Since the beginning of networked computers and the first threat of hackers, the focus of cybersecurity has been to keep external threats out. Firewalls were created to filter internet traffic, antivirus software was designed to detect malicious software that made its way onto a system, and more advanced devices such as Intrusion Detection Systems (IDSs) were developed to help companies with limited security resources to detect activity that may be caused by a hacker or malware.

With the onslaught of security breaches plaguing companies that accept and store credit card information for customer payment, a much more sinister threat has revealed itself. Worse than any external hacker trying to gain access to a system from a Starbucks, and a common proponent to malware infections that have brought down entire healthcare systems. This “new” threat to every business and organization is actually nothing new at all. It is the insider threat, and it exists in absolutely every government, business, organization, and home that has computers or devices with internet access.

What is an Insider?

In the world of cybersecurity, an insider is someone who legitimately belongs inside the network. The first thought that may come to mind is that of a spy who has earned the organization’s trust and worked their way inside to gain access to secret information. This could certainly be one scenario, industrial espionage is nothing new. Unfortunately, the truth is much scarier. Insiders also include perfectly happy employees that mean the organization no harm at all. They simply are not aware of certain dangers on the internet or how to spot social engineering tactics.

What is the Threat?

The vast majority of security measures available on the market are aimed at detecting unauthorized access to systems or files. What is not commonly available is a device or software that know how to detect inappropriate authorized access. While there are certain ways to detect it, this usually requires someone to write custom scripts for their network or devote personnel whose job is to specifically search through audit and activity logs to check for inappropriate use. Even so, there is absolutely no defense against a security-ignorant employee who decides to check their email at work and opens a malware infected attachment. Only security awareness training can help mitigate such a risk.

With minimal defenses, and expensive ones that do exist, not only is the insider threat an uncovered risk, but it exists at every level of an organization. Roughly 43% of all breaches are caused by insiders which is a pretty staggering percentage considering how many breaches there are every year. Of those breaches, about half were intentionally caused by malicious insiders, such as disgruntled employees or corporate spies, and the other half were accidental.

External attackers can even post as internal employees if employees are not careful with their passwords. This type of threat alone is estimated to cost companies $4.3 million each year. That alone should put things into perspective if you are unsure how much this kind of threat can cost an organization. Speaking of stolen passwords, Home Depot’s data breach in 2014 was caused by one of their vendors’ login credentials being stolen.

How is the Insider Threat Stopped?

To put it simply, this threat cannot be stopped. At least, not with a single solution. All the patching, updating, and hardening cannot stop an employee with legitimate access to customer credit card or the internet from their workstation. The greatest defense is simply to educate your workforce. The more employees that are aware of the dangers lurking in their own email accounts, the less likely they are to make simple mistakes that could cost their organization millions of dollars.

On the other hand, security awareness training will not do much against malicious insiders. A disgruntled worker can be fully aware of their actions and still cause damage purely out of spite. They could be more likely to be caught by other employees who have been given security awareness training, but the best way to handle these threats is to live by the rule of minimal required access and utilize audit logs as much as possible. This will help keep everyone’s access in their place, and the audit logs can be used to keep track of activities in sensitive applications or files.


In essence, there are only two truly effective defenses against an insider threat. One strategy is to focus more on security awareness training. This training can bolster the less tech-savvy workforce members against social engineering and their own ignorance of security threats on the internet. The other strategy is to ensure all levels of the organization operate on the least necessary permissions rule. This means separating file storage by department on the network, reducing read or write access to files with sensitive information, and can even include physical access to server rooms or filing cabinets. Employing both of these strategies and taking them seriously will heavily fortify an organization against the most damaging of threats.