What is an insider threat?

An insider threat is a security risk posed by an employee, former employee, contractor, or vendor. Insider threats can result in fines, reputational damage, and loss of intellectual property.

Learning Objectives

After reading this article you will be able to:

  • Identify types of malicious and accidental insider threats
  • Understand the roles of access control and access management in mitigation
  • Evaluate options for risk reduction

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is an insider threat?

An insider threat is a risk to an organization's security stemming from someone associated with the organization, such as an employee, former employee, contractor, consultant, board member, or vendor.

These threats can be malicious or accidental. For example, a Verizon analysis of 3,950 data breaches revealed that 30% "involved internal actors."

Insiders can cause damage in multiple ways:

  • Stealing, leaking, or destroying data
  • Selling company secrets
  • Breaking systems, networks, or other IT resources
  • Misplacing company equipment
  • Sending an email attachment to the wrong person
  • Falling victim to attackers’ scams
  • Misconfiguring network or database settings

What are the motives behind insider threats?

Malicious insiders may have any number of reasons for compromising an organization’s data, including the desire to sell the data, revenge, boredom, ideology, and political allegiance.

When an insider inadvertently creates a security risk or causes a breach, there is no motive. The insider may make a mistake that causes the problem, lose a piece of company equipment, or be tricked into a data breach through social engineering, such as phishing.

What are common insider threat indicators?

Changes in behavior can be a sign of trouble. A malicious insider may be:

  • Going into the office outside of typical hours
  • Accessing different files and systems than usual
  • Downloading files en masse
  • Using storage devices
  • Suddenly sending emails with very large attachments
  • Working far more overtime

These signs are not bad in and of themselves. Many have completely reasonable explanations, especially for IT professionals.

Why is access control important for insider threat programs?

A fundamental aspect of protecting against insider threats is access control, or sets of rules and policies that decide who gets access to restricted locations, information, and systems. One approach is role-based access control, where each person’s permissions depend on their department and work responsibilities.

The principle of least-privilege access in network security means giving employees and other insiders access to only what they need to carry out their responsibilities — nothing more. For example, a human resources professional may need to view employee salary information and a programmer may need to alter the codebase, but neither needs access to the other’s files.

This is part of what makes zero trust security an effective IT security model. It involves requiring strict identity verification for every person and device seeking access to a corporate resource, even if they are already inside the network. Through limitations on user and device access, the potential fallout for all types of insider threats decreases — just as losing one credit card and losing an entire wallet differ greatly in terms of damage.

How can companies mitigate the risk of insider threats?

When fine-tuning an insider threat program, it is essential to be mindful of motivations and how they shape the threat landscape. For both malicious and accidental insiders, strict adherence to access control best practices can greatly help with data loss prevention.

Strategies include:

  • Mapping out where sensitive data is stored and who has access to it
  • Developing checklists for departing employees and other insiders, including turning off access to third-party software and apps, along with internal systems
  • Increasing vigilance during mergers and acquisitions, when permissions and access commonly change
  • Requiring targeted and comprehensive training on accidental insider risks, such as ensuring that employees know to keep passwords private, report missing equipment, and identify potential social engineering scams

In addition to using access management to protect data and systems, the IT department can set limits on company-owned or managed devices, such as locking down options for data transfer and requiring permission to download new software.

With logging and analytics capabilities, it is possible to set alerts for behaviors common to insider threats to catch potential problems early. Alert types include:

  • Visits to unapproved file-sharing applications
  • Application access from unknown or unmanaged devices
  • Downloads from one cloud storage provider followed by uploads to another cloud storage provider
  • Emails with larger attachment sizes than usual
  • Unexpected DNS or HTTP queries (a secure web gateway can help identify this)
  • Attempts to gain greater privileges than required for the person’s role
  • Making changes to many files in a short period

Learn how Cloudflare Zero Trust simplifies the process of setting up role-based access controls and speeds up remote access.