Sara Millis

Insider Threat: What is it, how bad is it and how do you prevent it?

We have been talking a lot recently about external cybersecurity issues, crimes like phishing scams and malware, but did you know that one of the biggest threats to your business data is an internal one?

Insider threats could cost your business dearly. Here’s how to prevent and mitigate damage from potential data breaches.

What is an Insider Threat attack?

An insider threat attack is a data breach caused by someone inside your business, or by someone who has authorised access to your business networks and systems. They (the insider) are someone you trust as a business owner. They could be an employee, a contractor, or a supplier.

An insider attack is the moment when this person chooses to use their authorised access to harm your business. How is this attack commonly termed? As an act of theft, espionage, sabotage or corruption that damages your business or its means of doing business, or that enhances a competitor’s business.

It can also be an unintentional threat. What do we mean by this? An unintentional insider threat attack is often due to negligence or accidental data breaches. These are cybersecurity issues that can cause leaked information to reach third parties or expose your company to third-party threats from phishing or malware scams.

How common are Insider Threat attacks?

There were over 32,500 incidents reported to the ICO between 2019 and Q2 2022. Of these data security breaches, 80% were classified as non-cyber incidents (non-malicious attempts), showing that internal threats, accidental or otherwise, are a real business concern.

How did these breaches break down into incident types? Let’s take a look:

  • 15% of breaches were as a result of data emailed to the incorrect recipient

  • 10% were posted or faxed to the incorrect recipient

  • And 7% were reported as loss or theft of paperwork and data left in an insecure location

More malicious attempts were reported as data leaked by external threat activation, such as SQL injections, Man-in-the-Middle (MitM) attacks or ransomware. The victim’s actions were not always malicious; often they were poor judgement that unintentionally allowed third-party access to data.

The ICO categorised most leaks with “unknown” identifiers, as in we do not know how much data was accessed. Of what they could define, breaches included customer information at 3% and a further 3% was employee information. 69% of all breaches (internal or external threats) leaked at least basic personal identifiers.

The biggest industries hit by internal threats were:

  • Education and childcare

  • Finance, insurance and credit

  • Local government

  • Retail and manufacture

  • General business

  • Charity and voluntary

Overall, insider threats have risen in the last three years with average costs to business recorded at £13.4 million globally (US$15.38 million), according to research by the Ponemon Institute (2022, paper,

The ICO report backs this up from a UK perspective, where insider threats have increased by 9.17% in 2019-2020 and 0.42% from 2020-2021.

It is thought that the slowed gain in 2020-2021 was due to covid lockdowns and furloughed staff, further highlighting the potential internal threats posed by employees, contractors and suppliers who have access to business systems, databases and networks.

The largest increase in internal threat, which is interesting but something we often see, was due to hardware and software misconfiguration, which grew by a staggering 857% from 2019 to Q2 2022.

How to prevent an Insider Threat attack?

It is clear that most internal data threats can be avoided through accurate system configuration, better employee onboarding, continued refresher training and more definite cybersecurity protocols.

1. Accurate system configuration

As more and more of our business is conducted online, and our staff have increased hybrid or remote working options, it makes sense to revisit our system configurations alongside new cloud-based solutions.

We recommend using Microsoft 365 in conjunction with Microsoft Azure, giving you advanced security with all of the software applications your business is likely to need, plus a bank of apps you can integrate across multiple devices.

Need some help implementing your business-wide Microsoft programs and applications? Contact us today!

2. Better employee onboarding

Onboarding is the one area where you have total control over how your employee enters your business. It is the point at which you can give them access to the parts of your business systems that help them fulfil their job function, and it is also the point at which you lay out how you want them to use your data.

The best way to start is with your HR planning: which roles need what level of access at the start and during the job, and what access levels must be revoked on leaving a role.

With this in mind, you can then build a personalised onboarding process that includes IT training and an accurate record of data access points.

3. Continued refresher training

During the lifecycle of any job function and an employee's time with a business, levels of access requirements may change. Access may also pose varying levels of threat based on changes to cybercrime activities. In both cases, it makes sense that you consider refresher training programs for IT and device proficiency, and safety.

4. Definite cybersecurity protocols

When we employ or contract someone new we are giving them a large amount of trust to perform a job function and use our data correctly. Likewise, when we implement new cloud applications or change our working models from office-based to hybrid we place a large amount of trust in software and the businesses behind them. Yet cyberattacks can still happen.

To avoid attacks and preempt them we need to create specific protocols. Here at IT Soho, we like to look at them from a preemptive and reactive stance. This means having a general protocol in place for how we protect the businesses we work with on a day-to-day basis and creating a simple protocol we can help them follow if breaches happen.

This can be as simple as implementing:

  • Multifactor authentication for software sign-in

  • Securing desktops and devices

  • Increasing firewall protections and segmenting LANs

  • Implementing suspicious activity reporting

  • Limiting online and app access from employee devices

  • Usage monitoring and reporting

5. Eliminate potentially malicious internal threats quickly

There are some cases where we can spot potential threats early. This can often be flagged in our HR processes for employees and regular reviews of contractor or supplier relationships.

For example, let’s imagine you have an employee called Dave. Dave manages the shipping department of your online eCommerce website. During shipping, he has access to both your customer and order database, plus your shipping partner’s system. You have a large warehouse which employs staff that Dave is responsible for, so he also has access to certain employee HR functions, such as timecards and end-of-year review data.

Dave starts showing up late to work regularly and interaction with fellow employees and senior management becomes frayed. It seems Dave is unhappy about something. After a chat with HR, it seems that Dave’s performance and general attitude are deteriorating further and he is open about his unhappiness at work to anyone who will hear. It’s time to start considering your next step as a business owner.

Being able to revoke a person’s access to your data quickly and remotely wipe their devices is imperative if you wish to eliminate any possible internal threat situation.

Likewise, let’s imagine your shipping supplier, who has access to portions of your customer data via your internal or financial systems, no longer provides a reliable service at the price you can afford to pay. You wish to cancel your account. You will also need to wipe data and remove any API access before you close your account to ensure future data leaks cannot happen.

Need help protecting your business against an Insider Threat attack? We are IT Soho and work with many businesses of all sizes in the central London area. Contact us today and let us help you set up your cybersecurity measures efficiently.

