Mitigating the risk of malicious insiders in the hybrid era

The threat is coming from the inside

Most internal security incidents are the result of an honest mistake. But sometimes, for one reason or another, an employee deliberately steals or tampers with corporate resources for personal gain. Whether the insider exploits a vulnerability or steals data that might benefit them in the future, the average cost of a malicious insider attack is $648,062, according to a Ponemon Institute research study on insider threats. These costs stem from a variety of factors, including the loss of data and systems, the effort required to restore that data and those systems, and ransoms paid to attackers. Beyond the financial impact, these attacks can damage an organization from multiple perspectives: reputation, competitive advantage, customer trust, and more.

A few recent headlines demonstrate that no organization is safe from the risk of malicious insiders and make evident the need to implement appropriate security measures for mitigation:

  • Pfizer claimed an employee uploaded 12,000 files to a Google Drive account, including data related to COVID-19 vaccine trade secrets. The employee allegedly had an offer of employment from another company.

  • A Connecticut company alleged that a departing employee conducted a ransomware attack on the company’s systems on his way out, by encrypting files and issuing an anonymous demand for payment.

  • A senior developer in New York was arrested for allegedly stealing data via VPN and trying to extort his employer while pretending to be an external hacker.

Malicious insiders have existed for decades; however, the risk posed by these attackers has increased with the shift to remote work. With many employees, contractors, and partners now working outside the office and the traditional corporate network, differentiating between malicious insider activity and normal behavior is far more difficult.


Forrester Research describes the pandemic-related surge in remote work as part of a “perfect storm for malicious insiders.” As with many other attack types, the pandemic created an environment that makes it easier for malicious insiders to conceal their actions, but the risk does not stem from the pandemic alone. Contributing factors include:

  • Lack of physical visibility: Remote users are harder to monitor — for example, they could take photos of confidential information displayed on a computer screen without leaving a trace or risking observation by a colleague. In addition, past warning signs of potential data theft — such as accessing corporate resources at unusual hours, or leaving work at unusual times — are harder to notice on remote teams, and may not even be suspicious at all due to “flexible” work schedules.

  • Personal device use: More organizations are supporting bring-your-own-device (BYOD). But it’s harder to control data and application access on personal devices, creating another access point for data theft. If the security team lacks endpoint software that grants some visibility into, and control over, access from personal devices, they may not notice that unintended data access is taking place.

  • Increased adoption of SaaS applications: SaaS applications are hosted in third-party cloud infrastructure, outside of the traditional corporate network. Employees often access these applications over the public Internet, and if the organization is not monitoring public Internet usage through a secure web gateway, they will be unable to track who is accessing what data.

  • The “Great Resignation”: Some employees, unfortunately, see resignation as an opportunity to take confidential information with them to their next role. In a survey by Tessian, 45% of people claim to have downloaded files before departing from a job or after being let go. For IT departments specifically, a recent Gartner survey found that a mere 29% of employees in IT “have high intent to stay with their current employer.” As this trend continues, theft of sensitive information by departing employees becomes a bigger potential risk.

In addition to these trends, the tactics used by malicious insiders have rapidly evolved. A recent Insider Risk Report found that 32% of malicious insiders used “sophisticated techniques,” such as using burner email addresses, concealing their identity, acting slowly over time, saving files as drafts within personal email accounts, and using existing approved tools within the organization to find and exfiltrate data.


Operational steps for mitigation

Code42’s Annual Data Exposure Report notes that 39% of companies do not have an insider risk management program. For those companies, implementing one will be an important first step. To establish some immediate safeguards, consider incorporating operational best practices such as:

  • Reducing access to the most sensitive applications and data as soon as an employee gives notice.

  • Immediate lock-out of corporate resources for terminated employees.

  • Mandatory re-login during idle time.

  • Requiring the use of a password manager program.

  • Educating employees on suspicious behavior.

  • Implementing an anonymous process for reporting suspicious behavior.


Zero Trust for threat prevention

Malicious insiders are by definition familiar with their organization’s security practices. This means the operational protocols above will never fully eliminate the risk. Rather, prevention requires a more comprehensive, modern security framework like Zero Trust. A core principle of Zero Trust is that no user or request is trusted by default, even when already inside the network.

Zero Trust security can help organizations reduce their exposure to malicious insiders by requiring:

  • The deprecation of VPNs: VPNs often give users carte blanche network access. This excessive privilege creates an unnecessary opportunity for malicious insiders to spread threats laterally and exfiltrate data. Phasing out VPNs is a common early step towards longer-term Zero Trust adoption.

  • Monitoring and applying security controls to Internet browsing: This means increasing visibility into user activity on the Internet, and applying controls to prevent malicious insiders from entering sensitive data into, for example, suspicious websites or personal tenants of cloud storage sites. These controls can be achieved via Secure Web Gateways (SWGs) and Remote Browser Isolation (RBI).

  • Authenticated access based on identity and other contextual signals: Least privilege access policies allow users to reach resources only after first checking identity, multi-factor authentication (MFA), and other contextual signals such as device posture. Layering and checking these signals can help detect suspicious, untrustworthy activity from potential malicious insiders.
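As an added illustration (not Cloudflare's code or product), here is a small access-policy evaluator that combines the operational steps listed earlier (revoking sensitive access once an employee gives notice, locking out terminated accounts, mandatory re-login after idle time) with the Zero Trust signals in the list above (identity, MFA, device posture). The user directory, application names, and timeout are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    app: str
    mfa_verified: bool
    device_managed: bool
    disk_encrypted: bool
    idle_seconds: int
    network: str = "internet"  # deliberately unused: location confers no trust

# Constructed directory (assumption): HR lifecycle state plus per-app entitlements.
USERS = {
    "alice": {"status": "active", "apps": {"wiki", "crm"}},
    "bob": {"status": "notice", "apps": {"wiki", "crm"}},        # has given notice
    "carol": {"status": "terminated", "apps": {"wiki", "crm"}},  # has left the company
}
SENSITIVE_APPS = {"crm"}        # revoked as soon as an employee gives notice
IDLE_TIMEOUT_SECONDS = 15 * 60  # mandatory re-login after idle time

def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Checks run in order; the first failure denies.
    Every request is evaluated the same way, inside or outside the office."""
    acct = USERS.get(req.user)
    if acct is None or acct["status"] == "terminated":
        return False, "identity: unknown or disabled account"
    if req.app not in acct["apps"]:
        return False, "least privilege: no entitlement for this app"
    if acct["status"] == "notice" and req.app in SENSITIVE_APPS:
        return False, "lifecycle: sensitive app access revoked after notice"
    if not req.mfa_verified:
        return False, "mfa: second factor not verified"
    if req.idle_seconds > IDLE_TIMEOUT_SECONDS:
        return False, "session: idle timeout, re-authentication required"
    if not (req.device_managed and req.disk_encrypted):
        return False, "posture: unmanaged or unencrypted device"
    return True, "allow"

def audit_line(req: Request) -> str:
    """One structured log line per decision, so denials can be reviewed later."""
    allowed, reason = evaluate(req)
    verdict = "ALLOW" if allowed else "DENY"
    return f"user={req.user} app={req.app} network={req.network} decision={verdict} reason={reason!r}"

if __name__ == "__main__":
    for r in (Request("alice", "crm", True, True, True, 30),
              Request("bob", "crm", True, True, True, 30),
              Request("carol", "wiki", True, True, True, 30, "corporate")):
        print(audit_line(r))
```

Note that carol's request is denied even though it arrives from the corporate network: under Zero Trust the network location is not a signal, and the audit line records which check failed.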

Cloudflare helps organizations implement comprehensive Zero Trust security that enforces identity-, posture-, and context-driven rules to protect applications, ensuring that users access only the applications and data they need for their work, which minimizes the potential for data exfiltration.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Key takeaways

  • How remote work makes spotting insider threats more challenging

  • Contributing factors that make it easier for malicious insiders to act

  • Advanced techniques that insiders are using to exfiltrate data

  • How Zero Trust security can prevent lateral movement

Dive deeper into this topic

Learn more about Zero Trust Network Access with the 7 ways to work from anywhere eBook.