Stroz Friedberg Named A Leader In The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2022 Report - Read Now

Insiders: Turning the Threat Inside Out

HomeThinking → Insiders: Turning the Threat Inside Out

Malicious insiders are motivated, resourced and persistent – countering these threats is key to establishing, defending and advancing your competitive advantages.

Global companies are in an unyielding race to innovate. From advancements in automotive and manufacturing technologies, to cutting-edge innovation in the sciences, the competitive advantage gained from the creation of high-value intellectual property (IP) is significant.

For organizations to understand what risk insiders pose to them, they should first seek to grasp an understanding of the risk and then consider appropriate responses. This document is intended to help clients understand how Aon views insider threat and how we can help clients mitigate insider risk.

Orient and Scope

Orient and Scope | Knowing where your critical assets are an who is targeting them is the first step in mitigating insider risk. Complete and accurate understanding of your insider threats enables more efficient and effective mitigation efforts.
Insiders can be considered individuals who have authorized access to business systems and data. Insiders are a threat because they can intentionally or unintentionally compromise company information as a result of their access.

For the intentional insiders, their drivers typically include motives like financial gain, ideology or vendettas. Intentional insiders are very often highly motivated,  highly  capable, and well-resourced. These insiders may exist as a result of long-term, deliberate placement, targeting and recruiting by nation-states, or they may exist as a result of perceived wrong-doing or personal troubles. In any instance, intentional insiders can be one of the most difficult threats enterprise security teams are attempting to mitigate.

For the unintentional insiders, motives may include error, omission or protocol circumvention. Unintentional insiders may be over-tasked employees whose errors result in data loss or adversely impact system uptime. These insiders may exist as a result of systemically poor adherence to policies, or as a result of rushing their duties and circumventing controls designed to mitigate risk. Either way, unintentional insiders are prevalent, and thus add to the scope and complexity of holistically countering insider threat.

In order to appropriately counter the risk posed by insiders, businesses must first understand what their critical data is, where it is stored, how it is managed, and who has access to it. They must also understand the roles and responsibilities of those who have authorized access to their data. Once businesses have achieved a sufficient level of clarity on where their insider risk exposures reside and have oriented themselves with the threat, they are then better able to more effectively augment or introduce insider controls.

Thwart and Deter

Thwart and Deter | Most businesses will already have existing security architectures that can serve as a baseline for insider threat controls.
Denying sophisticated insiders the opportunity to advance their objectives requires businesses to implement layers of well-designed and tested security controls.

Controls can be applied to many security areas across multiple disciplines. Many of these controls already exist, but some may require enhancement or outright introduction. For some businesses, enhanced due diligence is performed prior to employment, for some systems housing critical data, they may be hosted on a segmented, ring-fenced, or air-gapped network. Most businesses will have existing security architectures that are extensible to insider threat controls as well.

These controls are preventative and serve to make it more difficult for insiders to execute a successful attack and seek to discourage or dissuade potential insiders from committing a compromising act. Deterrence controls can include legally binding agreements signed during onboarding or efforts that seek to make the workforce more aware of insider threats and provide them with anonymous contact information should they witness suspicious activity.

Automated and interconnected monitoring systems are becoming increasingly more sophisticated and continue to serve an important role in a businesses’ risk mitigation strategy. Just as importantly, businesses must understand that insider activity can be detected through other, non-technical means such as anonymous sources, threat intelligence consumption, or through recognition of indicative insider behaviors.

Advanced Countering

Advanced Countering | Insiders pose a persistent threat to businesses, so introducing advanced, in-house information collection and deception capabilities can advance risk mitigation goals.
Once businesses have formalized and resourced an insider program, established and enhanced insider controls, and implemented steady-state monitoring mechanisms, opportunities to introduce more advanced mitigation capabilities can be initiated.

Sophisticated threats necessitate sophisticated defenses. In competitive team sports, there is a saying that “the best defense is a good offense.” Businesses that are faced with some of the most resourced and persistent insiders can benefit from advanced, proactive mitigation strategies and tactics such as honeypots, misinformation campaigns, and advanced behavioral profiling. Conceptually, these tactics reflect businesses moving from a purely defensive posture, to one that becomes more offensive in nature.

For many businesses, these advanced countering strategies and tactics are not yet practical, or necessarily applicable, but for those businesses that are, introducing advanced countering strategies and tactics can have a significant positive impact on insider risk mitigation goals.

Aon’s Insider Threat Capabilities Overview

Aon's Insider Threat Capabilities Overview | Insider Threat Assessment, Investigations, Insider Threat Program and Threat Intelligence.

For more information on Aon’s Insider Threat Capabilities and to learn how Aon’s Cyber Threat Intelligence team can help your organization further your insider risk mitigation goals, download the Insider Threat whitepaper:



Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates. Aon UK Limited is authorised and regulated by the Financial Conduct Authority in respect of insurance distribution services. FP.AGRC.238.JJ The following products or services are not regulated by the Financial Conduct Authority:
• Cyber risk services provided by Aon UK Limited and its affiliates
• Cyber security services provided by Stroz Friedberg Limited and its affiliates.


Copyright 2021 Aon plc. All Rights Reserved.


Copyright 2021 Aon plc. All Rights Reserved.
Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates. Aon UK Limited is authorised and regulated by the Financial Conduct Authority in respect of insurance distribution services. FP.AGRC.238.JJ The following products or services are not regulated by the Financial Conduct Authority:
• Cyber risk services provided by Aon UK Limited and its affiliates
• Cyber security services provided by Stroz Friedberg Limited and its affiliates.