With insider threats consistently named a key security risk, organizations realize that managing and monitoring user access is a top priority. Insider threats can be caused by honest employees, external contractors working for trusted third parties or a cybercriminal with access to an insider’s credentials. With so many assets and information online and accessible, organizations must take a proactive approach to defending against the insider attack, starting with implementing security tools and practices that support a trusting relationship with user communities. While no one can prevent all insider attacks, adopting a proactive, intelligence-driven approach can help reduce risk, improve compliance and enable the IT organization to better support business initiatives.

Trust, but Verify

Every day, your organization is processing business transactions, collecting sensitive data and collaborating with partners. To make all this work, the modern enterprise depends on trust — trusting employees to not divulge company secrets, trusting partners to not leak customer information and trusting suppliers to protect sensitive data. If people need access to sensitive information and critical systems to do their jobs and service customers, the organization needs to establish and enforce a level of faith associated with that access. Trusting stakeholders to use their access privileges appropriately — and verifying that they do so — can be the most critical and difficult challenge of dealing with insider threats. Another challenge is user authentication: trusting and verifying that the individuals are who they really claim to be every time they try to access information.

Best Practices for Mitigating Insider Threats

To operate efficiently and securely, organizations need to back up the trusted relationships they have with security tools and intelligence that support and validate the level of confidence they place in their business constituents. This is made easier through the application of a few strategies that focus on reducing the risk of insider threats.

1. Identity Management

Let’s face it: One of the most effective ways to minimize the damage people can do to your organization’s security is to limit their access to sensitive information. Provisioning users with access beyond what they need is an unnecessary risk and should be avoided, and their access privileges should be rescinded when they leave the organization. Automated deprovisioning can ensure that orphan accounts aren’t left open for future exploitation by external cybercriminals or malicious insiders.

It takes a sensitive touch to manage this control without impacting the trusted relationship with employees, partners and others. If security controls are too strict and block access to previously available resources, some people may be offended, feeling their own company distrusts them. Partners or suppliers may get frustrated if they are blocked from accessing information needed to complete business transactions. Therefore, attempts to rein in access are often met with resistance and should be handled carefully. But it’s worth doing. Blocking user access to assets they don’t need can reduce the risk of a security breach. Automated, policy-based user provisioning and self-service tools can help strengthen established business policies tied to user entitlements.


2. Identity Governance

As people move about an organization, they can end up with overlapping roles and duplicated or inconsistent entitlements. This “entitlement creep” can lead to improper access to and use of sensitive information, which can contribute to business conflicts and separation-of-duty (SoD) violations. Identity governance tools can help verify and clean up existing user entitlements, building accurate role models and enacting policies and processes that ensure users have appropriate access privileges.
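The two checks described in sections 1 and 2, orphan-account detection for deprovisioning and separation-of-duty review of existing entitlements, as an added example that is not part of the original article. The HR roster, directory export, service-account list and SoD rules are all constructed for illustration.

```python
# Added example, not from the original article: reconcile an account directory
# against the HR roster (orphan accounts, section 1) and check entitlements
# against a separation-of-duties policy (section 2). All data is constructed.

# Constructed HR roster: people the business still recognizes as active.
HR_ROSTER = {"alice", "bob", "carol"}

# Constructed directory export: account -> entitlements currently assigned.
ACCOUNTS = {
    "alice": {"ap_create_vendor", "ap_approve_payment"},  # holds a toxic pair
    "bob": {"ap_create_vendor"},
    "carol": {"hr_read"},
    "dave": {"ap_approve_payment"},  # no longer in HR: orphan account
    "svc_backup": {"backup_read"},  # service account, not tied to a person
}

# Accounts exempt from the orphan check because they are deliberately impersonal.
SERVICE_ACCOUNTS = {"svc_backup"}

# Constructed SoD policy: entitlement sets one identity must never hold together.
SOD_RULES = [
    frozenset({"ap_create_vendor", "ap_approve_payment"}),  # create and pay a vendor
    frozenset({"hr_read", "payroll_run"}),
]


def orphan_accounts(accounts, roster, exempt=SERVICE_ACCOUNTS):
    """Accounts with no active person behind them: deprovisioning candidates."""
    return sorted(a for a in accounts if a not in roster and a not in exempt)


def sod_violations(accounts, rules=SOD_RULES):
    """(account, rule) for every toxic combination an account currently holds."""
    found = []
    for account, entitlements in accounts.items():
        for rule in rules:
            if rule <= entitlements:  # account holds every entitlement in the rule
                found.append((account, tuple(sorted(rule))))
    return sorted(found)


def access_review(accounts, roster):
    """One report an access-certification campaign could start from."""
    return {"orphans": orphan_accounts(accounts, roster),
            "sod_violations": sod_violations(accounts)}


if __name__ == "__main__":
    print(access_review(ACCOUNTS, HR_ROSTER))
```

In practice the roster comes from the HR system of record and the export from the directory or IGA tool; the policy set grows with each audit finding.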

3. Access Management and Risk-Based Authentication

Verifying the identities of mobile users is a big challenge and should involve authenticating the device as well as the user. Device scanning, two-factor authentication and context-based access policies can all help protect applications against fraudulent and unauthorized access.

4. Security Intelligence

The sheer volume of audit and log data from users can actually impede forensic investigation and detection, preventing administrators from uncovering insider attacks or inappropriate user activities. Security intelligence practices, such as the use of security information and event management (SIEM) tools, can provide invaluable resources for validating access and highlighting user anomalies. This data can equip security teams with the insight they need, including an improved ability to distinguish malicious from nonmalicious behavior, so the bad guys can be identified and stopped.
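A minimal version of the user-anomaly highlighting a SIEM rule performs, as an added example that is not from the original article: a per-user baseline of source networks and login hours is built from earlier successful logins, and later events are flagged when they come from a new network, at an unusual hour, or as a success right after a burst of failures. The log format and every line in it are constructed.

```python
# Added example, not from the original article: a minimal SIEM-style rule that learns
# each user's usual source /24s and login hours from earlier log lines and flags later
# logins that deviate. Log lines are constructed: "timestamp user source_ip result".
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
BASELINE_LOG = """\
2024-03-04T09:02:11 alice 10.1.4.21 success
2024-03-04T11:12:55 bob 10.1.9.8 success
"""
NEW_LOG = """\
2024-03-06T09:01:00 alice 10.1.4.21 success
2024-03-06T02:14:09 alice 10.1.4.21 success
2024-03-06T09:30:00 alice 203.0.113.5 success
2024-03-06T11:01:00 bob 10.1.9.8 failure
2024-03-06T11:01:05 bob 10.1.9.8 failure
2024-03-06T11:01:10 bob 10.1.9.8 failure
2024-03-06T11:01:20 bob 10.1.9.8 success
"""

def parse(log):
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip_network(ip + "/24", strict=False), result

def build_baseline(log):
    """Per user: source /24s and hours of day seen in successful logins."""
    base = defaultdict(lambda: {"nets": set(), "hours": set()})
    for ts, user, net, result in parse(log):
        if result == "success":
            base[user]["nets"].add(net)
            base[user]["hours"].add(ts.hour)
    return base

def detect(log, baseline, max_failures=3):
    """Return (user, timestamp, reason) for logins outside the user's baseline."""
    alerts, fails = [], defaultdict(int)
    for ts, user, net, result in parse(log):
        if result == "failure":
            fails[user] += 1
            continue
        if fails[user] >= max_failures:  # burst of failures, then a success
            alerts.append((user, ts.isoformat(), f"success after {fails[user]} failures"))
        fails[user] = 0
        known = baseline.get(user, {"nets": set(), "hours": set()})
        if net not in known["nets"]:  # address space never seen for this user
            alerts.append((user, ts.isoformat(), f"new source network {net}"))
        if ts.hour not in known["hours"]:
            alerts.append((user, ts.isoformat(), f"unusual hour {ts.hour:02d}"))
    return alerts
```

A real baseline would be learned over weeks rather than two lines, and the alerts would be enriched with the user's role and the sensitivity of what was accessed before an analyst sees them.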


Combating insider threats is a continuous process, but it’s an effective approach to improving an organization’s security posture and increasing protection from external attacks. User credentials, including privileged identities, are often used by attackers once they are inside the enterprise. Safeguarding users’ identities and implementing security intelligence can reduce the damage from external attacks.
