Insider Threat: Definition, Prevention & Defense

An insider threat is a security risk that stems from your current employees, former staff members, contractors, or vendors. Anyone who has access to important and protected electronic items could pose an insider threat to your organization. 

The methods insiders use can vary. But experts say most of these people attempt to:

  • Steal your company's intellectual property 
  • Sabotage your company's current or future success
  • Commit fraud for financial gain 
  • Engage in some form of espionage 

The only way to halt all insider threats is to stop working with anyone else. But your company may not be successful if just one person owns and manages it.

Instead, learn more about what these threats look like, and you'll be prepared to stop them when you find them.

Types of insider threats 

Two main types of attacks stem from insiders. Understanding the difference is critical as you formulate plans to keep your critical assets safe. 

Your insider threat might be:

  • Malicious. Someone inside your organization hopes to use their clearance to harm you or your organization. People like this might steal your intellectual property and sell it to the highest bidder, or they might engage in fraudulent activity to steal something from you. 
  • Inadvertent. A person disregards your rules or makes errors. These steps put your company at risk, even if that's not the person’s intent. 

We know a lot about insider threats from work done at Carnegie Mellon University. The CERT Insider Threat Center within the university tracks these incidents and releases reports for business leaders to study and learn from. The group suggests that many attacks stem from so-called "insider disgruntlement," where a person within your circle doesn't get something expected.

But know that some angry people hide their feelings quite well. You may not know who the risky person in your midst is until it’s too late.

How dangerous are insider threats? 

Few companies brag about the devastating losses they've endured after an attack. But insider threats tend to produce spectacular results that are hard to hide. Wading through the statistics gives you an idea of just how worrisome this issue really is. 

  • Insider threats represent the biggest threat to the U.S. economy. Source: Security
  • Among global health care organizations, 35 percent experienced cloud data theft sparked by insider threats. Source: Infosecurity Magazine
  • Among European employees, 29 percent have purposefully sent data to outsiders. Source: Infosecurity Magazine
  • Tesla experienced an insider threat in 2018, sparked by an employee who didn't get a promotion he expected. Source: CSO
  • Concession vendor Spectra lost $268,000 in one insider threat attack. Source: Infosecurity Magazine

Are you facing an insider threat? 

Any company with employees, vendors, or both could be at risk for an insider attack. But you can learn to spot the signs. 

People planning an attack like this often:

  • Ask for data. An employee might request access to a sensitive part of your server, or you might notice an uptick in file downloads. 
  • Work undercover. The person might log in late at night or on weekends. Or the person might spend long hours in the office when everyone else has gone home. 
  • Break the rules. You may notice that the person keeps their workstation unlocked or has printed passwords available. 

Monitoring for unusual activity is an integral part of threat mitigation. Look over your user logs, and make sure you know how your employees usually act. When you spot an anomaly, you're ready to respond. 

You can also consider a least-privileged access control model. If people can't see the most delicate parts of your server, they'll have less to leverage in an attack.

Okta can help you spot unusual activity, so you can see an attack right when it starts. Learn more about enforcing least-privileged access for your Linux servers and how to leverage data to drive stronger security.


Common-Sense Guide to Mitigating Insider Threats, Sixth Edition. (December 2018). Carnegie Mellon University Software Engineering Institute. 

CERT Insider Threat Center. (2017). Carnegie Mellon University Software Engineering Institute. 

Inside the Insider Threat. (March 2020). Security. 

Insider Cloud Data Theft Plagues Healthcare Sector. (February 2021). Infosecurity Magazine. 

Employees Willing to Leak and Sell Corporate Access. (March 2017). Infosecurity Magazine. 

Insider Threat Becomes Reality for Elon Musk. (June 2018). CSO. 

Former Employee Behind Earthquakes Stadium Hack. (February 2021). Infosecurity Magazine.