How to Defend Against Insider Threats


Not all threats to your company come from external sources. Insider threats come from people within the organization, such as employees, former employees, contractors or business partners. According to IBM’s 2015 Security Intelligence index, 31.5% of attacks were by malicious insiders, 23.5% of attacks were by inadvertent insiders and 95% involved someone inside the company making a mistake. The key element is that insiders have:

1) information concerning the organization’s security practices, data or systems.

2) the means to access and tamper with company assets.

Traditional security measures such as firewalls, antivirus, physical checkpoints and others are designed to protect your company from external threats but are ineffective at protecting you from internal threat actors. In order to reduce this risk you need to take a different approach. Here I’ll outline some of the key principles and controls you can use to prevent security incidents caused by internal sources:

The Principle of Least Privilege

This concept applies to all work and simply means that any employee, contractor or third party should be given the least amount of access and information needed to do their job. Minimizing the access and information that people have reduces their ability to perform actions that may be damaging to your business.

Segregation of Duties

Some actions or information are so important that the misuse of either can have a huge impact on the business. One way to protect against this is Segregation of Duties, which requires that multiple people work together in order to perform a certain task. For example, you shouldn’t have the same person approving an order, making the purchase for the order and reviewing purchases for your business. If the same person performs all of these functions it’s too easy for them to misuse money, because no other person reviews what they are doing.
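The order/purchase/review example above can be enforced mechanically by checking each user's effective duties against a list of conflicting pairs. This is an added illustration, not code from the original post; the roles, users and conflict pairs are constructed for the example.

```python
from itertools import combinations

# Duty pairs one person must never hold together. Constructed to mirror the
# order/purchase/review example above; adapt to your own processes.
SOD_CONFLICTS = {
    frozenset({"approve_order", "make_purchase"}),
    frozenset({"make_purchase", "review_purchases"}),
    frozenset({"approve_order", "review_purchases"}),
}

# Hypothetical role definitions and user-to-role assignments.
ROLE_DUTIES = {
    "requester": {"create_order"},
    "approver": {"approve_order"},
    "buyer": {"make_purchase"},
    "auditor": {"review_purchases"},
    "finance_admin": {"approve_order", "make_purchase"},  # toxic within one role
}
USER_ROLES = {
    "alice": {"requester"},
    "bob": {"approver", "auditor"},   # conflict arrives via two separate roles
    "carol": {"finance_admin"},       # conflict arrives via one over-broad role
    "dave": {"buyer"},
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Flatten a user's roles into the duties they can actually perform."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   conflicts=SOD_CONFLICTS):
    """Return {user: [(duty_a, duty_b), ...]} for every user whose effective
    duties include a conflicting pair. Checking effective duties rather than
    role names catches both bob and carol."""
    findings = {}
    for user in user_roles:
        duties = sorted(effective_duties(user, user_roles, role_duties))
        hits = [pair for pair in combinations(duties, 2)
                if frozenset(pair) in conflicts]
        if hits:
            findings[user] = hits
    return findings
```

Run the same check whenever a role is changed or a user is added to a group, not just at annual review time.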

Mandatory Vacations

Vacations aren’t always just in the interest of the employee. Enforcing mandatory vacations helps to identify misconduct in a business because someone else will take over the process while the regular person is away. For example, if someone is able to run a process undisturbed for three years and they are doing something illegal, it will be very hard to know, because no one else is directly involved in that process or reviewing that person’s work. But if that person is forced to take two or three weeks off and someone else must take over, there’s a good chance that the person taking over will notice if something was not being done properly. Additionally, it ensures that there are multiple people trained on how to do any particular task. If only one person is trained to perform a business function, the company can become over-reliant on that person, and this can cause problems for the business if that person ever leaves. Mandatory vacations ensure multiple people will be able to perform that function and help to prevent over-reliance on any one individual.

Develop a good employee termination procedure

Many security problems come from recently fired employees. Obviously, being let go from a company can be a stressful and emotional experience for many people. As a result, some people decide to get back at the company. This can mean physical violence against managers or co-workers, destroying company property, destroying company information (through the planting of viruses or destroying documents) and many other means of revenge. According to a study by the CERT Insider Threat Center, about 85% of sabotage cases by disgruntled employees had revenge as the primary motivation.

It’s important to have a concise plan on how to properly terminate an employee. The key here is to remove access to physical facilities and company networks at the same time, so that they can’t perform any damaging actions in the gap between the two. It’s also important to remember to treat people humanely and with respect so that fewer people feel compelled to try and get back at the company. Here you can find a list of best practices for user termination.

Have Proper Surveillance

This includes monitoring all important areas of your company with video cameras, typically ones equipped with motion sensors and night vision. It’s also important to have signs letting people know they are being watched in these areas, to help deter people from doing things they aren’t supposed to. You can also enable session screen-capture technology on all critical servers and on devices owned by highly privileged users. This way you can easily obtain screenshots to use as evidence in the event of suspicious behavior.

Have Proper Backups and Recovery Processes

Establishing a policy that regularly creates full backups is a good general practice and helps to ensure that if there is a major security incident, the business can be restored with minimal damage. In policies like this, full backups should be performed at least once a month.

Keep Track of Employee Access

Privilege creep is the slow accumulation of unnecessary permissions, access rights and other privileges by a user as they remain at a company. It happens very often because access is granted when a task or role requires it but is rarely removed afterwards, so over time the amount of access a user has continuously increases. Some of this is acceptable, but access that gives a user more freedom than their current job requires should be revoked once it’s no longer needed, so that privilege creep doesn’t take hold.
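A periodic access review is the usual way to catch privilege creep: compare what each user holds against what their role needs, and against what they have actually used. The script below is an added example, not code from the original post; the users, roles, entitlements and dates are constructed, and the 90-day window is an assumption.

```python
from datetime import date, timedelta

# All data below is constructed for this example; TODAY fixes the review date.
TODAY = date(2024, 6, 30)
# Least-privilege baseline: what each job actually needs.
ROLE_BASELINE = {
    "support": {"ticketing:read", "ticketing:write", "kb:read"},
    "devops": {"prod:deploy", "prod:logs"},
}
# user -> (role, {entitlement: date granted}); erin changed teams and kept old grants.
ACCESS = {
    "erin": ("support", {"ticketing:read": date(2021, 3, 1),
                         "ticketing:write": date(2021, 3, 1),
                         "kb:read": date(2021, 3, 1),
                         "prod:deploy": date(2022, 1, 10),
                         "payroll:read": date(2023, 5, 2)}),
    "frank": ("devops", {"prod:deploy": date(2020, 9, 9),
                         "prod:logs": date(2020, 9, 9)}),
}
# (user, entitlement) -> last date it was exercised, taken from access logs.
LAST_USED = {
    ("erin", "ticketing:read"): date(2024, 6, 28),
    ("erin", "ticketing:write"): date(2024, 6, 28),
    ("erin", "payroll:read"): date(2024, 6, 20),
    ("frank", "prod:deploy"): date(2024, 6, 29),
    ("frank", "prod:logs"): date(2024, 6, 29),
}


def review_access(user, today=TODAY, window_days=90):
    """'keep' = in the role baseline; 'revoke' = outside it and unused within the
    window; 'justify' = outside it but recently used, so an owner must document
    why it is still needed or it is revoked at the next review."""
    role, grants = ACCESS[user]
    cutoff = today - timedelta(days=window_days)
    verdicts = {}
    for ent in grants:
        last = LAST_USED.get((user, ent))
        recently_used = last is not None and last >= cutoff
        if ent in ROLE_BASELINE[role]:
            verdicts[ent] = "keep"
        else:
            verdicts[ent] = "justify" if recently_used else "revoke"
    return verdicts


def creep_report(today=TODAY, window_days=90):
    """Per user, only the entitlements that have crept beyond the role baseline."""
    return {u: {e: v for e, v in review_access(u, today, window_days).items()
                if v != "keep"} for u in ACCESS}
```

Entitlements still in use but outside the baseline are deliberately not auto-revoked; they are routed to a human decision so the review does not break a legitimate workflow.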

Monitor your Network for Suspicious Activity

Using tools like SIEMs, you can monitor your network for suspicious activity by employees. You can implement log management and change auditing software that looks at actions performed across the entire organization. Another important aspect of this is User Behavior Analytics (UBA) technology. This is technology that detects insider threats, targeted attacks and financial fraud by looking at patterns of human behavior and then identifying anomalies from those patterns that may indicate a threat to your company. It’s another application of machine learning with big data, which helps identify threats within your network.
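The core of UBA is exactly what the paragraph describes: build each user's own baseline from past activity, then flag the day that deviates from it. The script below is an added example, not code from the original post or any vendor's product; the log format, the user, the business-hours window and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2} (\w+) download (\S+)$")

# Constructed download-audit log (hypothetical format). erin's first three days
# look alike; on 2024-06-07 she pulls far more files than usual, late at night.
LOG = """\
2024-06-03T09:12:04 erin download /share/sales/q2.xlsx
2024-06-03T14:40:11 erin download /share/sales/leads.csv
2024-06-04T10:02:51 erin download /share/sales/q2.xlsx
2024-06-04T16:15:00 erin download /share/sales/pricing.docx
2024-06-06T09:55:42 erin download /share/sales/forecast.xlsx
2024-06-06T13:20:08 erin download /share/sales/q2.xlsx
2024-06-07T23:01:10 erin download /share/sales/customers_full.csv
2024-06-07T23:02:33 erin download /share/sales/contracts_2023.zip
2024-06-07T23:03:48 erin download /share/sales/contracts_2024.zip
2024-06-07T23:05:02 erin download /share/sales/pricing.docx
2024-06-07T23:06:19 erin download /share/sales/leads.csv
"""

def parse(log):
    """-> {user: {day: [hour of each download]}}; lines that do not match are skipped."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            day, hour, user, _path = m.groups()
            events[user][day].append(int(hour))
    return events

def anomalies(log, eval_day, work_hours=(7, 19), min_baseline_days=3):
    """Flag a user on eval_day when the download count beats their own history
    (mean + 3 sigma, floored at 2x mean) or any download falls outside work hours."""
    findings = {}
    for user, days in parse(log).items():
        hours = days.get(eval_day, [])
        baseline = [len(h) for d, h in days.items() if d != eval_day]
        reasons = []
        if hours and len(baseline) >= min_baseline_days:
            mu, sigma = mean(baseline), pstdev(baseline)
            if len(hours) > max(mu + 3 * sigma, 2 * mu):
                reasons.append(f"{len(hours)} downloads vs usual {mu:.1f}/day")
        late = [h for h in hours if not work_hours[0] <= h < work_hours[1]]
        if late:
            reasons.append(f"{len(late)} downloads outside {work_hours[0]:02d}-{work_hours[1]:02d}h")
        if reasons:
            findings[user] = reasons
    return findings
```

The per-user baseline is what distinguishes this from a static rule: the same five downloads would be normal for someone whose history shows ten a day, and the volume check is skipped until a user has enough history to compare against.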

(Figure: a Splunk dashboard)

Have Well Developed Policies for Proper User Behaviour

You should have policies that outline how employees should act during their employment and inform them of what type of monitoring/surveillance your company performs. Those related to acceptable standards of behaviour should be included in the onboarding process and employee contract, while others should be documented and made available to employees to read or sign as required. The goal here is to make sure that the expectations are established at the beginning of the work relationship. Some common policies that companies have include:

– User Monitoring policy

– Acceptable Use policy

– Third-Party Access policy

– Workplace Conduct policy

– Password Management Policy

It’s important to work with HR and legal teams to ensure that people are made aware of these rules and the consequences of breaking them, and that all your legal requirements are fulfilled. You also want to make sure that the rules you put in place don’t violate any privacy or workplace laws.

Employee Training

Lastly, training employees on how to identify suspicious behaviour and giving them an anonymous way to report that behaviour is critical. You can’t be everywhere so encouraging employees to report that behaviour and even incentivizing it can be very valuable in helping to identify fraud, abuse, harassment and all sorts of negative behaviours you don’t want.

Insider threats require unique solutions because the people behind them already have access to your company. The most important things are to ensure that there are proper restrictions around the access given to employees, that you have the proper means to monitor what people are doing, and that people are aware of what they should and shouldn’t be doing. It begins with proper training and policies so that they know the expectations upfront, continues with controlled access throughout their employment, and ends with making sure that whenever an employee does leave the company their access is removed quickly, to prevent any spiteful actions on the way out.