Insider Threats

What Are Insider Threats? 

Insider threats refer to human security risks that originate within an organization. They are security risks posed by individuals with far-reaching access privileges to an organization’s systems, networks, or data to do their jobs. These individuals include current or former employees, contractors, business partners, trusted insiders, or third-party vendors. Insider threats can manifest in different forms, from unintentional errors and negligence to malicious intent. 

Unlike external threat actors, insiders are familiar with an organization’s internal workings, making it easier to bypass security measures and go undetected for extended periods. They can wreak havoc on an organization’s security infrastructure, compromise confidential information, and cause severe financial and reputational damage. 

Why Insider Threats Are So Dangerous

A recent Verizon wireless report revealed that the human element contributed to 82 percent of all breaches in 2022. Insider threats were suddenly thrust into the limelight and quickly became a serious concern. 

Insider threats are dangerous due to their inherent advantages:

  • Insiders know intimately about an organization’s security infrastructure, making exploiting vulnerabilities or finding workarounds easier.
  • Insiders often have authorized access to sensitive data, allowing them to perform actions that may go unnoticed or raise fewer red flags.
  • Uninformed employees could inadvertently expose data and credentials to threat actors.
  • Insiders may be able to abuse their privileges without triggering alerts, which can result in significant damage before detection.

Types of Insider Threats 

Malicious Insiders

These are individuals who intentionally cause harm to an organization. They may be disgruntled employees seeking revenge, malicious actors with hidden agendas, or for political reasons, financial or personal gain, espionage, or competitive advantage.

Careless Insiders

These unwitting individuals pose a threat due to negligence, lack of awareness, poor cybersecurity education, or weak cybersecurity policies and procedures. They may unknowingly fall victim to phishing attacks, unintentionally compromise assets or expose credentials, accidentally share sensitive information, or fail to follow established security protocols.

Compromised Insiders

This category includes individuals whose accounts or access credentials have been compromised by external actors. Cybercriminals may exploit vulnerabilities, use social engineering tactics, or employ malware to gain control over an insider’s account and exploit it for their nefarious intentions.

Examples of Insider Threats

NSA Leaks

In 2013, former National Security Agency (NSA) contractor Edward Snowden leaked classified documents, thus revealing extensive surveillance programs. Snowden had privileged access to sensitive information and used his insider status to expose what he believed to be privacy violations. The incident exposed the vulnerabilities of insider access and led to significant changes in government surveillance practices.

WikiLeaks Disclosure

Chelsea Manning, a former U.S. Army intelligence analyst, leaked classified diplomatic cables and military documents to WikiLeaks in 2010. Manning’s actions resulted in one of history’s most significant leaks of classified information. She exploited her authorized access to expose what she saw as evidence of wrongdoing and human rights abuses.

Samsung ChatGPT Leak

In April 2023, Samsung engineers inadvertently leaked sensitive company data when they uploaded code and other information into ChatGPT. Samsung has since temporarily restricted generative AI tools on company-owned computers, tablets, mobile phones, and non-company-owned devices running on internal networks.

Tesla’s Intellectual Property Theft

In 2018, a former employee named Guangzhi Cao was accused of stealing trade secrets related to Tesla’s Autopilot technology. Cao, who had accepted a job with a Chinese autonomous vehicle startup, allegedly downloaded sensitive files and transferred them to his personal storage devices. The incident highlighted the risks of intellectual property theft through insider actions.

Healthcare Data Breaches

In 2015, a former employee of a New York hospital accessed patient records without authorization. This breach compromised the personal information of thousands of patients and underscored the importance of monitoring insider activities.


These examples demonstrate the diverse nature of insider threats and how easy it is for an insider to intentionally or unintentionally leak or expose classified or confidential information and allow unauthorized access to sensitive data. They emphasize the need for organizations to implement robust security measures, such as a Zero Trust model and proactive monitoring to detect and prevent insider threats.

Key Motivators of Insider Threats

Motivators for insider threats can vary widely depending on the individual and the circumstances involved. Some common motivators for insider threats include:

Financial Gain: Money is a significant motivator for insider threats. Employees may be enticed by monetary bribes from external parties to steal or sell sensitive information. Economic pressures, greed, or the desire for a particular lifestyle can drive individuals to exploit their access privileges for personal or financial gain.

Revenge or Retaliation: Disgruntled employees who feel wronged or mistreated by their current or former employer may seek revenge by exposing highly sensitive company data. Their goal is to intentionally disrupt operations, leak confidential information, damage a company’s reputation, or sabotage systems as a form of retaliation.

Ideology or Beliefs: Insiders motivated by ideology, political beliefs, or personal convictions may view their actions as a means to further their cause or expose what they perceive as unjust, corrupt, or illegal. Their actions may be driven by a sense of moral righteousness or a desire to create public awareness.

Espionage or Competitor Advantage: In some cases, insiders may attempt to steal proprietary information, trade secrets, or intellectual property to benefit a competitor or foreign entity.

Negligence or Lack of Awareness: Not all insider threats are nefarious. Unintentional insider threats can occur due to negligence, lack of cybersecurity awareness, or inadequate training. Employees may unknowingly fall victim to phishing attacks, inadvertently disclose sensitive information, or unintentionally violate security protocols.

Intentional vs. Unintentional Insider Threats

Intentional insider threats are conducted by individuals with malicious intent to harm an organization. Their actions are driven by personal or financial gain, ideology, revenge, or coercion.

On the other hand, unintentional insider threats involve individuals who inadvertently compromise security by clicking on malicious links, falling prey to social engineering attacks, mishandling data, or violating security policies due to a lack of awareness or training.

Preventing and Dealing with Insider Threats 

To mitigate insider threats, organizations should implement a comprehensive strategy that includes the following measures:

Security Awareness Training

Conduct regular training programs to enhance employee awareness about cybersecurity best practices, the importance of data protection, and the potential consequences of insider threats.

Continuous Monitoring and Alerting

Monitor user activities and promptly detect suspicious behavior or policy violations. Establish mechanisms for real-time alerting to help supervise activities and learn about suspicious behavior before it becomes a breach.
Develop an incident response plan that outlines the steps to be taken in the event of an insider threat. Establish a dedicated team to investigate incidents and preserve evidence for legal purposes.
Deploy advanced technologies to monitor and analyze user behavior to detect anomalies, unusual patterns, or suspicious activities that may indicate an insider threat/

Separation of Duties

Implement a system of checks and balances by separating critical tasks among individuals. This protocol prevents a single insider from completely controlling sensitive systems or processes.

Cybersecurity Software and Solutions

Deploy and properly configure security tools such as endpoint protection, managed detection and response, intrusion detection and prevention systems, and ransomware protection. 
Never trust, always verify. Zero Trust assumes that all individuals, devices, and services with access to company resources threaten organizational security and cannot automatically be trusted. Only allow employees the necessary access needed to perform their job functions.
Zero Trust Security should be the goal of every security team. The methodology is ready to address the flexibility and challenges of modern hybrid work. Assessing and implementing Zero Trust entails an expert technology partner, which is why organizations choose BlackBerry® Cybersecurity powered by Cylance® AI to protect their people, data, and networks.