any coercion.
  • Unknowing: Due to phishing or social engineering, an individual may disclose sensitive information to a third party.

What Advantages Do Insider Threats Have Over Others?

Because insiders have at least basic access to data, they have an advantage over an external threat that must bypass numerous firewalls and intrusion detection monitoring. The level of authorized access depends on the user’s permissions, so a high-privilege user has access to more sensitive information without the need to bypass security rules.

What Is Not Considered a Potential Insider Threat?

External threats are definitely a concern for corporations, but insider threats require a unique strategy that focuses on users with access, rather than users bypassing authorization. Attacks that originate from outsiders with no relationship or basic access to data are not considered insider threats. Note that insiders can help external threats gain access to data either purposely or unintentionally.

Subscribe to the Proofpoint Blog