Insider Threat Detection Best Practices

The loss your company can experience from crimes committed by insider threats can total into the millions. Use this practical guide to protect your data from the most common threat: people with access within your organization.


How to Detect Insider Threats

Knowing the general profile of an insider threat can help in preventing malicious activity. According to a study by Carnegie Mellon University, the average insider threat is:

  • Highly technical
  • Someone who holds or held a system administrator position or another position with privileged access
  • A former employee

According to the research, “over half of the insiders were perceived as disgruntled, and most of them acted out of revenge for some negative precipitating event” including:

  • Termination of job
  • Arguments with employer
  • Having a new supervisor
  • Receiving a transfer or demotion
  • Dissatisfaction with salary or bonus structure

Knowing who the typical insider is and why they become a threat can help focus both monitoring of employee behavior and computer monitoring.

How to Stop Insider Threats Before They Cause Damage

According to research by Carnegie Mellon, “insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures and technical controls.”

Policies: Having policies in place to prevent insider threats from taking action against the company is key. The study by Carnegie Mellon found that:

“The majority of insiders who committed IT sabotage did not have authorized access at the time of their attack”:

  • 30% used their own username and password
  • 43% used a compromised account
  • 24% used another employee’s username and password
  • 16% used an unauthorized (backdoor) account they had previously created

These insiders also used shared accounts – including testing accounts and training accounts.

Using password management software can help prevent insider threats because it lets you share access to an account within the organization without ever disclosing the actual password to the people using it.

Procedures: It sounds simple, but a step that is often skipped is having a procedure for dealing with potential insider threats. For example, when an employee is fired or otherwise leaves the company, his or her IT access must be revoked immediately and all shared passwords should be changed. The Carnegie Mellon study found that many insider threats used shared accounts “that had been overlooked in the termination process.”

Technical Controls: Deploying basic technical controls such as user authentication, access restrictions based on user type and a firewall is key. Beyond these security basics, you should have a method for detecting insider threats before they cause harm to your organization. Computer monitoring software is essential for receiving real-time alerts of malicious activity, allowing you to stop the threat before he or she causes damage.

Having software in place to prevent insider threats is important because, according to the Carnegie Mellon study, “Approximately 30% [of employees] took technical preparatory actions prior to the attack, particularly in cases where they anticipated termination. For example, they wrote, tested and planted logic bombs, sabotaged backups and created backdoor accounts.”

Additionally, “Most logic bombs were designed to delete massive amounts of data; however, at least one was designed to disrupt business operations surreptitiously, six months following the insider’s termination.”
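The termination procedure described above (revoke the leaver's access, rotate shared passwords, and review accounts the leaver created before departing) as an offboarding audit script. This is an added example, not code from the original post or from Pilixo's product; the account inventory, the departure list and the field names are constructed assumptions standing in for whatever directory or IAM export your organization has.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    name: str
    owner: str               # "shared" marks test, training and other team accounts
    enabled: bool
    created_by: str
    created: date
    password_rotated: date

def offboarding_findings(accounts, departures, lookback_days=30):
    """Check an account inventory against a {username: last_day} map.

    Flags: a departed user's own account still enabled; a shared account
    whose password was not rotated after a departure; and an account the
    departed user created shortly before leaving (possible backdoor).
    Returns a list of (account name, finding) pairs; empty means clean."""
    findings = []
    for acct in accounts:
        # Accounts created by the departed user in their last weeks need review
        creator_left = departures.get(acct.created_by)
        if (creator_left is not None and acct.owner != acct.created_by
                and creator_left - acct.created <= timedelta(days=lookback_days)):
            findings.append((acct.name, f"created by {acct.created_by} within "
                             f"{lookback_days} days of departure; verify it is legitimate"))
        if acct.owner == "shared":
            stale_for = [u for u, left in departures.items() if acct.password_rotated < left]
            if stale_for:
                findings.append((acct.name, "shared password not rotated since "
                                 + ", ".join(stale_for) + " left"))
        elif departures.get(acct.owner) is not None and acct.enabled:
            findings.append((acct.name, f"still enabled after {acct.owner} left"))
    return findings

# Constructed sample data (assumption): jdoe's last day was 2024-03-15
DEPARTURES = {"jdoe": date(2024, 3, 15)}
ACCOUNTS = [
    Account("jdoe", "jdoe", True, "hr-system", date(2019, 1, 7), date(2024, 1, 2)),
    Account("training01", "shared", True, "it-admin", date(2020, 6, 1), date(2023, 11, 20)),
    Account("svc_reports", "svc", True, "jdoe", date(2024, 3, 1), date(2024, 3, 1)),
    Account("asmith", "asmith", True, "hr-system", date(2021, 5, 3), date(2024, 2, 10)),
]

if __name__ == "__main__":
    for name, finding in offboarding_findings(ACCOUNTS, DEPARTURES):
        print(f"{name}: {finding}")
```

Run against the sample data it reports three items: the leaver's own account is still enabled, the training account's password predates the departure, and a service account the leaver created two weeks before leaving needs review.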

Employee Monitoring, the most advanced computer monitoring software on the market, does what no other software can do: continuously record the screen of each computer it’s installed on. This allows you to go back in time and see exactly what an insider threat did and what you need to do to counter it.

Getting Started

When it comes to preventing insider threats from committing malicious acts on your watch, it’s best not to go it alone. Work with your HR department to put the right policies and expectations in place.

Communicating the rules and procedures for computer usage and data access to employees is the first step towards protecting your data without making employees worry that you’re trying to spy on them.

Next, get in touch with the Pilixo team today to see a demo of Employee Monitoring and how it can help you stop insider threats in their tracks.


© Pilixo. All Rights Reserved