Insider Threats: The Risk Right Under Your Nose

September 6, 2022

An insider threat is a security risk originating inside an organization. It usually involves a current or former employee or business associate who has privileged access to sensitive data or privileged accounts within the network of an organization and abuses this access.


Historically, security measures have focused outward in a vigilant effort to discover external threats to applications and data. As a result, many modern security postures aren’t always capable of identifying a threat emanating from the inside. In this post, we’ll profile typical insider threat actors, offer an overview of their motivations and pass along some tips for rooting them out. We’ll also suggest fundamental actions you can take to identify anomalous insider behavior and mitigate the threat it poses.



The Insider Threat Landscape

A recent Forrester report reveals that 58% of sensitive data incidents are caused by insider threats, but 82% of companies don’t have a strategy for managing them. Almost a third of organizations don’t regard insiders as a substantial threat to cybersecurity, and another 30% cite organizational indifference and lack of executive buy-in to an insider risk management strategy as factors.



Meet the Actors


  1. The “Patsy”
    This is an “innocent bystander” who, without knowing it, exposes their organization’s data and architecture to outside threats. This is the most common insider threat and typically the outcome of mistakes, such as leaving a device exposed or falling victim to a scam. For example, an employee intending no harm may click on an insecure link and infect the system with malware.

  2. The “Traitor”
    This bad actor maliciously and intentionally abuses legitimate credentials, typically to steal information for financial or personal incentives. Examples can include an individual who holds a grudge against a former employer, or an opportunistic employee who sells secret information to a competitor. Traitors have a distinct advantage over other attackers due to their familiarity with an organization’s security policies, procedures and vulnerabilities.

  3. The “Imposter”
    This insider threat is technically an outsider that managed to gain access to a privileged network. In most cases, the impostor is someone from outside the organization who poses as an employee or partner.



How to Sniff Out Insider Threats

Anomalous data access activity at the network level may indicate danger. It’s also worth noticing when an employee appears to be dissatisfied, seems to be holding a grudge for some past slight, or even starts to take on more tasks with excessive enthusiasm. These are all behaviors that may tip you off to the existence of an insider threat. Others include:


  1. Activity at unusual times. If a privileged user suddenly starts interacting with data at 3 a.m. or on a weekend, they might be exfiltrating sensitive data.
  2. Unexpected changes in traffic volume. Be on the lookout for users with privileged access that are transferring much more data via the network than their job requires. This can be a sign of data theft.
  3. Accessing unusual resources. If a privileged user begins accessing sources within your data repository that they don’t normally access, this could be a red flag.



Make Yourself a Smaller Target

It goes without saying that there are no “silver bullets'' when it comes to stopping insider threat risk, but you can start with these activities:


Secure your critical assets. These may be physical or logical and include architectures, technology, facilities and intellectual property. They also include customer and vendor data, proprietary software and sensitive internal processes.


Gain a 360-degree understanding of your critical assets. Be sure your organization knows what critical assets you possess and how they’re prioritized. Ensure you understand the current state of each asset.


Enforce policies. Comprehensively document organizational policies so you can enforce them and prevent false alarms. Everyone in the organization should be familiar with security procedures, understand their rights in relation to intellectual property and never share privileged content.


Increase visibility. Keep track of how employees typically interact with data and correlate intelligence from several data sources. For example, develop procedures to lure a malicious traitor or imposter and gain visibility into their actions.


Promote culture changes. Make data security savvy and ensure your organization’s security core values. Combat negligence and address the drivers of malicious behavior. Provide ongoing education on security issues and work to improve employee satisfaction.



Find a Sustainable Mitigation Solution

In addition to the activities above, we recommend enhancing your insider threat detection strategy with tools to not only monitor behavior, but also filter through the large number of alerts and false positives. User behavior analytics can establish a baseline for normal data access activity, while database activity monitoring can help identify policy violations. Employing these as part of a larger overall application and data security strategy should set you on a path to continually improving your security posture from the inside, out.

Bruce Lynch
Product and Content Marketing Manager | Imperva
Bruce Lynch joined Imperva through the acquisition of jSonar, where he served as the company’s first Product and Content Marketing Manager. He has been creating content in the technology space for over 25 years as a specialized information publisher, bylined magazine and newsletter columnist, and book author. Bruce manages and is a frequent contributor to Imperva’s corporate blog, specializing in data security. He earned a Bachelor of Arts cum laude from the University of Massachusetts at Amherst.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit