Guarding Against Insider Threats

When you see or hear the term “data breach” in the media, is the first thought that there must have been a hacker involved? It may surprise you to know that hackers actually aren’t the main cause of data loss and data breaches within organizations. Most can actually be attributed to insider threats, mainly by employees just trying to do their job who make a negligent error, such as sending an email to the wrong person. So what makes insider threats dangerous? What are the types of insider threats, how do they happen, and how can data classification bolster your security ecosystem to help prevent these kinds of threats?

The dangers of an insider threat

In order to understand and ultimately mitigate insider threats, let’s first look at what makes them such a danger to organizations. While insider threats are dangerous for many reasons, an article by Techradar identifies four primary reasons why organizations must take insider threats seriously:

  • They are hard to identify

Since insider threats already have access to the network with authorized credentials, their access does not flag on a traditional monitoring system. They also often already have access to sensitive data and awareness of the existing security measures in place and how to get around them. Combine this all with a lack of visibility into user access and data activity, and the difficulty of identifying threat actors is incredibly challenging.

  • They are expensive

Like a traditional threat actor, the longer they go undetected and are free to roam the network, the more damage they can do. Even with baselining, often threat actor activity can get caught in a baseline, making it much more difficult to identify their rogue behavior. The fact that they are not raising alarms means you are talking some serious potential damage. The 2022 Ponemon Cost of Insider Threats Global Report revealed that the total average cost of activities to resolve insider threats over a 12-month period is $15.38 million.

  • They risk compliance

Data protection and compliance should also be considered because an insider threat will often make the exfiltration of data their objective. In 2018, Coca Cola suffered an insider threat attack which saw the personal information of about 8000 of its employees leave the building. Not only this, but the dwell time of the incident was extended.  They didn’t realize it had happened until law enforcement informed them of the data breach.

  • They cause operational disaster

As seen with Tesla, an insider threat can sabotage operations and risk an organization’s competitive edge. In this instance, a disgruntled employee who lost out on a promotion made ‘direct code changes to the Tesla Manufacturing Operating System under false usernames and exported large amounts of highly sensitive data to unknown parties’ according to a letter addressed to employees.

Types of insider threats and how they happen

There are many types of insider threats, and they can happen for any number of reasons, from honest mistakes, to disgruntled employees, or for personal financial gain. IBM cites the four categories that Gartner groups insider threats into as:


Pawns are employees who, unaware, are manipulated into performing malicious activities. Whether downloading malware or disclosing credentials to fraudsters through spear phishing or social engineering, pawns harm an organization.

Goofs are ignorant or arrogant users who believe they are exempt from security policies. Out of convenience or incompetence, they actively try to bypass security controls. And against security policies, goofs leave vulnerable data and resources unsecured, giving attackers easy access. The 2022 Cost of Insider Threats Global Report by the Ponemon Institute found that 56% of insider incidents were related to negligence and cost an average of $484,931 per incident.

  • The Collaborator

Collaborators cooperate with outsiders, like a company’s competitors or nation-states, to commit a crime. They use their access to steal intellectual property and customer information or cause business operation disruptions, often for financial or personal gain.

  • The Lone Wolf

Also, often for financial gain, lone wolves act independently and maliciously without external influence or manipulation. Lone wolves are especially dangerous when they have elevated levels of privilege, such as system administrators or database admins.

How data classification can mitigate insider threats

Now that we know why insider threats are dangerous and how they occur, what can be done to mitigate them and protect your organization’s valuable data?  The use of a data classification solution within your organization directly addresses common causes of insider threats by:

  • Preventing sensitive data from leaving the organization

One of the easiest ways for a data breach to occur is by an employee accidentally sending an email containing sensitive information to the wrong recipient. For example, a user could have document that they meant to send internally to but in their haste, accidentally selected from their contact list. This simple mistake results in exposing sensitive data to the incorrect recipient. Data classification solutions assign categories to data (automatically or manually) according to sensitivity, and classification policies can be designed to prevent sensitive information from leaving the organization, or even the department, as required. If the document in the example above was classified as “Confidential”, and company policy determined that “Confidential” information was not to be sent externally, when the user tried to send the email to the wrong recipient, a simple classification dialogue box would appear to let the user know that they cannot send a “Confidential” document to that recipient and prompt them to either remove the document or choose a different contact. Not only does this prevent sensitive data leakage, but involves users directly in the security of the data they are creating and handling.


  • Limiting access to only those who need it

With hybrid working at an all-time high, many employees have been given full access to all data they may need to efficiently do their job from home. The problem here is that the more employees who have access to sensitive data, the more likely it is that data will get exposed. A 2021 study conducted by IBM found that “in 100% of the incidents where the insider was confirmed or likely had administrative access, having this elevated access (to more data than they should) played a role in the incident itself.”  Data that is effectively classified allows you to easily identify the sensitive categories of data by which access should only be granted for those who absolutely need it. This limits the amount of people accessing sensitive data, thus helping mitigate insider threats.

  • Increasing data visibility

You can’t protect data that you don’t know you have! Data visibility is rising challenge for organizations, and in HelpSystems’ recent CISO Perspectives: Data Security Survey 2022, 63% of CISOs said data visibility is the biggest challenge facing organizations today. Data identification and classification solutions allow an organization to establish where all sensitive data resides, and classify that data based on predetermined levels of sensitivity. Once data has been identified and classified, appropriate action can be taken when needed, including deleting data it if it isn’t needed, labeling it, and deciding who has access to it.


  • Monitoring and reporting data access

Insider threats can be difficult to detect as their actions in the network can go undetected for quite a while. Monitoring and reporting features give you visibility into who is accessing what data, and what is being done with that data (such as downloading it to a third-party system). Monitoring and reporting logs enable you to detect an insider threat quickly, allowing you to take action as soon as possible.

Recent rapid digital transformation has unintentionally set the stage for insider threats to grow, states the Ponemon Institute’s 2022 Cost of Insider Threats Global Report. It is much easier to take the proper precautions to protect your data now, and by bolstering your security ecosystem with a best-of-breed data classification solution, your organization can stay ahead of and mitigate insider threats.

This post was first first published on Titus website by HelpSystems Webmaster. You can view it by clicking here