An insider threat is a data breach security risk caused by people who have legitimate access to an organization’s data. Insider threats can be either unintentional or malicious. Insider threats are on the rise and are intensified by digital workspaces, flexible and remote work, and the agile behavior of companies without strict policies.

What is Insider Threat?

An insider threat is a malicious or unintentional threat to an organization that originates from internal operations or people who have access to an organization’s data, such as employees, contractors, or partners.

Insiders can cause harm to the organization’s security, data, systems, or reputation through their actions. Insider threats can include malicious actions like data theft, sabotage, or espionage.

Why would an insider want to steal an organization's data?

Malicious insiders misuse company data for different reasons. They may want to harm the company or to profit financially.

No matter what type of data your organization manages – whether it involves the collection of personal information such as names, contact details, security numbers, card numbers, or customer databases – there is always an interested buyer. If data is compromised and an inside actor acquires it, it can be traded on the dark web or even directly to competitors.

What is Insider Risk?

Insider risk is a broader term that covers both intentional and unintentional threats posed by individuals within an organization. It also considers the risks associated with human behavior, negligence, ignorance, and the overall human factor within an organization's security posture.

Insider risk management involves identifying, assessing, and mitigating the various risks associated with insider actions, whether intentional or accidental. It includes a proactive approach to managing the potential harm that insiders can pose to an organization's security and operations.

An example of insider risk is an employee who sends sensitive information via email to the wrong recipient or uploads it to an unofficial cloud service.

Insider Threat vs. Insider Risk

The main difference between the two terms lies in their scope. "Insider threat" focuses specifically on the malicious or harmful actions that insiders can take, while "insider risk" covers a broader range of potential risks and includes both intentional and unintentional actions by insiders. Both concepts are crucial for organizations to address in their security strategies to protect against potential internal threats and vulnerabilities.

At Safetica, we know that people make mistakes. All your data is safe with us, no matter whether you have a malicious insider or just normal humans who are not always perfect.

The Costs of Incidents Caused by Insiders

The overall costs of an insider threat incident increased from $11.45 million in 2020 to $15.4 million in 2022 (Ponemon).

The longer it takes to detect an internal threat, the higher the costs. On average, it takes nearly three months (85 days) to contain an insider threat incident. Incidents that took more than 90 days to discover cost companies an average of $17.19 million; the average cost of incidents that were discovered in less than 30 days was $11.23 million.

Insider threats are on the rise due to digital workspaces, flexible and remote work, and agile and BYOD approaches.

The overall number of incidents has increased by 44 percent in the last two years. Most of these threats are unintentional – 56% were caused by negligent insiders, whereas 26% were malicious.

Types of Insider Threats

Insider threats can be divided into the following categories:

  • Data reseller – an employee who is financially motivated to sell a company’s data. Such an employee might willingly harm your company. Your company’s data can be sold on the dark web (if you work with personal data), or directly to your competitors (e.g., customer databases).
  • Lazy worker – an employee who is negligent and does not follow a company’s security policies. This type of employee is only doing their job and does not comprehend all the complexity behind data security. If a company’s policies are too strict and make daily business more complicated, the risk of non-compliance increases.
  • Owner – an exiting employee who thinks that everything they created during their employment is their own property. They may take data with them to show to future employers, or take a company’s customers to a competitor.
  • Gullible employee – an employee who is a victim of a phishing campaign. For example, an employee opens an attachment or clicks through an email sent by an external social engineer, who steals the employee’s credentials and accesses company data. This type of leak is very difficult to spot since the thief then acts under the identity of the employee. Good DLP software might help with this.


How Can I Protect Against Insider Threats (Risks)?

Keeping sensitive data secure requires a combined approach. However, protecting your data against insider threats is easier than it might sound.


Evaluate your security policies

Make sure that your security policies are clear and easy to understand. The more complicated your policies are, the higher the chances employees will ignore them. It is also important that your employees understand why data security is important and why they should handle sensitive data with care.


Screen new hires and monitor your compromised employees

Make sure that you perform a background check on your new hires. Create a secure off-boarding process to make sure that exiting employees will not take any data with them. If you are aware of any employees who might be compromised, keep an eye on them and check what type of data they have access to and if they need it.


Educate your employees

The importance of data security might be too abstract for some employees, so it is important to constantly educate them. They should be aware of what type of data your company considers sensitive and how it can be misused. However, make sure you are also clear about the consequences of stealing your data. Your goal is to motivate people to protect your data and to not take it outside. We have covered this topic. Read about how to educate your employees about data security.


Investigate past incidents

Have you ever experienced an insider-initiated data leak? Then you know how unpleasant the process of investigating can be. When this happens, it is imperative that you investigate it properly and set appropriate measures after the incident. Also, notify fellow employees about the incident and advise them on how to comply with security policies.


Implement a data security solution

All the steps above can help you with data security, but your most powerful tool is a software solution that helps you do it all. One advantage of such software is that it will not interrupt the daily workflow or lower the productivity of your employees in any way. The solution runs in the background and keeps data secure at all times.

With Safetica, for instance, you can even label your sensitive data by context and see how your employees access and work with it. You can set specific security policies – block file operations, data capture (like screenshots), or specific email domains, restrict usage of external devices, restrict data upload to the cloud, and so on. On top of that, Safetica is super simple to implement, integrate and use.

Real Examples of Insider Threat Incidents

#1 Ubiquiti

Ubiquiti is one of the top worldwide producers of wireless communication devices. The company had a malicious insider among its employees. Nickolas Sharp stole gigabytes of company data and tried to ransom his employer.

Nickolas Sharp used his cloud administrator credentials to clone and steal confidential data. He tried to hide his activity and changed log retention policies so his identity would remain unknown. When he obtained the data, he demanded almost $2 million from Ubiquiti in exchange for the return of the files. However, the company refused to pay, found him and changed all of the employees’ credentials.

In January 2021, Ubiquiti issued a data breach notification, and Nickolas Sharp was arrested for data theft and extortion.

#2 Amazon

In October 2021, a few Amazon employees were responsible for leaking customer data, including email addresses, to an unaffiliated third party. This behavior violated company policies. The company fired these employees and referred them to law enforcement. Amazon never announced how many customers were impacted.

#3 The Swedish Transport Agency (STA)

In September 2015, the Swedish government had a data leak and the data of millions of citizens were exposed. The Swedish Transport Agency (STA) outsourced the management of its database and IT services to companies outside of Sweden. STA uploaded their entire database onto these companies’ cloud servers and some of their employees received full access to the database. The leaked data included all Swedish drivers' licenses, personal details of Sweden’s witness relocation program, elite military units, fighter pilots, pilots and air controllers, citizens in a police register, details of all Swedish government and military vehicles and information about road and transportation infrastructure.

The director of the STA, General Maria Ågren, resigned and was found guilty by a Swedish court. She had to pay a fine of half of her monthly salary, which was, according to some citizens, not sufficient.

The data is still under the management of the two non-Swedish companies.

#4 Coca-Cola

In 2018, The Coca-Cola Company announced a data breach. A former employee was found to have an external hard drive that contained information stolen from Coca-Cola.

"We are issuing data breach notices to about 8,000 individuals whose personal information was included in computer files that a former employee took with him when he left the company," a Coca-Cola spokesperson told Bleeping Computer.

#5 Trend Micro

In 2019, Trend Micro experienced a leak of personal data caused by a malicious insider. The company learned that some of their customers were getting scam calls claiming to be Trend Micro support.

An investigation was launched right away, and it confirmed that it was an insider threat. An employee got access to a customer support database with names, email addresses, Trend Micro support ticket numbers and telephone numbers. The employee sold the sensitive data to a third-party malicious actor.

The employee was fired immediately, and customers were advised not to react to the scam calls.


Insider threats are on the rise due to various “new normal” ways of working. When protecting your data, keep in mind that there are two types of employees that can put your data at risk.

The first group is aware that sensitive data is a valuable commodity that can be sold to a third party. These employees are constantly trying to find ways to steal data while remaining undetected.

The second risk group may not be aware that data is an important asset and thus does not handle it properly, or they misuse it (by taking documents to a new employer). The risk of accidental data loss increases if a company does not use a DLP solution or has unclear security policies. Keep in mind that this is the largest risk group, and accidental data leaks are very common.

Protect your data by adopting appropriate measures that will help you to keep your sensitive information safe. Perform an audit of your data and check who can access it and for what purpose. Take care of your employees as well. Education about data security can help a lot, as can easy-to-understand security policies.

Your greatest data security asset is the right software. Find one that combines all the important features and protects your critical data as well as your employees. Remember that if people feel safe, your company’s data will be safe too.

Safetica offers a solution that helps you keep your data safe – from the initial (and continuous) discovery of sensitive or other business-critical data in your digital workspace, through efficient dynamic data leak and insider threat protection, to easy integration with other tools and into multi-domain enterprise environments.

Finally, Safetica is super easy to implement and integrate. And this isn't just our opinion; our customers think the same! We consistently receive badges from G2 and other peer review platforms, where customers provide feedback about the software they use.


Kristýna Svobodová
Content Strategist @Safetica