60%
Of insider threat incidents involved data theft, not sabotage: departing employees taking customer lists or proprietary data (CERT 2024)
77 days
Average time to contain an insider threat incident (Ponemon Institute 2024 Cost of Insider Threats Report)
$16.2M
Average annual cost of insider threat incidents for organizations with 1,000+ employees (Ponemon 2024)
30 days
The window before an employee's last day when data theft activity most commonly occurs (CERT)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Insider threats are the hardest category of attack to detect because the attacker is authorized. A departing employee downloading the customer database looks identical to a customer success manager doing their job: until you compare it to what they normally download and when they normally do it.

Detection requires behavioral baselines, not signatures. The indicators are deviations from normal: accessing systems they have not touched in months, downloading data volumes they have never downloaded before, or establishing forwarding rules that have no business purpose.

The Three Insider Threat Categories

Malicious insider (intentional misuse): An employee who deliberately steals data, sabotages systems, or commits fraud using their authorized access. The most common scenario is a departing employee taking customer lists, product roadmaps, or proprietary code to a competitor. Motivations include financial gain, grievance against the organization, competitive recruitment, and coercion.

Negligent insider (accidental exposure): An employee who exposes data through poor security hygiene: sending sensitive files to personal email, uploading corporate documents to personal cloud storage, falling for phishing, misconfiguring a shared file permission. The CERT study consistently finds this is the largest category by volume, though often with lower per-incident impact than malicious insider events.

Compromised insider (account takeover): An external attacker who has obtained an employee's credentials and is operating as that employee. Detection looks identical to malicious insider detection: the distinguishing factor is often geographic impossibility (the employee's credentials used simultaneously from two locations) or behavioral anomaly (an account suddenly accessing systems it has never touched).

Why this matters for detection strategy: Malicious and compromised insider detection focuses on intentional behavioral anomalies. Negligent insider detection focuses on DLP policy triggers and risky configurations. Both require different monitoring approaches.

The Four Highest-Signal Detection Controls

Control 1: DLP policy on bulk downloads and sensitive data transfer

Data Loss Prevention tools inspect content leaving the organization and alert on or block high-risk transfers. The highest-signal DLP policies:

  • Bulk file download: Any user downloading more than X files from SharePoint/OneDrive in a single session (threshold depends on your environment: calibrate to 2-3 standard deviations above average)
  • Personal email forwarding: Any work email forwarded to a personal email domain (gmail.com, yahoo.com, personal domains)
  • Sensitive data classification upload to external destinations: Documents tagged as Confidential or higher being uploaded to any external destination
  • USB/external storage write: Files written to removable storage from endpoints (if managed devices are in scope)

For Microsoft 365:

# Review recent DLP policy matches
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations DLPRuleMatch |
    Select-Object -ExpandProperty AuditData | ConvertFrom-Json |
    Select-Object UserKey, PolicyDetails, Severity | Sort-Object Severity

Control 2: HR system integration: departing employee monitoring

The CERT data consistently shows insider data theft spikes in the 30 days before an employee's last day. Integrating HR departure dates with your security monitoring: even informally via a weekly list: allows you to apply enhanced monitoring to employees in notice periods.

Enhanced monitoring for departing employees:

  • Flag any DLP policy match for manual review (not just high-severity)
  • Alert on SharePoint or OneDrive downloads exceeding 50 MB from any account in the departure list
  • Review email forwarding rules for the account
  • Check for new OAuth grants or external sharing of sensitive documents

Control 3: Access anomaly detection

Authenticated users accessing systems, files, or data they have never accessed before: or accessing at unusual times or from unusual locations: are a behavioral anomaly worth investigating.

Microsoft Sentinel UEBA (User and Entity Behavior Analytics) provides automated baseline building and anomaly scoring:

// Find users accessing resources significantly outside their baseline
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| where ActivityInsights contains "UnusualResources"
| project TimeGenerated, UserName, ActivityType, ActivityInsights, InvestigationPriority
| where InvestigationPriority > 7
| sort by InvestigationPriority desc

Control 4: Endpoint activity monitoring for specific exfiltration channels

For managed Windows endpoints with Microsoft Defender for Endpoint or equivalent:

// Detect USB storage device writes
DeviceEvents
| where ActionType == "UsbDriveMounted"
| join kind=inner (
    DeviceFileEvents
    | where FolderPath startswith "E:" or FolderPath startswith "F:"  // common removable drive letters
    | where ActionType == "FileCreated"
) on DeviceId
| project Timestamp, DeviceName, AccountName, FileName, FolderPath
| sort by Timestamp desc
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Indicators by Scenario

Departing employee data theft indicators:

  • Bulk downloads of file categories they do not normally download (sales data, customer lists, HR records)
  • Email forwarding rules created in the last 30 days
  • Large uploads to personal cloud storage (Google Drive, Dropbox, OneDrive personal) from a corporate device
  • Printing or scanning of physical documents (relevant where physical document monitoring exists)
  • Access to systems or data repositories outside their functional role at unusual hours

Disgruntled employee sabotage indicators (pre-incident):

  • Access to production systems they do not normally access
  • Mass deletion of files or records
  • Schedule changes: accessing critical systems outside business hours without a known reason (emergency, on-call)
  • Disabling logging or monitoring where they have permissions to do so

Compromised insider indicators (account takeover):

  • Impossible travel: login from New York and London within 2 hours
  • Authentication from an IP not previously associated with the account, particularly from a VPN or proxy service
  • Access to systems the account has never touched in its history
  • Password change followed immediately by MFA method change (attacker taking over the account)

Negligent insider indicators:

  • DLP triggers for sending sensitive documents to personal email
  • Files shared with external recipients who are not in the organization's trusted domain list
  • Sensitive files uploaded to personal cloud storage services
  • Failed MFA attempts suggesting the user shared their credentials

Legal and HR Considerations

Insider threat monitoring requires legal and HR alignment before deployment: particularly in jurisdictions with strong employee privacy laws (GDPR in the EU, various US state laws, labor regulations).

Before deploying insider threat monitoring:

  • Consult legal on what employee monitoring is permitted in your jurisdiction
  • Update acceptable use policies to disclose monitoring of company systems, devices, and communications
  • Define in writing what data is monitored, how long it is retained, and who can access monitoring alerts
  • Establish a process for alert investigation that involves HR: security should not unilaterally act on insider alerts

The investigation process when an alert fires:

  1. Security documents the alert and associated evidence (do not contact the employee yet)
  2. Security escalates to HR and legal
  3. HR and legal determine whether investigation is warranted and the appropriate response
  4. If the evidence supports it, HR leads the investigation with security support
  5. Legal determines whether law enforcement notification is appropriate

Unilateral security investigation of employees without HR and legal involvement creates legal exposure: both for wrongful termination if the finding is incorrect and for evidence admissibility issues if criminal charges are pursued.

The bottom line

Insider threat detection requires behavioral baseline monitoring rather than signatures, because insider access is legitimate. The four highest-signal controls are: DLP policies on bulk downloads and personal email forwarding, HR-integrated enhanced monitoring for departing employees in the 30-day pre-departure window, UEBA-based access anomaly detection for accounts accessing systems outside their baseline, and endpoint monitoring for USB writes and large personal cloud uploads. All insider threat investigation must involve HR and legal before contact with the subject employee.

Frequently asked questions

How do you detect an insider threat?

Insider threat detection requires behavioral baselines, not attack signatures. Key indicators include bulk file downloads above a user's normal baseline, email forwarding rules to personal accounts, access to systems or data outside the user's functional role, and large uploads to personal cloud storage. Integrate HR departure dates to apply enhanced monitoring during the 30 days before an employee's last day: when data theft most commonly occurs.

What are the warning signs of an insider threat?

Behavioral red flags include: downloading unusually large volumes of files (especially customer lists, product data, or financial records), creating email forwarding rules to personal email addresses, accessing systems or repositories the employee has not used before, logging in at unusual hours without a known business reason, and attempts to disable or circumvent monitoring tools.

What is the difference between a malicious insider and a negligent insider?

A malicious insider intentionally steals data, sabotages systems, or assists external attackers for personal gain, revenge, or ideological reasons. A negligent insider causes damage unintentionally: clicking phishing links, misconfiguring cloud storage, emailing sensitive data to the wrong recipient, or reusing weak passwords. Negligent insiders account for the majority of insider-related incidents (approximately 55-62% by most estimates). Both are insider threats but require different controls: malicious insiders require behavioral monitoring and access control; negligent insiders require security training and technical guardrails.

What technical controls detect insider data theft?

Four layered controls: DLP policies on endpoints and email to detect and block sensitive data leaving approved channels; UEBA (User and Entity Behavior Analytics) to baseline normal access patterns and alert on deviations like unusual file downloads or off-hours access; privileged access management with session recording for high-value system access; and cloud access controls with OAuth grant auditing to detect personal cloud storage being used for corporate data transfer. Alert on: email forwarding rules created, large SharePoint or OneDrive downloads, USB device writes on managed endpoints, and new OAuth grants with broad data permissions.

How do you investigate an insider threat without tipping off the employee?

Preserve evidence before taking any visible action: collect and preserve logs from all relevant systems (email, SIEM, endpoint) with legal hold status before any conversation with the employee or manager. Conduct the investigation through IT and Security without involving the subject's team members who might inadvertently alert them. Involve HR and Legal before any investigation steps: insider threat investigations often lead to employment action and must follow a defensible process. Only access to systems and logs the employee was aware could be monitored is permissible without additional legal review: check your acceptable use policy before pulling data.

What role does data classification play in insider threat prevention?

Data classification is a prerequisite for effective insider threat controls: you cannot protect what you have not labeled. Without knowing which files contain sensitive data, DLP policies cannot target the right content, access controls cannot be scoped appropriately, and anomaly detection cannot distinguish a bulk download of public marketing materials from a bulk download of customer PII. A practical classification scheme for most organizations uses four tiers: Public (intended for external distribution), Internal (general business use), Confidential (limited to specific roles), and Restricted (subject to regulatory requirements, minimum necessary access). Apply classification at creation using Microsoft Purview or Varonis labeling tools integrated with Office 365, SharePoint, and cloud storage. Once data is classified, DLP policies can trigger on Confidential and Restricted label transfers to personal storage or external email. Access reviews become scoped: quarterly review of who has access to Restricted data is a manageable audit task. The classification system also shapes the insider investigation: when a departing employee downloads 2,000 files, the severity of that event depends entirely on whether those files are labeled Internal or Restricted. Classification provides the context that makes anomaly detection actionable rather than noisy.

Sources & references

  1. CISA: Insider Threat Mitigation
  2. CERT Insider Threat Center: Common Sense Guide to Mitigating Insider Threats
  3. NITTF: National Insider Threat Policy

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.