See if your information has been exposed in a data breach with our latest free tool Check Now
Finance glossary

What is a malicious insider?

Bristol James
4 Min

A malicious insider – sometimes referred to as an insider threat – describes any person who uses their authorised access to a company’s systems, resources, or data for malicious purposes.

Unlike the external threats that are posted by cybercriminals or hackers, malicious insiders have access to proprietary business information because they are employed by the company itself.

In some cases, the malicious insider may also be a contractor, business partner, or former employee.

Whatever the title, malicious actors share a common objective: to misuse or abuse their access privileges for personal or financial gain.

In a 2023 survey of more than 300 industry professionals, research firm Cybersecurity Insiders found that 74% believed insider attacks had become more frequent.

Motivations of malicious insider attacks

Malicious insiders can be motivated by various means and their attacks can take many forms.

Here are a few different types with real-life examples for each.

Unauthorised access

Malicious insiders may exploit legitimate access privileges to obtain confidential or sensitive information, systems, and resources.

Examples involving unauthorised access are some of the most well-known. One example is Edward Snowden, a former National Security Agency (NSA) contractor who leaked classified information to multiple journalists.

Data theft or breach

In this type, the malicious actor steals, sells or deletes sensitive data, trade secrets or intellectual property (IP). The intent here is to profit from proprietary information or harm the company by sharing it with competitors.

In 2017, an employee of health company BUPA accessed the company’s CRM system to copy the personal details of more than 500,000 customers.

The employee then deleted the information from the database and attempted to sell the personal records on the dark web.

Damage or sabotage

This occurs when the malicious insider intentionally sabotages systems to cause operational disruptions, reputational damage, and financial loss. This may involve the use of malware or simply the deletion of critical files.

In 2020, an ex-Cisco employee was jailed after deploying malware that deleted more than 16,000 user accounts and caused $2.4 million in damage.


Fraud is a malicious insider technique often motivated by financial gain. Among other forms, it may involve embezzlement, insider trading, or the manipulation of financial records.

In 2008, French bank Société Générale revealed that one of its employees had engaged in fraudulent trading activities. The employee took large, high-risk positions in European indices and concealed the trades via unauthorised and fictitious hedging transactions.

Ultimately, Société Générale lost around $8 billion.

Espionage (insider threats)

On occasion, malicious insiders may represent external adversaries or competitors and take up employment with a company to steal its sensitive information.

The insider threat may also originate from someone motivated by personal gain. Over eight years, a former General Electric (GE) employee stole over 8,000 files from the company.

The employee, who convinced an IT admin to grant him access to the files, intended to use GE’s trade secrets to start a rival company.

How can malicious insiders be detected?

Colleagues who routinely interact with the malicious insider are one of the best defences since they are most likely to notice suspect behaviour.

Potential threat indicators are sometimes easy to spot. For example, the person may publicly hold a grudge against the company or one of their superiors.

In other cases, indicators are less apparent. A malicious insider may:

  • Take on extra work with excessive enthusiasm.
  • Work at unusual times (such as accessing a network at 3 am).
  • Access unusual resources, or
  • Transfer abnormal amounts of data.

When detecting malicious behaviour, it is important to assess intent. In other words, were the employee’s actions a deliberate attempt to damage the company or its assets? Or were they accidental?

Malicious insider vs negligent and accidental insider
The delineation between malicious, negligent, and accidental intent (Source:

Some employees are deemed careless or negligent insiders because they unknowingly or unwittingly expose systems to outside threats. But each context is open to interpretation.

The most clear-cut example of a negligent insider is an employee who falls victim to a cybersecurity scam and creates a vulnerability in the company’s systems.

Protecting against malicious insiders

Most companies are well-versed in protecting themselves from external attacks.

But how can they protect themselves against malicious insiders?

Protect data wherever it is

An obvious point, but one that bears repeating.

Data security should focus on areas where data lives – whether that be on-premise, in the cloud, or hybrid environments.

In the context of malicious insiders, data leaks via email must be a priority. Some companies offer integrated, cloud-based solutions to prevent intentional leaks of IP and sensitive data.

Utilise machine learning

Machine learning (ML) applications can help organisations monitor the behaviour of their employees and look for anomalies.

Such applications fall within a category of security solutions known as User and Event Behavioral Analytics (UEBA). They establish a baseline for normal data access activity and then alert key personnel if abnormal access is detected.

Establish multiple layers of protection

In addition to email security and ML-based user behaviour analytics, there are various other focus areas for businesses.

These include:

  • Database firewalls that block unsolicited backend database manipulation.
  • User rights management to identify instances of inappropriate, excessive and unused privileges, and
  • Data masking or encryption, which obfuscates important data such that it becomes worthless to the malicious insider in the event it is extracted.

In summary:

  • A malicious insider is an individual who intentionally abuses access to a company’s systems, data, and resources for nefarious purposes.
  • Malicious insiders are invariably motivated by personal or financial gain. Different types of malicious attacks include espionage, fraud, unauthorised access, data theft, and damage or sabotage.
  • IT departments are typically capable of thwarting external attacks, but many are less prepared for the internal threat posed by a malicious insider. At the very least, the business should protect data wherever it lives, take advantage of user behaviour analytics tools, and consider multiple layers of protection.



Related articles

The new security standard for business payments

End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.