Insider Threats: Identification, Detection and Protection


What are insider threats?

Nothing has the potential to unravel a company’s hard work and success quite like an insider threat.

Insider threats are any vulnerabilities that exist as a byproduct of human factors originating from within an organization. According to many authorities on the subject, including the U.S. Government’s Cybersecurity and Infrastructure Security Agency, these threats are best defined as the potential for an insider to abuse their access to information, people, and networks in a way that might bring serious harm to the company, its staff, or its stakeholders.

Threat types are multifaceted.

Insider threats take many forms. Yet despite the seemingly countless examples of security breaches possible from among the rank and file, most instances fall neatly within one of three categories.

Intentional Actors

Intentional actors are those who work within a company and actively seek to disrupt it. Many of these individuals develop ill will against their employers over matters related to pay, lack of recognition, denial of benefits, or similar issues. An intentional actor’s motivation is hardly ever random and is often traceable back to a single upset or small list of grievances. These individuals are highly susceptible to outside influence, which could drive them toward vindictive activities, such as corporate espionage. A famous example is the 1997 Kodak case, during which a former employee was convicted of having stolen several million dollars’ worth of equipment and documents from the photography tycoon, compromising Kodak’s reputation and bottom line in the process.

Unintentional Actors

Unintentional actors are those who work within a company but do not harbor malicious intent. In fact, most unintentional actors become a risk to their parent organization simply out of carelessness, recklessness, or negligence. This type of insider threat is best characterized by the employee who loses their access badge, holds open the door to a secure area for a stranger, or falls victim to any number of social engineering tricks. Unintentional actors are often used as accessories to crimes; they are rarely the perpetrators themselves. A famous, historical example of the fallout from an unintentional actor took place in 2015, when both Facebook and Google were subject to a massive phishing attack. Employees – the unintentional actors – unknowingly opened malware-clad links that led to several, massive cybersecurity breaches, ultimately costing both tech giants upwards of 100-million dollars.

Fringe Actors

Fringe actors are the wild cards of the insider threat world. They are the catch-all cohort for corporate partners (e.g., vendors, contractors, etc.), and occasionally comprise more than one individual. Fringe actors are hard to detect given their limited degree of interaction with security, middle management, and other company gatekeepers. Nonetheless, their impact can be just as devastating as that of intentional and unintentional actors. An infamous example of a fringe threat is Edward Snowden. A contractor for the National Security Agency, Snowden stole untold numbers of documents from the Federal Government and leaked many highly classified pieces of information to the press. The ramifications of his actions are still felt throughout the world today.

Managing a breach takes a village.

Although types differ, any insider threat’s potential for catastrophe is equally severe. A company’s goal should always be to prevent a threat from happening in the first place. But should that line of defense fail, then an agile response and recovery is key. The steps are straightforward: Recognize, Respond, and Recover.

Recognize

Learning how to spot indicators of insider threats is step one. The Center for Development of Security Excellence suggests the tell-tale signs of an ongoing threat might include factors like an employee’s sudden and unexplained affluence, security protocol breaches, drastic changes in behavior, unauthorized software detection on company equipment, and more. The most frequently observed factors at play when considering someone’s risk as an insider threat are money, ideology, compromise, and ego, colloquially referred to by the mnemonic device “MICE.”

Respond

Once an insider threat is identified, time is of the essence. Response should be both urgent and deliberate, to ensure an incident is handled in a proper, controlled manner. Depending upon the severity of the breach, an organization might choose to involve local or federal law enforcement to augment their existing resources. They might also reach out to public sector partners for a coordinated response. For example, federal agencies like the Defense Counterintelligence Security Agency provide insider threat response support for private entities aligned with the U.S. Department of Defense mission.

Recover

Once an impacted company has subdued the insider threat and assessed any consequent damage, recovery comes next. Companies should have a clear, tabletop-tested recovery plan already in place.

No two incidents are ever alike, and neither are any two organizations. Some might choose to handle the matter internally, while others might hire specialized consultants experienced in corporate security. Regardless of how a recovery strategy unfolds, it is essential that the entire company and all those affected work together in close collaboration.

The best defense is a good offense.

A strong proficiency in responding to internal corporate security breaches is imperative, but even more vital is knowing how to defend against them ahead of time. While there are numerous tactics an organization might leverage to keep their business safe from insider threats, two of the easiest to enact quickly are access management and offensive security measures.

Identity, Credentialing and Access Management

Knowing who is who can mean the difference between a benign day at the office and an all-out emergency. Identity, credentialing and access management (ICAM) has become standard practice across organizations worldwide. Badging, employee databases, facial recognition technology, and physical security are all routine ways to foster a company culture where ICAM is at the forefront of any insider threat detection and prevention strategy.

Offensive Security

Reactive security measures ought to be a thing of the past. Fortunately, many companies are adopting proactive, offensive security (OffSec) practices to test their organization’s fortitude against potential insider threats. Red teaming, penetration testing, and threat, risk, and vulnerability assessments are all examples of OffSec, and each can play a major role in helping businesses create and maintain a security posture to defend against security breaches from within.

Take the Time to Prepare.

Even with the best defensive measures at the ready, organizations are likely to be confronted with an insider threat scenario of one kind or another. However, the better trained and prepared a company is, the less severe the consequences are likely to be.

Chameleon Associates specializes in helping organizations stay secure and offers comprehensive insider threat awareness training. Click here to learn more about how we can help your organization stay resilient in the face of internal risk factors.
