Skip to content Skip to navigation Skip to footer

Insider Threat Definition

An insider threat is a type of cyberattack originating from an individual who works for an organization or has authorized access to its networks or systems. An insider threat could be a current or former employee, consultant, board member, or business partner and could be intentional, unintentional, or malicious.

Typically, an insider threat in cybersecurity refers to an individual using their authorized access to an organization’s data and resources to harm the company’s equipment, information, networks, and systems. It includes corruption, espionage, degradation of resources, sabotage, terrorism, and unauthorized information disclosure. It can also be a starting point for cyber criminals to launch malware or ransomware attacks.

Insider threats are increasingly costly for organizations. The Ponemon Institute’s 2020 Cost of Insider Threats research found that this form of attack cost an average of $11.45 million and that 63% of insider threats result from employee negligence.

Types of Insider Threats

Various types of insider threats can lead to an organization suffering data loss or other security exploits. These include:


An intentional insider threat occurs when an individual sets out to purposely cause harm to an organization. Many intentional insider threats aim to get even with a company over a lack of recognition or a failure to meet expectations, such as not receiving a desired bonus or promotion. 


An unintentional insider threat involves data being lost or stolen as a result of employee error or negligence. Accidental unintentional insider threats occur due to human error and individuals making a mistake that leads to data leakage, a security attack, or stolen credentials. Accidental data leaks include sending business information to the wrong email address, mistakenly clicking on malicious hyperlinks or opening malicious attachments in phishing emails, or failing to delete or dispose of sensitive information effectively. These threats can often be avoided by following security best practices.

A negligent unintentional insider threat occurs through carelessness that leads to exposing an organization to a threat. For example, ignoring security and IT policies, misplacing portable storage devices, using weak passwords, and ignoring software updates or security patches can leave organizations vulnerable to a cyberattack.

Third-party Threats

A third-party threat is typically a business partner or contractor that compromises an organization’s security. Third-party threats can be a result of negligent or malicious activity.

Malicious Threats

A malicious threat is a form of intentional insider threat that intends to cause harm either for personal benefit or as an act of vengeance. 

Malicious insider threats aim to leak sensitive data, harass company directors, sabotage corporate equipment and systems, or steal data to try and advance their careers. Many of these malicious threats are financially motivated, as employees steal corporate data to sell to hackers, third-party organizations, or rival companies.

Collusive Threats

A collusive threat is a type of malicious insider, in which one or more insider threat individuals work with an external partner to compromise their organization. Collusive insider threats often involve a cyber criminal recruiting an employee to steal intellectual property on their behalf for financial gain.

5 types of insider threats

Insider Threat Individuals

Insider threat individuals are typically split into two types of actors:

  1. Pawns: Pawns are company employees manipulated into carrying out malicious activity, such as disclosing their user credentials or downloading malware. Pawns are often targeted by attackers through social engineering or spear-phishing campaigns.
  2. Turncloaks: A turncloak is an employee who actively turns on their employer. Turncloaks often act to gain financially or to cause harm to an organization. However, turncloaks also include whistleblowers, who serve to bring public attention to the failings of their employer.

Additional insider threat individuals include: 

  1. Collaborators: A collaborator is an employee who collaborates with a cyber criminal and uses their authorized access to steal sensitive data, such as customer information or intellectual property. Collaborators are typically financially motivated or reveal information to disrupt business operations. 
  2. Goofs: A goof is an employee who believes they are exempt from their organization’s security policies and bypasses them. Whether through convenience or incompetence, goofs’ actions result in data and resources going unsecured, which gives attackers easy access.
  3. Lone wolf: Lone-wolf attackers work alone to hack organizations or seek out vulnerabilities in code and software. They often seek to gain elevated levels of privilege, such as database or system administrator account passwords, that enable them to gain access to more sensitive information.

Technical Indicators of Insider Threats

When an insider attacks, they sometimes need to hack security systems or set up hardware or software infrastructure to make it easier for them or others to access your system. By knowing how to identify the tactics and tools they use to do this, you can spot the attack and take steps to mitigate it. Here are some telltale signs:

  1. Backdoors that enable access to data: To find backdoors, perform a backdoor file scan or monitor your system for external requests from hackers who may be trying to use the backdoor.
  2. Hardware or software that enables remote access: Look out for instances of remote access software, such as TeamViewer or AnyDesk, and check for physical servers installed around your campus, such as Synology devices.
  3. Changed passwords: Any time a user’s old password does not work and they feel it may have been changed, check to see if this is true. It could have been an inside attacker changing it to enable them access to the resources that the user has rights to.
  4. Unauthorized changes to firewalls and antivirus tools: Any time the settings of a firewall or antivirus change, it could be the result of an inside attacker trying to pave an easy path to your system.
  5. Malware: If you discover malware, it is best to investigate when and where it was installed. It could have been put there by an insider.
  6. Unauthorized software: When unauthorized software gets installed, this should always raise a red flag. In many cases, the software may look innocent, but it could be a Trojan horse virus, which contains hidden malware.
  7. Access attempts to servers or devices with sensitive data: Any time someone tries to access a sensitive area of your network, this could be an insider threat, particularly because you often need credentials issued by the organization to do so.

Insider Threat Examples

There are two basic types of insider threats in cybersecurity: malicious and negligent. As mentioned at the outset, not all threats are intentional and may be due to negligent or careless decisions, but they still fit the insider threat definition because they come from within the organization. Malicious attacks, on the other hand, are often carefully planned, executed, and concealed. 

Here are some insider threat examples that involve a mix of malicious and accidental incidents:

A Fired Employee Fires Back

In 2021, Juliana Barile, an employee at an undisclosed credit union in New York, decided to exact revenge after being fired from her job. The IT team did not immediately deprovision her access to sensitive systems after termination. So within 40 minutes, Ms. Barile deleted over 21GB of data that included 3,500 directories and 20,000 files. Some of the deleted files were anti-ransomware software and mortgage applications. She was also able to access board minutes and other sensitive information.

An Insider Error Steers Data of Texas Drivers into a Hacker’s Hands

An employee at tech company Vertafore stored the data of Texas drivers in an insecure offsite location, leaving it vulnerable to a breach. The accidental leak impacted 27.7 million records. Even though the breach did not involve either financial or social security data, Vertafore still ended up covering the cost of incident response—and it is facing a class-action lawsuit as a result.

City of Dallas Files Deleted Because of an Insider’s Mistake

An errant but apparently innocent employee of the City of Dallas was fired after it was discovered they had deleted more than 22TB of data between 2018 and 2021. Among the destroyed files were 13TB of videos, photos, and case notes that belonged to the Dallas Police Department. The investigation revealed that the incident was not a malicious attack. The employee simply failed to follow internal procedures while transferring files.

What Are the Risks Caused by an Insider Threat?

Insider threat attacks can result in malware being installed on user devices, routers, and corporate networks. It can also result in organizations falling prey to data corruption, data theft, and financial fraud, while their users could become victims of identity theft. The loss of sensitive data can lead to organizations suffering reputational damage, losing business, and being subjected to fines and legal action.

How To Stop Insider Threats

Insider threats can be prevented by constantly monitoring user activity, gaining real-time insight into network activity, and taking action immediately when a security incident occurs.

Insider threat prevention relies on the following four-step security event process:


Organizations need to be able to detect malicious, suspicious, or unusual activity on their networks. Threat detection includes having real-time insight into user logins, such as where and when a user has logged in to the corporate network and the location they have accessed it from. 

Security solutions and rapid threat detection help organizations increase the visibility of their network, track employees’ actions, and get alerts regarding anomalous activity. 


Once the suspicious activity has been detected, organizations need to be able to investigate it immediately. There is no use detecting suspicious activity but not investigating it until several days after the event, as the attacker will likely have escalated their privileges and carried out their attack.


When it has been determined that the suspicious activity is malicious or unauthorized, organizations need to prevent users from gaining access to their networks and systems. They need a threat prevention solution that blocks an attacker from gaining access to data and snooping on user activity. 

Organizations can also prevent insider threats by deploying virtual private networks (VPNs), which encrypt data and enable users to keep their browsing activity anonymous behind a VPN solution.


Organizations need to protect their users and devices by enforcing security policies and securing their data. Critical assets, such as facilities, people, technology, intellectual property, and customer data need to be protected at all times with the appropriate levels of access rights and privileges. 

Policies need to be clearly documented, and all employees must be familiar with the security procedures they need to follow, their data privileges, and their intellectual property rights. This final step of the process is crucial to complying with increasingly stringent data privacy regulations.

How Fortinet Can Help

Fortinet allows organizations to proactively detect and prevent insider threat attacks. Its user and entity behavior analytics (UEBA) solution protects businesses from insider threats through automated detection and response and by constantly monitoring devices and users. 

The Fortinet UEBA solution uses artificial intelligence and machine learning to identify anomalous, noncompliant, and suspicious behavior and instantly alerts organizations of potentially compromised accounts. The Fortinet approach ensures organizations gain enhanced visibility and advanced protection regardless of whether users are on their corporate network or not.


What is an insider threat?

An insider threat is a type of cyberattack originating from an individual who works for an organization or has authorized access to its networks or systems. 

How to stop insider threats?

Insider threats can be prevented by constantly monitoring user activity, gaining real-time insight into network activity, and taking action immediately when a security incident occurs.

What are the risks caused by an insider threat?

Insider threat attacks can result in malware being installed on user devices, routers, and corporate networks. It can also result in organizations falling prey to data corruption, data theft, and financial fraud, while their users could become victims of identity theft.