What are insider threats?

Insider threats are cybersecurity threats that originate with authorized users—employees, contractors, business partners—who intentionally or accidentally misuse their legitimate access, or have their accounts hijacked by cybercriminals.

While external threats are more common and grab the biggest cyberattack headlines, insider threats—whether malicious or the result of negligence—can be more costly and dangerous. According to IBM’s Cost of a Data Breach Report 2023, data breaches initiated by malicious insiders were the most costly—USD 4.90 million on average, or 9.5 percent higher than the USD 4.45 million cost of the average data breach. And a recent report from Verizon revealed that while the average external threat compromises about 200 million records, incidents involving an inside threat actor have resulted in exposure of 1 billion records or more.1


Types of insider threats
Malicious insiders

Malicious insiders are usually disgruntled current employees—or disgruntled former employees whose access credentials have not been retired—who intentionally misuse their access for revenge, financial gain, or both. Some malicious insiders ‘work’ for a malicious outsider, such as a hacker, competitor or nation-state actor, to disrupt business operations (plant malware or tamper with files or applications) or to leak customer information, intellectual property, trade secrets or other sensitive data.

Some recent attacks by malicious insiders:

Negligent insiders

Negligent insiders do not have malicious intent, but create security threats through ignorance or carelessness—e.g., falling for a phishing attack, bypassing security controls to save time, losing a laptop that a cybercriminal can use to access the organization’s network, or emailing the wrong files (e.g., files containing sensitive information) to individuals outside the organization.

Among the companies surveyed in the 2022 Ponemon Cost of Insider Threats Global Report, the majority of insider threats—56 percent—resulted from careless or negligent insiders.2

Compromised insiders

Compromised insiders are legitimate users whose credentials have been stolen by outside threat actors. Threats launched via compromised insiders are the most expensive insider threats, costing victims USD 804,997 to remediate on average according to the Ponemon report.3

Often, compromised insiders are the result of negligent insider behavior. For example, in 2021 a scammer used a social engineering tactic—specifically a voice phishing (vishing) phone call—to gain access credentials to customer support systems at the trading platform Robinhood. More than 5 million customer email addresses and 2 million customer names were stolen in the attack (link resides outside ibm.com).

Weapons in the fight against insider threats

Because insider threats are executed in part or in full by fully credentialed users—and sometimes by privileged users—it can be especially difficult to separate careless or malicious insider threat indicators or behaviors from regular user actions and behaviors. According to one study, it takes security teams an average of 85 days to detect and contain an insider threat,4 but some insider threats have gone undetected for years (link resides outside ibm.com).

To better detect, contain and prevent insider threats, security teams rely on a combination of practices and technologies.

Employee and user training

Continuously training all authorized users on security policy (e.g., password hygiene, proper handling of sensitive data, reporting lost devices) and security awareness (e.g., how to recognize a phishing scam, how to properly route requests for system access or sensitive data) can help lower the risk of negligent insider threats. Training can also blunt the impact of threats overall. For example, according to Cost of a Data Breach Report 2023, the average cost of a data breach at companies with employee training was USD 232,867 less—or 5.2 percent less—than the overall average cost of a breach.

Identity and access management

Identity and access management (IAM) focuses on managing user identities, authentication and access permissions in a way that ensures the right users and devices can access the right resources, for the right reasons, at the right time. (Privileged access management, a sub-discipline of IAM, focuses on finer-grained control over the access privileges granted to users, applications, administrative accounts and devices.)

A key IAM function for preventing insider attacks is identity lifecycle management. Limiting the permissions of a departing disgruntled employee or immediately decommissioning accounts of users who have left the company are examples of identity lifecycle management actions that can reduce the risk of insider threats.
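One way to operationalize the lifecycle check described above, as an added example that is not IBM's or QRadar's code: reconcile a constructed HR roster against a constructed directory export and flag enabled accounts whose owner has been terminated or has no employee record at all. The CSV column names and the sample people are assumptions.

```python
"""Identity lifecycle check: find enabled accounts whose owner has left.

Added example, not IBM's or QRadar's code. Inputs are two constructed
CSV exports: an HR roster and a directory listing of accounts."""
import csv
import io
from datetime import date

# Constructed sample data (no real people or systems).
HR_ROSTER = """employee_id,name,status,termination_date
1001,Alice Example,active,
1002,Bob Example,terminated,2024-03-01
1003,Carol Example,terminated,2024-05-15
"""
DIRECTORY_EXPORT = """username,employee_id,enabled,last_login
alice,1001,true,2024-06-02
bob,1002,true,2024-05-30
carol,1003,false,2024-05-10
svc-backup,,true,2024-06-01
"""

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_orphaned_accounts(roster_csv, directory_csv, today_iso):
    """Return enabled accounts whose employee is terminated or unknown.

    For terminated employees the finding also records how many days the
    account has outlived the termination date."""
    today = date.fromisoformat(today_iso)
    roster = {r["employee_id"]: r for r in parse_csv(roster_csv)}
    findings = []
    for acct in parse_csv(directory_csv):
        if acct["enabled"].lower() != "true":
            continue  # already disabled; nothing left to retire
        emp = roster.get(acct["employee_id"])
        if emp is None:  # no owner on file: unmanaged or orphaned account
            findings.append({"username": acct["username"],
                             "reason": "no matching employee record"})
        elif emp["status"] == "terminated":
            ended = date.fromisoformat(emp["termination_date"])
            findings.append({"username": acct["username"],
                             "reason": "employee terminated",
                             "days_open": (today - ended).days})
    return findings

if __name__ == "__main__":
    for f in find_orphaned_accounts(HR_ROSTER, DIRECTORY_EXPORT, "2024-06-03"):
        print(f)
```

Running the check as scheduled job and feeding its findings to the deprovisioning workflow turns the one-time "decommission on departure" rule into a continuously enforced control.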

User behavior analytics

User behavior analytics (UBA) applies advanced data analytics and artificial intelligence (AI) to model baseline user behaviors and detect abnormalities that can indicate an emerging or ongoing cyberthreat, including a potential insider threat. (A closely related technology, user and entity behavior analytics or UEBA, expands these capabilities to detect abnormal behaviors in IoT sensors and other endpoint devices.)

UBA is frequently used together with security information and event management (SIEM), which collects, correlates and analyzes security-related data from across the enterprise.
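The baseline-and-deviation idea behind UBA, shown as an added example that is not QRadar's analytics: a per-user baseline (typical export volume and working hours) is built from constructed historical events, and recent events are scored against it. The event format, the user name and the z-score threshold are assumptions.

```python
"""Baseline-and-deviation check in the style of user behavior analytics.

Added example, not QRadar's UBA logic. It builds a per-user baseline from
constructed historical events (records exported per session and the hours
at which sessions occur) and flags recent events that deviate sharply."""
import statistics
from collections import defaultdict

# Constructed sample events: (user, "YYYY-MM-DDTHH", records_exported).
HISTORY = [
    ("dana", "2024-05-%02dT%02d" % (d, h), n)
    for d, h, n in zip(range(1, 21), [9, 10, 9, 11, 10] * 4, [40, 55, 48, 52, 45] * 4)
]
RECENT = [
    ("dana", "2024-05-22T10", 50),    # ordinary workday session
    ("dana", "2024-05-23T02", 9000),  # 2 a.m. session, far above usual volume
]

def build_baseline(events):
    """Per-user mean/stdev of records exported and the set of hours seen."""
    per_user = defaultdict(lambda: {"counts": [], "hours": set()})
    for user, stamp, count in events:
        per_user[user]["counts"].append(count)
        per_user[user]["hours"].add(int(stamp[11:13]))
    return {u: {"mean": statistics.mean(v["counts"]),
                "stdev": statistics.pstdev(v["counts"]),
                "hours": v["hours"]} for u, v in per_user.items()}

def score_events(baseline, events, z_threshold=3.0):
    """Return alerts for events outside the user's own baseline.

    Volume is scored as a z-score against the user's history; time of day
    is flagged when the hour never appeared during the baseline window."""
    alerts = []
    for user, stamp, count in events:
        b = baseline.get(user)
        if b is None:  # a user with no history cannot be scored; surface it
            alerts.append((user, stamp, "no baseline for user"))
            continue
        reasons = []
        spread = b["stdev"] or 1.0  # avoid division by zero on flat history
        z = (count - b["mean"]) / spread
        if z > z_threshold:
            reasons.append("volume z=%.1f" % z)
        hour = int(stamp[11:13])
        if hour not in b["hours"]:
            reasons.append("unusual hour %02d" % hour)
        if reasons:
            alerts.append((user, stamp, "; ".join(reasons)))
    return alerts
```

Production UBA adds many more features and peer-group comparison, but the shape is the same: a baseline learned per identity and an alert when a credentialed user's activity leaves it.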

Offensive security

Offensive security (or OffSec) uses adversarial tactics—the same tactics bad actors use in real-world attacks—to strengthen network security rather than compromise it. Offensive security is typically conducted by ethical hackers—cybersecurity professionals who use hacking skills to detect and fix not only IT system flaws, but also security risks and vulnerabilities in the way users respond to attacks.

Offensive security measures that can help strengthen insider threat programs include phishing simulations and red teaming, in which a team of ethical hackers launches a simulated, goal-oriented cyberattack on the organization.


1 Verizon 2023 Data Breach Investigations Report (link resides outside ibm.com)

2, 3, 4 2022 Ponemon Cost of Insider Threats Global Report, for Proofpoint (link resides outside ibm.com)