Updated: Oct 29, 2023   |   Fergal Glynn

Insider Risk v. Insider Threat


Understanding the Difference Between Insider Risks and Insider Threats

As wave after wave of layoffs is announced, organizations are rightfully concerned about their intellectual property leaving with former employees. They feel this way for good reasons. One study found that 85 percent of employees admitted to taking company documents and information when they left. However, while all insiders present risk, not all insiders are threats.

What is an Insider? 

An insider is an individual with access to an organization’s data. While this can include individuals with access to physical copies of data left on printers or in unsecured file cabinets, from a Data Loss Prevention perspective the focus is on credentialed users who can access sensitive electronic data.

This can include:

  • Engineering staff working with design documents or source code
  • Financial professionals with access to sales and profitability statements
  • Sales teams working with customer and prospect lists
  • Product management teams developing product roadmaps and strategic plans

Insiders can also include non-employees, such as partners and vendors, who may require access to internal systems to provide their services.

What is an Insider Risk? 

Every individual who can access sensitive data presents a risk of data loss. Insider risk does not require malicious intent. It is inherent in being a user. It can be caused by negligence; a careless user may mistype an email address and send confidential information to an unauthorized person.

It can also be from a lack of knowledge of good security practices, such as when a user uploads a document to a personal cloud drive when the file is too large to email.  

  • Poor training was cited when a Dallas, Texas IT worker accidentally deleted over 20 terabytes of the city’s data, including over 13 terabytes of Dallas police files, while trying to move them from online storage. A report found the technician “appears to have been attempting to carry out the data migration consistent with his sincerely-held understanding, although flawed, of the Commvault software.”

  • Non-employees, too, can make mistakes with data, often with good intent. A service provider experiencing trouble solving a problem may forward it to colleagues who are not authorized to view the material for assistance. 

What is an Insider Threat? 

An insider changes from a risk to a threat when malicious intent is present. Insider threats have an objective of compromising data security.

Common insider threats:

Departing employees: As noted, an employee leaving their role often takes information they believe will be helpful to their new job. This can include material they have created or information that would demonstrate a “quick win” to their new employer.

  • Credit Suisse reported that an employee copied data on other personnel to an external device – including salary information and banking details – prior to quitting.   

Malicious insiders: The motivations of an insider threat can include personal gain, such as industrial espionage for a competitor or providing criminals with access to Personally Identifiable Information on consumers.

  • A former Amazon Web Services engineer allegedly created an application to detect which AWS customers had misconfigured firewalls, then extract privileged account credentials. She used this to steal sensitive data from Capital One’s systems, including “106 million credit card applications, which included names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers.”

  • An employee in China stole sensitive information from Dutch chip equipment maker ASML Holding. There are reports that the employee had ties to a “Beijing-backed spy ring.” In addition to losing IP to a potential competitor, ASML reported that the loss may also have violated export control regulations.   

Disgruntled insiders: Another insider threat motivation is sabotage. The individual may seek to release sensitive information and publicize a breach to prompt regulatory penalties or damage an organization’s reputation.

  • After being fired via a text message, a former employee of Penn South Cooperative Federal Credit Union in New York deleted more than 20,433 files and 3,478 directories from the credit union’s IT system.

How to Address Insider Risk and Threats 

Stopping insider risks requires better security hygiene. Employees who understand when data is at risk and self-correct contribute to a security-positive culture and provide organizations with a “human firewall.”

Annual training events simply don’t work. A better approach is contextual training as data is put at risk. Reveal provides users with incident-based training as they interact with data. If an action puts data at risk, Reveal automatically provides policy reminders and safe alternatives. It can even require acknowledgement of company policies before proceeding.

Stopping malicious threats requires visibility into sensitive data and contextual intelligence on the user’s actions. The Next Reveal agent delivers continuous protection with Machine Learning on the endpoint. Next DLP’s smart agent identifies and categorizes data as it is exposed to risk. It begins baselining activity at installation, and multiple behavioral analytics algorithms monitor user, entity, and network behavior to model and define typical and anomalous behavior. Because the behavioral analysis works autonomously on the endpoint, protecting data does not rely on a connection to a separate analysis engine and all personal data remains on the device.

