Internal attack: 4 employee identikits that could prove to be a threat to your company


“A third (33%) of former employees say they still have access to files from a previous job” is what emerged from research conducted by Kaspersky Lab. This reveals there are still organizations that act superficially. In fact, it wouldn’t be surprising if those same companies that have left access to former employees have also invested large sums of money in excellent Cyber Security solutions. So how do you recognize when the threat is coming from an internal resource? Here are four identikits of employees who could be an insider threat, i.e., committing an internal attack against the company they work for. 

Cyberattack: when the threat is internal

In reality, when we talk about cybersecurity, we often think about how to protect the company from external threats. However, sometimes it happens that the enemy is at home and, knowing how to move, acts undisturbed until the damage is so severe as to be evident. Just like what happens when thieves break into an apartment, the alarm does not ring if they have the keys and know the codes. The same is true for firewalls in cybersecurity systems that do not activate without a breach in progress.

In addition, it can happen that the employee who allowed an intrusion is not even aware of what they did. Such carelessness is related to a lack of proper training, and the resource does not understand the risks of certain online activities. When working with relevant information, such as patents, strategic data, and personal data, it’s critical to educate all employees on how to handle them, even those in seemingly secure jobs.

We’ll see, for example, that oblivious employees get fooled by phishing or scams that arrive in their email inboxes. On the other hand, more serious is revenge in the form of a cyber attack in which the fired resource retaliates by destroying information or creating irreversible damage to systems. In short, to protect ourselves, we must learn to know the hallmarks of “masked employees.”

Here is an infographic that shows 4 identikits of resources that could pose a risk to the company.

Insider threat

The oblivious insider

How do we recognize them?

The oblivious insider does not recognize the value of their data and does not understand the importance of password protection. So they have access to valuable business data but don’t know the responsibilities it creates. The resources that manage the valuable data in the firm have been adequately trained not to make mistakes. The problem is created by employees momentarily accessing data to find the information they need in another business context.

Example. Giulia manages a database that contains all sensitive client data. She created it and therefore knows the value of the information it contains. Marco, on the other hand, works in the logistics department and needs access to that database only to get the shipping address. Marco will have the same login credentials as Giulia to enter the database, and without proper training, he could casually write them down on his cell phone. If he were to lose his cell phone, the credentials could fall into the wrong hands. The risks increase further when we talk about routine activities, such as webmail platforms. Email is used so frequently, and cuts across so many work activities, that it is an easy target for both internal and external cyber-attacks.

What damage can this type of insider threat do?

As in private life, the damage caused by unwitting behavior can range from minor to very serious. It all depends on how well the company protects its valuable data. Oblivious employees are often caught up in social engineering, meaning they fall into the trap of someone asking for company login information through a fake message or email.

How to stop it in time?

In general, when you have information that, for privacy reasons, cannot be managed internally, it is advisable to train not only those who will have to manage it but also those who will have to use it. It is also essential to make your employees aware of the risks associated with IT security from their very first day in the company to ensure peer control. Unsure whether an email you received is fake or safe? Ask your deskmate.

The negligent insider

How do we recognize them?

Negligent insiders can be those who have not received adequate training in data processing on the one hand and those who knowingly bypass controls to speed up work on the other. Some data protection procedures require steps that appear to be unnecessary but instead serve to prevent doors from being left open. Choosing not to follow security protocols can turn into much more severe damage than the efficiency generated by the omission. One estimate found that the average cost caused by a single negligent insider exceeds $300,000.

Example. Mattia works as a social media manager and uses platforms to publish and manage posts across multiple company profiles. As part of his routine work, Mattia finds it unnecessary to log in every day (a time-consuming activity), so he stores his credentials and disables two-factor authentication. Entering the security code, however, serves to identify the person accessing the platform, preventing unwanted intrusions. All it takes is a moment of distraction, and any other employee can publish posts in the company’s name, ruining the organization’s reputation (not the employee’s).

What damage can this type of insider threat do?

The negligent insider may allow others to access company data by simply not logging out of company systems. Or he may write passwords on public electronic diaries to reduce search time. Or he may use unauthorized devices and applications that minimize work time but put the IT system at risk.

How to stop it in time?

In fact, the negligent insider, compared to the oblivious one, can be unmasked more easily because bypassing security protocols triggers alarms. By monitoring the activities taking place in the company, it is possible to notice the alert in time and talk about it with the affected employee.


The malicious insider

How do we recognize them?

The malicious insider acts out of revenge or to thwart colleagues who might steal their job or promotion. In this case, the payback is only personal, and there is both insight and awareness of the damage they are doing to the company. The malicious employee already knows the passwords and knows how to access relevant data, which gives them the power to retaliate.

Example. Paolo is part of a research and development team working on designing the next cell phone for a well-known phone manufacturer. Rumors have reached his ears that his boss is unhappy and would like to fire him at the end of this project. Paolo immediately starts interviewing and is contacted by the competition. However, during the interview, he lets slip some information about the project he is working on.

The competitor plays dirty and promises the future employee the job and a considerable increase in gross annual salary in exchange for the project’s confidential data. Paolo accepts and returns to his company. After the project, as expected, Paolo is fired, but a few days into the marketing campaign to promote the new cell phone, the competitor puts a cell phone with the same performance on the market. Thanks to Paolo’s suggestions, the competitor developed the product in half the time, as they went directly to the design phase, skipping the R&D phase.

What damage can this type of insider threat do?

The risks with the malicious insider are very high, as it is a conscious act. The intention is to do damage to the company through deletion, theft, or publication of data.

How to stop it in time?

When they dismiss an employee who works with confidential data, many large companies communicate this immediately. That is, the moment the person receives the dismissal letter, they must leave. Having them leave the workstation right away is precisely to avoid damage being done in the meantime. In general, when the dismissal takes place without the consent of both parties, it is always advisable to change shared access credentials and disable those of the person concerned.
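The following is an added example, not part of the original article: a small audit that reconciles HR termination dates with account exports to find access that outlived a dismissal. The names, systems and record layout are constructed for illustration and assume each system can export an enabled flag and a last-login timestamp.

```python
from datetime import date, datetime

# Constructed sample data (not from the article): HR termination dates and
# an export of accounts from the systems each person could reach.
TERMINATIONS = {"paolo": date(2024, 3, 1), "mattia": date(2024, 4, 15)}
ACCOUNTS = [
    {"user": "paolo", "system": "vpn", "enabled": True, "last_login": "2024-03-09T22:14:00"},
    {"user": "paolo", "system": "mail", "enabled": False, "last_login": "2024-02-28T17:02:00"},
    {"user": "mattia", "system": "social-suite", "enabled": True, "last_login": "2024-04-10T09:30:00"},
    {"user": "mattia", "system": "wiki", "enabled": True, "last_login": None},
    {"user": "giulia", "system": "crm-db", "enabled": True, "last_login": "2024-04-20T08:55:00"},
]
SEVERITY = {"used-after-termination": 0, "still-enabled": 1}


def audit_offboarding(terminations, accounts):
    """Return (user, system, finding) tuples, most urgent first."""
    findings = []
    for acct in accounts:
        left = terminations.get(acct["user"])
        if left is None:
            continue  # current employee, nothing to reconcile
        last = acct["last_login"]
        last_day = datetime.fromisoformat(last).date() if last else None
        if last_day is not None and last_day > left:
            # A login after the leave date is evidence to investigate,
            # even if the account has been disabled since.
            finding = "used-after-termination"
        elif acct["enabled"]:
            finding = "still-enabled"  # access exists but shows no use yet
        else:
            continue  # disabled and unused after termination
        findings.append((acct["user"], acct["system"], finding))
    return sorted(findings, key=lambda f: (SEVERITY[f[2]], f[0], f[1]))


if __name__ == "__main__":
    for user, system, finding in audit_offboarding(TERMINATIONS, ACCOUNTS):
        print(f"{finding:24} {user:8} {system}")
```

Run on a schedule against every system's export rather than the central directory alone, since accounts created locally in a single application are the ones most often missed at dismissal.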

The professional insider

How do we recognize them?

Here, the recognition becomes more complex because the professional insider knows the game rules, knows how to move, and knows how to pass unobserved.

Moreover, the stakes must be very high to justify putting such an elaborate and complex plan into action. The insider, in this case, will have to evade controls designed to protect data from internal and external intrusions. Usually, a professional insider does not act quickly but gains ground over time. Perhaps they get hired or collaborate as outsiders. They try to gain the trust of superiors and colleagues and then try to put the plan into action. The return from doing so is not always only personal, as in the case of the malicious insider. Often the theft or destruction of the data or information has been commissioned by competitor companies or by criminals operating on the dark web.

What damage can this type of insider threat do?

A pro can cause significant damage that is not always reversible. An example might be patent theft. A company that wants to emulate a product or service covered by intellectual property may send an insider to the competition. The professional will need access to the content of the patent to allow the client to reproduce it with minor modifications so as not to risk plagiarism.
The most frequent threats from professionals involve the theft of data to sell to the client. This action is not easy to unmask because the person could copy the information in a way that does not trigger alarms or alter security parameters.

How to stop it in time?

The chances of discovering a professional insider before they commit a crime or cause significant damage to the company are low. A well-designed plan is not easy to stop. Nevertheless, the greater the investment made by the organization to protect valuable data, the better the chances of stopping an attack.



How to thwart the insider threat? Here are some helpful tips:

  • Invest in training to make sure all resources know the risks of sharing information online.
  • Establish roles and permissions for accessing confidential data and documents. By adopting Identity and Access Management (IAM) principles, each employee will have specific permissions to access only the information they need to do their job.
  • Never underestimate the importance of having security systems that identify threats and predict possible attacks using Artificial Intelligence.
  • Always be on the lookout for alerts generated by platforms and for suspicious activity, such as much higher bandwidth consumption at abnormal times or data transfers from a source that does not have the permissions to do so.
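
The two signals named in the last tip can be checked mechanically. The following is an added example, not part of the original article: it flags transfers from a user without permission for the resource, and off-hours transfers far above that user's own working-hours median. The log format, permission map, working hours and the factor of 10 are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: "timestamp user resource bytes_out"
LOG = """\
2024-05-06T10:05:00 marco shipping-db 120000
2024-05-06T14:20:00 marco shipping-db 90000
2024-05-07T11:00:00 marco shipping-db 110000
2024-05-07T02:40:00 marco shipping-db 9500000
2024-05-07T09:15:00 giulia client-db 400000
2024-05-07T15:30:00 giulia client-db 350000
2024-05-08T03:10:00 giulia client-db 380000
2024-05-08T10:45:00 marco client-db 60000
"""
# Assumed permission map and thresholds (hypothetical values).
ALLOWED = {"marco": {"shipping-db"}, "giulia": {"client-db", "shipping-db"}}
WORK_HOURS = range(8, 19)  # 08:00 to 18:59
FACTOR = 10                # "much higher" = 10x the user's daytime median


def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, user, resource, size = line.split()
            yield datetime.fromisoformat(ts), user, resource, int(size)


def detect(log, allowed=ALLOWED, factor=FACTOR):
    events = list(parse(log))
    # Baseline per user: permitted transfers made during working hours.
    baseline = defaultdict(list)
    for ts, user, resource, size in events:
        if ts.hour in WORK_HOURS and resource in allowed.get(user, set()):
            baseline[user].append(size)
    alerts = []
    for ts, user, resource, size in events:
        if resource not in allowed.get(user, set()):
            alerts.append((ts.isoformat(), user, "no-permission"))
        elif (ts.hour not in WORK_HOURS and baseline[user]
              and size > factor * median(baseline[user])):
            alerts.append((ts.isoformat(), user, "off-hours-volume"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(*alert)
```

An off-hours transfer of ordinary size (the 03:10 entry) raises no alert, because the rule needs both the abnormal time and the abnormal volume.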

Insider threat is one of the possible cyber threats that a company must learn to protect itself from. But when it comes to cybersecurity, other, equally essential risks are increasing with digitalization. On this topic, I recommend you read “Cyber Security: the opportunities and risks of digitalization.”
