Insider Threat Indicators

Unveiling the Hidden Dangers Within: A Deep Dive into Insider Threats and Strategies to Safeguard Your Organization
Flip Vermeersch
9 min

In today's interconnected world, the concept of security extends far beyond the digital realm, encompassing a spectrum of risks that threaten organizations from within. The term 'insider threat' has become a buzzword in corporate corridors, not just as a cybersecurity issue but as a comprehensive security challenge. Startlingly, 74% of companies acknowledge feeling vulnerable to insider threats, a concern that's validated by the average cost of an insider threat incident reaching a staggering $15.38 million in 2023. This vulnerability is a manifestation of various factors, ranging from employee or contractor negligence (56%), criminal and malicious insiders (26%) and credential theft (18%).

The impact of insider threats is multifaceted, affecting both the cyber and physical aspects of organizations. Between 2018 and 2020 alone, insider attacks have surged by over 47%, a trend influenced by technological advancements and changing workplace dynamics. This rise in insider threats is a wake-up call for organizations to reassess their security posture, not just in the digital space but across all facets of their operations.

Financially, the burden is heavier for larger companies, with an excess of $10.24 million spent on addressing insider attacks compared to smaller firms. This disparity highlights the need for a balanced approach that integrates both cyber and physical security measures. Global Security and Risk Management Spending is projected to reach a remarkable $188.1 billion in 2023, reflecting the growing awareness and response to these threats.

As we explore the complex landscape of insider threats, it's clear that the issue transcends cyber vulnerabilities. It calls for an inclusive approach that considers physical security, employee behavior, organizational culture, and technological safeguards. Understanding and addressing the multifaceted nature of insider threats is not just about protecting data and systems; it's about safeguarding the very integrity and resilience of organizations in an increasingly unpredictable world.

What is an insider threat?

An insider threat arises when individuals within an organization, such as employees, contractors, or business partners, misuse their authorized access to harm the organization. This could involve stealing sensitive information, sabotaging systems, or facilitating external attacks. Insider threats are particularly dangerous because they come from within and can bypass many traditional security measures. They can be intentional, where the insider has malicious intent, or unintentional, resulting from carelessness or ignorance. Effectively managing insider threats requires a combination of robust security policies, employee training, and technology that monitors and controls access to sensitive data. The impact of such threats is substantial; for instance, the average cost of a security breach, often exacerbated by insider incidents, reached $4.45M in 2023, underlining the financial stakes at play.

3 famous examples of insider threats

3.1 The Great GE Heist: A Seven-Year FBI Investigation into Stolen Trade Secrets

Jean Patrice Delia and his business partner, Miguel Sernas, former employees of General Electric Company (GE), pleaded guilty to conspiring to steal trade secrets. Over seven years, the FBI's Albany Field Office meticulously unraveled their scheme, which involved stealing a computer program and mathematical model crucial to GE's turbine calibration services. Delia, a GE performance engineer, downloaded thousands of GE files, including those containing trade secrets and sensitive bidding information. The duo's theft came to light when GE faced an unusually low competing bid from a company incorporated by Delia for a project in Saudi Arabia. Sernas, caught with the stolen files on a company laptop during a business trip, and Delia, facing up to 87 months in prison, illustrate the FBI's commitment to protecting American corporate innovation and holding criminals accountable, even over extended investigations.

Read the whole story.

3.2 Tesla's Data Breach Saga: How Two Ex-Employees Leaked Thousands of Staff Records

Two ex-Tesla employees have been accused of leaking the personal details of over 100,000 individuals to a German newspaper, an incident that came to light when Tesla was approached by Handelsblatt journalists on May 10 about possessing confidential information. An internal probe identified the former employees as the leak source, who had flouted Tesla's security and data protection protocols. Despite the breach, the German publication, bound by stringent privacy laws like the GDPR, has indicated it will not publish the data. In response, Tesla has initiated legal action to secure the implicated electronic devices and prevent further misuse of the data, involving law enforcement and forensic experts to address the situation. However, specifics regarding the former employees' departure and their post-departure access to Tesla systems remain undisclosed.

Read the whole story.

3.3 Corporate Espionage Unveiled: Yahoo's Legal Battle Over Stolen Ad Tech Secrets

Yahoo has filed a lawsuit against a former employee, Qian Sang, for allegedly stealing approximately 570,000 pages of sensitive company data, including proprietary source code and advertising algorithms, right after receiving a job offer from The Trade Desk, a direct competitor. The stolen information pertains to Yahoo AdLearn, a crucial part of Yahoo's ad tech platform. Sang, a senior research scientist and team leader at Yahoo, reportedly downloaded these files to personal devices without authorization. Yahoo's internal investigation, following Sang's resignation, revealed the extent of the data theft, which included critical algorithms and competitive analyses. The lawsuit accuses Sang of violating trade secrets, breaching fiduciary duty, and theft, seeking over $5 million in damages. Yahoo's representation by McGuireWoods underscores the seriousness of the case, which involves significant intellectual property and competitive advantage concerns in the online advertising space.

Read the whole story.

7 Insider Threat Incidents Stemming From Negligence

Inadequate Physical Access Termination

Failing to deactivate an ex-employee's physical access in a timely manner can lead to unauthorized entry and potential breaches.

Neglect in Controlling Removable Media

Not monitoring or restricting the use of removable media such as USB drives allows for easy theft or loss of data.

Poor Password Hygiene

Many security breaches occur because employees use weak passwords or reuse passwords across multiple accounts, making it easier for attackers to gain unauthorized access.

Poor Password Hygiene makes it easier for attackers to gain unauthorized access.

Unattended Devices

Leaving devices unsecured in public or poorly guarded places can lead to loss or theft, with potential access to sensitive information.

Phishing Scams

Falling for phishing emails is a common form of negligence that can lead to credential theft or malware infections.

Neglecting Security Training

Companies, Employees and contractors who do not take security awareness training seriously may not recognize or properly respond to potential security threats.

Misuse of Administrative Privileges

Negligent use of admin accounts can lead to accidental changes or deletions of critical data, or it could provide an attack vector if these credentials are compromised.

6 (easy) things to start monitoring in 2024

Shadow IT Proliferation

The use of unsanctioned software and hardware, often termed 'shadow IT,' can signal negligent or malicious intent. Whether it's a project manager using unauthorized apps or an individual encrypting files to send to their personal email, these actions create gaps in data security.

Privilege Creep

Privilege creep occurs when employees accumulate additional permissions over time without losing outdated ones, resulting in an unnecessary expansion of access to sensitive systems and data.

Access Beyond Necessity

Employees attempting to access information irrelevant to their job function is a red flag. While some job functions require expanded access, an uptick in these requests, especially to sensitive data, poses a substantial risk and may point to data harvesting or accidental leakage intentions.

File Renaming

Malicious actors may rename files, mismatching file extensions to content, in an effort to conceal their exfiltration of data. Tools that can detect such anomalies are crucial in identifying such behavior.

Departing Employees

Both voluntary and involuntary departures can trigger insider threats. Monitoring file movements from high-risk individuals is more effective than relying solely on data classification in preventing data leaks.

Behavioral Red Flags

Behavioral shifts like deteriorating job performance, erratic work schedules, accessing the premises at unusual hours, uncharacteristic disputes over policies, or unexpected displays of affluence and exotic vacations may signal an insider threat, especially when the individual involved has access to sensitive information.


The landscape of insider threats, as illustrated by high-profile cases like those at GE, Tesla, and Yahoo, is a stark reminder of the multifaceted nature of these risks. They underline the critical need for organizations to adopt a holistic security strategy that encompasses both digital and physical realms. 

Insider threats are not just a matter of external breaches but also involve internal factors such as employee negligence, misuse of privileges, and behavioral indicators that often go unnoticed. As businesses move forward into 2024, it is imperative to focus on proactive measures: from stringent monitoring of shadow IT and privilege creep to recognizing subtle behavioral changes and managing departing employees effectively. A pivotal step in this process is conducting physical penetration testing to identify and address any vulnerabilities, an essential practice for robust security management.

The key lies in a vigilant, educated, and well-equipped workforce, coupled with robust security and access protocols, to safeguard the integrity and resilience of organizations against the ever-evolving and complex threats from within. In doing so, companies can not only protect their critical data and systems but also fortify their standing in an increasingly unpredictable and interconnected business world.

Flip Vermeersch

Head of Marketing

About the author:

"Don't shoot the messenger!" While Flip might not claim to be an expert himself, he's the bridge between you and the industry's best minds. He dives deep, chatting with specialists to bring you the freshest insights on everything from biometrics to business continuity. He deciphers the complex, making it relatable and digestible. Beyond insights, Flip's also the voice behind NineID's updates. Always eager for a chat, he's open to collaborative content ventures. If you're keen on the latest in security or teaming up, Flip's your guy.