Rainbow Secure

Insider Threats: A Growing Risk to Cybersecurity for Modern Organizations

External attackers aren’t the only threats modern organizations need to consider in their cybersecurity planning. Malicious, negligent, and compromised users pose a significant risk to modern businesses. According to the 2022 Cost of Insider Threats Global Report by Ponemon Institute, insider threat incidents have increased by 44% over the past two years, with costs per incident up more than a third to $15.38 million. 

Here are some highlights from the report: 

  • Credential theft costs for organizations have increased by 65% from $2.79 million in 2020 to $4.6 million at present. 
  • The time it takes to contain an insider threat incident has increased from 77 to 85 days, with containment being the most expensive aspect for organizations. 
  • 67% of companies experience between 21 and more than 40 incidents per year. 
  • Negligent insiders are the root cause of most incidents. 
  • Malicious insiders have caused 26%, or 1,749 incidents, with an average cost per incident of $648,062. 
  • The most significant costs of insider threats are disruption or downtime and investment in technologies. 
Image Courtesy: 2022 Cost of Insider Threats Global Report by Ponemon Institute

Despite the growing recognition of the dangers posed by insider threats, insufficient resources are being allocated to mitigate the risks. As threat actors become increasingly sophisticated and attacks continue to target employees, both human and technological defenses within organizations need to keep up. By understanding how insiders can facilitate an attack and where the threats exist, companies can work to proactively prevent, stall, or mitigate potential damage. 

In this article, you will read about:

  • What is an insider threat?
  • Types of insider threats
  • Recent incidents
  • How to mitigate insider threats?
  • Insider Threat Detection: Strategies and Tools
  • How can Rainbow Secure help?

What is an insider threat? 

When it comes to cybersecurity, insider threats are a major concern. These threats originate from within an organization and can be attributed to current or former employees, contractors, and partners. Such individuals may misuse their access to networks and assets, intentionally or unintentionally, resulting in the disclosure, modification, or deletion of sensitive information. This could include confidential data about customer and employee records, login credentials, and financial information. Insider threats are difficult to tackle using traditional security measures, making them particularly challenging to prevent. 

Insiders typically possess elevated levels of access and knowledge of where sensitive data is stored, irrespective of their intentions. This makes insider attacks potentially devastating for companies, their employees, and customers alike. 

Insiders, whether knowingly or unintentionally, can compromise confidential customer information, intellectual property, and financial resources, making it essential to protect against access abuse and cyber attacks. 

Types of insider threats 

Current employees, former employees, contractors, business partners, or business associates are all insiders that could pose a threat.  

Image Courtesy: 2022 Cost of Insider Threats Global Report by Ponemon Institute

Malicious Insider 

Malicious insiders are employees or contractors who intentionally seek to steal information or disrupt operations. They may be opportunistic individuals looking to sell information for personal gain or advance their careers, or they may be disgruntled employees seeking revenge on their employer. A notable example of a malicious insider is the group of Apple engineers who were charged with data theft for stealing driverless car secrets for a China-based company. 

Negligent Insider 

An employee’s failure to adhere to proper IT procedures can have serious implications. Examples include an employee who neglects to log out of a computer, or an administrator who fails to change a default password or apply a security patch. A prime example of a negligent insider is the data analyst who, without authorization, took home a hard drive containing personal data on 26.5 million U.S. military veterans. The drive was then stolen in a home burglary, which underlines the need for strict adherence to IT protocols. 

Compromised Insider 

Employee computers that have been infected with malware are a common issue, and the most common causes are phishing scams or malware downloads from clicked links. Cybercriminals can use these compromised computers as a “home base” to infiltrate other systems, scan file shares, and gain escalated privileges. The recent Twitter breach is an example of this, where attackers used a phone spear phishing scam to obtain employee credentials and access to the internal network. This breach allowed cybercriminals to learn more about Twitter’s processes and target employees with access to account support tools. As a result, they hacked high-profile accounts and spread a cryptocurrency scam that generated $120,000. 

Insiders vary in motivation, awareness, access level, and intent. Ponemon Institute classifies insiders as negligent, criminal, or credential-theft insiders, while Gartner groups insider threats into four categories: pawns, goofs, collaborators, and lone wolves. Note: Ponemon Institute and Gartner generate and provide independent research, advisory and educational reports to enterprise and government organizations. 

Recent incidents of Insider Threats  

In May 2022, Yahoo was hit by an insider threat attack. Qian Sang, a research scientist at the company, received a job offer from a competitor called The Trade Desk. Minutes later, Sang downloaded about 570,000 pages of Yahoo’s intellectual property to his personal devices, including information about Yahoo’s AdLearn product.  

It took Yahoo several weeks to realize that Sang had stolen company data, including a competitive analysis of The Trade Desk. Yahoo sent Sang a cease-and-desist letter and brought three charges against him, including intellectual property data theft, claiming that Sang’s actions divested Yahoo’s exclusive control of its trade secrets. 


In 2022, Microsoft experienced a data leak due to employee negligence. Cybersecurity firm spiderSilk discovered the leak – several Microsoft employees had exposed their login credentials for the company’s GitHub infrastructure. Those credentials could have allowed access to Azure servers and possibly other internal Microsoft systems.  

Microsoft declined to say which systems these credentials protected. An internal investigation determined that no one had attempted to access the sensitive data, and the company took action to prevent this from occurring again. However, had this mistake exposed EU customer information, Microsoft could have faced a GDPR fine of as much as €20 million. 


What happened to Proofpoint proves that no one is immune to cyberattacks, including cybersecurity firms. In July 2021, Samuel Boone, an ex-employee, stole Proofpoint’s confidential sales enablement data right before starting work at Abnormal Security, a competitor.  

Unfortunately, Proofpoint’s data loss prevention (DLP) solution could not prevent the employee from downloading high-value documents to a USB drive. It took Proofpoint several months to discover that Boone had taken these files. By that time, Boone could have achieved significant headway in sales at Abnormal Security. Proofpoint sued Boone in federal court for unlawfully sharing battle cards that could give him and his new employer an unfair advantage. 


In July 2020, hackers compromised several high-profile Twitter accounts by launching a phone-based spear phishing campaign targeting Twitter employees. The campaign then lured the public in through a Bitcoin scam.  

The attackers started by looking for information about internal processes and systems. Once they found the right employees to target, the attackers accessed account support tools that enabled them to break into 130 Twitter accounts.  

This scam had a relatively minor financial impact on Twitter, and the victims received their money back. However, this incident exposed Twitter’s significant role in the information market and the company’s vulnerability to attacks. 

How to mitigate insider threats?

There are different technical and non-technical controls that organizations can adopt to improve the detection and prevention of each insider threat type. 

Each type of insider threat presents different symptoms for security teams to diagnose. But by understanding the motivations of attackers, security teams can approach insider threat defense proactively. To mitigate insider threats, successful organizations use comprehensive approaches. They might use security software that: 

  • Maps accessible data 
  • Establishes trust mechanisms—granting access, revoking access, and implementing multifactor authentication (MFA) 
  • Defines policies around devices and data storage 
  • Monitors potential threats and risky behavior 
  • Takes action when needed 

In a 2019 SANS report on advanced threats, security practitioners identified significant gaps in insider threat defense. The report found that the gaps are driven by a lack of visibility in two areas: a baseline of normal user behavior and privileged user accounts management. These gaps become attractive targets for phishing tactics and credential compromise. 

Know your users  

  1. Who has access to sensitive data? 
  2. Who should have access? 
  3. What are end-users doing with data? 
  4. What are administrators doing with data? 

Know your data  

  1. What data is sensitive? 
  2. Is sensitive information being exposed? 
  3. What risk is associated with sensitive data? 
  4. Can admins control privileged user access to sensitive data? 
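The two question lists above are easiest to answer with a periodic access review that puts the identity directory, the data classification and the actual ACLs side by side. The script below is an added example, not Rainbow Secure's code: the data stores, their ACLs, the user directory and the entitlement policy are all constructed for illustration, and a real review would pull ACLs from the file or cloud platform and users from the IAM or HR system of record.

```python
"""Access review that answers the "Know your users / Know your data" questions:
which data is sensitive, who can reach it, who should, and where the two disagree.

Added example; not Rainbow Secure's code. All data below is constructed.
"""
from collections import defaultdict

# Constructed snapshot: data stores with a sensitivity label and their ACLs
DATA_STORES = {
    "hr_payroll":   {"sensitivity": "high", "acl": {"alice", "bob", "carol", "ghost", "svc_backup"}},
    "cust_records": {"sensitivity": "high", "acl": {"alice", "dave", "erin", "frank"}},
    "marketing":    {"sensitivity": "low",  "acl": {"alice", "bob", "carol", "dave", "erin", "frank"}},
}

# Constructed identity source of truth: job function and whether the account is active
USERS = {
    "alice":      {"role": "hr",          "active": True},
    "bob":        {"role": "finance",     "active": True},
    "carol":      {"role": "engineering", "active": False},   # offboarded, still on an ACL
    "dave":       {"role": "support",     "active": True},
    "erin":       {"role": "support",     "active": True},
    "frank":      {"role": "marketing",   "active": True},
    "svc_backup": {"role": "service",     "active": True},
}

# Constructed policy: job functions entitled to each high-sensitivity store
ENTITLEMENTS = {
    "hr_payroll":   {"hr", "finance", "service"},
    "cust_records": {"support", "hr"},
}


def sensitive_stores(stores):
    """'What data is sensitive?' - names of stores labelled high sensitivity."""
    return sorted(n for n, s in stores.items() if s["sensitivity"] == "high")


def who_has_access(stores, users):
    """'Who has access to sensitive data?' - for each principal, the high-sensitivity
    stores it can reach and the role the directory knows for it ('unknown' if none)."""
    reach = defaultdict(set)
    for name in sensitive_stores(stores):
        for principal in stores[name]["acl"]:
            reach[principal].add(name)
    return {p: {"role": users.get(p, {}).get("role", "unknown"), "stores": sorted(s)}
            for p, s in reach.items()}


def review_access(stores, users, entitlements):
    """'Who should have access?' - compare each ACL with the entitlement policy and
    report every principal that should not be there as (store, principal, reason)."""
    findings = []
    for name in sensitive_stores(stores):
        allowed = entitlements.get(name, set())
        for principal in sorted(stores[name]["acl"]):
            user = users.get(principal)
            if user is None:
                findings.append((name, principal, "principal not in identity directory"))
            elif not user["active"]:
                findings.append((name, principal, "inactive account retains access"))
            elif user["role"] not in allowed:
                findings.append((name, principal, f"role '{user['role']}' not entitled"))
    return findings


if __name__ == "__main__":
    for store, principal, reason in review_access(DATA_STORES, USERS, ENTITLEMENTS):
        print(f"{store:13} {principal:11} {reason}")
```

Each finding maps to one of the visibility gaps named above: an unknown principal or an inactive account on an ACL is a privileged-account management failure, and a role that is not entitled is a data-access question that the data owner, not the security team, has to answer.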

Insider Threat Detection: Strategies and Tools

Organizations must prioritize detecting and remediating insider threats and security breaches once an effective threat model is in place. This can be challenging, as insider threats are often harder to identify and prevent than external attacks, and traditional security solutions such as firewalls and intrusion detection systems are ineffective against them. Attackers who exploit an authorized login can go unnoticed by security mechanisms, while malicious insiders who are familiar with an organization’s security measures can evade detection more easily. 

To protect all assets, organizations need to diversify their insider threat detection strategy instead of relying on a single tool. An effective insider threat detection system combines several tools to monitor insider behavior and filter alerts to eliminate false positives. Machine Learning (ML) applications can help prioritize the most relevant alerts, while User and Entity Behavior Analytics (UEBA) can detect, analyze, and alert the security team to potential insider threats. 

Organizations must distinguish between normal and potentially malicious activities to detect insider threats. To do this, security teams must first close visibility gaps and then aggregate security data into a centralized monitoring solution, such as a security information and event management (SIEM) platform or a standalone UEBA solution. Access, authentication, and account change logs are common starting points, with the scope expanding to additional data sources, such as virtual private network (VPN) and endpoint logs, as insider threat use cases mature. 

Organizations should also adopt a privileged access management (PAM) solution and feed its records of privileged-account access into the SIEM. Once the information is centralized, user behavior can be modeled and risk scores assigned. Risk scores are tied to specific risky events, such as a change in a user’s geography or a download to removable media. This gives security operations center (SOC) teams the ability to monitor risk across the enterprise, creating watch lists or highlighting the top risky users in their organization. 

With enough historical data, security models can establish a baseline of normal behavior for each user, indicating the normal operating state so that deviations can be flagged. Deviations should be tracked for individual users and compared to other users in the same location, with the same job title, or job function. 

By adopting a user-focused view, security teams can quickly spot insider threat activity and manage user risk from a centralized location. User behavioral analytics can detect abnormal login attempts, such as a login at an unusual time of day, from an unusual location, or after multiple failed password attempts, and generate an alert for an analyst to validate. Such behavioral anomalies help identify when a user has become a malicious insider or when an external attacker has compromised their credentials. 

Once validated, a security orchestration, automation, and response (SOAR) system can create an insider threat remediation workflow. Potential remediation could include challenging the insider with MFA or revoking access, both of which can be done automatically in an identity access management (IAM) solution. 
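The detection pipeline described above, from baselining through peer comparison, event-based risk scoring, a watch list and an automated response, as an added example that is not Rainbow Secure's code or any product's detection logic. The log format, both log samples, the rule weights and the thresholds are constructed for illustration; in practice the events would arrive from the SIEM and PAM feeds the text describes. The example also handles two edge cases a SOC runs into on day one: a user with no history yet, and a malformed log line.

```python
"""UEBA-style insider risk scoring: baseline each user's normal logins, compare new
events against the user and against peers in the same job function, score risky
events, rank a watch list and map the score to a response.

Added example; not Rainbow Secure's code. Log format, samples, weights and
thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) role=(?P<role>\w+) country=(?P<country>[A-Z]{2}) "
    r"event=(?P<event>\w+) result=(?P<result>\w+)$"
)

# Constructed baseline window: historical, known-good activity
BASELINE_LOG = """\
2024-03-01T09:05:00 user=alice role=support country=US event=login result=success
2024-03-01T13:40:00 user=alice role=support country=US event=login result=success
2024-03-02T10:15:00 user=alice role=support country=US event=login result=success
2024-03-01T08:55:00 user=erin role=support country=US event=login result=success
2024-03-02T17:30:00 user=erin role=support country=CA event=login result=success
2024-03-01T09:00:00 user=bob role=finance country=US event=login result=success
2024-03-02T09:10:00 user=bob role=finance country=US event=login result=success
"""

# Constructed evaluation window: the activity being scored
RECENT_LOG = """\
2024-03-11T02:14:00 user=alice role=support country=RO event=login result=failure
2024-03-11T02:15:00 user=alice role=support country=RO event=login result=failure
2024-03-11T02:16:00 user=alice role=support country=RO event=login result=failure
2024-03-11T02:17:00 user=alice role=support country=RO event=login result=success
2024-03-11T02:25:00 user=alice role=support country=RO event=usb_copy result=success
2024-03-11T09:12:00 user=bob role=finance country=US event=login result=success
2024-03-11T18:02:00 user=erin role=support country=CA event=login result=success
2024-03-11T10:00:00 user=newhire role=support country=US event=login result=success
this line is malformed and must be skipped
"""

# Constructed weights: each risky event type adds a fixed amount to the user's score
WEIGHTS = {
    "failed_login_burst": 30,  # third failed login in the window
    "off_hours_login":    20,  # hour of day never seen in the user's baseline
    "new_country_user":   25,  # country never seen for this user
    "new_country_peers":  15,  # ...and never seen for any peer with the same role
    "removable_media":    40,  # copy to USB
    "no_baseline":        10,  # user has no history; cannot be compared yet
}
MFA_CHALLENGE_AT = 30   # score at which an automated MFA challenge is warranted
REVOKE_AT = 80          # score at which access is revoked pending analyst review


def parse(log):
    """Parse log lines into dicts; malformed lines are dropped rather than fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def build_baseline(events):
    """Normal login hours and countries per user, plus countries per role (peer group)."""
    hours, countries, peers = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            hours[e["user"]].add(e["ts"].hour)
            countries[e["user"]].add(e["country"])
            peers[e["role"]].add(e["country"])
    return {"hours": hours, "countries": countries, "peers": peers}


def score_users(baseline, events):
    """Return {user: (score, [rules fired])} for users that triggered at least one rule."""
    scores, reasons, failures = defaultdict(int), defaultdict(list), defaultdict(int)

    def bump(user, rule):
        scores[user] += WEIGHTS[rule]
        reasons[user].append(rule)

    for e in events:
        u, role = e["user"], e["role"]
        if e["event"] == "usb_copy":
            bump(u, "removable_media")
        elif e["event"] == "login" and e["result"] == "failure":
            failures[u] += 1
            if failures[u] == 3:            # fire once per burst, not on every failure
                bump(u, "failed_login_burst")
        elif e["event"] == "login":
            if u not in baseline["hours"]:  # edge case: no history to compare against
                bump(u, "no_baseline")
                continue
            if e["ts"].hour not in baseline["hours"][u]:
                bump(u, "off_hours_login")
            if e["country"] not in baseline["countries"][u]:
                bump(u, "new_country_user")
                if e["country"] not in baseline["peers"][role]:
                    bump(u, "new_country_peers")
    return {u: (scores[u], reasons[u]) for u in scores}


def recommend(score):
    """Map a risk score to the remediation an IAM/SOAR workflow would apply."""
    if score >= REVOKE_AT:
        return "revoke_access"
    if score >= MFA_CHALLENGE_AT:
        return "mfa_challenge"
    return "monitor"


def watch_list(scored, top=3):
    """Top risky users, highest score first."""
    return sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True)[:top]
```

Run as `scored = score_users(build_baseline(parse(BASELINE_LOG)), parse(RECENT_LOG))` and feed `watch_list(scored)` to the analyst queue and `recommend(score)` to the SOAR playbook. Two design points: the peer check only fires after the user check, so a country that is new for one support analyst but routine for the rest of the team scores lower than one nobody in that job function has ever logged in from; and the "no baseline" rule keeps new accounts visible without generating the flood of off-hours and new-location alerts a brand-new user would otherwise produce.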

How can Rainbow Secure help? 

The right amount of data and system access for the right person or role at the right time is the key to organizations being able to use digital tools and platforms to serve their customer base and stay compliant. 

Next Generation Rainbow Secure platform is a modern identity authentication (MFA) and single sign-on (SSO) solution for your business across on-premises and cloud environments. It’s backed by an experienced team of cloud and security experts, years of innovation, and partnerships with leading cloud platforms. Rainbow Secure is a Leader in Smart and Secure Digital Solutions that work for you.  

Insider Threats: Rainbow Secure assists in mitigating insider threats by implementing access controls, user monitoring, and privilege management solutions. Also, if a user leaves behind unlocked devices, passwords saved in the password manager or browser can be misused by malicious insiders. Interactive login security from Rainbow Secure helps prevent unauthorized access and protects against data theft or misuse by privileged users. 

ChatGPT Security for business: Secure your ChatGPT login and Data with Rainbow Secure MFA Plugin.  

Secure AI Integration: Consult Rainbow Secure Team to integrate AI in your business workflows powered by Azure, and Rainbow Secure API. 

Secure Workforce & Customer Login: Use Authentication Plug-in by Rainbow Secure to secure workforce and customer logins. In this plug-in, you get a multi-dimensional password, passwordless login solutions with AI monitoring, Risk Analytics, and location fencing.  

IoT Friendly Security: IoT platform developers can secure their cloud endpoints and user logins (both admin and customer) against unauthorized access and scripted malware attacks using easy-to-adopt, multi-layer interactive Rainbow Secure authentication solutions and services that include, but are not limited to, security assessment, API security, secure user onboarding, and risk analytics. 

Secure Data and its Backups: We provide cloud-based data vault and data archive solutions backed by Microsoft Azure and secured by our authentication plugin and industry best practices to give you ransomware protection and help with data governance and disaster mitigation.  

Database Security: We provide technical consulting services to secure databases in the cloud and on-premises. You get the best protection for your data in databases using native and third-party security tools. 

Meet Compliance Requirements: Use Authentication Plug-in by Rainbow Secure with your business application and in SSO (Single Sign-on) and meet industry standards and compliance regulations such as NIST, ISO, FTC, SOX, SOC2, CMMC, CMMI, HIPAA, PCI, and others.  

Securely communicate and Collaborate: Use Secure Business Email by Rainbow Secure and get protection against account takeover, phishing, ransomware, and automated login cyber frauds. In this email, you get options to send encrypted emails, single sign-on with Office 365, and Google, and 1 TB one drive storage.  

Connect Business applications: Get one unified login using Rainbow Secure Single Sign-On   

Manage User Onboarding / Offboarding using Rainbow Secure IAM  

Verify Users using Smart MFA: Smart Multi-Factor Authentication from Rainbow Secure adjusts to your use case, reduces a business’s cyber liability from stolen credentials, improves productivity, and enhances user experience.   

Do you have more questions about how innovative, patented Rainbow Secure helps in mitigating insider threats? Contact us today. Email us at hello@rainbowsecure.com 
