Typically the most common class of insider, employees naturally need access to sensitive data and systems in order to do their jobs. Additionally, employees may have access to assets that they do not need or may have unauthorized data shared with them by other users.

In some cases former employees can retain access to an organization’s data and systems even after they have left the company. Additionally, former employees may have access to data or information that they took with them prior to leaving.

Executives are employees, but deserve extra attention as they will typically have access to highly sensitive information due to their job role. This can include corporate secrets and intellectual property that would be highly damaging if lost

Like executives, board members will have access to highly privileged information including insight into organizational strategy and performance.

Organizations routinely work with a wide range of external contractors and service providers who require access to the company’s systems. These privileges can be highly dynamic particularly in the case of a service provider which may have several users service the account over time. As with employees, access and privileges for these users are often accidentally left in place even after the user’s contract is complete.

Many organizations work with a variety of partners who need or share access to systems and data. Not only must partners be treated as trusted insiders, they have also been the source of many data breaches in recent years.

Organizations must also be aware of anyone who has privileged access to their environments. This can include non-employees who may have badged access to a building to provide services such as custodial, HVAC, or other facility services.

Unlike traditional external threats, insider threats typically don’t require exploits, malware, or vulnerabilities in order to access to sensitive data. This removes many of the traditional opportunities to detect and prevent an attack. While many external threats must go through a complex multi-step attack chain in order to steal data, insider threats often begin at the very late of phase of attempting exfiltration. This means that defenders often have far fewer opportunities to stop the threat and many of the traditional threat prevention tools will not apply.

Organizations are at high risk from insider threats when an employee is planning to leave the company. In most cases, users will know their plans before they officially inform the company. While many organizations will step up monitoring or restrict access of users who have given notice, a malicious insider can take malicious actions before this phase. For example, a user may slowly acquire data or create accounts that they can use to access data after they leave.

Data often has a long life even after it is intially accessed. Users collaborate on projects, share data and files from user to user, copy/paste data from one file to another, and transform and share data in countless other ways. An insider threat may not be as simple as a user downloading large amounts of data from an application, then immediately trying to upload that data to the internet. However, organizations often struggle to follow the complex flows of data as it moves between users and applications.

Organizations often look for malicious insiders based on abnormal or anomalous behaviors such as accessing data at unusual times or access large amounts of data. However, users can easily aggregate data over time often in the course of their valid work activities. In the case of accidental insiders, their behavior is often almost identical to their normal work behavior.

Insider threats have many ways to hide the data they are stealing from security tools. For example, many data loss tools rely on inspecting the content of data leaving the company. Insiders can hide this content by encrypting the data or burying it within compressed archives. Once again, this can even be done without malicious intent as many applications use encryption and certificate pinning as a way of protecting user data. While this can benefit the user, it can also allow data exfiltration to fly under the radar.

Legal, financial, and other professional services firms are entrusted with highly sensitive customer data that must remain protected. Any exposure of this information can have serious financial and reputational impacts to the firm. These forms of data are also often dynamic, with many team members contributing to and collaborating on a file or an account. In fact, the IBM X-Force Threat Intelligence Index 2022 found that professional services organizations had over 2.5 times the rate of insider threats compared to the industry average.

High-tech firms typically succeed based on their unique innovations. These companies are at pronounced risk of damage if engineers and key employees take proprietary information with them when they move to a competitive company. Once again, this data can come in many forms, which can make the data harder to control.

Much like technology firms, bio-tech firms succeed or fail based on the unique products that they develop. In the case of biotech companies this often translates to product formulas and processes tied to new pharmaceutical products. These products require very high investments in time, money, and talent, and it is critical for organizations to protect this substantial investment.

Media companies regularly deal with assets such as movies, music, and shows that are highly confidential before they are publicly released. However, fans and leak sites will do anything they can to get materials before the official release date, both creating a market for malicious insiders as well as external users who are ready to pounce on any employee mistakes.

Organizations are at pronounced risk of insider threats whenever an employee leaves a company. In recent years, most industries have experienced higher than normal rates of turnover both due to macroeconomic events such as the Great Resignation and a highly competitive employment market. These cases make it even more important for organizations to be able to clearly and continuously know and control what sensitive information is in a user’s possession.