
An employee leaves the company after a year in the role. He wants to start a similar business of his own. But along with his experience, he also takes the customer database, sales strategies and technical blueprints home with him. No one notices or stops him. It is only a year later, when the first customers begin to leave, that the alarm bells ring. Insider threats are one of the most underestimated risks in cybersecurity. Yet a few basic measures can significantly reduce the risk.
When people think about cyber threats, they think of hackers, ransomware groups and state-sponsored attackers trying to break in. That picture is correct, but incomplete. In a large proportion of cases, the threat comes from someone who already had access to the network. Someone on the inside.
That is what makes insider threats so deceptive. There is no break-in. There is no phishing email to forward, and no vulnerability to exploit. The threat simply walks through the front door every morning, logs in as usual and does what has always seemed normal.
Insider threats are not all the same. Broadly speaking, there are four types that we see time and time again in practice.
The first of these, the departing employee who takes data along, is the most common type. For example, two developers decide to set up a competing company. They hand in their notice, are given a three-month notice period and use that time to systematically copy source code, customer lists, documentation and pricing strategies.
Three months after they leave, customers start moving to the new business. Only then does the original employer discover what has happened. The forensic investigation that follows is complex: the laptops containing the digital traces of the theft have already been handed over to colleagues. Even so, the investigation team builds a watertight case against the former employees.
The second type, internal fraud, often involves collusion. In one of the most striking cases investigated by Orange Cyberdefense, a CFO and a financial controller working at two different companies collaborated. One created false invoices, the other approved them. Together, they stole more than six million euros over a ten-year period.
The scheme unravelled through carelessness: the controller left a credit card statement lying on a colleague’s desk. Hundreds of thousands of euros spent on lingerie, all charged to the company. That immediately raised suspicions. After an internal investigation, both individuals came under scrutiny. The case was solved, and the fraud, which had remained invisible for years, could ultimately be reconstructed in detail through the financial systems.
The third type, the abuse of privileged access, is difficult to detect, but the damage is often enormous. In one case, an IT administrator strictly enforced security rules for colleagues while creating a separate network segment for himself with an ‘allow everything’ firewall rule.
Through this digital back door, he freely downloaded illegal films and software packages, including infected key generators. These eventually infected the corporate network with ransomware. The forensic investigation following the attack identified the administrator’s private network segment as the source of the infection. The bitter irony: the person hired to protect the business turned out to be the cause of the damage.
The fourth type, the unintentional insider, is the most common and psychologically complex. In many cases, it is not a classic spy but employees taking work such as presentations and contact lists home with them. Because they created these documents themselves, they see them as personal property. Although this is legally still theft of company assets, there is often no malicious intent. Even so, these ‘digital souvenirs’ pose a major risk because sensitive business information leaves the organisation's protected environment.
What all of these examples have in common is that they remained invisible. Sometimes for months, sometimes for years. Not because the organisations were negligent, but because they simply did not have the means to see what was happening.
The digitalisation of the workplace makes it increasingly easy for insiders to access and move large amounts of data. At the same time, the value of that data is increasing. Customer records, source code and financial forecasts are easy to copy, but difficult to recover once they are gone.
On top of that, trust is the default setting in most organisations. People who perform well for years are given broad access rights. That is understandable, but it also creates blind spots. A familiar face can collect data unnoticed for years because no one thinks to monitor their behaviour.
And when insider threats are discovered, it is often not through technology but through coincidence. A forgotten bank statement. A customer who leaves. An anonymous tip-off. That is not a defence strategy; it is luck, and far too late.
The good news is that the tools for detecting insider threats have improved dramatically in recent years. Three developments deserve particular attention.
Behavioural baselines are the foundation of modern detection. Machine learning learns what normal behaviour looks like for each user: which systems they access, at what times and from which locations. If someone suddenly downloads the entire customer database or tries to access folders outside their normal role, an alert is triggered.
Data Loss Prevention focuses on the many channels through which data can leave an organisation, such as personal email, USB drives, cloud storage, printers, screenshots or file transfers. DLP software monitors all of these channels and can either block the exfiltration or send an alert to IT and HR. The sales manager who has been copying customer data unnoticed for years is quickly exposed.
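The two detection ideas above, a per-user behavioural baseline and a channel rule in the style of DLP, can be shown together on a small scale. The following Python is an added example written for this page; it is not code from the article or from Orange Cyberdefense. It replaces the machine-learning model with simple statistics (working-hours window, known systems, z-score on volume) so the mechanism is visible, and it assumes a constructed event format in which an upstream classifier has already tagged records as sensitive.

```python
"""Added example (not from the article): a simplified behavioural baseline plus a
DLP-style channel rule, run over constructed access events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One access or transfer action from an audit source (constructed format)."""
    user: str
    ts: datetime                # when the action happened
    system: str                 # system or share that was accessed
    records: int                # rows or files touched
    channel: str = "internal"   # where the data went: internal, usb, personal_mail, cloud
    sensitive: bool = False     # label attached by an upstream classifier (assumed)


def build_baseline(history):
    """Per-user profile of 'normal': systems used, working-hours window, typical volume."""
    by_user = defaultdict(list)
    for e in history:
        by_user[e.user].append(e)
    profile = {}
    for user, evs in by_user.items():
        volumes = [e.records for e in evs]
        hours = [e.ts.hour for e in evs]
        profile[user] = {
            "systems": {e.system for e in evs},
            "hours": set(range(min(hours), max(hours) + 1)),
            "mean": mean(volumes),
            "std": pstdev(volumes),
        }
    return profile


def baseline_alerts(profile, event, z_threshold=3.0):
    """Reasons this event deviates from the user's own baseline (empty list = normal)."""
    p = profile.get(event.user)
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if event.system not in p["systems"]:
        reasons.append(f"new system {event.system}")
    if event.ts.hour not in p["hours"]:
        reasons.append(f"unusual hour {event.ts.hour:02d}:00")
    std = p["std"] or 1.0          # constant-volume users would otherwise divide by zero
    z = (event.records - p["mean"]) / std
    if z > z_threshold:
        reasons.append(f"volume {event.records} is {z:.1f} std devs above normal")
    return reasons


BLOCKED_CHANNELS = {"usb", "personal_mail"}   # policy choice assumed for the example


def dlp_decision(event):
    """Channel rule: sensitive data to a blocked channel is stopped, to cloud it is alerted."""
    if not event.sensitive or event.channel == "internal":
        return "allow"
    if event.channel in BLOCKED_CHANNELS:
        return "block"
    return "alert"


def triage(profile, event):
    """Combine both detectors into the record a reviewer in IT or HR would see."""
    return {"user": event.user,
            "baseline": baseline_alerts(profile, event),
            "dlp": dlp_decision(event)}


def constructed_history():
    """Constructed sample: 20 working days of ordinary CRM use by 'alice' (not real data)."""
    hist = []
    for day in range(1, 21):
        for hour in (9, 11, 14, 16):
            hist.append(Event("alice", datetime(2024, 3, day, hour, 0), "crm", 40 + (day % 5) * 5))
    return hist


if __name__ == "__main__":
    prof = build_baseline(constructed_history())
    late_dump = Event("alice", datetime(2024, 3, 21, 23, 0), "hr_share", 12000, "usb", True)
    print(triage(prof, late_dump))
```

A real deployment would derive the profile from months of data and many more features, but the shape of the output is the same: a list of concrete reasons rather than a bare score, which is what makes the fifteen-minute human review described later practical.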
Just-in-time access changes the way access rights are granted. Instead of giving users permanent access to critical systems, they receive temporary credentials for specific tasks. Every action is logged. This makes it impossible to build a private kingdom in the organisation's shadows, as happened with the IT administrator who created his own network segment.
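To make the just-in-time idea concrete, here is a minimal access broker in Python. It is an added example for this page, not the article's or any vendor's implementation, and it assumes a task reference (a change or ticket id, constructed here as "CHG-1234") is attached to every request. Grants are time-boxed, refuse self-approval and expire on their own, and every request and check is written to an audit list, which is exactly what removes the room for a private kingdom.

```python
"""Added example (not from the article): a minimal just-in-time access broker with
task-scoped, time-boxed grants and an audit trail for every decision."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    resource: str
    task: str            # change or ticket reference the access is tied to (assumed field)
    expires: datetime


class JitBroker:
    """No standing access: a grant exists only for a task and only until it expires."""

    def __init__(self):
        self.grants = []
        self.audit = []   # (time, user, resource, outcome) for every request and check

    def request(self, user, resource, task, approver, now, ttl=timedelta(hours=2)):
        """Issue a grant that expires after ttl. Nobody approves their own access."""
        if approver == user:
            self.audit.append((now, user, resource, "denied: self-approval"))
            return None
        grant = Grant(user, resource, task, now + ttl)
        self.grants.append(grant)
        self.audit.append((now, user, resource,
                           f"granted by {approver} for {task} until {grant.expires:%H:%M}"))
        return grant

    def check(self, user, resource, now):
        """Allow only while an unexpired grant exists; expiry needs no revocation step."""
        for g in self.grants:
            if g.user == user and g.resource == resource and now < g.expires:
                self.audit.append((now, user, resource, f"allowed ({g.task})"))
                return True
        self.audit.append((now, user, resource, "denied: no active grant"))
        return False

    def active_grants(self, now):
        """What a reviewer sees: who can touch what right now, and for which task."""
        return [(g.user, g.resource, g.task) for g in self.grants if now < g.expires]


if __name__ == "__main__":
    broker = JitBroker()
    t0 = datetime(2024, 6, 3, 9, 0)
    broker.request("admin1", "core-firewall", "CHG-1234", "manager", t0)
    print(broker.check("admin1", "core-firewall", t0 + timedelta(hours=1)))   # True
    print(broker.check("admin1", "core-firewall", t0 + timedelta(hours=3)))   # False, expired
    for line in broker.audit:
        print(line)
```

The design point is that the denial path is logged just as carefully as the grant path: an administrator probing a resource without an approved task leaves a trace, whereas a permanent ‘allow everything’ rule leaves none.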
The impact of these technologies is very real. Where incidents used to come to light months later through customers, auditors or even the police, the process now looks very different. Minute zero: an alert appears. Five minutes later: automated containment. Fifteen minutes later: a human reviews the case. Within an hour: the scope is clear. Within four hours, a decision is made. The action window between incident and response shrinks from months to minutes.
The technology exists. But even without extensive tooling, there are practical steps every organisation can take right now.
Start by identifying the data that matters most. This could be a customer database, source code, financial forecasts or trade secrets. Document who has access, how that access is protected and whether you would notice if someone made a copy. This becomes your monitoring priority list.
Define one specific action that should never happen unnoticed in your organisation, such as exporting the entire customer list to Excel. Then create an alert that triggers when this happens, and assign one person to review those alerts every day. By starting small with one critical process, you can learn the patterns without being overwhelmed by data.
Then review who holds privileged access. Do they still need those rights? When did they last use them? Can access be made temporary? Start with the ten most privileged accounts and review their activity logs for the past thirty days. The results are often surprising.
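The three steps above, an inventory of the crown jewels, one alert for the action that must never pass unnoticed, and a thirty-day review of the most privileged accounts, fit in one short script. The Python below is an added example for this page, not code from the article or from Orange Cyberdefense; the inventory, the audit-line format and every account name and row count in it are constructed for illustration.

```python
"""Added example (not from the article): the three quick wins as one script over
constructed audit entries."""
from datetime import datetime, timedelta

# Step 1: the inventory. Constructed for the example; a real one lists every crown jewel.
CROWN_JEWELS = {
    "customer_db": {"owner": "sales-ops", "allowed_roles": {"sales", "sales-ops"}, "total_rows": 10_000},
    "payroll": {"owner": "hr", "allowed_roles": {"hr"}, "total_rows": 1_200},
}

# Constructed audit lines: timestamp account role resource action rows
AUDIT_LINES = [
    "2024-05-02T09:12:00 alice sales customer_db export 120",
    "2024-05-03T22:41:00 bob sales customer_db export 10000",
    "2024-05-10T08:00:00 svc_backup admin customer_db read 10000",
    "2024-04-05T10:00:00 carol admin payroll read 3",
    "2024-05-12T15:30:00 dave engineer customer_db export 500",
]


def parse_audit(lines):
    """Turn the constructed audit lines into dicts with typed fields."""
    entries = []
    for line in lines:
        ts, account, role, resource, action, rows = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "account": account, "role": role,
                        "resource": resource, "action": action, "rows": int(rows)})
    return entries


def export_alerts(entries, ratio=0.9):
    """Step 2: alert on a near-complete export of a crown jewel, and on an export by a
    role the inventory says should not have access at all."""
    alerts = []
    for e in entries:
        jewel = CROWN_JEWELS.get(e["resource"])
        if jewel is None or e["action"] != "export":
            continue
        if e["rows"] >= ratio * jewel["total_rows"]:
            alerts.append({"account": e["account"],
                           "reason": f"bulk export of {e['resource']} ({e['rows']} rows)"})
        elif e["role"] not in jewel["allowed_roles"]:
            alerts.append({"account": e["account"],
                           "reason": f"role {e['role']} exported from {e['resource']}"})
    return alerts


def privileged_review(entries, privileged, now, window=timedelta(days=30)):
    """Step 3: for each privileged account, was the privilege used inside the window?"""
    last_used = {}
    for e in entries:
        acct = e["account"]
        if acct in privileged and (acct not in last_used or e["ts"] > last_used[acct]):
            last_used[acct] = e["ts"]
    report = {}
    for acct in sorted(privileged):
        seen = last_used.get(acct)
        if seen is None or now - seen > window:
            report[acct] = "unused in window: make temporary or remove"
        else:
            report[acct] = f"active, last used {seen:%Y-%m-%d}"
    return report


if __name__ == "__main__":
    entries = parse_audit(AUDIT_LINES)
    for a in export_alerts(entries):
        print("ALERT", a)
    for acct, verdict in privileged_review(entries, {"svc_backup", "carol", "erin"},
                                           datetime(2024, 5, 15)).items():
        print(acct, verdict)
```

The one-alert rule deliberately keys on the inventory rather than on raw volume, so the same handful of lines covers both ‘the whole customer list left as a file’ and ‘someone outside the allowed roles exported anything’; the privileged review is what turns a vague feeling that an account is dormant into a dated fact that can be acted on.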
At a company with 1,200 employees, Orange Cyberdefense found, within ten minutes of arriving on site, an Excel file containing the salary history of every employee over the past thirty years. It was available to everyone on a shared drive. Two hours later, they found a folder containing XML files with the company’s full financial inflows and outflows, readable as plain text. Four hours earlier, this company had said it was secure.
The threat does not always come from a sophisticated external attack. Sometimes it is simply sitting in a folder on a shared drive, in the hands of someone leaving the organisation, or in the behaviour of someone who has had access to everything for years. We now have the tools to see it. The question is whether you are looking.