Definition & Types of Insider Threats in Cyber Security

Definition & Types of Insider Threats in Cyber Security

Jun 27, 2021 / Kron

Data breaches caused by insider threats are one of the most significant problems encountered by companies in the digital transformation process of the business world. Violations resulting from various vulnerabilities in data security and cyber security systems or conscious/unconscious human errors make it significantly more difficult to protect critical data stacks of companies in particular. Hence, you need to fully configure in-house access management.

Threats in Cyber Security

There are many different threats that companies encounter in the field of cybersecurity. Ransomware, malware, social engineering studies and phishing are among the main factors that threaten data security. On the other hand, breaches and human-induced errors that may occur during remote access are some of the significant data breach types encountered in cybersecurity.

One of the notable security problems in the relevant field is insider threats. Insider threats, which are a serious problem in terms of data and access security for many different sectors, can be defined as security risks arising from the company where a cyberattack is planned. In other words, insider threats can also be expressed as cyber security problems that arise when people who have access to critical data of companies deliberately or unintentionally abuse these powers.

The source of the insider threat does not have to be a professional currently working at your company. While you may experience data breaches from your current employees, former employees, business partners, board members and professionals who provide consultancy services to you can also get you in trouble by creating an insider threat. For this very reason, regardless of whether you are in active corporate communication or not, it is recommended that you keep the limits and access methods of data accessible to all professionals affiliated with your company under control with measures consisting of several different steps.

Insider Threats and Their Types

A person who has direct access to your company data, other than your employees or people with whom you have a professional relationship, is also considered an insider threat. The suppliers and vendors that you are in contact with due to your business model also draw attention among the important sources that can create insider threats.

Insider threats are divided into different groups in terms of motivation, awareness, level of access and intention. IBM's work, the Ponemon Institute, defines insider threats using the concepts of negligent, criminal, and phishing. Gartner, on the other hand, prefers to deal with insider threats under four different groups. According to Gartner, insider threats consist of pawns, goofs, collaborators and lone wolves. It should be noted that the Ponemon Institute and Gartner are independent organizations and they submit reports they prepare in different fields to government institutions.


The pawns, which form the first part of insider threat groups, include company employees who are unwittingly manipulated to engage in malicious activities that could lead to a data breach. By downloading malware, pawns can damage your company's data security, as well as reveal credentials as a result of phishing and social engineering attacks. Both methods build the groundwork for the relationship between the cyber attacker and the pawns. Pawns generally stand out in the category of insider threats in the IT and finance sector.


Goofs who are a significant insider threat think they are exempt from in-company data security policies. The main reason why the relevant group, which can be defined as ignorant or arrogant, creates an insider threat is that they try to avoid security protocols due to their lack of convenience or incompetence. Hence, in-company data becomes vulnerable and attackable. Due to hardware deficiencies, this group is mostly encountered in the public domain under the heading of insider threats.


Employees who cooperate with your company's competitors or foreign states to commit cybercrime are called collaborators. Collaborators often use their privileged in-company access to steal intellectual property and customer information. Moreover, the relevant group causes deliberate interruptions in company operations for the benefit of the company/state with which it is partnered or for its own personal gain. It is possible to encounter collaborators frequently in the financial sector.

Lone Wolves

Lone wolves can be quite dangerous, particularly if they are people with high access privileges such as network or database administrators. Lone wolves, which exhibit malicious behavior without needing to be manipulated for direct financial gain, can be seen a lot in research on insider threats in the health sector, as they can also aim to sell personal health data.

Insider Threat Indicators

Indicators of insider threats that may arise in your company are examined under two different headings: digital and behavioral.

Digital Indicators

  • Significant data downloads and data access
  • Access to sensitive data except for job descriptions
  • Access to data out of behavior profiles
  • Multiple requests for access to resources outside of in-company tasks
  • Using unauthorized storage devices
  • Network Browse
  • Data packing
  • Email sensitive data to a noncorporate network

Behavioral Indicators

  • Attempts to avoid security protocols
  • The frequent office stays except working hours
  • Negative behavior towards colleagues
  • Violation of corporate policies
  • Discussions about resignation and new job opportunities

For instance, it is possible to speak of an insider threat if an employee is trying to obtain administrative approval for accessing unauthorized data,or is attempting to stow data that he/she has access to or to send it through e-mail to a non-corporate network.

As a matter of fact, according to the report "Cost of Insider Threats: Global Report 2020" published by IBM Security, the frequency of data breaches caused by insider threats has tripled since 2016. Furthermore, the average loss from leaks by insider threats increased from $493,093 to $871,686 in 2019.

Research conducted on 964 IT department employees at 204 different companies asserts that 2962 of the 4716 violations reported were due to negligence or unwitting action. Again, the same research indicates that 1105 violations were directly caused by malicious data breach attempts, while identity information was stolen in 649 incidents. Another significant issue in the report is that the identity information of users with privileged access was stolen in 191 incidents.

In the report, it is stated that 63% of the insider threat problem in cybersecurity is caused by negligence, 23% is caused by intentional harm attempts by company employees and 14% is caused by the manipulation and stealing of users' identity information.

When it comes to sensitive data and cybersecurity applications, you need to identify insider and external threats by conducting threat analysis in your company. As the research by IBM demonstrates, supervising, controlling and managing authorized accounts is very essential for companies. At this stage, Privileged Access Management (PAM) applications play a significant role in reducing insider threats. Products such as Authorized Session Manager that will allow you to record authorized sessions and report, Central Password Management with password safe feature by eliminating password sharing among employees, Two-Factor Authentication (2FA) with geo-location feature by generating one-time passwords will assist you to eliminate insider threats.

Single Connect, our platform developed in the field of Privileged Access Management (PAM) with our expert and experienced team, is also included in the Magic Quadrant for Privileged Access Management report prepared by Gartner, in which the best PAM practices are shared with the business world, proving that it is one of the prominent Privileged Access Management systems in the world.

In our next article, we will discuss how you can take precautions against insider threats by using the Privileged Access Management (PAM) approach, which provides end-to-end data security with its structure aimed at reducing insider threats and the PAM modules that offer high-level security.

You can contact us to find out the answers of your questions about Single Connect. You can also find various information about cybersecurity on the Kron Blog, which we regularly update and has current content.

Other Blogs