Addressing Insider Threats: 6 Best Practices to Secure Your Data
Define insider threats, learn who the main insider threat actors are, and uncover best practices for protecting against insider data breaches
Sensitive data breaches are usually associated with sophisticated cyberattacks like ransomware, social engineering, and hacking, with large criminal groups behind them. However, threats can also come from within. While external actors remain the top catalysts for breaches at 65%, internal actors were responsible for 35% of significant data breaches in 2024. Intentionally or unintentionally, an organization’s employees, contractors, or third-party vendors can cause data breaches and other security incidents.
Insider threats tend to hit heavily regulated industries hardest. For example, 70% of all healthcare data breaches and security incidents result from insiders. Internal actors also caused 41% of data incidents in public administration. Other industries with a large share of insider-related data incidents include education (32%), financial and insurance (30%), and manufacturing (21%). Since these numbers increased compared to the previous year, organizations should pay more attention to how to spot and address insider threats.
Let’s explore the topic of insider data breaches and uncover best practices for protecting sensitive data from insider threats.
What is an Insider Threat?
An insider threat is a security risk that originates from within an organization. It involves individuals with legitimate access to the organization's systems, data, or resources. That access may be abused with malicious intent, but accidental actions can harm the organization, its employees, or its customers just as badly. Insider threats therefore fall into two main categories: malicious insider threats and unintentional insider threats.
Malicious insider threats
Malicious insider threats are caused by insiders who consciously decide to act inappropriately and have a motive to benefit themselves or harm the organization. In most cases, malicious insiders are angry, discontented, or have other personal reasons for acting. They are most often motivated by monetary gain (59%), followed by drivers such as damaging the organization’s reputation, intellectual property theft, or fraud. Imagine an employee downloading the organization’s trade secrets, patents, or other intellectual property to sell to competitors. Now think of an employee who uses customers’ financial information to commit fraud. Finally, imagine an administrative staff member snooping on medical records for personal reasons. What do all these people have in common? They are all malicious insiders because they consciously put the organization’s sensitive data at risk.
An example of a malicious insider threat:
One of the most infamous malicious insider incidents of recent years occurred at Tesla. The company fell victim to a massive insider data breach that leaked over 100 GB of sensitive information. Employees’ personal information, customer bank details, production secrets, crash reports, and thousands of records of drivers expressing safety concerns over Tesla’s Full Self-Driving (FSD) assistance system were taken by two former employees and shared with the German business newspaper Handelsblatt. In its subsequent investigation, Tesla found that the two former employees “misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet.” Although the data were not disclosed publicly, the leak surfaced many complaints about safety issues with the vehicles and exposed Tesla to the threat of a huge ($3.3 billion) fine for data privacy violations under GDPR.
Unintentional insider threats
Insiders can pose a significant risk to sensitive data even without malicious intent. Examples include employees who ignore security warnings and alerts, or who fall for a phishing attack and thereby let bad actors into the organization’s networks and data. An employee leaving an unencrypted laptop unattended also creates an insider threat. The main reasons behind unintentional insider threats are negligence, mistakes, lack of knowledge, and other human factors.
An example of unintentional insider threat:
In 2020, Twitter suffered a massive breach when attackers accessed over 100 private and corporate accounts and used them to promote a Bitcoin scam. A simple lapse in the company’s security protocols lay at the root of the attack. The attackers targeted Twitter employees working from home and, posing as members of the company’s IT team, exploited the employees’ tiredness, trust, and inattention to trick them into handing over credentials, thereby gaining access to the organization’s sensitive data and systems.
What are the Top Insider Threat Actors?
All organizations should assume insider threats. The Insider Threat Report 2023 by Cybersecurity Insiders states that 74% of organizations are at least moderately vulnerable to insider threats. According to the report, among all potential insiders, cybersecurity professionals are most concerned about:
- Privileged users and admins (65%)
- Contractors, service providers, temporary workers, vendors, and suppliers (57%)
- Regular employees (55%)
- Privileged business users and executives (53%)
- Other IT staff (24%)
- Customers and clients (22%)
- Interns (18%)
Let’s look at the top three.
Privileged users
Privilege misuse is among the top eight patterns found in data breaches, according to Verizon’s 2024 Data Breach Investigations Report. Privileged users are administrators, C-level executives, and others with high access privileges who hold the keys to the organization’s critical infrastructure. They are crucial for keeping the organization afloat, but they can also introduce an insider threat.
In a perfect world, all employees would have the organization’s best interests at heart and never make mistakes. In reality, employees also act in their own interest. The primary motives behind privileged-user insider breaches are financial gain (88%), espionage (46%), grudges (6%), and ideology (2%). Sometimes the relationship simply isn’t working out, and the employee feels entitled to data that would make their landing at the next employer more attractive. Employees can also simply get tired or make a severe operational mistake through lack of knowledge or negligence. Together or separately, all these factors can turn a privileged user into a severe insider threat.
Third parties
Third parties are vendors, subcontractors, business partners, and supply chain entities with access to your IT systems or data. They may fail to follow the organization’s cybersecurity rules, or deliberately violate them. Attackers can also target a poorly secured third-party vendor as a way inside the protected perimeter. The 2023 Cost of a Data Breach Report by IBM Security shows that data breaches resulting from a software supply chain compromise cost 8.3% more and take 8.9% longer to identify and contain than other data breaches.
Regular employees
Regular employees have fewer capabilities than privileged users but can still harm your organization. In 2023, regular users accounted for 87% of errors, and privileged users (system administrators) for 36%. Regular employees can misuse corporate data, install unauthorized applications, send confidential emails to the wrong address, or fall victim to a social engineering attack. More than half of data breaches in 2023 resulted from misdelivery (sending something to the wrong recipient). Misconfiguration was seen in approximately 10% of breaches.
Best Practices for Protecting Sensitive Data from Insider Threats
Insider threats show no signs of slowing down. Despite the growing cost and frequency of insider risks, most organizations (88%) devote less than 10% of their IT security budget to insider risk management. To raise awareness of proper insider threat management, we offer 6 best practices for protecting your organization from insider threats:
Know your data
Data security best practices and regulatory requirements call for organizations to maintain an asset inventory, refreshed regularly and whenever the environment changes significantly. The inventory should identify all data flows, system components, segmentation controls, and third-party connections that touch sensitive data such as protected health information (PHI) and personally identifiable information (PII).
By documenting their assets, organizations can ensure that they are aware of all potential risk areas and can take appropriate measures to protect sensitive data from insiders.
Minimize access
Organizations should document and assign roles and responsibilities of all personnel involved in operations with sensitive data. Clearly defined roles help employees understand their responsibility and accountability for specific tasks and actions. This accountability helps track activities and identify any unauthorized or suspicious behavior. Furthermore, roles and responsibilities help enforce the separation of duties, reducing the risk of fraud or malicious activities. Critical tasks can be divided among multiple employees, preventing individuals from having too much control over sensitive data or processes. By assigning roles, organizations can implement the principle of least privilege, granting employees access only to the data and resources necessary for their job functions.
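One way to make least privilege and separation of duties concrete in code, as an added example that is not part of the original article: roles carry only the permissions a job needs, access is denied by default, and a role is only assigned if the resulting permission mix does not put two conflicting duties (such as creating and approving the same invoice) in one person's hands. The roles, permissions, users, and conflict pairs below are hypothetical; a real deployment would load them from the identity provider or authorization service.

```python
"""Role-based access with least privilege and separation of duties.

Added example (not from the original article). The roles, permissions and
users below are hypothetical; a real deployment would load them from the
identity provider or authorization service.
"""
from dataclasses import dataclass, field

# Role -> set of permissions. Each role carries only what the job needs.
ROLES = {
    "ap_clerk":    {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "treasury":    {"payment:release"},
    "hr_analyst":  {"employee:read"},
    "auditor":     {"invoice:read", "payment:read", "employee:read"},
}

# Pairs of permissions one person must never hold together (separation of duties).
SOD_CONFLICTS = [
    ("invoice:create", "invoice:approve"),
    ("invoice:approve", "payment:release"),
]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def effective_permissions(user: User) -> set:
    """Union of permissions from every role the user holds; unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLES.get(role, set())
    return perms


def is_allowed(user: User, permission: str) -> bool:
    """Default deny: a permission is granted only if some role explicitly carries it."""
    return permission in effective_permissions(user)


def sod_violations(user: User) -> list:
    """Return the conflicting permission pairs a user holds through their role mix."""
    perms = effective_permissions(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def assign_role(user: User, role: str) -> bool:
    """Grant a role only if it keeps the user free of separation-of-duties conflicts."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    candidate = User(user.name, user.roles | {role})
    if sod_violations(candidate):
        return False
    user.roles.add(role)
    return True


if __name__ == "__main__":
    alice = User("alice", {"ap_clerk"})
    print(is_allowed(alice, "invoice:create"))   # True
    print(is_allowed(alice, "invoice:approve"))  # False: not her job
    print(assign_role(alice, "ap_approver"))     # False: she could approve her own invoices
    print(assign_role(alice, "auditor"))         # True: read-only, no conflict
```

Running `sod_violations` over every account during a periodic access review catches the slow drift that happens when people change jobs and keep their old roles, which is where most separation-of-duties violations actually come from.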
Implement network security controls
Implement Network Security Controls (NSCs), such as firewalls, between all wireless and wired networks to protect sensitive data from unauthorized access. Networks can be vulnerable to attacks and, if not properly secured, can provide an entry point for threat actors, including insiders, to access sensitive data.
Segment your networks by data sensitivity to keep more sensitive data separated from everyday communications. Network segmentation is the practice of splitting a network into multiple sub-networks. These networks are usually designed around business needs, such as having sub-networks for executives, finance, operations, and human resources.
Segmentation can reduce the attack surface because attacks on one part of a network are less likely to impact the others. It can also lead to performance improvements within each sub-network. Users are often required to re-authenticate to access other, particularly more sensitive, areas of the network. In general, network segmentation can limit how much damage a threat actor can do if they gain access to any given part of a network.
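A segmentation design is easiest to reason about when written down as zones plus an explicit allow list, with everything else denied. The following added example (not code from the original article) evaluates sample flows against such a policy the way a firewall would, first match with a default deny, so that a planned ruleset or a batch of flow-log records can be checked before or after deployment. The zones, subnets, rules, and flow records are constructed for illustration.

```python
"""Default-deny segmentation policy check.

Added example (not from the original article). Zones, rules and flows are
hypothetical; a real deployment enforces them on the firewall and would use a
script like this to review the ruleset or replay flow logs against it.
"""
import ipaddress

# Each zone is one or more subnets (constructed example values).
ZONES = {
    "workstations": [ipaddress.ip_network("10.10.0.0/16")],
    "finance":      [ipaddress.ip_network("10.20.0.0/24")],
    "hr":           [ipaddress.ip_network("10.30.0.0/24")],
    "db":           [ipaddress.ip_network("10.99.0.0/24")],
}

# Explicit allow rules: (source zone, destination zone, destination port).
# Any cross-zone flow that matches nothing here is denied.
ALLOW_RULES = [
    ("workstations", "finance", 443),
    ("finance", "db", 5432),
    ("hr", "db", 5432),
]


def zone_of(ip: str):
    """Map an address to its zone, or None if it is outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return None


def evaluate(src: str, dst: str, port: int) -> str:
    """First-match evaluation with a default deny, as a firewall would do."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return "deny"          # unknown address space never gets through
    if s == d:
        return "allow"         # intra-zone traffic is not segmented in this example
    for rs, rd, rp in ALLOW_RULES:
        if (rs, rd, rp) == (s, d, port):
            return "allow"
    return "deny"


def review(flows):
    """Return the flows the policy would deny. Input: (src, dst, port) tuples."""
    return [(src, dst, port) for src, dst, port in flows if evaluate(src, dst, port) == "deny"]


if __name__ == "__main__":
    # Constructed flow records, e.g. parsed from NetFlow or firewall logs.
    flows = [
        ("10.10.4.7", "10.20.0.12", 443),   # workstation -> finance web app: allowed
        ("10.10.4.7", "10.99.0.5", 5432),   # workstation straight to the database: denied
        ("10.30.0.9", "10.20.0.12", 445),   # HR -> finance file share: denied
        ("10.20.0.12", "10.99.0.5", 5432),  # finance app -> database: allowed
    ]
    for f in review(flows):
        print("DENIED", f)
```

Replaying real flow logs through `review` before tightening the firewall shows which existing traffic the new segmentation would break, and the flows it flags afterwards are exactly the cross-segment attempts worth alerting on.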
Implement strict access controls
Organizations can reduce the risk of insider threats by implementing strict access controls and multi-factor authentication (MFA) to ensure that only authorized personnel can reach sensitive data and systems. MFA should be required for all remote access to the organization’s most valuable assets; for the highest-value access, prefer phishing-resistant methods such as FIDO2/WebAuthn, since one-time codes can still be socially engineered out of an employee. Access controls help prevent unauthorized access to sensitive data using stolen or compromised credentials. This matters especially for insiders, who may know the organization’s systems and security measures.
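To show what a second factor actually checks, here is an added example (not code from the original article) of server-side verification of a time-based one-time password per RFC 6238: the code is derived from a shared secret and the current 30-second step, a small clock-skew window is tolerated, and a code at or before the last accepted step is refused so that a code an insider observed over someone's shoulder cannot be replayed. The shared secret and timestamps are the RFC 6238 test vectors; the `last_counter` store is a hypothetical piece of server state.

```python
"""Time-based one-time password (RFC 6238) verification with replay protection.

Added example (not from the original article). The shared secret and the
timestamps in __main__ are RFC 6238 test vectors; `last_counter` stands in
for a hypothetical per-user record kept by the server.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamic truncation, zero-padded."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_counter: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Accept a code within +/-`window` steps of `at`, but never one at or before
    the last accepted counter (prevents replay of an observed code).
    Returns (ok, new_last_counter); persist new_last_counter on success."""
    now = at // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter <= last_counter:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 SHA-1 test secret
    print(totp(secret, 59, digits=8))     # 94287082 (RFC 6238 test vector)
    now = int(time.time())
    ok, last = verify_totp(secret, totp(secret, now), now, last_counter=-1)
    print(ok)                             # True
    ok, _ = verify_totp(secret, totp(secret, now), now, last_counter=last)
    print(ok)                             # False: same code replayed
```

The replay check is the part most home-grown implementations forget: without it, a valid code stays usable for the whole acceptance window, which is plenty of time for someone who has just watched it being typed.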
Train workforce on data handling best practices
Train workforce members on identifying and properly storing, transferring, archiving, and destroying sensitive data. Additionally, train workforce members on clear screen and desk best practices. These include locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Utilize Data Loss Prevention tools
Utilize Data Loss Prevention (DLP) tools to enforce data flow restrictions and minimize the likelihood of unauthorized data exposure. DLP solutions identify and prevent unsafe or inappropriate sharing, transfer, or use of sensitive data, thereby addressing insider threats directly. By implementing DLP solutions, organizations can enforce data handling policies that help prevent both accidental and intentional leakage.
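The core of a DLP tool is content inspection plus a policy decision, and the same detector also serves the "know your data" practice above when pointed at file shares instead of outbound mail. The following added example (not code from the original article or from any DLP product) scans an outbound message for payment card numbers and US Social Security numbers, uses a Luhn checksum so that order IDs and other random digit strings do not trigger, and then decides whether the message may leave based on where it is going. The patterns, the internal domain, the policy, and the sample messages are constructed for illustration.

```python
"""Content-inspection DLP check for outbound messages.

Added example (not from the original article or any DLP product). The
patterns, the internal domain, the policy and the sample messages are
constructed for illustration.
"""
import re

# Payment card number: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US Social Security number in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
INTERNAL_DOMAIN = "example.com"  # hypothetical corporate domain


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random 16-digit numbers (order IDs, etc.) do not trigger."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Candidate card numbers that also pass the Luhn check, digits only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str) -> set:
    """Return the set of sensitive data types found in the text."""
    found = set()
    if find_card_numbers(text):
        found.add("PAN")
    if SSN_RE.search(text):
        found.add("SSN")
    return found


def decide(recipients, body: str) -> str:
    """Policy: sensitive data to any external recipient is blocked; internal
    delivery of sensitive data is allowed but logged for review."""
    kinds = classify(body)
    if not kinds:
        return "allow"
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        return "block"
    return "allow-and-log"


if __name__ == "__main__":
    # Constructed outbound messages: (recipients, body).
    samples = [
        (["partner@other.org"], "Customer paid with card 4111 1111 1111 1111, exp 12/29"),
        (["ann@example.com"], "Customer paid with card 4111-1111-1111-1111"),
        (["partner@other.org"], "Order 1234567890123456 shipped today"),
        (["partner@other.org"], "Background check for SSN 078-05-1120 attached"),
    ]
    for rcpts, body in samples:
        print(decide(rcpts, body), sorted(classify(body)), rcpts)
```

Regex-only detectors are where most DLP noise comes from; the Luhn step alone removes the bulk of card-number false positives, and a production rule would add context keywords, document fingerprints, and exact-match lists for the organization's own identifiers.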
To conclude, all organizations should assume insider threats. Intentionally or unintentionally, insiders can pose a serious threat to organizations. However, the risk of insider threats can be minimized by implementing strict access controls, network segmentation, DLP tools, and other best practices.
Discover more exciting topics with our blog, and feel free to contact the Planet 9 team if you have any questions. We’ll be happy to assist!