Companies must take action now against the growing menace of insider threats

The post-pandemic era can aptly be described as a golden era for cybercriminals, with a monumental rise in the number of cybercrimes across the globe. Cybercrime gangs are firing on all cylinders, launching a barrage of sophisticated cyber threats that cause major damage to organizations of every size across all sectors. But some threats are grown a little closer to home. In a recent survey by Cybersecurity Insiders, more than 60% of companies experienced an insider attack in 2022, and many of those attacks had expensive, damaging outcomes. In fact, three-quarters of survey respondents said that they feel moderately to extremely vulnerable to insider threats, an increase of 8% over 2021. The growing problem of insider risk is something every business needs to address immediately.

Malicious insider threats aren’t the biggest cyberattack vector for businesses. In the 2022 Unit 42 Incident Response Report by the Palo Alto Networks, insider attacks comprised only 5.4% of the reported incidents. However, even this tiny percentage made a more significant dent for organizations as insiders have a better understanding of sensitive data and have access to privileged information. That small percentage of reported incidents can lead to major damage fast. According to Verizon’s 2022 Data Breach Investigations Report, malicious employees are behind about 20% of data breaches, and the attacks that insiders are involved in are, on average, 10 times bigger than those conducted by external actors.

Looking at a recent example of how much damage a malicious insider can do quickly helps illustrate the danger. In November 2022, news broke out about a hacker group, WhiteInt, whose mastermind was an associate director at Deloitte’s cyber unit. The hacker group had operations across India and offered paid services of accessing emails, personal data, and phone numbers of VIPs for private investigators globally. After being exposed in a sting operation conducted by The Sunday Times and the Bureau of Investigative Journalism, the mastermind Aditya Jain was terminated from Deloitte. But the damage had already been done to the company’s reputation.

What are the motives behind insider attacks?

Malicious insider attacks can come from anyone with the right access to a company’s computer systems and data, including current employees, former employees, contractors, business partners or business associates, suppliers, and vendors. Over 90% of malicious insider incidents are preceded by employee termination or layoff, and if that employee still has a valid access credential they can wreak havoc quickly. Like most other cyberattacks, a malicious insider’s prime motive is financial gain. However, malicious insider threats can also result from espionage, retaliation, or a grudge toward the employer. Stealing data or proprietary information is the top malicious insider action, but disgruntled employees make other damaging moves too.

The Top Malicious Insider Actions

Exfiltrating Data 62%
Privilege Misuse 19%
Data Aggregation/Snooping 9.5%
Infrastructure Sabotage 5.1%
Circumvention of IT Controls 3.8%
Account Sharing 0.6%

Source: Statista

Even non-malicious insider actions can lead to a data disaster

However, it’s important to remember that not all insider threats are malicious attacks. Some bad outcomes like a data breach can happen because of employee negligence or ineptitude. Many of those threats can be neutralized through security awareness training. For example, over 65% of accidental insider threats come from employees interacting with a phishing message. But with regular training using phishing simulation, companies can dramatically reduce the likelihood of an employee falling for a phishing trap. Whether malicious or accidental, insider threats come from an array of employee actions and behaviors. A Gartner study classifies insider threats into four categories: pawn, goof, collaborator, and lone wolf.

The pawns: Pawns are those employees who fall for social engineering lures and give up their sensitive information to the hackers by downloading malware or disclosing credentials on a spoofed website.

The goofs: Goofs are ignorant or arrogant employees who do not follow an organization’s security protocols. In their ignorance, they bypass an organization’s security controls, leaving data and other sensitive information vulnerable and giving threat actors easy access to systems and data. These are generally non-malicious acts. Gartner report found out that the goofs cause 90% of insider incidents.

The collaborators: Collaborators, also known as turncloaks, collaborate with outsiders, such as the company’s competitors or nation-state actors, to steal privileged information. They misuse their access to steal intellectual property that could lead to business operations disruptions, financial losses, and reputational damages.

The lone wolf: A lone wolf acts independently without any external influence or manipulation to harm their employers. Often, the lone wolf has elevated levels of privilege and access within the company, enabling them to steal information without getting caught. Lone wolves primarily work for financial gains.

These tips can help you prevent and remediate insider threats

Perform risk assessments: organizations, at all times, should be aware of the location of their critical assets, vulnerabilities, and threats that could affect them. The risk assessment should include all the risks caused by insider threats. After that, prioritize the risks and enhance your cyber defense according to risk priority.

Continuously update and enforce security policies: The threat landscape evolves continually; therefore, you must update your security policies regularly to thwart the threats. Additionally, work harder to implement these security policies for all employees interacting with your IT environment.

Employ a security operations center (SOC): An SOC monitors your critical attack vectors and alerts you upon finding any suspicious activities. SOC experts proactively detect and eliminate an attack before it could harm your organization.

Deploy intrusion detection and prevention systems: Intrusion detection and prevention systems help you monitor and control remote access from all endpoints. It can flag any unusual activities, allowing you to remediate the issue quickly. Also, ensure all remote access to ex-employees is terminated immediately when they leave the organization.

Enable surveillance: Not all insider attacks are conducted through digital means. Hence, you should have 24/7 surveillance of your critical facilities to prevent theft of your critical resources.

Monitor the dark web: Most of the stolen data and sensitive information lands on the dark web forums for sale these days. If it falls into the wrong hands, the future of your organization might be in jeopardy. That’s why you should keep an eye on the dark web for credentials and other information exposure through dark web monitoring. Finding the exposure early can help you prepare for any eventualities.

Add a cybersecurity component to offboarding. Former employees are a security threat, even if they leave on good terms. Removing their access to systems and data is critical. A study showed that 83% of former employees surveyed said they continued to access accounts at their previous place of employment and 89% could still access sensitive company data after leaving the company.

Eliminate sophisticated threats with Managed SOC and Dark Web ID

Get the top Managed SOC that leverages our Threat Monitoring Platform to give you access to an elite team of security veterans who hunt, triage and work with your team when actionable threats are discovered

  • Detect malicious and suspicious activity across three critical attack vectors: Endpoint, Network & Cloud
  • Patent-pending cloud-based technology eliminates the need for on-prem hardware
  • Discover adversaries that evade traditional cyber defenses such as Firewalls and AV

Dark Web ID offers best-in-class dark web intelligence, reducing credential compromise risk.

  • 24/7/365 monitoring using real-time, machine, and analyst-validated data
  • Fast alerts of compromises of business and personal credentials, including domains, IP addresses, and email addresses
  • Live dark web searches find compromised credentials in seconds
  • Create clear and visually engaging risk reports


Click here to schedule a quick 10-minute call