Protect Your Business from Insider Attacks

When we discuss cyber-attacks, we often mean those that come from the outside – the ones that are typically high-profile cases, such as malware, hacking, DDoS and ransomware.

However, the reality is that insider attacks can be just as disruptive to both business operations and organisational reputation. Insider attacks typically lead to corporate data breaches, so it is important first to identify high-risk employees and then to put in place strategies to reduce the risk.

Identifying high-risk employees

There are four key groups of employees to pay extra attention to:

1) Terminated employees – In the weeks prior to exit, employees are at a high risk of taking corporate data with them. This might be emailed to a personal email address, saved to an external drive, or even printed out. Therefore, it is sensible to introduce restricted access, or at least additional checks on the activities of those employees.

2) Users with extensive privileges – Do not forget that data misuse is not always intentional. Regardless of intent, the more privileges a user has, the greater the consequences of a breach.

3) Off-site users – Organisations these days are more complex than ever, with remote workers, subcontractors, and so on. The access they require to the corporate infrastructure inevitably introduces risk as data has to be transferred. If it can be transferred, it can be intercepted.


Part of identifying at-risk employees and/or groups is considering motives. The most common ones are:

- To make a statement - think Edward Snowden
- To take revenge
- To provide something of perceived value to a future employer
- To set up as future competition - for example by stealing client lists or trade secrets

Avoidance Strategies

Once you have built a picture of your at-risk areas, you can design specific strategies to mitigate these risks. There are some prudent measures that we would suggest implementing:


Where a lot of organisations fall short is that they do not undertake robust vetting of new employees. It is crucial to take time to perform a range of checks such as references, employment gap checks, education verification, address checks, criminal checks, and even credit checks. The level of vetting should reflect the access the employee will have to systems and data.


We said earlier that breaches are not always intentional. Therefore, one important way to avoid an insider attack is to have robust policies and procedures in place. Be clear with employees about what is acceptable use and what is not. Be explicit about restrictions on taking data off site.

Common issues that leave the door open for insider attack are sharing passwords, not locking computers, sharing user profiles, personal use of systems, and not adhering to a clear desk policy. A policy needs to be a living, breathing document that employees receive training on, both at induction and periodically thereafter.

Regular audit

Systems and controls are put in place, but many organisations do not regularly review them. As employees leave the organisation, their access must be removed immediately to prevent them from logging on after they are no longer in employment. Furthermore, the data and systems employees need access to will undoubtedly change during their employment.

In Summary

Whilst insider attacks tend to hit the news less often than outsider attacks, they tend to be far higher in frequency and produce an ongoing stream of corporate data leakage. There are some systems and controls that can be implemented to reduce the risk of insider attack, as described above.

Many organisations also choose to engage the services of a specialist organisation that can advise them of vulnerabilities and recommend ways to close weaknesses.

At Grant McGregor, we have a team of dedicated security specialists who are experienced in guarding against insider attacks. To contact our team, please call us on 0808 164 4142.


