Mitigating Insider Threats: Your Worst Cyber Threats Could be Coming from Inside

Mitigating Insider Threats: Your Worst Cyber Threats Could be Coming from Inside
Cyber Resilience

05 of 07

This insight is part 05 of 07 in this Collection.


03 of 07

This insight is part 03 of 07 in this Collection.

March 7, 2023 10 mins

Mitigating Insider Threats: Your Worst Cyber Threats Could be Coming from Inside

Mitigating Insider Threats: Your Worst Cyber Threats Could be Coming from Inside Banner

Some of the worst cyber incidents come from the inside. Use these tips to recognize and mitigate insider threats.

Key Takeaways
  1. Insider threats, both inadvertent and malicious, have risen 44 percent over the last two years, with costs per incident up more than one-third to $15.5 million globally.
  2. Common reasons insiders act out include political or personal beliefs, frustration or anger with the organization or its personnel, or a desire for recognition or financial gain.
  3. Look for signs your business may be at risk and take steps to mitigate their risk before an incident emerges in your organization.

Ransomware attacks and major data breaches from external threat actors often grab the headlines, but organizations must continue to look inward for cyber incidents that can deliver some of the worst financial consequences. Consider that these incidents often arise through those entrusted with access to and within the organization itself.

Insider threats, both inadvertent and malicious, have risen 44 percent over the last two years, with costs per incident up more than one-third to $15.5 million globally. An average of $184,548 is spent to contain insider threats, with business interruption costs (23 percent of total) typically being the greatest expense.1

In a study of 6,803 insider incidents reported over a 12-month period:

  • 56 percent arose out of negligence, with examples of conduct such as failures to secure devices, follow company security policy or to patch and upgrade devices.
  • 26 percent were due to criminal insider activity– malicious insiders, including employees or authorized individuals who use their data access for harmful, unethical or illegal activities.
  • And 18 percent of incidents involved credential theft to granting access to critical data and software. While credential theft represents the lowest number of incidents, it is the costliest, amounting to an average of $804,997 per incident.

“Insiders” are any individuals – including employees, contractors and vendors, among others -- with authorized access to business systems, data and assets, whether physical or electronic. They pose a threat because they can intentionally, negligently or unknowingly harm an organization as a result of their actions. These actions may include the exposure or theft of assets or proprietary or confidential information resulting in damage to the organization’s operational ability, integrity or reputation, and other financial, business or social consequences.

Our Uncertain Economy Is Not Helping the Situation

The number of companies experiencing insider incidents has risen in each of the past three years. In 2022, 67 percent of companies indicate they experienced between 21 and more than 40 incidents per year, according to a Ponemon study. And the situation is not predicted to improve in 2023.

The current increase in corporate layoffs, reduced compensation and benefits, and widespread economic uncertainty could raise the likelihood that otherwise well-meaning employees may be more likely to act negligently or maliciously in response to layoffs or other adverse changes to their jobs. Disgruntled or resentful workers may find their precarious work situation a rationalization for such activities as intellectual property theft or other criminal acts.

Nearly seven in 10 employees were more likely to take data right before they resigned from their company. Further, there is a 23 percent increase in unauthorized data transfers from employees the day before they were fired, and a 109 percent increase the day they lost their jobs.3

Insider Threat Motivations

Insiders who act contrary to an organization’s interests may do so with a wide range of motives, but common reasons include:

  • Political or personal beliefs
  • Frustration or anger with the organization or its personnel
  • Desire for recognition or financial gain

Insiders who cause harm to an organization do not always act with the intent to so. An insider may unknowingly aid an external actor who uses social engineering – through business email compromise -- to create a false belief through a phishing message asking that funds be rerouted to a different account.

Insiders may act negligently or recklessly, in another manner, when they fail to respect the organization’s security policies or controls, such as using a personal device or account to conduct business, or by allowing unidentified persons into restricted areas.

Additionally, insiders may act with malicious intent. An example of this is the departing employee who takes confidential information with the intent to use it at, or sell it to, a competitor organization.

Nation states may seek to place personnel within an organization, or compromise ones already there through greed, loyalty or extortion, to aid efforts at espionage, theft of trade secrets or other proprietary information, or to cause damage or other harm. They often, target innovative intellectual property or critical infrastructure including energy, manufacturing and water systems or other industries. Nation states use more sophisticated methods to hide their activities and maintain and improve long-term access to the organization.


Companies that experienced between 21 and more than 40 insider incidents in 2022.

Source: 2022 Cost of Insider Threats Global Report | Ponemon

Recognizing Insider Threats — Signs Your Organization is at Risk

An organization may be at risk when insiders:

  • Are not trained to fully understand and apply laws, mandates or regulatory requirements related to their work and how that impacts the organization’s security
  • Lack training about the dangers and proper responses to social engineering, such as phishing emails
  • Are unaware of the steps they should take to ensure that the devices they use — both company-issued and Bring Your Own Devices (BYOD) — are secured at all times
  • Are sending highly confidential data to an unsecured location in the cloud
  • Break the organization’s security policies to simplify tasks
  • Do not keep devices and services patched and upgraded to the latest versions at all times

Three Steps to Mitigate Insider Threat Risk

1. Orient and Scope:
To appropriately counter the risk posed by insiders, businesses must first practice good information governance, and understand about their critical data – what it is, where it is stored, how it is managed, and who has access to it. They must also understand the roles and responsibilities of those who have authorized data access. Once businesses have achieved a sufficient level of clarity on where their insider risk exposures reside, they are better able to more effectively augment or introduce insider controls.

2. Thwart and Deter:
Denying sophisticated insiders the opportunity to advance their objectives requires implementation of layers of well-designed and tested security controls to security areas across multiple disciplines.

For some businesses, enhanced due diligence is performed prior to employment. Deterrence controls can include legally binding agreements signed during onboarding and offboarding, or efforts that seek to make the workforce more aware of insider threats and means of reporting suspicious activity.

Most businesses also have existing security architectures that are extendible to insider threat controls. These controls are preventative and serve as an obstacle to insiders attempting to execute an attack and discourage or dissuade insiders from committing a compromising act.

Automated and interconnected monitoring systems are becoming increasingly more sophisticated and continue to serve an important role in a businesses’ risk mitigation strategy. Just as importantly, businesses must understand that insider activity can be detected through other, non-technical means such as: anonymous sources, threat intelligence consumption, or tracking indicative insider behaviors.

3. Advanced Countering:
Once businesses have a formalized policy, fully resourced insider program, established and enhanced insider controls, and implemented steady-state monitoring mechanisms, they can choose to introduce more advanced mitigation capabilities. Businesses faced with some of the most resourced and persistent insiders can benefit from advanced, proactive mitigation strategies and tactics such as: honeypots, misinformation campaigns and advanced behavioral profiling.

Conceptually, these tactics reflect businesses moving from a purely defensive posture, to a more offensive one. For many businesses, these advanced countering strategies and tactics are not yet practical, or necessarily applicable, but for those businesses that are, introducing advanced countering strategies and tactics can have a significant positive impact on insider risk mitigation goals.


Increase in insider threats over last two years.

Source: 2022 Cost of Insider Threats Global Report | Ponemon

General Disclaimer

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner