All insider threats started as an insider risk, but not all insider risks turn into an insider threat. An insider risk happens when a trusted insider such as an employee handles sensitive company data in a risky way. Maybe they copied a file to their personal Dropbox, or emailed it to their personal email. Exposure or theft may be one step away, but until it happens it’s just a risk.

Insider threats are fewer in number. They happen when data that’s at risk falls into the wrong hands or is weaponized in some way that negatively impacts the organization. An employee copying company data to a USB drive is a risk. When that same employee shares the data with a competitor, leaks it to the media, or accidentally exposes it, an insider threat has happened.

Common examples of insider risk

Insider risks are quite common. Our research team found that over a six-month time frame, more than 9% of employees created an insider risk incident. Common examples include:

• Storing data in a personal cloud storage service. Personal cloud storage services such as Dropbox and Google Drive are the most common exfiltration vector trusted insiders use to move sensitive data outside the company. They’re a convenient way to share files across devices, but they shouldn’t be used unless controlled by the company.

• Emailing company using personal webmail. Sometimes an employee has their personal Gmail open on their work computer side by side with their corporate email, making it easy to upload a file and send it from the wrong email. Or maybe they email documents to themselves to view them on another device. They could also be trying to circumvent security controls on the company’s corporate email.

• Copying sensitive data to a USB drive. If the employee can’t bring their company computer home with them, they sometimes copy files to a USB drive to take with them to finish at home. Or they could be transferring large files to a colleague. But USB drives can also be used to steal data or they could be misplaced or fall into the wrong hands.

• Accidentally sharing a file with the wrong person. Who hasn’t been sharing a file with someone else, and when typing in their name the computer automatically fills in the recipient to the wrong person who happens to have the same first name? In a moment of haste, they click send and then the data could be in the wrong hands.

When a risk becomes a threat

An insider threat happens when an insider’s malicious or negligent handling of data impacts the company in a negative way. Common insider threat examples include:

• A former employee takes company data to a competitor – Whether it’s a sales rep bringing sales contacts to a competitor, or an engineer taking a key algorithm to another software company, there’s a wide range of sensitive information that in the hands of a competitive company can materially impact you financially.
• An insider leaks company secrets to the news media – There are many recent high profile examples of whistleblowers who have shared sensitive internal company research or communications with reporters. In some cases, these incidents happen years after they departed their employer, showing the long half life of an insider risk.
• Customer data exposed online triggers a compliance violation – Employees putting company data in personal cloud storage services can easily overlook the permissions on the data, inadvertently exposing regulated data like patient health records to the internet. When a third party discovers the data, the company can incur fines and investigations.
• An employee shares unreleased announcements to trade stocks – Employees or contractors looking to cash in on their privileged access to company information sometimes share unreleased financials or press releases with friends and family, who in turn buy or sell stock before the news is made public.