Risk Assessments/Management

How to develop a proactive insider risk program 


COMMENTARY: From Coinbase's bribery scandal to corporate espionage between Deel and Rippling to organizations hiring people who aren’t who they claim to be, insider threats are making headlines. Whether these incidents are growing more frequent or just more visible, it’s now clear that organizations face a rising tide of insider risk.

Insider risks reflect the intersection of human beings and their environment. Today's threat landscape has been shaped by global economic uncertainty, mass layoffs, and rapid AI adoption, creating a perfect storm of inescapable emotional, financial, and ethical pressures.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

Meanwhile, the proliferation and widespread adoption of AI tools, often without approval from IT or security teams, has produced a sprawling digital environment for businesses. It’s increasingly difficult to discover and monitor these tools within enterprises, throughout software supply chains, and across Software-as-a-Service (SaaS) apps. Data ecosystem complexity has follow-on impacts on governance, privacy, and IP protection, and ultimately on strategies to defend against data loss.

Not all insiders are alike

When thinking about insider threats, both the outcome and the intent matter. Common outcomes associated with insider threats center on loss and harm to organizations, data, and even people. The intent leading to these outcomes varies widely, but generally falls into three categories:

  • Unintentional insiders make mistakes that result in risk or damage, such as falling victim to phishing attacks, misdirecting sensitive emails, or leaking data via various channels, including AI tools.
  • Well-intentioned insiders are often highly driven to get things done, but to get there they work around rules in ways that increase risk. These employees frequently use shadow IT and unsanctioned communication channels.
  • Malicious insiders intend to cause harm. These insiders may cover their tracks and pursue a long-term strategy, or engage in extreme one-time behaviors. Malicious insiders engage in sabotage, fraud, theft, espionage or workplace violence, often for personal gain.

There’s no straightforward way to understand malicious insiders. However, malicious insiders are often understood through a combination of predispositions and pressures building over time, along with organizational actions that either agitate or quell the malicious behaviors.

The Critical Pathway to Insider Risk by Eric Shaw and Laura Sellers helps illustrate this complex relationship, where predispositions like a tendency to break rules or maintaining connections across risky social networks can offer meaningful context for insider risk practitioners. However, personal predispositions alone are weak predictors of malicious behavior.

The tipping point often comes when predispositions interact with personal and professional stressors, such as job loss, financial distress, a personal crisis, or even a breakdown in alignment with company values. Sometimes this takes years; sometimes it happens in weeks.

Either way, the signals are there—they’re just difficult to detect in isolation.

Why traditional security methods fall short

Most detection systems focus on external technical threat indicators, identifying threats like malware, network intrusions, or suspicious IP addresses. Insiders, by contrast, operate within normal permissions and access boundaries. For example, if an employee accesses a file they have permission to view but don’t typically need, no alert is triggered. That is usually a good thing: alerting on permitted file access patterns would create a barrage of unwarranted alerts for security teams. Similarly, if data is transferred through a method that’s generally accepted but uncommon for that individual, it’s unlikely to raise concern.

Behavioral indicators such as shifts in communication topics or sentiment are rarely integrated into standard detection strategies for similar reasons: topics and sentiments vary so widely that it’s a challenge to turn them into meaningful information for security teams. Closely monitoring subtle behavioral changes across an entire workforce costs money and disrupts business operations, because high-friction controls frustrate employees, may inadvertently promote “workaround” behaviors, and add to the alert fatigue that already plagues security operations teams.

Smarter detection calls for behavioral understanding

To get ahead of insider threats, organizations need a sophisticated understanding of behavior across the organization, one that balances deep contextual understanding with precision and meaning. Teams should use peer group comparisons to identify behaviors that are unusual for individuals with specific roles or levels of permission.

Other questions to consider include: What deviations from this behavior might signal risk? Are there abrupt requests for elevated privileges? Is an individual suddenly interacting with unfamiliar data?

Behavioral anomalies can serve as early warning signs, especially when these groupings are not predetermined by static rulesets. Organizations must find ways to integrate disparate data sources that can be used to track behaviors—such as data movement, login habits, and application usage—so that advanced AI models can produce high-confidence signals of anomalous, risky behavior.

Teams also need to develop dynamic risk profiles for employees. Not every employee carries the same level of risk. Contractors, people flagged as potential leavers, or those in highly sensitive roles may require more tailored oversight. Understanding organizational factors such as bonus payout periods and layoffs can also provide context for time periods when the risk of data exfiltration or frustration might be heightened.

While technical indicators can help security teams monitor risks, they often fail to fully describe the context surrounding malicious insider behavior. Retrospective analyses of insider threats almost always surface non-technical factors, such as signs of stress, disengagement, disgruntlement or communication breakdowns, that preceded the concerning behavior.

Build trust into insider threat programs

Ethical considerations must guide the detection and mitigation of insider threats. Data is one of the most powerful tools for advancing an insider threat program. However, the type of data that supports a nuanced understanding of social interactions and personal sentiment is inherently more sensitive than the data that helps us understand the behavior of a computer or a device.

Techniques such as role-based access control, anonymized usernames in the UI/UX, and other types of masking can help companies protect against inadvertent exposure of an individual employee's behavior that is falsely flagged as malicious.
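As an added illustration (not code from the article, the author, or Darktrace), the following script runs the peer-group comparison and dynamic risk weighting from the detection section over a constructed set of access events, and masks usernames for the analyst view as the trust section suggests. The events, the 30% peer threshold, the risk multipliers and the masking key are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample access events: (user, role, resource_category).
# Each row stands for "this user touched this kind of data at least once".
EVENTS = [
    ("alice", "engineer", "source_code"), ("bob", "engineer", "source_code"),
    ("carol", "engineer", "source_code"), ("dave", "engineer", "source_code"),
    ("heidi", "engineer", "source_code"),
    ("dave", "engineer", "payroll"),          # permitted, but unusual for an engineer
    ("erin", "finance", "payroll"), ("frank", "finance", "payroll"),
    ("grace", "finance", "payroll"), ("ivan", "finance", "payroll"),
    ("erin", "finance", "source_code"),       # permitted, but unusual for finance
]
# Hypothetical dynamic risk profile: multipliers for populations that warrant
# more tailored oversight (e.g. a flagged potential leaver or a contractor).
RISK_PROFILE = {"dave": 2.0}
PEER_THRESHOLD = 0.30   # a category touched by < 30% of peers counts as unusual

def peer_baselines(events):
    """Fraction of users in each role who touch each resource category."""
    users_by_role = defaultdict(set)
    touched = defaultdict(set)          # (role, category) -> set of users
    for user, role, cat in events:
        users_by_role[role].add(user)
        touched[(role, cat)].add(user)
    return {k: len(v) / len(users_by_role[k[0]]) for k, v in touched.items()}

def score_events(events, risk_profile=RISK_PROFILE, threshold=PEER_THRESHOLD):
    """Return {user: score} for accesses rare within the user's peer group.

    Score = (1 - fraction of peers with that access) * risk multiplier, so a
    rarer access and a higher-scrutiny profile both raise the score; normal
    role-typical access scores nothing, which keeps alert volume down.
    """
    base = peer_baselines(events)
    flagged = {}
    for user, role, cat in events:
        frac = base[(role, cat)]
        if frac < threshold:
            score = round((1.0 - frac) * risk_profile.get(user, 1.0), 3)
            flagged[user] = max(flagged.get(user, 0.0), score)
    return flagged

def pseudonym(user, key=b"analyst-view-key"):
    """Masked identifier for dashboards; the key is held outside the tool so
    unmasking a flagged user is a deliberate, reviewable step, not a lookup."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]

def masked_report(events):
    """Pseudonymized view of the scored results, as an analyst would see it."""
    return {pseudonym(u): s for u, s in score_events(events).items()}
```

The unmasked `score_events` output flags dave (1.6, unusual access doubled by his risk profile) and erin (0.75), while `masked_report` shows the same scores under stable pseudonyms.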

Cross-functional partnerships between human resources, legal, security, and executive teams are critical components of a healthy insider risk program. They help teams balance the need to deeply understand their workforce against protective factors for employees who are concerned about invasive monitoring and privacy.

Insider risk is complex—but not unmanageable. By understanding the spectrum of insider behaviors and connecting technical and human signals, organizations can shift from reactive defense to proactive resilience.

Margaret Cunningham, director, security and AI strategy, Darktrace
