Insider threats are employees who leak or damage their own company’s data. Look for these seven indicators when preventing insider threats.

An insider threat is an individual with legitimate access to your data who uses their position to launch a cyberattack. For example, a disgruntled employee might leak sensitive data, or an IT professional could steal information from a company they represent.

An insider attack can come from anyone, so you need to learn the strongest insider threat indicators.

  1. Unusual online activity
    Trustworthy employees develop routines as they get more comfortable with their work environments. They find the best workflow to optimize their performance, and that workflow includes their online activity. If you notice an employee or third-party official straying from their habits, it could indicate an insider threat.

    Strange logins and excessive downloads are the two most telling signs you need to look out for. If someone is accessing their accounts and downloading more data than usual, they might be up to no good.
  2. Poor job performance
    A rapid decline in someone’s job performance might also suggest they’re an insider threat. Disgruntled workers are far more likely to harm the company than satisfied workers. Some experts even argue that unhappy workers pose the greatest threat of all security risks. Keep your eye out for these negative behaviors:
    • Conflicts with co-workers and supervisors
    • Missing deadlines and making simple mistakes
    • Voicing disagreement with company policies for no clear reason
    • An overall unpleasant attitude around the work environment

    Unhappiness at work is a powerful motivator for an insider attack. You need to closely monitor anyone who starts showing these behavioral tendencies. Instruct your HR department and other colleagues to talk with the person and try to dissolve the situation.
  3. Inconsistent working hours
    If an employee breaks from their usual work schedule and starts showing up at random hours, they might be scheming to launch an insider attack. These actions are strong indicators:

    • Arriving unusually early or late
    • Staying late without request
    • Repeatedly volunteering for extra work
    • Doing work outside the scope of their assigned roles
    • Switching between in-person and remote work at random

    Every employee has specific responsibilities and expectations. The only reason an honest employee would willingly take on more responsibility is if they want a promotion, but that goal conflicts with the other indicators we mentioned. Remote work in particular opens many pathways to your business that insider threats will be happy to utilize. When someone exhibits all of the above behaviors at once, they’re most likely planning to harm the company.
  4. Frequent travel
    Recurring travel to other cities and countries is a strong indicator of industrial espionage. Workers who frequently travel for unknown reasons could steal and sell your company’s data to competitors. Espionage accounted for 24% of worldwide data breaches in 2018, according to a Verizon investigation report.

    Location is just as important as the frequency in this situation. You’re probably safe if a worker pays multiple trips to a small town with no relevance or ties to your organization. You should feel alarmed if they visit several big cities or leave the country multiple times in a short period.
  5. Sudden financial changes
    A worker might have reason to sabotage your company if they experience sudden financial changes, for better or worse. If they find themselves in financial distress, they might feel pressured to sell your company’s data or steal personal information to commit fraud. In extreme cases, they might have been blackmailed or threatened by a third party to launch a cyberattack and hand over sensitive information.

    Similarly, unexplained financial gains could indicate malicious behavior. If a worker starts slacking off, bragging about their wealth, and buying things they previously couldn’t afford, they may have acquired that money through unethical means. This problem is rampant in Southeast Asia, as 70% of the region’s population, including most businesses, doesn’t have the proper security measures.
  6. Increased privileges
    This indicator primarily applies to third-party professionals from IT or cybersecurity companies that other businesses hire to secure sensitive information. If one of these professionals suddenly gets increased privileges and access to greater quantities of data, your company should look into their credentials.

    Usually, the professional gets their special privileges from a high-ranking administrative official. You need to investigate these higher positions to maintain their integrity and prevent them from abusing their power.
  7. Leaving the company
    Anyone leaving the company could be an insider threat. The circumstances of their departure can seem innocent, but you should stay cautious and investigate all workers who leave. Look back at their activity in the last few months and recall any strange behavior patterns or unauthorized data access.

    We know that most workers have legitimate reasons for leaving, but one mistake can compromise your business’s data. Do a thorough investigation on all departures and leave nothing to chance. A comprehensive exit interview process will also help clear the air.

Account for all insider threats

An insider threat could arise from any position in your company, from entry-level workers to top executive officials. Even third-party employees can infiltrate your business.

While most of these indicators may not definitively prove an insider threat, they are all worth watching for. Remember these seven insider threat indicators so you can account for all potential threats and proactively address them before they do serious damage.

Zac Amos loves writing about cybersecurity, artificial intelligence and all topics involving tech. You can find more of his writing on ReHack or by following him on Twitter and LinkedIn.