What Is an Insider Threat and the 5 Things You Should Know?

Gone are the days when our greatest inklings of insider threats were employees who never wanted to take vacation and did everything to avoid letting others see the financial records they were maintaining. Today, insider threats come in a concerning variety of forms with consequences often exceeding millions of dollars. As time passes, more industries than ever before are feeling the sting of security incidents and breaches stemming from their very own trusted employees and partners.

According to a 2018 Ponemon Institute report, of those surveyed, over 3k known insider threat incidents were reported with an average cost of about $238k. The report also reveals that it took companies upwards of 2 months to contain incidents relating to insider threats.

What makes insider threats so concerning is that they challenge our typical way of thinking when it comes to protecting our assets. Think of keeping burglars out of a home. Even if you invest in the strongest security system, put burglar bars on all windows and more, this will only keep people outside. For someone you trust, like a family member, maid, or the security vendor who understands the solution you purchased and has the security codes, your system likely will not stop them. That is an insider threat.

Similar to protecting a home from burglars, a fundamental component to protecting any company from cyber-attacks is to secure the network perimeter. Essentially, you create a wall to keep the bad guys out. But what happens when your own employees with authorized system access have the same malicious intentions as the very people you are fighting to keep out? They often know the technology well, which increases their capability to traverse the network without setting off alarms. And because of their internal knowledge, their ability to cover their tracks becomes even greater.

Though alarming, this does not mean corporations should breed cultures of distrust in their employees. It simply means that there is a threat, like many others in the cybersecurity space, that can be mitigated with the right level of awareness, people, processes and technology. To get started, here are five important things every company should know about insider threats:

1. Insider threats are not always malicious in nature, but can still have pretty significant consequences regardless of intent.

When most people hear of insider threats, they think of the disgruntled employee who decided to sabotage their company by leaking confidential information after being fired – or – the employee who writes invoices and then pays the funds to their own account. A stark reality is that oftentimes, insider threats can be inadvertent. Common examples include employees who click on phishing emails, developers who quickly release code plagued with security holes to meet a deadline, and more. Though the intention is not malicious, the outcome can still put companies at the same level of risk. One of the best ways to prevent this kind of insider threat is through training and awareness. Employees who are educated on cyber security best practices and proper cyber hygiene are less likely to make these avoidable mistakes.

2. Monitoring technology can help you detect and respond to insider threats.

Detecting insider threats as early as possible is critical to limiting the amount of damage caused by the incident. This can be done by constantly monitoring user activity for any anomalies. In order to know what can be considered abnormal user behavior, you must have some sense of what normal user behavior looks like. Once you have a baseline to compare against, you can begin to alert on suspicious behavior. For example, if you have an employee of 5 years who has worked a pretty standard schedule of 9 to 5 Monday through Friday and you notice that at 3am they are exporting tons of data from your system – that’s a red flag that you may want to investigate.
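A minimal sketch of the baseline-then-alert idea described above, as an added example that is not from the original article or from any product it mentions. It builds a per-user baseline of export hours and volumes and reports how a new event deviates; the event tuple format, the thresholds and the sample history are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

MB = 1_000_000
MIN_EVENTS = 20         # assumption: below this, no baseline is trusted
RARE_HOUR_SHARE = 0.02  # assumption: hour seen in <2% of history is unusual
MAD_LIMIT = 6.0         # assumption: robust z-score above this is unusual

# Constructed sample history: "alice" exports 4-6 MB between 09:00 and 16:59
# on 20 days; "bob" has a single event and therefore no usable baseline.
HISTORY = [
    ("alice", datetime(2024, 3, day, 9 + (day + i) % 8, 0), (4 + (day + i) % 3) * MB)
    for day in range(4, 24) for i in range(3)
] + [("bob", datetime(2024, 3, 4, 10, 0), 2 * MB)]

def build_baselines(events):
    """events: iterable of (user, datetime, bytes_exported)."""
    per_user = defaultdict(list)
    for user, ts, size in events:
        per_user[user].append((ts.hour, size))
    baselines = {}
    for user, rows in per_user.items():
        if len(rows) < MIN_EVENTS:
            continue  # too little history to call anything abnormal
        sizes = [s for _, s in rows]
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes)
        # Floor the spread so a perfectly regular user is not hair-triggered.
        spread = max(mad, 0.1 * med, 1.0)
        baselines[user] = {"hours": Counter(h for h, _ in rows),
                           "n": len(rows), "median": med, "spread": spread}
    return baselines

def assess(baselines, user, ts, size):
    """Return the reasons an event deviates from the user's own baseline."""
    b = baselines.get(user)
    if b is None:
        return ["no_baseline"]
    reasons = []
    if b["hours"][ts.hour] / b["n"] < RARE_HOUR_SHARE:
        reasons.append("unusual_hour")
    # Robust z-score: median and MAD resist being skewed by past outliers.
    if (size - b["median"]) / (1.4826 * b["spread"]) > MAD_LIMIT:
        reasons.append("unusual_volume")
    return reasons

BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    print(assess(BASELINES, "alice", datetime(2024, 3, 25, 3, 0), 900 * MB))
    print(assess(BASELINES, "alice", datetime(2024, 3, 25, 14, 0), 900 * MB))
    print(assess(BASELINES, "alice", datetime(2024, 3, 25, 11, 0), 5 * MB))
```

Scoring volume separately from time of day means a large export made during normal working hours is still reported.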

3. All insiders are not created equal.

Many companies struggle with keeping track of who has access to their networks and what levels of access they have. Whether employees, retirees, dependents, contractors, third parties or trusted partners, anyone can become an insider threat. When you factor in privileged and super account users, the accounts cyber attackers love the most, the potential impact becomes even greater. In the wrong hands, these accounts can be used to further elevate access, create backdoors, cover tracks, and more. When defending against insider threats, these accounts become extremely important to monitor for suspicious activity.

4. Monitoring technology is a great start, but we can do more!

Insider threat detection and response technologies continue to evolve and advance. With the growth of artificial intelligence and other emerging domains, the ability to conduct deeper analysis and proactively uncover insider threats hiding in organizations has increased exponentially. Sometimes detecting incidents is not as simple as noticing an employee working during odd hours or some of the more obvious signs. A report from Carnegie Mellon on insider threat within the federal government found that most internal fraud was committed during normal working hours, with losses from some incidents exceeding $1 million each. Furthermore, 50% of these threat actors were with the company for at least 5 years. They likely knew the systems well and had insider knowledge on how to circumvent security features. This is where artificial intelligence and User Behavior Analytics technologies can become a game changer for all companies, but especially for those where the stakes are high and the likelihood of insider threats even higher (e.g. financial services, banking, technology, healthcare, and government institutions).

5. Your employees can also help defend against insider threats.

While technology is a great way to automate detection, there are many signs your own employees can pick up on as well. Creating awareness and having a process where employees can safely report suspected foul play can add another layer of insight. Some indicators employees can look for, according to US CERT, include ethical flexibility, reduced loyalty, compulsive or destructive behavior, greed or financial need, and working odd hours.

Whether malicious or accidental in nature, insider threats can lead to breaches that cost companies millions of dollars. Advancing technology and cyber awareness efforts are helping companies prevent, detect and respond to these threats. Trusting your employees and your partners is a critical part of doing good business, but maturing your ability to manage insider threats is doing smart business.


Internal Threat Game Plan

Without an internal threat game plan, corporations leave a gaping hole in their security strategy. The average time it takes for a corporation to detect a data breach is over five months! If you have critical data to protect, having an incomplete internal threat strategy puts your corporation in significant jeopardy.

Proactive Endpoint Visibility & Analysis

With up to 60% of breaches coming from internal threats, it’s critical that corporations proactively monitor all endpoints for the rapid detection of internal breaches. ITIP agents can be deployed on Windows, Mac and Android devices as well as Windows servers (prime targets for attackers posing as insiders, utilizing compromised credentials). ITIP protects both physical and virtualized endpoints.

Detection Alone Is Not Enough

Data Breach Response (DBR) is critical to minimizing the impact of a breach. Once the alarm is sounded, how quickly can you react? ITIP Time-Capsule DVR lets you see video of the incident as it unfolded. This visibility allows you to immediately delineate false alarms from real threats and take immediate action with 100% confidence.


Integrated & Intelligent

User Activity Monitoring (UAM) + User and Entity Behavior Analytics (UEBA) + Data Breach Response (DBR)


ITIP provides an end-to-end integrated internal threat intelligence platform that maximizes both security and efficiency while providing the concrete proof to take legal action.

Watching – Analysing – Alerting – Seeing – Reacting


monitors all user activity at the endpoint, including:

Web Activity

Significantly more sophisticated than browser history, SITS software records and maintains information about web activity, including web mail usage, file uploads and how long a user was engaged or active on a site.

Compromised Credentials

ITIP watches access to workstations and servers for unusual access by IP addresses, geolocation and more.

Email Activity

Capture and analyze communication activity in traditional email clients as well as many popular webmail services. A searchable system of record that can be alerted and reported on.

Chat & IM Activity

Capture, scan, alert and report on communications activity occurring on commonly used messaging apps; creates a definitive record for compliance and investigative uses.


Using computational linguistic analysis, SITS can identify and categorize opinions expressed in email text, to determine the writer’s sentiment and sentiment changes that can point towards disgruntled workers and possible security risks.

Network Activity

Autonomously captures connections made by applications, including ports used and bandwidth consumed as well as time and location of connection. 

File & Document Tracking

Tracks activities on local, removable, and cloud storage, as well as print operations. See when files are created, edited, deleted, or renamed.

Keystroke Logging

When needed, the option to record every keystroke, including “hidden” characters and combinations, ensures you have the visibility you need into the activity of highly privileged users.

Application Activity

Captures all application usage to provide true reporting on which applications are being used, by whom, and for how long.


Data on the location of a mobile device can be tracked as well as configured to alert security when a user device enters a restricted location or moves outside a specified geographic area.

User Status

Produces an accurate record of session time and activity. Tracks log-on and log-off but does not rely on log-off to identify when session activity ends.

Dark Web Tracking

Be alerted when employees access .onion sites.



Second-by-second information gathering for all users on the network creates a big data scenario that not even the best security team could sift through. It’s like looking for a needle in thousands of ever-changing haystacks.

SITS AI (UEBA) continually scrutinizes all users’ activity and sentiment, watching for anomalies in behavior compared with their personal baseline or that of the group.

Additionally, ITIP will watch for outsiders trying to access the network with stolen credentials.



When ITIP identifies a possible threat, it immediately notifies the security team. With an extremely low false positive rating (<2%), ITIP alerting maximizes the efficiency of the security team by eliminating the need to have people constantly monitoring employees, hoping to find an issue.

With the average time of breach detection reaching over five months, it’s obvious that many companies are not receiving breach alerts. With the ultimate goal of keeping the compromised data securely in house, alerting is critical to rapidly locking down the breach.



Once an alert is received, ITIP’s Time-Capsule DVR gives you the ability to look directly at a video of the user’s screen.

The ability to see the user move their mouse across the screen as they open files, download data or surf the internet is invaluable in rapidly determining whether the user’s actions are benign, a hazardous mistake or deliberately malicious. You can scroll back and see what the user did 5 minutes, 5 hours or 5 weeks ago, letting you:

  • Act rapidly with 100% confidence
  • See the extent of the breach
  • See the attack strategy
  • See who their internal or external accomplices are



Respond With Speed & Confidence

Once a breach is identified, ITIP’s video playback allows you to react immediately and with 100% confidence. There are no more lengthy investigations to determine what a network alert actually means. You can react in minutes, notifying HR, management, operational security and even law enforcement. Additionally, the ability to look at video from days, weeks or months ago allows you to investigate the attack strategy as well as identify accomplices, outside and inside the organization.

Taking Legal Action

Pictures are worth a thousand words, and nowhere is this more true than in the legal system. The ITIP screen recordings can be exported as timestamped image or video files, creating vital evidence in inter-company disciplinary action as well as in legal proceedings. SITS detailed logs, reports, images and video evidence have been used in hundreds of cases worldwide to successfully prosecute malicious insiders.

The Human Factor

Humans are always the weakest link in any security strategy, therefore user endpoint monitoring is crucial for insider threat security.

ITIP agents can be deployed on Windows and Mac workstations, Windows Servers, as well as Android devices. They can be deployed in physical or virtualized environments.

Because it’s the users’ activity that we’re really concerned with (not the device), ITIP will follow users from device to device, creating a cross platform, network wide analysis of all users.

Light, Fast & Self Aware

The ITIP endpoint agent is very light and will not impact performance of the endpoint device or network traffic. The agent is intelligent and self-aware, slowing its processing and transmissions when it detects heavy workloads on the endpoint or traffic on the network. Additionally, if the agent health monitor encounters any issues on the endpoint, it will report back to the ITIP management console.


Finding the Needle In a Haystack

Monitoring each endpoint is critical in the detection of insider threats. However, monitoring all endpoints creates a stockpile of data that is inefficient (if not impossible) for a security team to sift through manually. Imagine a company with 1,000 employees. Now imagine those 1,000 employees represented by 1,000 ever-changing haystacks… and it’s your job to find the needle.

Without AI watching all endpoints, at all times…
you simply don’t know what you don’t know.


User & Entity Behavior Analytics (UEBA)

Powered by advanced machine learning, statistical analysis, and natural language processing, SITS autonomously creates an integrated user view, by analyzing both structured and unstructured data aggregated from various sources. This data is then used to rank risky users in a watch list which prioritizes, predicts and prevents potential threats.

Creating a Digital Finger Print

Self-learning of behavioral patterns for both individuals and groups, driven by advanced machine learning, enables no-touch understanding of what normal looks like in your environment.


Import groups from Active Directory, or let the software autonomously identify groups within your organization through pattern analysis of resource and application usage.

Low False Positives

SITS tests against the CERT data-set and consistently has <2% false positives.

Predicting Future Threats

Disgruntled employees are not born overnight. ITIP Sentiment Analysis uses computational linguistic analysis to identify and categorize opinions expressed in text. ITIP determines whether the writer’s sentiment towards the company is changing in either a positive or negative direction and can alert security of a possible risk. Sentiment analysis gives you the ability to intervene at an HR level, long before their actions reach an unethical or criminal level.

Anomaly Detection

ITIP takes into consideration statistical anomalies and applies machine learning to them to find unique deviations from the baseline anomalies. Detecting deviations from established patterns enables early warning of insider threats. An outside attacker, no matter how sophisticated, will cause a deviation from normal behavior.

Risk Scoring

Actions and activities all play a part in building a comprehensive Risk Score for each employee on your network. The scores are based on all online behaviors, from files downloaded to geolocation. Once an employee reaches a certain threat threshold set by your security team, an alert is sent and action can be taken.

Investigational Efficiency

Risk scores and alerts not only provide immediate notice of threats that may never have been noticed, but they also bring massive efficiencies to a security department. Security teams no longer need to continually sift through mountains of data trying to deduce if a breach occurred in the past. Efforts can be concentrated on investigating actual breaches in real time or even preempting breaches through early intervention.

End Point Data is Big Data

SITS continually monitors all the actions on every endpoint, including files, applications, network use, email, web, geolocation, psycholinguistics, signs of compromised credentials and more. The volume of data that needs to be correlated, analyzed, and cross-analyzed against dynamic baselines and group behaviors is enormous.

Continually assimilating this dynamic data stream coming from every user and picking out fluctuating patterns of behavior and signs of threat isn’t possible for even the best security teams. A mature insider threat strategy requires machine learning and AI.