Meeting the Insider Cybersecurity Threat Head-On: A Primer

From IC Insider Thales Trusted Cyber Technologies

By Gina Scinta, Deputy CTO, Thales Trusted Cyber Technologies

One of the main cybersecurity challenges on the radar of experts in 2025 is insider threat. Federal IT professionals not only need to be aware of this threat, but to take active measures to minimize its potential damage.

A blog posted to the Cloud Security Alliance by a Microsoft security specialist listed insider threats among the top ten cybersecurity threats to watch out for in 2025. And according to the 2025 Ponemon Cost of Insider Threats Global Report, insider threat risks this year could cost organizations an average of $17.4 million. The cost of incident containment and response has been increasing, even though the average time to contain the threat has actually decreased.

There are a variety of strategies already being promoted to protect against insider threats. As far back as 2021, a report commissioned from Forrester Research listed common strategies such as implementing database activity monitoring; improving incident detection, investigation and response capabilities; using AI for threat intelligence and breach investigation; and improving identity and access management tools and policies.

The Cloud Security Alliance blog mentioned earlier also notes that organizations looking for ways to address this threat “should implement strict access controls, conduct regular audits, and foster a culture of security awareness.” The blog also states that “Behavioral analytics tools can also help identify unusual activities that may indicate insider threats.”

Of course, there is much more to an insider risk mitigation strategy than can be summed up in two short sentences. In this commentary, we’ll take a closer look at the problem of insider threats to cybersecurity, and provide a deeper dive into ways to minimize the risk from insider threats.

Insider threats defined

Simply put, an insider threat is a security risk that comes from an internal source of the targeted organization. It may involve a current or former employee (or business associate) who misuses access to sensitive information or privileged accounts within the organization’s network.

Unfortunately, traditional security measures focus primarily on external threats; they are not always capable of identifying threats coming from inside the organization.

There are several types of insider threats:

Malicious insider. This is a person who intentionally abuses legitimate credentials – most commonly to steal information for financial or personal gain. As an example, a malicious insider might be a person with a grudge against a former employer, or an opportunistic employee who sells secret information to a competitor. These people may have an advantage over other attackers: They are familiar with the organization’s security policies and procedures, as well as its vulnerabilities.

Careless insider. Typically, this person unknowingly exposes the system to outside threats. Unfortunately, this is the most common type of insider threat. Inadequate cyber hygiene training can result in mistakes, such as leaving a device exposed or becoming the unwitting victim to an email phishing scam. An employee with no intention of harming the organization may click on an insecure link, thereby infecting the system with malware.

A mole. This is an imposter – technically an outsider – who has gained insider access to a privileged network. It may be someone from outside the organization posing as an employee or partner.

While not necessarily the most common across every organization, malicious insiders can cause some of the greatest damage. It is important, therefore, to understand some of the key indicators of such threats.

How can an organization know that it has been exposed to a malicious insider threat? Certainly, it can be indicated by anomalous activity at the network level. Similarly, if an employee seems to be dissatisfied or holds a grudge, that also can be a sign. Unfortunately, even an employee who is enthusiastically taking on additional responsibilities could be a sign of potential foul play.

Some threat indicators are easier to track than others, and they generally fall under the category of unusual behavior. For example, activity at unusual times, such as signing in to the network at 3:00 am, should raise a red flag. Unusual volumes of traffic, or transferring large amounts of data across the network, can also be a cause for concern, as can unusual types of activity, such as accessing resources not typically associated with an employee’s responsibilities.

Best practices to minimize insider threat

There are several strategies an organization can employ to reduce the risk of insider threats.

Protect critical assets. By critical assets, we mean systems, technology, facilities, and people. However, a critical asset can also refer to intellectual property, including customer data held by vendors, proprietary software, schematics, and internal manufacturing processes.

It is important to have a comprehensive understanding of what the organization considers a critical asset. What kind of critical assets does the organization have? Can the assets be prioritized? What is the current state of each asset?

Define, document and defend policies. Organizational policies must be clearly defined and documented in order to enforce them and prevent misunderstandings. Every employee in the organization must be familiar with security procedures and should understand their rights in relation to intellectual property (IP). This is cyber hygiene best practice and it ensures that privileged content is not shared improperly.

Increase visibility. Make use of solutions that can track employee actions and correlate information from multiple data sources. Deception technology, for example, might be useful in luring a malicious insider or imposters and gaining visibility into what they are doing.

Make the right kind of culture changes. Once again, this ties back to good cyber hygiene. Security is a combination of knowledge, attitudes and beliefs. To ensure employees are not being negligent, and to address the root causes of malicious behavior, it is essential that all employees are properly educated in security issues – and that they have what they need to improve their overall satisfaction.

Insider threat detection: Machine learning and other solutions

Insider threats can be more difficult to identify or prevent than outside attacks. What’s more, they often can circumvent or avoid traditional security solutions that focus on external threats, like firewalls and intrusion detection systems. If an attacker can get past an authorized login, conventional security measures may not identify any unusual behavior. Malicious insiders also can avoid detection if they are familiar with the organization’s existing security measures.

That means protecting critical assets cannot rely on a single solution. An insider threat detection strategy must be diversified. One effective way to do that is to combine several tools, so that insider behavior is not only monitored but the resulting large volume of alerts is also filtered to eliminate false positives.

Machine Learning (ML) applications can help analyze data streams and prioritize the most relevant alerts. Digital forensics and analytics tools, like User and Event Behavior Analytics (UEBA), help detect, analyze, and alert a security team to any potential insider threats. User behavior analytics can establish a baseline for normal data access activity, while database activity monitoring can help identify policy violations.
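The behavioral indicators described earlier (off-hours sign-ins, unusual data volumes, access to resources outside a user's normal duties) and the per-user baseline that UEBA tooling builds can be illustrated in a few dozen lines. The following is an added example, not code from the article or from any Thales product: it learns a per-user profile (hours seen, resources touched, mean and standard deviation of bytes transferred) from a constructed baseline log, then scores new constructed events against that profile. The log format, user names, resource names and the z-score threshold are all assumptions made for the example.

```python
"""Toy UEBA-style baseline and anomaly scoring over constructed access logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not from any real system). One event per line:
# ISO timestamp, user, resource accessed, bytes transferred.
BASELINE_LOG = """\
2025-03-03T09:12:00 alice hr-db 1200
2025-03-03T10:40:00 alice hr-db 800
2025-03-04T09:05:00 alice hr-db 1500
2025-03-04T14:20:00 alice hr-db 1100
2025-03-05T11:00:00 alice hr-db 900
2025-03-03T08:55:00 bob eng-repo 40000
2025-03-03T16:30:00 bob eng-repo 52000
2025-03-04T09:10:00 bob eng-repo 47000
2025-03-04T17:45:00 bob build-server 30000
2025-03-05T10:15:00 bob eng-repo 45000
"""

# Constructed events to score against the baseline above.
NEW_EVENTS = """\
2025-03-06T03:02:00 alice hr-db 1000
2025-03-06T10:30:00 alice eng-repo 900
2025-03-06T11:00:00 alice hr-db 250000
2025-03-06T09:00:00 bob eng-repo 46000
"""


def parse(text):
    """Parse the whitespace-separated log format into (user, datetime, resource, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, nbytes = line.split()
        events.append((user, datetime.fromisoformat(ts), resource, int(nbytes)))
    return events


def build_baselines(events):
    """Per-user profile: hours of day seen, resources touched, byte-volume statistics."""
    per_user = defaultdict(lambda: {"hours": set(), "resources": set(), "bytes": []})
    for user, ts, resource, nbytes in events:
        profile = per_user[user]
        profile["hours"].add(ts.hour)
        profile["resources"].add(resource)
        profile["bytes"].append(nbytes)
    return {
        user: {
            "hours": p["hours"],
            "resources": p["resources"],
            "mean": mean(p["bytes"]),
            "stdev": pstdev(p["bytes"]),
        }
        for user, p in per_user.items()
    }


def score_event(baseline, ts, resource, nbytes, z_threshold=3.0):
    """Return the list of indicator names an event trips against a user's baseline."""
    reasons = []
    if ts.hour not in baseline["hours"]:
        reasons.append("off-hours")
    if resource not in baseline["resources"]:
        reasons.append("unusual-resource")
    # Guard against a zero spread (all baseline transfers identical).
    spread = baseline["stdev"] or 1.0
    z = (nbytes - baseline["mean"]) / spread
    if z > z_threshold:
        reasons.append(f"unusual-volume(z={z:.1f})")
    return reasons


def detect(baseline_text, new_text):
    """Build baselines from one log and return (user, timestamp, reasons) for flagged events."""
    baselines = build_baselines(parse(baseline_text))
    findings = []
    for user, ts, resource, nbytes in parse(new_text):
        if user not in baselines:
            # A user with no history cannot be scored; surface that rather than ignore it.
            findings.append((user, ts.isoformat(), ["no-baseline"]))
            continue
        reasons = score_event(baselines[user], ts, resource, nbytes)
        if reasons:
            findings.append((user, ts.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for user, when, reasons in detect(BASELINE_LOG, NEW_EVENTS):
        print(f"{when} {user}: {', '.join(reasons)}")
```

With the constructed data, alice's 03:02 sign-in, her first touch of eng-repo, and a transfer several hundred standard deviations above her norm are flagged, while bob's ordinary event is not. A real deployment would learn hours and resources over weeks rather than three days, treat a sparse hour set as uncertainty rather than as a rule, and feed these indicators into the alert prioritization discussed below rather than alerting on each one directly.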

Insider threat risks are not going away, and in fact may become increasingly pervasive and costly in the years to come. Understanding the types of insider threats and taking proactive measures now will be essential in mitigating the consequences of this cybersecurity challenge.

What to Look for in Insider Threat Solutions

User behavior analysis is the basis of protection from insider threats. Unfortunately, that by itself is not enough. Many providers in the cybersecurity industry now offer solutions that monitor how users move through the network while also protecting assets at the data level, so that no matter what a malicious insider accesses, the organization remains in control.

Data security solutions must be able to protect data on premises, in the cloud and in hybrid environments. These types of solutions also give security and IT teams full visibility into how the data is being accessed, used, and moved around the organization.

Here are some of the features any organization should look for to ensure they have a comprehensive solution with multiple layers of protection:

  • Database firewall: To block SQL injection and other threats, while evaluating for known vulnerabilities.
  • User rights management: To monitor data access and activities of privileged users, identifying excessive, inappropriate, and unused privileges.
  • Data masking and encryption: To make sensitive data useless to bad actors, even if they are somehow able to access it.
  • Data loss prevention (DLP): To inspect data in motion, at rest on servers, in cloud storage, or on endpoint devices.
  • User behavior analytics: To set baselines for data access behavior, employing machine learning to detect and alert on abnormal and potentially risky activity.
  • Data discovery and data classification: To reveal the location, volume, and context of data on-premises and in the cloud.
  • Database activity monitoring: To monitor relational databases, data warehouses, big data and mainframes, generating real-time alerts on policy violations.
  • Alert prioritization: To look across all security events and prioritize the most significant ones. AI and machine learning technology are particularly helpful in this case.

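The user rights management item above, identifying excessive, inappropriate and unused privileges, comes down to comparing what has been granted with what is actually exercised and with what peers in the same role hold. The following is an added example and not the article's or any vendor's code: it takes a constructed grant inventory, role directory and audit trail and reports grants that were never used, grants not used within a review window, grants no peer in the same role holds, and activity with no grant on record. The users, roles, privilege names, dates and the 90-day window are assumptions made for the example.

```python
"""Added example: review granted privileges against observed use and role peers."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory of granted privileges as (user, privilege) pairs.
GRANTS = {
    ("alice", "hr-db:read"), ("alice", "hr-db:export"), ("alice", "payroll:write"),
    ("carol", "hr-db:read"), ("carol", "hr-db:export"),
    ("bob", "eng-repo:read"), ("bob", "eng-repo:write"), ("bob", "prod-db:admin"),
    ("dave", "eng-repo:read"), ("dave", "eng-repo:write"),
}

# Constructed role directory used for peer comparison.
ROLES = {"alice": "hr", "carol": "hr", "bob": "eng", "dave": "eng"}

# Constructed audit events: (date the privilege was exercised, user, privilege).
EVENTS = [
    (date(2025, 3, 1), "alice", "hr-db:read"),
    (date(2025, 3, 5), "alice", "hr-db:export"),
    (date(2024, 11, 2), "alice", "payroll:write"),   # last used months ago
    (date(2025, 3, 4), "carol", "hr-db:read"),
    (date(2025, 3, 4), "carol", "hr-db:export"),
    (date(2025, 3, 3), "bob", "eng-repo:read"),
    (date(2025, 3, 3), "bob", "eng-repo:write"),
    (date(2025, 3, 2), "dave", "eng-repo:read"),
    (date(2025, 3, 6), "dave", "eng-repo:write"),
    (date(2025, 3, 6), "dave", "prod-db:admin"),     # no grant on record for dave
]

AS_OF = date(2025, 3, 10)  # constructed review date


def review_privileges(grants, roles, events, as_of, window_days=90):
    """Return {user: sorted [(privilege, finding), ...]} for grants that merit review."""
    last_used = {}
    findings = defaultdict(set)

    for used_on, user, priv in events:
        key = (user, priv)
        if key not in grants:
            # Exercised privilege with no matching grant: an inventory gap or
            # inappropriate access; either way the reviewer needs to see it.
            findings[user].add((priv, "used-without-grant"))
            continue
        if key not in last_used or used_on > last_used[key]:
            last_used[key] = used_on

    cutoff = as_of - timedelta(days=window_days)
    for user, priv in sorted(grants):
        used_on = last_used.get((user, priv))
        if used_on is None:
            findings[user].add((priv, "never-used"))
        elif used_on < cutoff:
            findings[user].add((priv, f"stale:{(as_of - used_on).days}d"))
        # A grant held by nobody else in the same role is worth a second look.
        peers = [u for u, r in roles.items() if r == roles.get(user) and u != user]
        if peers and not any((p, priv) in grants for p in peers):
            findings[user].add((priv, "role-outlier"))

    return {user: sorted(items) for user, items in findings.items()}


if __name__ == "__main__":
    for user, items in sorted(review_privileges(GRANTS, ROLES, EVENTS, AS_OF).items()):
        for priv, finding in items:
            print(f"{user:6} {priv:16} {finding}")
```

On the constructed data, alice's payroll:write shows up as both stale and a role outlier, bob's prod-db:admin as never used and a role outlier, and dave's prod-db:admin activity as use without a grant; carol, whose grants match her peer and are all in recent use, produces no findings. The same comparison is what a rights-management product automates continuously across directories, databases and cloud roles.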

Make sure your solution provider offers these types of features, and be prepared before the next insider threat comes calling.

About Thales TCT

Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.

For more information, visit www.thalestct.com

About IC Insiders

IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.