Rethinking Data Loss and Insider Threats

Organizations now more than ever before rely on their employees to process voluminous amounts of data to conduct business.  Preventing data loss due to unintentional leakage or as a result of a malicious attack is a concern for almost every organization, regardless of size, especially highly regulated organizations that handle sensitive data.  Today’s hybrid and fully remote workforces, as well as the increase in security risks related to the human element continue to fuel concerns of insider-related incidents.  The data shows that loosely managed staff departures, careless and negligent employees, an insider’s compromised credentials, and disgruntled or dissatisfied employees raise the likelihood of an insider-related incident occurring.  

Insider threats are not new, anyone can be a threat, and it’s possible for some insider threats to go undetected for years.  According to the 2022 Cost of Insider Threats Global Report by Ponemon, insider threats have increased in both frequency and cost in the two years prior to the publication of the report.  Insider-related incidents included employee negligence (56%), criminal activity (26%) and user credential theft (18%).  In this article, I will discuss why it is important to rethink data loss from an insider threat perspective.    

Insider Threat Indicators  

The National Institute of Standards and Technology (NIST) describes an insider threat as one that involves an individual using his or her authorized access, wittingly or unwittingly, to do harm to an organization’s operations and assets, individuals, or other organizations.  The following behavior could be an insider threat indicator: 

  • Prolonged workplace dissatisfaction
  • Unexplained downloading of files unrelated to employee’s primary role and responsibilities
  • Unusual workplace behavior including disagreements and complaints
  • Unexpected financial gain or financial distress

While human resources, managers and team members may be able to identify unusual behavior and alert the appropriate individuals to these types of behaviors, detecting these types of behaviors in a timely fashion is challenging without technology and a mature insider threat program.      

Insider Threat Program and Data Loss Prevention

Data loss prevention (DLP) solutions help mitigate the risk of data loss, which can occur as insider-related incidents (e.g., employee theft of proprietary information), due to physical damage to computers, or as a result of human error (e.g., unintentional file deletion or sharing sensitive data in an email).  In addition to the various ways that an organization might experience data loss, mitigating the risk of loss requires the right people, processes and technology.  Meeting the technology requirement can be a challenge when it comes to selecting the right DLP solution with the right capabilities.

An important capability for monitoring employee behavior is user and entity behavior analytics (UEBA) systems, which are designed to monitor the behavior of users.  A user is a broad term and can be described as anyone using a company’s information technology asset, such as an employee or a contractor. Gartner recommends investing in a DLP solution that not only provides content inspection capabilities but also offers extra features such as data lineage for visibility and classification, user and entity behavior analytics (UEBA), and rich context for incident response.  UEBA is useful for insider-related incidents because it could help identify data exfiltration by a dissatisfied employee.  

The consequences of insider-related incidents include loss after loss – financial loss, loss of customer trust and data loss.  Therefore, it is important to develop an insider threat program using a combination of people, processes and technology with capabilities like accurate threat detection, monitoring and responses like blocking data from leaving user endpoints.

Identify Sensitive Data and Prevent Its Loss

Organizations can improve their insider threat programs by using techniques that will not only identify an insider-related incident that’s in progress, as well as the sensitivity of the underlying data, but also deploy controls to prevent the sensitive data that might be leaked or exfiltrated.

DLP policies can help prevent sensitive data from being leaked or exfiltrated as the policies describe what happens when a user uses sensitive data in a way that the policy does not allow and can be developed to align with their internal security policies, standards, controls and procedures, as well as applicable law and regulations. Once a policy violation has occurred, security teams should receive alerts for the policy violations and the alert an investigation should follow.  The violation might result in quarantining the data or blocking data entirely to prevent leakage or exfiltration. Users might receive warnings about their use of sensitive data via pop-up messages; this may prevent accidental data leakage.     


Insider-related incidents can cause devasting losses.  Companies that monitor user behavior are better positioned to prevent insider-related incidents in real time. Identifying the technology that will provide sufficient insider threat management capabilities requires an understanding of the nuances and distinctions among solutions on the market.  Spending the time to rethink data loss from an insider threat perspective, devoting the resources to evaluate the needs of your insider threat program, and identifying the technical capabilities that will improve the maturity of the program will pay dividends in the future.   

Author Bio:

Ambler is an attorney with extensive corporate governance, regulatory compliance, and privacy law background. She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes about today’s most crucial cybersecurity and regulatory compliance issues with Bora Design