
Insider Threat Management in 2024: Benefits & Best Practices

Image of popularity of "insider threat indicators" in the U.S.

Interest in insider threat indicators has grown as cybersecurity incidents have increased. 74% of organizations face at least moderate insider threats, the cost of insider threat incidents has risen by 44% in the last two years, and insiders leaked nearly 1 billion records in 2023.12

Given the growing number of risks, rising cybersecurity costs, and the increasing complexity of organizational structures, companies should consider building a comprehensive program supported by an AI-powered insider threat management (ITM) solution for assessing, detecting, and mitigating unwanted actions by authorized individuals who can access the organization’s sensitive data.

What is an insider threat?

The Cybersecurity and Infrastructure Security Agency (CISA) defines an insider threat as the potential for an insider to use their authorized access to cause harm to that organization.3 An insider threat occurs when a current or former employee, contractor, consultant, or business partner who has or had authorized access to an organization’s sensitive information or network infrastructure uses that access to harm the security, integrity, or accessibility of those networks, whether maliciously or not.

Insider threat indicators fall into two types:

Direct indicators: Inappropriate user behavior that departs from routine job activity.

Indirect indicators: Patterns of human behavior that may point to suspicious activity.

Figure 1. The markers of a risky persona (Source: McKinsey)

Common insider threats may include:

  • Actions to break safety procedures
  • Poor performance on the job
  • Unnecessary requests for permission or supervisory access
  • Careless use of social media
  • Keeping sensitive data accessible after notice of termination
  • Using unapproved external storage systems
  • A drop in productivity at work

Types of insider threats

1. Malicious insiders

Malicious insiders are current or former employees, business associates, or contractors who consciously violate company protocols and collect data for their own benefit. They may steal sensitive data, commit fraud, or disrupt computer networks. Most businesses rely on active data monitoring technologies and security teams to detect them.

For instance, Apple engineers who photographed autonomous vehicle projects on behalf of a Chinese business were malicious insiders.

  • Collaborator: Collaborators work together with competitors to launch a cyberattack. They use their privileges to steal sensitive information to disrupt corporate structures for monetary or personal benefit.
  • Goofs: Goofs are self-serving users who feel exempted from the organization’s security standards. They try to break the security rules. They consciously construct a threat to allow cybercriminals access to the organization’s data.

2. Negligent insiders

Negligent insiders do not consciously cause damage, but they may put the organization in danger through negligence. Falling for a phishing attack, for example, is an unintentional action by an employee that cybercriminals can subsequently exploit.

For example, a data analyst who took a hard disk with sensitive information from 26.5 million US service veterans without authorization is a negligent insider.4

  • Lone wolf: The lone wolf is a malicious insider who behaves independently and has privileged control and access over the network and organization’s infrastructure.
  • Pawn: Pawns are legitimate users manipulated into accidentally acting maliciously, frequently using social engineering tactics like phishing. These unintentional behaviors include installing spyware on their machine.

3. Third-party insiders

  • Mole: A mole is a third-party outsider who has obtained unauthorized access; they may attempt to connect to the organization’s network via a virtual private network (VPN). They may misrepresent themselves as a partner, freelancer, or user to obtain privileged access they are not eligible for.

What motivates an insider threat: 4 causes

Figure 2. Common insider threat vectors

  1. Financial or personal gain: Employees experiencing financial difficulties or believing they are not adequately rewarded for their work efforts may seek monetary or personal benefit.
  2. Personal offense: Employees might become threats when their emotions are elevated, such as anger over a poor performance assessment.
  3. Espionage: Corporate espionage occurs when an organization’s intellectual property is stolen and transferred to a rival, such as employees who desire to gain money or align themselves with another company for a career.
  4. Ignorance: Careless behavior makes up 56% of all insider threat cases: ignorant or negligent employees who consciously disregard security rules for the sake of convenience.5

Top 3 benefits of insider threat management

Organizations that relied heavily on AI-powered insider threat management software saved ~1.8 million USD in data breach costs in 2023.6

  1. Quick response to data breaches: Enables fast breach discovery and mitigation with AI/ML models that respond 24/7. Organizations that used automation detected and contained a data breach 108 days faster than organizations that did not.7
  2. Identifying high-risk profiles: Builds a comprehensive risk picture of each individual based on their actions and personal characteristics.
  3. Controlling organizational structure: Managing cyber threats lets businesses work out how to react to an attack and follow established safety guidelines. This builds trust and defensibility through solid compliance procedures shared between management, legal, and IT security functions.

How does insider threat management work?

Most businesses utilize continuous AI/ML evaluation models to monitor partners, suppliers, and employees based on security and governance policies. In general, they look for deviations from what is regarded as “normal” behavior and a security team looks into anomalies that the software detects.

The features of insider threat management software are as follows:

  • Data-driven: Provides a data-centric method to collect, analyze, and report private data.
  • Multi-factor authentication: Monitors and controls online data or file management systems, USB ports, and portable hard drives, ensuring that access to data is restricted.
  • Regular updates: Regularly updates software (works universally with macOS, Linux, and Windows platforms) to guarantee they are protected against risks. 
  • Quick response: Identifies sensitive data saved on machines, takes corrective action, and provides immediate data insights.

What are the challenges of insider threat management?

Only 33% of organizations detected the breach themselves. It can be challenging to distinguish between negligent or malicious insider threats.8

Typical challenges occur for four reasons:

  1. Delayed detection: Harmful actions have already taken place by the time the breach becomes apparent, and organizations struggle to investigate it immediately.
  2. Invisibility: Spotting deviations from routine behavior is complex and time-consuming, which can lead the investigation team to struggle and produce inaccurate results.
  3. Coverage: Repeated malicious behavior may fall within the range of “normal” activity, so malicious insiders may go undetected.
  4. Privacy: Collecting data to leverage user behavior tracking requires access to employee personal information, which raises privacy challenges.

4 best practices for insider threat management

Both traditional and AI-powered techniques and insider threat management solutions can be used to detect threats better and reduce insider risk.

1. IT security training

According to the IBM Cost of a Data Breach Report 2023, organizations that provided user training had an average data breach cost ~5% lower than the overall average cost of a breach.9

IT security user training may include:

  • Cybersecurity policies: Password protection, managing information adequately, and reporting lost hardware.
  • Cyber-attack detection: Phishing scams, internet fraud, intellectual property infringements, or identity theft.

2. User activity monitoring

Figure 3. Risk-based user behavior analytics system to detect insider threats (Source: EY)

User behavior analytics (UBA) is an insider threat detection technique commonly used in insider threat management software. It applies data analytics to model user patterns and flag suspicious activity that might lead to an insider threat. (A closely related technology, user and entity behavior analytics (UEBA), extends this to unusual actions by endpoint devices such as IoT devices.)

Enterprises frequently use security information and event management (SIEM) solutions together with UBA to glean and analyze security-related data to assess insider threat risk.

3. Reduce risk by employee categorization

Employees can be categorized into two groups according to their authorization level: privileged and standard.

Privileged: Employees with access to sensitive data are considered to have privileged accounts. 40% of insider cyber attacks involve privileged users; these users are the most vulnerable to insider threats and should be supplied with security tools such as privileged access management (PAM) services.

Standard: The remainder of the employees who require less control can be categorized as “standard” and do not necessarily need to use PAM services.
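The deviation-from-normal approach described under “How does insider threat management work?”, the UBA-over-SIEM-data analysis described in the user activity monitoring section, and the privileged/standard split above can be shown together in one small script. The following is an added illustration, not AIMultiple’s code or any ITM vendor’s product: it builds a per-user baseline from historical SIEM-style events, scores events under review by how far they deviate from that baseline (after-hours activity, removable-media writes, download volume spikes), weights the score by the user’s privilege tier, and ranks users so an analyst reviews the riskiest first. The users, events, weights and thresholds are all constructed for the example.

```python
"""Risk-based user behavior analytics (UBA) over SIEM-style events.

Added illustration, not AIMultiple's code or any vendor's product: it builds a
per-user baseline from historical events, scores events under review by how
far they deviate from that baseline, weights the score by the user's privilege
tier, and ranks users so an analyst reviews the riskiest first. Users, events,
weights and thresholds are all constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    user: str
    day: int         # day index within the observation window
    hour: int        # 0-23, local time
    action: str      # "login", "vpn_login", "download" or "usb_write"
    mbytes: int = 0  # payload size for download / usb_write


# Constructed directory: users with access to sensitive data are "privileged".
PRIVILEGE = {"alice": "privileged", "bob": "standard", "carol": "standard"}

# Constructed weights; a real deployment tunes these against its own data.
TIER_WEIGHT = {"privileged": 2.0, "standard": 1.0}
INDICATOR_WEIGHT = {"after_hours": 1.0, "volume_spike": 3.0, "usb_write": 2.0}
WORK_HOURS = range(8, 19)  # 08:00-18:59 counts as routine activity
SPIKE_FACTOR = 3.0         # daily download volume > 3x baseline is a spike


def build_baseline(history):
    """Median daily download volume (MB) per user from historical events."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in history:
        if e.action == "download":
            daily[e.user][e.day] += e.mbytes
    return {user: median(days.values()) for user, days in daily.items()}


def find_indicators(events, baseline):
    """Map each user to a list of (indicator, detail) deviations from normal."""
    volume = defaultdict(int)
    indicators = defaultdict(list)
    for e in events:
        if e.hour not in WORK_HOURS:
            indicators[e.user].append(("after_hours", f"{e.action} at {e.hour:02d}:00"))
        if e.action == "usb_write":
            indicators[e.user].append(("usb_write", f"{e.mbytes} MB to removable media"))
        if e.action == "download":
            volume[e.user] += e.mbytes
    for user, vol in volume.items():
        base = max(baseline.get(user, 0), 1)  # floor so a user with no history is handled
        if vol > SPIKE_FACTOR * base:
            indicators[user].append(("volume_spike", f"{vol} MB vs baseline {base:g} MB"))
    return indicators


def rank_users(history, events):
    """Score every user seen in `events` and return them riskiest first."""
    baseline = build_baseline(history)
    indicators = find_indicators(events, baseline)
    ranked = []
    for user in sorted({e.user for e in events}):
        tier = PRIVILEGE.get(user, "standard")  # unknown users are treated as standard
        raw = sum(INDICATOR_WEIGHT[kind] for kind, _ in indicators[user])
        ranked.append({"user": user, "tier": tier,
                       "score": raw * TIER_WEIGHT[tier],
                       "reasons": [f"{kind}: {detail}" for kind, detail in indicators[user]]})
    return sorted(ranked, key=lambda row: row["score"], reverse=True)


# Constructed history: five routine workdays of downloads per user.
HISTORY = [Event(user, day, 10, "download", mb)
           for day in range(5) for user, mb in (("alice", 100), ("bob", 20), ("carol", 10))]

# Constructed events under review (day 5).
REVIEW = [
    Event("alice", 5, 22, "download", 350),   # after hours and 3.5x her baseline
    Event("alice", 5, 22, "usb_write", 200),  # after hours, removable media
    Event("bob", 5, 23, "vpn_login"),         # after hours only
    Event("bob", 5, 11, "download", 25),      # within normal volume
    Event("carol", 5, 9, "login"),            # routine
]

if __name__ == "__main__":
    for row in rank_users(HISTORY, REVIEW):
        print(f"{row['user']:<6} {row['tier']:<10} score={row['score']:>5.1f} {row['reasons']}")
```

Running the script ranks alice first: her after-hours download and USB write, plus a download volume well above her median, give a raw score that the privileged-tier weight doubles. bob’s single after-hours VPN login earns a low score, and carol, whose day looked routine, scores zero. The point is the ordering, not the absolute numbers: the analyst’s review queue is driven by deviation from each user’s own baseline, weighted by how much damage that user’s access could do.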

4. Enhance transparency

Set up controls for tracking and handling shadow IT risks, create secure practices, and monitor user behavior and file movement by leveraging file transfer and end-to-end data encryption tools.

Further reading

Don’t forget to check our data-driven, transparent list of insider threat management (ITM) software vendors.


Drafted by
Mert Palazoğlu
Cem Dilmegani
Principal Analyst
