<!DOCTYPE html> <html lang="en-us" dir="ltr" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# schema: http://schema.org/ sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema# " class="page-en"> <head> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-MGR7P8X');</script> <script async src="https://www.googletagmanager.com/gtag/js?id=G-B1V8SZE3GL"></script> <script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-B1V8SZE3GL');</script> <script>(function(){var a=window.mutiny=window.mutiny||{};if(!window.mutiny.client){a.client={_queue:{}};var b=["identify","trackConversion"];var c=[].concat(b,["defaultOptOut","optOut","optIn"]);var d=function factory(c){return function(){for(var d=arguments.length,e=new Array(d),f=0;f<d;f++){e[f]=arguments[f]}a.client._queue[c]=a.client._queue[c]||[];if(b.includes(c)){return new Promise(function(b,d){a.client._queue[c].push({args:e,resolve:b,reject:d})})}else{a.client._queue[c].push({args:e})}}};c.forEach(function(b){a.client[b]=d(b)})}})();</script> <script data-cfasync="false" src="https://client-registry.mutinycdn.com/personalize/client/d454424c4514a20a.js"></script> <meta charset="utf-8" /> <meta name="description" content="Learn what an insider threat is, how to detect it, and best practices for prevention to protect your organization from internal security risks." /> <link rel="shortlink" href="https://www.proofpoint.com/us/threat-reference/insider-threat" /> <link rel="canonical" href="https://www.proofpoint.com/us/threat-reference/insider-threat" /> <link rel="icon" href="/themes/custom/proofpoint/apps/drupal/favicon.ico" /> <link rel="mask-icon" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon.svg" /> <link rel="icon" sizes="16x16" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-16x16.png" /> <link rel="icon" sizes="32x32" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-32x32.png" /> <link rel="icon" sizes="96x96" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-96x96.png" /> <link rel="icon" sizes="192x192" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-192x192.png" /> <link rel="apple-touch-icon" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-60x60.png" /> <link rel="apple-touch-icon" sizes="72x72" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-72x72.png" /> <link rel="apple-touch-icon" sizes="76x76" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-76x76.png" /> <link rel="apple-touch-icon" sizes="114x114" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-114x114.png" /> <link rel="apple-touch-icon" sizes="120x120" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-120x120.png" /> <link rel="apple-touch-icon" sizes="144x144" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-144x144.png" /> <link rel="apple-touch-icon" sizes="152x152" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-152x152.png" /> <link rel="apple-touch-icon" sizes="180x180" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-180x180.png" /> <link rel="apple-touch-icon-precomposed" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-57x57.png" /> <link rel="apple-touch-icon-precomposed" sizes="72x72" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-72x72.png" /> <link rel="apple-touch-icon-precomposed" sizes="76x76" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-76x76.png" /> <link rel="apple-touch-icon-precomposed" sizes="114x114" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-114x114.png" /> <link rel="apple-touch-icon-precomposed" sizes="120x120" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-120x120.png" /> <link rel="apple-touch-icon-precomposed" sizes="144x144" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-144x144.png" /> <link rel="apple-touch-icon-precomposed" sizes="152x152" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-152x152.png" /> <link rel="apple-touch-icon-precomposed" sizes="180x180" href="/themes/custom/proofpoint/apps/drupal/images/favicons/favicon-180x180.png" /> <meta property="og:site_name" content="Proofpoint" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://www.proofpoint.com/us/threat-reference/insider-threat" /> <meta property="og:title" content="What Is an Insider Threat? Definition, Detection &amp; Prevention | Proofpoint US" /> <meta property="og:description" content="Learn what an insider threat is, how to detect it, and best practices for prevention to protect your organization from internal security risks." /> <meta property="og:image" content="" /> <meta property="og:image:url" content="" /> <meta property="og:image:secure_url" content="" /> <meta property="article:published_time" content="2021-06-09T05:30:28-07:00" /> <meta property="article:modified_time" content="2024-10-24T07:49:13-07:00" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:description" content="Learn what an insider threat is, how to detect it, and best practices for prevention to protect your organization from internal security risks." /> <meta name="twitter:title" content="What Is an Insider Threat? Definition, Detection &amp; Prevention | Proofpoint US" /> <meta name="twitter:site" content="@proofpoint" /> <meta name="twitter:url" content="https://www.proofpoint.com/us/threat-reference/insider-threat" /> <meta name="twitter:image" content="" /> <script data-cfasync="false" type="text/javascript" id="vwoCode">window._vwo_code=window._vwo_code || (function() { var account_id=767242, version=1.3, settings_tolerance=2000, library_tolerance=2500,z use_existing_jquery=false, is_spa=1, hide_element='body', /* DO NOT EDIT BELOW THIS LINE */ f=false,d=document,code={use_existing_jquery:function(){return use_existing_jquery},library_tolerance:function(){return library_tolerance},finish:function(){if(!f){f=true;var e=d.getElementById('_vis_opt_path_hides');if(e)e.parentNode.removeChild(e)}},finished:function(){return f},load:function(e){var t=d.createElement('script');t.fetchPriority='high';t.src=e;t.type='text/javascript';t.innerText;t.onerror=function(){_vwo_code.finish()};d.getElementsByTagName('head')[0].appendChild(t)},init:function(){window.settings_timer=setTimeout(function(){_vwo_code.finish()},settings_tolerance);var e=d.createElement('style'),t=hide_element?hide_element+'{opacity:0 !important;filter:alpha(opacity=0) !important;background:none !important;}':'',i=d.getElementsByTagName('head')[0];e.setAttribute('id','_vis_opt_path_hides');e.setAttribute('nonce',document.querySelector('#vwoCode').nonce);e.setAttribute('type','text/css');if(e.styleSheet)e.styleSheet.cssText=t;else e.appendChild(d.createTextNode(t));i.appendChild(e);this.load('https://dev.visualwebsiteoptimizer.com/j.php?a='+account_id+'&u='+encodeURIComponent(d.URL)+'&f='+ +is_spa+'&vn='+version);return settings_timer}};window._vwo_settings_timer = code.init();return code;}());</script> <meta name="facebook-domain-verification" content="l349mr2tyecyl7w3a1146378lqxru1" /> <meta name="MobileOptimized" content="width" /> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/proofpoint.woff2" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/RobotoCondensed-Regular-webfont.woff" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/fjalla-one-v7-latin-regular.woff" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/fjalla-one-v7-latin-regular.woff2" as="font" crossorigin="anonymous" /> <link rel="preload" href="/themes/custom/proofpoint/dist/app-drupal/assets/fonts/RobotoCondensed-Bold-webfont.woff" as="font" crossorigin="anonymous" /> <link rel="alternate" hreflang="en-us" href="https://www.proofpoint.com/us/threat-reference/insider-threat" /> <link rel="alternate" hreflang="en-gb" href="https://www.proofpoint.com/uk/threat-reference/insider-threat" /> <link rel="alternate" hreflang="de" href="https://www.proofpoint.com/de/threat-reference/insider-threat" /> <link rel="alternate" hreflang="es" href="https://www.proofpoint.com/es/threat-reference/insider-threat" /> <link rel="alternate" hreflang="ja" href="https://www.proofpoint.com/jp/threat-reference/insider-threat" /> <link rel="alternate" hreflang="en-au" href="https://www.proofpoint.com/au/threat-reference/insider-threat" /> <link rel="alternate" hreflang="it" href="https://www.proofpoint.com/it/threat-reference/insider-threat" /> <link rel="alternate" hreflang="ko" href="https://www.proofpoint.com/kr/threat-reference/insider-threat" /> <title>What Is an Insider Threat? Definition, Detection &amp; Prevention | Proofpoint US</title> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_5x1zduTS4IFCCOssa4IT2g5zuOu1aGbQfcPEEW3PgCM.css?delta=0&amp;language=en&amp;theme=particle&amp;include=eJx1UVtqxDAMvNBqTelPb7PIjpKYOJKR5KV7-zqlNE6hf9ZoxDxc6yO_fXAoyEvDhWAip-Sit1ofO-pGLmFvnNYt84EZoaY1NM_FjtlX2im4SImoN3uZ0x4iGt0qqudUKCRRGqgYGWPMvJyMRWQpBLOw24nOIk4Kz_eBWMQM9QUs00WBndih9gR6wivhdNGJ2pGkbY_fMrgo1tXCpK1iuZ_IvXFtsWRbaRpUHCEi8yjRDUUsQKVHu5i3imlwGIssYC1a0hwH_BeCzkjbuVAyaZrI_ltA7k1fBc7J6dMhSWk7D56edDy63ZnQmxL0hP7nSJj6HaSehnRMPysRuOZ-XpGpjDWr_BRz-ayj_g4xPr8A3EDsqg" /> <link rel="stylesheet" media="all" href="/sites/default/files/css/css_bP7oRBuA1gvuedJLGpkU3_MXm8bmvffZSwHXFMoq2ZA.css?delta=1&amp;language=en&amp;theme=particle&amp;include=eJx1UVtqxDAMvNBqTelPb7PIjpKYOJKR5KV7-zqlNE6hf9ZoxDxc6yO_fXAoyEvDhWAip-Sit1ofO-pGLmFvnNYt84EZoaY1NM_FjtlX2im4SImoN3uZ0x4iGt0qqudUKCRRGqgYGWPMvJyMRWQpBLOw24nOIk4Kz_eBWMQM9QUs00WBndih9gR6wivhdNGJ2pGkbY_fMrgo1tXCpK1iuZ_IvXFtsWRbaRpUHCEi8yjRDUUsQKVHu5i3imlwGIssYC1a0hwH_BeCzkjbuVAyaZrI_ltA7k1fBc7J6dMhSWk7D56edDy63ZnQmxL0hP7nSJj6HaSehnRMPysRuOZ-XpGpjDWr_BRz-ayj_g4xPr8A3EDsqg" /> <script src="/sites/default/files/js/js_Wi8RdyzDF-uwGcwq9eMv1Giiu7RfMo7nYneG5kg6rd4.js?scope=header&amp;delta=0&amp;language=en&amp;theme=particle&amp;include=eJx1UVtqxDAMvNBqTelPb7PIjpKYOJKR5KV7-zqlNE6hf9ZoxDxc6yO_fXAoyEvDhWAip-Sit1ofO-pGLmFvnNYt84EZoaY1NM_FjtlX2im4SImoN3uZ0x4iGt0qqudUKCRRGqgYGWPMvJyMRWQpBLOw24nOIk4Kz_eBWMQM9QUs00WBndih9gR6wivhdNGJ2pGkbY_fMrgo1tXCpK1iuZ_IvXFtsWRbaRpUHCEi8yjRDUUsQKVHu5i3imlwGIssYC1a0hwH_BeCzkjbuVAyaZrI_ltA7k1fBc7J6dMhSWk7D56edDy63ZnQmxL0hP7nSJj6HaSehnRMPysRuOZ-XpGpjDWr_BRz-ayj_g4xPr8A3EDsqg"></script> </head> <body class="path-node"> <a href="#main-content" class="visually-hidden focusable"> Skip to main content </a> <div class="limit-width-wrapper"> <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas> <div class="header-nav__spacer"></div> <div class="header-nav js-is-top"> <div class="header-nav__extra"> <div class="header-nav__extra-wrap"> <div class="header-nav__top-language" data-open="content:x_lng"> <span>English (Americas)</span> </div> <div class="header-nav__actions"> <div class="header-nav__top-search" data-open="content:x_sch"> <span>Search</span> </div> <div class="header-nav__top-login" data-open="content:x_lgn"> <span>Login</span> </div> </div> </div> </div> <div class="header-nav__main"> <div class="header-nav__main-wrap"> <div class="header-nav__expand" data-open="home"></div> <ul class="header-nav__top-links"> <li class="header-nav__top-link"> <div data-open="content:platform_panel" class="header-nav__top-link-text"> Platform </div> </li> <li class="header-nav__top-link"> <div data-open="content:products_panel" class="header-nav__top-link-text"> Products </div> </li> <li class="header-nav__top-link"> <div data-open="content:solutions_panel" class="header-nav__top-link-text"> Solutions </div> </li> </ul> <a href="/us" class="header-nav__logo">Proofpoint</a> <div class="header-nav__buttons"> <a href=/us/contact class="global-elements__cta-button--outline header-nav__button" > <span>Contact</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> </div> <div class="header-nav__mobile-actions"> <div class="header-nav__mobile-search" data-open="content:x_sch">Search</div> <div class="header-nav__mobile-menu" data-open="home"></div> </div> </div> </div> </div> <div class="header-nav__menu"> <div class="header-nav__menu-wrapper"> <div class="header-nav__menu-close"></div> <div class="header-nav__menu-pane" data-home={true}> <ul class="header-nav__home-links"> <li class="header-nav__home-link" data-open="content:platform_panel" ><span>Platform</span></li> <li class="header-nav__home-link" data-open="content:products_panel" ><span>Products</span></li> <li class="header-nav__home-link" data-open="content:solutions_panel" ><span>Solutions</span></li> <li class="header-nav__home-link" data-open="content:partners_panel" ><span>Partners</span></li> <li class="header-nav__home-link" data-open="content:resources_panel" ><span>Resources</span></li> <li class="header-nav__home-link" data-open="content:company_panel" ><span>Company</span></li> </ul> <div class="header-nav__menu-extras"> <div class="header-nav__menu-search" data-open="content:x_sch">Search</div> <div class="header-nav__menu-login" data-open="content:x_lgn">Login</div> <div class="header-nav__menu-language" data-open="content:x_lng">English (Americas)</div> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Platform"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Platform</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Products"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Products</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Solutions"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Solutions</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Partners"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Partners</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Resources"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Resources</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-sublinks="Company"> <div class="header-nav__sublinks"> <div class="header-nav__expand-title">Company</div> <ul class="header-nav__expand-links"> </ul> </div> </div> <div class="header-nav__menu-pane" data-content="products_panel"> <div class="header-nav__content"> <a href="/us/products/protect-people" class="header-nav__content-link-group-anchor"> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Protect People</div> <div class="header-nav__content-group-desc">Multi-layered, adaptive defenses for threat detection, impersonation, and supplier risk.</div> </div> </a> <div class="header-nav__content-link"> <a href="/us/products/threat-defense" class="header-nav__content-link-text">Email Security</a> </div> <div class="header-nav__content-link"> <a href="/us/products/impersonation-protection" class="header-nav__content-link-text">Impersonation Protection</a> </div> <div class="header-nav__content-link"> <a href="#" class="header-nav__content-link-text" data-open="content:products_more_tp_products_panel">More products</a> </div> <a href="/us/products/defend-data" class="header-nav__content-link-group-anchor"> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Defend Data</div> <div class="header-nav__content-group-desc">Transform your information protection with a human-centric, omni-channel approach.</div> </div> </a> <div class="header-nav__content-link"> <a href="/us/products/data-loss-prevention" class="header-nav__content-link-text">Enterprise DLP</a> </div> <div class="header-nav__content-link"> <a href="/us/products/adaptive-email-dlp" class="header-nav__content-link-text">Adaptive Email DLP</a> </div> <div class="header-nav__content-link"> <a href="/us/products/insider-threat-management" class="header-nav__content-link-text">Insider Threat Management</a> </div> <div class="header-nav__content-link"> <a href="/us/products/compliance-and-archiving" class="header-nav__content-link-text">Intelligent Compliance</a> </div> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Mitigate Human Risk</div> <div class="header-nav__content-group-desc">Unlock full user risk visibility and drive behavior change.</div> </div> <div class="header-nav__content-link"> <a href="/us/products/mitigate-human-risk" class="header-nav__content-link-text">Security Awareness</a> </div> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Augment Your Capabilities</div> </div> <div class="header-nav__content-link"> <a href="/us/products/premium-services" class="header-nav__content-link-text">Managed Services</a> </div> <div class="header-nav__content-link"> <a href="/us/products/packages" class="header-nav__content-link-text">Product Packages</a> </div> <div class="header-nav__content-link-spacer"></div> </div> </div> <div class="header-nav__menu-pane" data-content="products_more_tp_products_panel"> <div class="header-nav__content"> <div class="header-nav__content-heading">More Protect People Products</div> <div class="header-nav__content-link"> <a href="/us/products/identity-protection" class="header-nav__content-link-text">Account Take-Over and Identity Protection</a> <div class="header-nav__content-link-desc">Secure vulnerable identities, stop lateral movement and privilege escalation.</div> </div> <div class="header-nav__content-link"> <a href="/us/products/adaptive-email-security" class="header-nav__content-link-text">Adaptive Email Security</a> <div class="header-nav__content-link-desc">Stop more threats with a fully integrated layer of behavioral AI.</div> </div> <div class="header-nav__content-link"> <a href="/us/products/email-security-and-protection/secure-email-relay" class="header-nav__content-link-text">Secure Email Relay</a> <div class="header-nav__content-link-desc">Secure your application email and accelerate DMARC implementation</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="solutions_panel"> <div class="header-nav__content"> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Solutions by Use Case</div> <div class="header-nav__content-group-desc">How Proofpoint protects your people and data.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/email-authentication-with-dmarc" class="header-nav__content-link-text">Authenticate Your Email</a> <div class="header-nav__content-link-desc">Protect your email deliverability with DMARC.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/combat-email-and-cloud-threats" class="header-nav__content-link-text">Combat Email and Cloud Threats</a> <div class="header-nav__content-link-desc">Protect your people from email and cloud threats with an intelligent and holistic approach.</div> </div> <div class="header-nav__content-link"> <a href="#" class="header-nav__content-link-text" data-open="content:solutions_by_use_case_panel">More use cases</a> </div> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Solutions by Industry</div> <div class="header-nav__content-group-desc">People-centric solutions for your organization.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/federal" class="header-nav__content-link-text">Federal Government</a> <div class="header-nav__content-link-desc">Cybersecurity for federal government agencies.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/state-and-local-government" class="header-nav__content-link-text">State and Local Government</a> <div class="header-nav__content-link-desc">Protecting the public sector, and the public from cyber threats.</div> </div> <div class="header-nav__content-link"> <a href="#" class="header-nav__content-link-text" data-open="content:solutions_by_industry_panel">More industries</a> </div> <a href="/us/compare" class="header-nav__content-link-group-anchor"> <div class="header-nav__content-link-group"> <div class="header-nav__content-group-title">Comparing Proofpoint</div> <div class="header-nav__content-group-desc">Evaluating cybersecurity vendors? Check out our side-by-side comparisons.</div> </div> </a> <div class="header-nav__content-link"> <a href="#" class="header-nav__content-link-text" data-open="content:compare_proofpoint_panel">View comparisons</a> </div> </div> </div> <div class="header-nav__menu-pane" data-content="solutions_by_use_case_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Solutions By Use Case</h3> <div class="header-nav__content-heading">How Proofpoint protects your people and data.</div> <div class="header-nav__content-link"> <a href="/us/solutions/change-user-behavior" class="header-nav__content-link-text">Change User Behavior</a> <div class="header-nav__content-link-desc">Help your employees identify, resist and report attacks before the damage is done.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/combat-data-loss-and-insider-risk" class="header-nav__content-link-text">Combat Data Loss and Insider Risk</a> <div class="header-nav__content-link-desc">Prevent data loss via negligent, compromised and malicious insiders.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/enable-intelligent-compliance" class="header-nav__content-link-text">Modernize Compliance and Archiving</a> <div class="header-nav__content-link-desc">Manage risk and data retention needs with a modern compliance and archiving solution.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/protect-cloud-apps" class="header-nav__content-link-text">Protect Cloud Apps</a> <div class="header-nav__content-link-desc">Keep your people and their cloud apps secure by eliminating threats and data loss.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/prevent-loss-from-ransomware" class="header-nav__content-link-text">Prevent Loss from Ransomware</a> <div class="header-nav__content-link-desc">Learn about this growing threat and stop attacks by securing ransomware&#039;s top vector: email.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/secure-microsoft-365" class="header-nav__content-link-text">Secure Microsoft 365</a> <div class="header-nav__content-link-desc">Implement the best security and compliance solution for Microsoft 365.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="solutions_by_industry_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Solutions By Industry</h3> <div class="header-nav__content-heading">People-centric solutions for your organization.</div> <div class="header-nav__content-link"> <a href="/us/solutions/higher-education-security" class="header-nav__content-link-text">Higher Education</a> <div class="header-nav__content-link-desc">A higher level of security for higher education.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/financial-services-and-insurance" class="header-nav__content-link-text">Financial Services</a> <div class="header-nav__content-link-desc">Eliminate threats, build trust and foster growth for your organization.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/healthcare-information-security" class="header-nav__content-link-text">Healthcare</a> <div class="header-nav__content-link-desc">Protect clinicians, patient data, and your intellectual property against advanced threats.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/mobile-message-security-solutions-for-service-providers" class="header-nav__content-link-text">Mobile Operators</a> <div class="header-nav__content-link-desc">Make your messaging environment a secure environment.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/email-security-solutions-for-service-providers" class="header-nav__content-link-text">Internet Service Providers</a> <div class="header-nav__content-link-desc">Cloudmark email protection.</div> </div> <div class="header-nav__content-link"> <a href="/us/solutions/protection-compliance-small-business" class="header-nav__content-link-text">Small and Medium Businesses</a> <div class="header-nav__content-link-desc">Big-time security for small business.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="compare_proofpoint_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Proofpoint vs. the competition</h3> <div class="header-nav__content-heading">Side-by-side comparisons.</div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-abnormal-security" class="header-nav__content-link-text">Proofpoint vs. Abnormal Security</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-mimecast" class="header-nav__content-link-text">Proofpoint vs. Mimecast</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-cisco" class="header-nav__content-link-text">Proofpoint vs. Cisco</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-microsoft" class="header-nav__content-link-text">Proofpoint vs Microsoft</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-microsoft-purview" class="header-nav__content-link-text">Proofpoint vs. Microsoft Purview</a> </div> <div class="header-nav__content-link"> <a href="/us/compare/proofpoint-vs-legacy-dlp" class="header-nav__content-link-text">Proofpoint vs. Legacy DLP</a> </div> </div> </div> <div class="header-nav__menu-pane" data-content="partners_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Partners</h3> <div class="header-nav__content-heading">Deliver Proofpoint solutions to your customers.</div> <a href=https://partners.proofpoint.com class="global-elements__cta-button header-nav__content-button" > <span>Channel Partners</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <div class="header-nav__content-link"> <a href="/us/partners/trusted-data-solutions-partnership" class="header-nav__content-link-text">Archive Extraction Partners</a> <div class="header-nav__content-link-desc">Learn about Extraction Partners.</div> </div> <div class="header-nav__content-link"> <a href="/us/global-system-integrator-gsi-and-global-managed-service-provider-msp-partners" class="header-nav__content-link-text">GSI and MSP Partners</a> <div class="header-nav__content-link-desc">Learn about our global consulting.</div> </div> <div class="header-nav__content-link"> <a href="/us/partners/technology-alliance-partners" class="header-nav__content-link-text">Technology and Alliance Partners</a> <div class="header-nav__content-link-desc">Learn about our relationships.</div> </div> <div class="header-nav__content-link"> <a href="/us/partners/digital-risk-and-compliance-partners" class="header-nav__content-link-text">Social Media Protection Partners</a> <div class="header-nav__content-link-desc">Learn about the technology and....</div> </div> <div class="header-nav__content-link"> <a href="/us/channel-partners-small-and-medium-business" class="header-nav__content-link-text">Proofpoint Essentials Partner Programs</a> <div class="header-nav__content-link-desc">Small Business Solutions .</div> </div> <div class="header-nav__content-link"> <a href="https://partners.proofpoint.com/prm/English/s/applicant" class="header-nav__content-link-text">Become a Channel Partner</a> </div> </div> </div> <div class="header-nav__menu-pane" data-content="resources_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Resources</h3> <div class="header-nav__content-heading">Find reports, webinars, blogs, events, podcasts and more.</div> <a href=/us/resources class="global-elements__cta-button header-nav__content-button" > <span>Resource Library</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <div class="header-nav__content-link"> <a href="/us/blog" class="header-nav__content-link-text">Blog</a> <div class="header-nav__content-link-desc">Keep up with the latest news and happenings.</div> </div> <div class="header-nav__content-link"> <a href="/us/webinars" class="header-nav__content-link-text">Webinars</a> <div class="header-nav__content-link-desc">Browse our webinar library to learn about the latest threats, trends and issues in cybersecurity.</div> </div> <div class="header-nav__content-link"> <a href="/us/cybersecurity-academy" class="header-nav__content-link-text">Cybersecurity Academy</a> <div class="header-nav__content-link-desc">Earn your certification to become a Proofpoint Certified Guardian.</div> </div> <div class="header-nav__content-link"> <a href="/us/podcasts" class="header-nav__content-link-text">Podcasts</a> <div class="header-nav__content-link-desc">Learn about the human side of cybersecurity.</div> </div> <div class="header-nav__content-link"> <a href="/us/new-perimeters" class="header-nav__content-link-text">New Perimeters Magazine</a> <div class="header-nav__content-link-desc">Get the latest cybersecurity insights in your hands.</div> </div> <div class="header-nav__content-link"> <a href="/us/threat-reference" class="header-nav__content-link-text">Threat Glossary</a> <div class="header-nav__content-link-desc">Learn about the latest security threats.</div> </div> <div class="header-nav__content-link"> <a href="/us/events" class="header-nav__content-link-text">Events</a> <div class="header-nav__content-link-desc">Connect with us at events to learn how to protect your people and data from ever-evolving threats.</div> </div> <div class="header-nav__content-link"> <a href="/us/customer-stories" class="header-nav__content-link-text">Customer Stories</a> <div class="header-nav__content-link-desc">Read how our customers solve their most pressing cybersecurity challenges.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="company_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Company</h3> <div class="header-nav__content-heading">Proofpoint protects organizations' greatest assets and biggest risks: their people.</div> <a href=/us/company/about class="global-elements__cta-button header-nav__content-button" > <span>About Proofpoint</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <div class="header-nav__content-link"> <a href="/us/why-proofpoint" class="header-nav__content-link-text">Why Proofpoint</a> <div class="header-nav__content-link-desc">Learn about our unique people-centric approach to protection.</div> </div> <div class="header-nav__content-link"> <a href="/us/company/careers" class="header-nav__content-link-text">Careers</a> <div class="header-nav__content-link-desc">Stand out and make a difference at one of the world&#039;s leading cybersecurity companies.</div> </div> <div class="header-nav__content-link"> <a href="/us/newsroom" class="header-nav__content-link-text">News Center</a> <div class="header-nav__content-link-desc">Read the latest press releases, news stories and media highlights about Proofpoint.</div> </div> <div class="header-nav__content-link"> <a href="/us/legal/trust" class="header-nav__content-link-text">Privacy and Trust</a> <div class="header-nav__content-link-desc">Learn about how we handle data and make commitments to privacy and other regulations.</div> </div> <div class="header-nav__content-link"> <a href="/us/legal/esg" class="header-nav__content-link-text">Environmental, Social, and Governance</a> <div class="header-nav__content-link-desc">Learn how we apply our principles to positively impact our community.</div> </div> <div class="header-nav__content-link"> <a href="/us/support-services" class="header-nav__content-link-text">Support</a> <div class="header-nav__content-link-desc">Access the full range of Proofpoint support services.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="platform_panel"> <div class="header-nav__content"> <h3 class="header-nav__content-title">Platform</h3> <div class="header-nav__content-heading">Discover the Proofpoint human-centric platform.</div> <a href=/us/platform class="global-elements__cta-button header-nav__content-button" > <span>Learn More</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <div class="header-nav__content-link"> <a href="/us/platform/nexus" class="header-nav__content-link-text">Proofpoint Nexus</a> <div class="header-nav__content-link-desc">Detection technologies to protect people and defend data.</div> </div> <div class="header-nav__content-link"> <a href="/us/platform/zen" class="header-nav__content-link-text">Proofpoint Zen</a> <div class="header-nav__content-link-desc">Protect and engage users wherever they work.</div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="x_sch"> <div class="header-nav__content"> <div class="header-nav__content-title--search"> Search Proofpoint </div> <div class="header-nav__search"> <form class="header-nav__search-form"> <input type="text" class="header-nav__search-input" placeholder=""> <input type="submit" class="header-nav__search-button" val="Search"> </form> <div class="header-nav__search-sugg-title">Try searching for</div> <div class="header-nav__search-suggestions"> <a href="/us/search?content%5Bquery%5D=Email%20Security" class="header-nav__search-suggestion">Email Security</a> <a href="/us/search?content%5Bquery%5D=Phishing" class="header-nav__search-suggestion">Phishing</a> <a href="/us/search?content%5Bquery%5D=DLP" class="header-nav__search-suggestion">DLP</a> <a href="/us/search?content%5Bquery%5D=Email%20Fraud" class="header-nav__search-suggestion">Email Fraud</a> </div> </div> </div> </div> <div class="header-nav__menu-pane" data-content="x_lgn"> <div class="header-nav__content"> <div class="header-nav__content-title"> Select Product Login </div> <ul class="header-nav__logins"> <li class="header-nav__content-login"> <a href="https://proofpoint.my.site.com/community/s/" target="_blank">Support Log-in</a> </li> <li class="header-nav__content-login"> <a href="https://proofpointcybersecurityacademy.adobelearningmanager.com" target="_blank">Proofpoint Cybersecurity Academy</a> </li> <li class="header-nav__content-login"> <a href="https://digitalrisk.proofpoint.com/" target="_blank">Digital Risk Portal</a> </li> <li class="header-nav__content-login"> <a href="https://emaildefense.proofpoint.com/login.php" target="_blank">Email Fraud Defense</a> </li> <li class="header-nav__content-login"> <a href="https://threatintel.proofpoint.com/" target="_blank">ET Intelligence</a> </li> <li class="header-nav__content-login"> <a href="https://us1.proofpointessentials.com/app/login.php" target="_blank">Proofpoint Essentials</a> </li> <li class="header-nav__content-login"> <a href="https://proofpointcommunities.force.com/community" target="_blank">Sendmail Support Log-in</a> </li> </ul> </div> </div> <div class="header-nav__menu-pane" data-content="x_lng"> <div class="header-nav__content"> <div class="header-nav__content-title"> Select Language </div> <ul class="header-nav__language-links"> <li class="header-nav__language-link"> <a href="/us">English (Americas)</a> </li> <li class="header-nav__language-link"> <a href="/uk">English (Europe, Middle East, Africa)</a> </li> <li class="header-nav__language-link"> <a href="/au">English (Asia-Pacific)</a> </li> <li class="header-nav__language-link"> <a href="/es">Español</a> </li> <li class="header-nav__language-link"> <a href="/de">Deutsch</a> </li> <li class="header-nav__language-link"> <a href="/fr">Français</a> </li> <li class="header-nav__language-link"> <a href="/it">Italiano</a> </li> <li class="header-nav__language-link"> <a href="/br">Português</a> </li> <li class="header-nav__language-link"> <a href="/jp">日本語</a> </li> <li class="header-nav__language-link"> <a href="/kr">한국어</a> </li> </ul> </div> </div> </div> </div> <div class="layout-container"> <div> <div data-drupal-messages-fallback class="hidden"></div> </div> <main class="container" role="main"> <a id="main-content" tabindex="-1"></a> <section class="row"> <div class="layout-content"> <div> <div id="block-particle-content"> <article about="/us/threat-reference/insider-threat" class="node--type--glossary node--view-mode--full node node-glossary-full"> <script type="application/ld+json"> { "@context": "https://schema.org/", "@type": "DefinedTerm", "name": "What Is an Insider Threat?", "description": "Definition of an Insider Insider Threat Patterns Who Are Your Insiders? Insider Threat Statistics Who Is at Risk of Insider Threats? What Advantages Do Insider Threats Have Over Others? What Is Not Considered an Insider Threat? What Are the Characteristics of an Insider Threat? Examples of Insider Threats Insider Risk vs. Insider Threat Identifying the Types of Insider Threats How to Detect Malicious Insiders How to Stop Insider Threats How Proofpoint Can Help Insider Threats FAQs", "url": "https://www.proofpoint.com/us/threat-reference/insider-threat", "inDefinedTermSet": "https://www.proofpoint.com/us/threat-reference" } </script> <div class="glossary-content__breadcrumbs"> <div class="breadcrumbs"><div class="nav-crumbs"><div class="breadcrumb__item"><a href="/us/threat-reference" class="breadcrum__item-link">Glossary</a></div><div class="breadcrumb__item"> What Is an Insider Threat? </div></div></div> </div> <div class="glossary-content__hero"> <div class="paragraph paragraph--type--hero-banner-v3 paragraph--view-mode--default hero-banner-v3" style="background-image: url(&quot;/sites/default/files/styles/webp_conversion/public/general-banners/pfpt-placeholder-banner-2022.png.webp?itok=E050rqaL&quot;)"> <div class="hero-banner-v3__wrapper hero-banner-v3__wrapper-default"> <h1 class="hero-banner-v3__title"> What Is an Insider Threat? </h1> <a href=/us/learn-more/itm-free-trial class="global-elements__cta-button--white" target="" > <span>Request a Free Trial</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> <a href=/us/resources/threat-reports/cost-of-insider-threats class="global-elements__cta-button" target="" > <span>The Cost of Insider Threats</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> </div> </div> </div> <div class="glossary-content"> <h3 class="glossary-content__headline"> Table of Contents </h3> <div class="node-full__body glossary-content__body"> <div style="display: flex; flex-wrap: wrap; margin: 25px 0;"> <ul style="margin: 0; width: 400px;"> <li><a href="#toc-1">Definition of an Insider</a></li> <li><a href="#toc-2">Insider Threat Patterns</a></li> <li><a href="#toc-3">Who Are Your Insiders?</a></li> <li><a href="#toc-4">Insider Threat Statistics</a></li> <li><a href="#toc-5">Who Is at Risk of Insider Threats?</a></li> <li><a href="#toc-6">What Advantages Do Insider Threats Have Over Others?</a></li> <li><a href="#toc-7">What Is Not Considered an Insider Threat?</a></li> <li><a href="#toc-8">What Are the Characteristics of an Insider Threat?</a></li> </ul> <ul style="margin: 0; width: 400px;"> <li><a href="#toc-9">Examples of Insider Threats</a></li> <li><a href="#toc-10">Insider Risk vs. Insider Threat</a></li> <li><a href="#toc-11">Identifying the Types of Insider Threats</a></li> <li><a href="#toc-12">How to Detect Malicious Insiders</a></li> <li><a href="#toc-13">How to Stop Insider Threats</a></li> <li><a href="#toc-14">How Proofpoint Can Help</a></li> <li><a href="#toc-15">Insider Threats FAQs</a></li> </ul> </div> </div> </div> <div class="glossary__components"> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <div class="block-text-cols__body"> <p>An insider threat can happen when someone close to an organization with authorized access misuses that access to negatively impact the organization’s critical information or systems. This person does not necessarily need to be an employee—third-party vendors, contractors, and partners could also pose a threat. Insider threats can be unintentional or malicious, depending on the threat’s intent. Unintentional insider threats can arise from a negligent employee falling victim to a phishing attack. Examples of malicious threats include intentional <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="e939cb11-b7ad-40a6-b722-d16e902ff6af" href="/us/threat-reference/data-theft" title="Data Theft">data theft</a>, corporate espionage, or data destruction.</p> <p>&nbsp;</p> <p><iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen frameborder="0" height="315" src="https://www.youtube.com/embed/rPdM92dhYm4" title="YouTube video player" width="560"></iframe></p> <p>&nbsp;</p> <p>Your biggest asset is also your biggest risk and the root cause of insider threats: people. Yet most security tools only analyze computer, network, or system data.</p> <p>Threats can come from any organizational level and from anyone with access to proprietary data. In fact, 25% of all security incidents involve insiders.^[1]</p> <p>Recent <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="cc110d3e-5095-4b11-9ee1-d8691798a9e2" href="/us/resources/threat-reports/cost-of-insider-threats" title="2022 Ponemon Cost of Insider Threats Global Report">insider threat statistics</a> reveal that 69% of respondents say their organizations have experienced an attempted or successful threat or corruption of data in the last 12 months.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <div class="paragraph paragraph--type--free-trial-panel paragraph--view-mode--full free-trial-panel free-trial-panel--black v3-dark-bg-only free-trial-panel--no-img"> <div class="free-trial-panel__wrapper"> <div class="free-trial-panel__content"> <div class="free-trial-panel__heading"> <h3>Cybersecurity Education and Training Begins Here</h3> </div> <a href=# class="global-elements__cta-button--white free-trial-panel__action-btn" > <span>Start a Free Trial</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> </div> </div> <div class="free-trial-panel-form"> <div class="paragraph paragraph--type--marketo-form paragraph--view-mode--default marketo-form UNCONVERTED"> <div class="marketo-form__content"> <h2>Here’s how your free trial works:</h2> <ul> <li>Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure</li> <li>Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days</li> <li>Experience our technology in action!</li> <li>Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks</li> </ul> <p>Fill out this form to request a meeting with our cybersecurity experts.</p> </div> <div class="marketo-form__form-container"> <div class="mk-form"> <div class="mk-form__form-container"> <script type="IN/Form2" data-data-form="mktoForm_3331" data-field-firstname="FirstName" data-field-lastname="LastName" data-field-email="Email" data-field-company="Company" data-field-title="Title" data-field-state="State" data-field-country="Country" ></script> <form id="mktoForm_3331" data-mkto-id="3331" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label="" data-lang-code="us" data-validate-email="1" class="mk-form__form marketo-form-block__form" ></form> </div> </div> <div class="mk-form__success"> <p>Thank you for your submission.</p> </div> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__md"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-1"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">Definition of an Insider</h3> <div class="block-text-cols__body"> <p>An insider is a current or former employee, contractor, or business partner who has or has had authorized access to the organization’s network, systems, or data. Examples of an insider may include:</p> <ul> <li>A person given a badge or access device.</li> <li>A person to whom the organization supplied a computer or network access.</li> <li>A person who develops products and services.</li> <li>A person who is knowledgeable about the organization’s fundamentals.</li> <li>A person with access to protected information.</li> </ul> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-2"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">Insider Threat Patterns</h3> <div class="block-text-cols__body"> <p>Insider threats pose a significant risk to organizations, as they often involve individuals with authorized access who misuse that access to harm the organization’s critical information or systems. To effectively detect and mitigate insider threats, understanding the behavior patterns and technical indicators associated with them is essential.</p> <h4>Behavior Patterns</h4> <p>Sophisticated intrusion detection systems and monitoring applications analyze network traffic and user behavior patterns to identify potential insider threats. Some common behavior patterns associated with insider threats include:</p> <ul> <li>Frequently violates data protection and compliance rules.</li> <li>In constant conflict with other employees.</li> <li>Consistently receives low-performance reports.</li> <li>Uninterested in projects or other job-related assignments.</li> <li>Misuses travel and expenses.</li> <li>Interested in other projects that don’t involve them.</li> <li>Uses sick leave frequently.</li> </ul> <p>These behavior patterns can indicate malicious intent or negligence on the part of the insider.</p> <h4>Technical Indicators</h4> <p>In addition to behavior patterns, technical indicators can help detect insider threats and data theft. Some common technical indicators include:</p> <ul> <li><strong>Unusual data movement</strong>: Excessive spikes in data downloads, sending large amounts of data outside the company, and using tools like Airdrop to transfer files can be signs of an insider threat.</li> <li><strong>Use of unsanctioned software and hardware</strong>: Negligent or malicious insiders may install unapproved tools to simplify data exfiltration or bypass security controls. This “shadow IT” creates security gaps.</li> <li><strong>Increased requests for escalated privileges or permissions</strong>: When an increasing number of people request access to sensitive information, it raises the risk of insider threats, whether from malicious intent or accidental exposure.</li> <li><strong>Access to information unrelated to their job function</strong>: If an employee attempts to access data not pertinent to their role, it could be a sign of an insider threat.</li> <li><strong>Renamed files where the file extension doesn’t match the content</strong>: Malicious insiders may try to mask data exfiltration by renaming files to hide their actual content.</li> <li><strong>Abnormal access times outside regular business hours</strong>: Unusually timed logins and activity at odd hours can help detect potential insider threats.</li> <li><strong>Unusual logon activity accessing credentials such as multiple sessions</strong>: Suspicious credential usage patterns can indicate an insider threat. Additionally, changing passwords can also signal unusual activity.</li> <li><strong>Unknown locations accessing resources</strong>: Logins from unfamiliar locations may signal an insider threat.</li> </ul> <p>These technical indicators can be used with behavior patterns to identify potential insider threats and mitigate the associated risks. By understanding and monitoring these behavior patterns and technical indicators, organizations can better detect and respond to insider threats, ultimately safeguarding their critical information and systems.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-3"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">Who Are Your Insiders?</h3> <div class="block-text-cols__body"> <p>An insider is anyone within your organization’s network. Most organizations understand this to mean that an insider is an employee, but insider threats can also come from third parties.</p> <p>Insiders include:</p> <ul> <li>High-privileged users such as network administrators, executives, partners, and other users with permissions across sensitive data.</li> <li>Developers with access to data using a development or staging environment.</li> <li>Resigned or terminated employees with enabled profiles and credentials.</li> <li>Acquisition managers and employees.</li> <li>Vendors with internal access.</li> <li>Contractors with internal access.</li> <li>Partners with internal access.</li> </ul> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-4"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">Insider Threat Statistics</h3> <div class="block-text-cols__body"> <ul> <li>One-third of all organizations have faced an insider threat incident.^[2]</li> <li>50% of incidents where private or sensitive information was unintentionally exposed.^[3]</li> <li>40% of incidents where employee records were compromised or stolen.^[3]</li> <li>33% of incidents where customer records were compromised or stolen.^[3]</li> <li>32% of incidents where confidential records (trade secrets or intellectual property) were compromised or stolen.^[3]</li> </ul> </div> </div> </div> </div> <div class="paragraph paragraph--type--text-onecol-centered paragraph--view-mode--full text-onecol-centered text-onecol-centered--large"> <div class="text-onecol-centered__body"> <p><strong>Decrease your risk immediately with advanced insider threat detection and prevention.</strong></p> </div> <div class="text-onecol-centered__link"> <a href=/us/learn-more/itm-free-trial class="global-elements__cta-button" > <span>Test Drive Proofpoint Insider Threat Management for Free</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-5"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">Who Is at Risk of Insider Threats?</h3> <div class="block-text-cols__body"> <p>Every organization is at risk of insider threats, but specific industries obtain and store more sensitive data. These organizations are more at risk of hefty fines and significant brand damage after theft. Larger organizations risk losing large quantities of data that could be sold off on darknet markets. An insider threat could sell intellectual property, trade secrets, customer data, employee information and more. Industries that store more valuable information are at a higher risk of becoming victims.</p> <p>A few common industries at high risk of insider threats include:</p> <ul> <li>Financial Services</li> <li>Telecommunications</li> <li>Technical Services</li> <li>Healthcare</li> <li>Government</li> </ul> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-6"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">What Advantages Do Insider Threats Have Over Others?</h3> <div class="block-text-cols__body"> <p>Insider threats—employees or users with legitimate access to data—are difficult to detect. These threats have the advantage of legitimate access, so they do not need to bypass firewalls, access policies, and cybersecurity infrastructure to gain access to data and steal it.</p> <p>Malicious, high-privilege users can cause the most devastating insider attacks by stealing data with minimal detection. Keep in mind that these users are not always employees. They can be vendors, contractors, partners, and other users with high-level access across all sensitive data.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-7"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">What Is Not Considered an Insider Threat?</h3> <div class="block-text-cols__body"> <p>Corporations spend thousands to build infrastructure to detect and block external threats. These threats are not considered insiders even if they bypass cybersecurity blocks and access internal network data. Insider threats are specific trusted users with legitimate access to the internal network. They have legitimate credentials, and administrators provide them with access policies to work with necessary data. These users do not need sophisticated malware or tools to access data because they are trusted employees, vendors, contractors, and executives.</p> <p>Any attack that originates from an untrusted, external, and unknown source is not considered an insider threat. Insider threats require sophisticated monitoring and logging tools so that any suspicious traffic behaviors can be detected. Older, traditional ways of managing users were to blindly trust them, but a <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="c7aca24b-92f6-4db3-a801-6c7f3516fd0f" href="/us/threat-reference/zero-trust" title="Zero Trust">zero-trust network</a> is the latest cybersecurity strategy, along with <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="2fe775d9-f38e-42df-bb63-7c231e61425b" href="/us/products/data-loss-prevention" title="Stop Data Loss">data loss prevention (DLP) solutions</a>. These frameworks require administrators and policy creators to consider all users and internal applications as potential threats.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-8"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">What Are the Characteristics of an Insider Threat?</h3> <div class="block-text-cols__body"> <p>An external threat is typically motivated financially to steal data, extort money, and potentially sell stolen data on darknet markets. While insider threats could share this motivation, it’s more likely that an insider will unintentionally fall for a sophisticated phishing or social engineering attack. In the case of a malicious threat actor, a common goal is to harm the organization by data theft.</p> <p>Insider threats come in many forms, making the warning signs difficult to identify. The most common underlying characteristics of modern insider threats include:</p> <ul> <li><strong>Authorized access</strong>: An insider threat is someone with legitimate access to an organization’s systems, data, or facilities, such as an employee, contractor, vendor, or partner.</li> <li><strong>Malicious intent or negligence</strong>: Insider threats can be malicious, where the individual intentionally misuses their access to harm the organization, or negligent, where the individual unintentionally exposes the organization to risk through careless actions.</li> <li><strong>Difficult to detect</strong>: Insider threats are challenging to detect because the individual already has authorized access, making it hard for security controls to distinguish normal from harmful activity.</li> <li><strong>Strong motivation</strong>: Malicious insiders often have a strong personal motive, such as revenge, financial gain, or espionage, that drives them to misuse their access.</li> <li><strong>Varied tactics</strong>: Insider threats can employ a range of tactics, from data exfiltration and sabotage to credential theft and privilege escalation, to achieve their goals.</li> <li><strong>Increased risk in certain industries</strong>: Sectors like healthcare, finance, manufacturing, and government are at heightened risk of insider threats due to the sensitive nature of their data and operations.</li> </ul> <p>Because users generally have legitimate access to files and data, good insider threat detection looks for unusual behavior and access requests and compares this behavior with benchmarked statistics.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-9"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">Examples of Insider Threats</h3> <div class="block-text-cols__body"> <p>Even the most successful and reputable companies are not immune to inside threats. Here are real-world examples of insider threats that have led to significant cybersecurity breaches:</p> <ul> <li><a href="https://www.linkedin.com/pulse/insider-threats-desjardins-banks-data-breach-brett-coffin" rel="noopener" target="_blank"><strong>Desjardins</strong></a>: In 2019, Canada’s largest credit union required users to copy customer data to a shared drive that everyone could use. A malicious insider continued to copy this data for two years, resulting in 9.7 million publicly disclosed customer records. It cost Desjardins $108 million to mitigate the breach.</li> <li><a href="https://www.justice.gov/usao-ndny/pr/former-ge-engineer-sentenced-24-months-conspiring-steal-trade-secrets" rel="noopener" target="_blank"><strong>General Electric</strong></a>: An engineer at General Electric, Jean Patrice Delia, stole over 8,000 sensitive files to start a rival company. The FBI investigated this incident, and Delia was sentenced to up to 87 months in prison.</li> <li><a href="https://www.theverge.com/2023/8/21/23839940/tesla-data-leak-inside-job-handelsblatt" rel="noopener" target="_blank"><strong>Tesla</strong></a>: Two former Tesla employees misappropriated confidential information, including personal information of employees and production secrets, which was then leaked to a German news outlet.</li> <li><a href="https://www.darkreading.com/cyberattacks-data-breaches/suntrust-ex-employee-may-have-stolen-data-on-1-5-million-bank-clients" rel="noopener" target="_blank"><strong>SunTrust Bank</strong></a>: A former SunTrust employee stole 1.5 million names, addresses, phone numbers, and account balances for bank customers. Other sensitive data was not accessed, but it posed a risk to the bank and its customers.</li> <li><a href="https://www.bleepingcomputer.com/news/security/coca-cola-suffers-breach-at-the-hands-of-former-employee/" rel="noopener" target="_blank"><strong>Coca-Cola</strong></a>: An investigator found that a Coca-Cola employee copied the data of about 8,000 employees to a personal external hard drive. After Coca-Cola became aware of the data breach, the organization notified employees and offered free credit monitoring for a year.</li> <li><a href="https://techmonitor.ai/technology/cybersecurity/pegasus-airline-data-breach-aws-bucket" rel="noopener" target="_blank"><strong>Pegasus Airlines</strong></a>: An employee’s negligence at Pegasus Airlines led to the exposure of 23 million files containing personal data due to improper configuration of an AWS bucket. This incident exposed flight charts, navigation materials, and crew personal information.</li> <li><a href="https://www.usatoday.com/story/money/2022/04/06/cash-app-data-breach/9490327002/" rel="noopener" target="_blank"><strong>Cash App</strong></a>: A disgruntled employee leaked Cash App’s customer data. This case highlights the risk posed by employees who may act maliciously due to dissatisfaction or other personal motives.</li> </ul> <p>Inside threats are a much different beast to tame. Organizations with an exceptional cybersecurity posture can still encounter data leaks and breaches with potentially catastrophic outcomes. Although challenging, recognizing indicators and detecting insider threats is critical for organizations with many employees, vendors, and contractors who have access to internal data.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-10"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">Insider Risk vs. Insider Threat</h3> <div class="block-text-cols__body"> <p>Insider risk and insider threat are related concepts in cybersecurity but are distinctly different. Insider risk refers to data exposure events that jeopardize the well-being of a company and its stakeholders, regardless of the user’s intent. It focuses on a broader, more holistic, and data-centric approach to managing or mitigating risks.</p> <p>On the other hand, insider threat is the potential for an insider to use their authorized access, intentionally or unintentionally, to negatively impact the organization.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-11"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">Identifying the Types of Insider Threats</h3> <div class="block-text-cols__body"> <p>Insider threats come from within and are as diverse in their origins as they are in their intentions and methodologies. Here’s a structured breakdown of these varied types:</p> <ul> <li><strong>Malicious insider threats</strong>: Characterized by individuals with authorized access who deliberately seek to harm the organization. These insiders might sell sensitive data to rivals, leak confidential information intentionally, or engage in direct sabotage against company systems.</li> <li><strong>Opportunistic insider threats</strong>: Stemming from employees without initial malintent but who become seduced by opportunity. They may hoard sensitive information during their tenure and choose to exploit it upon departure or at another opportune moment for personal gain or vendetta.</li> <li><strong>Negligent insider threats</strong>: These actions inadvertently compromise security through disregard for protocols. Employees seeking shortcuts might bypass essential safeguards, unintentionally exposing critical assets without malicious intent.</li> <li><strong>Accidental insider threats</strong>: Purely unintended incidents where insiders cause data breaches through mistakes—like sending files to incorrect recipients or misconfiguring databases—highlighting human error without any underlying motive.</li> <li><strong>Compromised insider threats</strong>: Occur when external entities hijack legitimate users’ credentials via phishing scams or malware, thus gaining unauthorized access while masquerading as genuine employees—a deceitful breach executed under false pretenses.</li> <li><strong>Collusive threats</strong>: These threats emerge when insiders collaborate with external entities, such as competitors or cyber criminals, to conduct espionage, intellectual property theft, or facilitate unauthorized access. This collusion can significantly amplify the potential damage by combining insider knowledge with external resources and capabilities.</li> </ul> <p>Understanding these diverse categories of insider threats underscores the imperative for a holistic approach to cybersecurity—one that transcends mere technological fixes and incident response plans. It highlights the critical role of fostering an organizational culture steeped in <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="c932da4d-9d01-49db-9ca2-3b4f646dd7a7" href="/us/threat-reference/security-awareness-training" title="Security Awareness Training">security awareness</a> and vigilance at all levels.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-12"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">How to Detect Malicious Insiders</h3> <div class="block-text-cols__body"> <p>Organizations must implement comprehensive strategies to detect and mitigate malicious insider threats, which can cause significant damage to the organization’s data and reputation. Here are some techniques and tools that can help in detecting and preventing malicious insider threats:</p> <ul> <li><strong>Behavioral analytics</strong>: These tools analyze user behavior patterns to identify anomalies and detect potential insider threats. They can detect if an employee is suddenly accessing unusual files or systems, which may indicate malicious intent.</li> <li><strong>Data loss prevention</strong>: DLP solutions monitor and protect sensitive data by identifying and preventing unauthorized access, transfer, or data leakage. They can help organizations enforce access controls and monitor data movements.</li> <li><strong>Cybersecurity analytics and monitoring solutions</strong>: <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="dca6eac8-b7ac-49fd-a0e6-796e56d81e28" href="/us/threat-reference/cybersecurity-analytics" title="Cybersecurity Analytics">Cybersecurity analytics</a> solutions that send alerts and notifications when users display suspicious activity to help organizations detect and respond to potential insider threats. These solutions also provide real-time visibility into user activities and data movements.</li> <li><strong>User behavior analytics</strong>: <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="0a237cc2-ef19-4ffa-9d15-5c50b049562a" href="/us/threat-reference/user-entity-behavior-analytics-ueba" title="UEBA">UEBA</a> tools analyze user behavior patterns to identify anomalies and detect potential insider threats. They can detect if an employee is suddenly accessing unusual files or systems, which may indicate malicious intent.</li> <li><strong>Machine learning</strong>: ML models can be trained to identify insider threats by analyzing patterns of behavior associated with insider attacks. These models can help organizations detect and respond to potential threats more effectively.</li> <li><strong>Threat hunting</strong>: Proactive threat hunting involves hunting for anomalous insider behavior that may not be detected by security controls alone. This can be done using techniques such as UEBA, ML, and human intelligence to identify potential threats.</li> <li><strong>Insider threat management and security solutions</strong>: <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="770593a0-07e8-4eb1-ba94-b6c5363b3b31" href="/us/products/insider-threat-management" title="Contain Insider Threats">ITM software</a> can help organizations detect and respond to insider threats by monitoring user activities and data movements, identifying abnormal behavior patterns, and automating responses to potential security incidents.</li> <li><strong>Real-time monitoring</strong>: Tracking user activity and data movements in real-time can help organizations detect and respond to potential insider threats more effectively. This can be achieved using solutions that offer customizable alert thresholds to minimize false positives and real-time threat review capabilities.</li> <li><strong>User feedback learning</strong>: Integrating user feedback to refine anomaly detection models can help organizations tailor their threat detection systems to specific organizational needs, improving the accuracy of their insider threat detection efforts.</li> <li><strong>Kill chain detection</strong>: Employing <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="692a87ba-aadc-4cf9-ba44-822ef622abc5" href="/us/threat-reference/cyber-kill-chain" title="Cyber Kill Chain">cyber kill chain</a> detection can help organizations uncover lateral malware movement or insider threat activities, identifying irregular behaviors and command-and-control (C&amp;C) communication.</li> </ul> <p>By implementing these techniques and tools, organizations can improve their ability to detect and respond to malicious insider threats, ultimately reducing the risk of data loss and system compromise.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-13"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">How to Stop Insider Threats</h3> <div class="block-text-cols__body"> <p>Insiders are some of the most challenging threats to pinpoint and prevent, requiring a multifaceted approach. To effectively stop insider threats, organizations should implement a comprehensive security strategy that includes a combination of the following best practices and tools:</p> <ul> <li><strong>Establish a security policy</strong>: Assemble a proactive security policy that includes procedures for detecting and blocking misuse by insiders. Consider including the consequences of potential insider threat activity and outline guidelines for investigating misuse.</li> <li><strong>Implement a threat detection governance program</strong>: Establish an ongoing, proactive threat detection program in collaboration with your leadership team. Ensure executives and key stakeholders are well informed on the scope of malicious code reviews, with privileged users treated as potential threats.</li> <li><strong>Secure your infrastructure</strong>: Restrict physical and logical access to critical infrastructure and sensitive information using strict access controls. Apply least privileged access policies to limit employee access and apply more robust identity verification systems to reduce the risk of insider threats.</li> <li><strong>Map your exposure</strong>: Your organization’s CISO should analyze your internal teams and map each employee’s likelihood of becoming a threat. This analysis shines a spotlight on potential risks and areas for improvement.</li> <li><strong>Use threat modeling</strong>: Apply threat modeling at a large scale to better understand your threat landscape, including threat vectors related to malicious code or vulnerabilities. Identify the type of roles that might compromise a system and how they might access your assets.</li> <li><strong>Set up strong authentication measures</strong>: Use <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="b8d75393-714c-4d80-9662-80f4c02efedc" href="/us/threat-reference/multifactor-authentication" title="Multifactor Authentication">multifactor authentication (MFA)</a> and safe password practices to make it harder for attackers to steal credentials. Passwords should be complex and unique, and MFA helps prevent infiltrators from accessing your system even if they have user IDs and passwords.</li> <li><strong>Prevent data exfiltration</strong>: Place access controls and monitor access to data to prevent lateral movements and protect your organization’s <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="b044cc6a-5f5b-4027-9598-90f6914cf7dc" href="/us/threat-reference/intellectual-property-theft" title="Intellectual Property Theft">intellectual property</a>.</li> <li><strong>Eliminate idle accounts</strong>: Purge your directory of orphan and dormant accounts immediately and continuously monitor for unused accounts and privileges. Ensure that non-active users, such as former employees, can no longer access the system or the organization’s data.</li> <li><strong>Investigate anomalous behavior</strong>: Investigate any unusual activity in your organization’s LAN to identify misbehaving employees. Combined with behavior monitoring and analysis tools, you can efficiently identify and prevent insider threats.</li> <li><strong>Conduct sentiment analysis</strong>: Perform sentiment analysis to determine the feelings and intentions of individuals. Regular analysis can help you identify employees under stress, experiencing financial troubles, or performing poorly, which may indicate potential malicious insiders.</li> <li><strong>Implement insider threat detection tools</strong>: Use tools like <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="f9b4775d-4900-4616-8edc-73f160b4cce1" href="/us/threat-reference/security-information-event-management-siem" title="Security Information and Event Management (SIEM)?">Security Information and Event Management (SIEM)</a> solutions, <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="f09c8721-3198-4e75-bb5d-fc7b79e8eda5" href="/us/threat-reference/endpoint-detection-and-response-edr" title="Endpoint Detection and Response (EDR)">Endpoint Detection and Response (EDR)</a>, log management tools, User Behavior Analytics (UEBA), IT Management (ITM), and security automation to detect and prevent insider threats.</li> <li><strong>Leverage security automation</strong>: Implement security automation to understand baseline network behavior and to react efficiently to different situations.</li> <li><strong>Utilize employee awareness training</strong>: Use security awareness training to teach employees how to spot likely insider threat actors and make them aware of behavioral risk indicators.</li> <li><strong>Conduct regular audits and reviews</strong>: Conduct regular audits and reviews of your security policies, procedures, and technologies to ensure they are up-to-date and effective in preventing insider threats.</li> </ul> <p>By implementing these solutions, organizations can improve their security posture to stop insider threats and protect their critical information and systems.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-14"></span> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <h3 class="block-text-cols__title">How Proofpoint Can Help</h3> <div class="block-text-cols__body"> <p>As an industry-leading cybersecurity company, Proofpoint takes a people-centric approach to insider threat management and data loss prevention, enabling organizations to gain visibility, efficiency, and rapid response capabilities for mitigating the growing risks from insiders. Proofpoint offers several solutions to combat these insider threats:</p> <p><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="770593a0-07e8-4eb1-ba94-b6c5363b3b31" href="/us/products/insider-threat-management" title="Contain Insider Threats"><strong>Proofpoint Insider Threat Management (ITM)</strong></a> provides real-time, contextualized insights into user activity and behavior to detect and prevent insider threats. Key capabilities include:</p> <ul> <li><strong>Visibility and prevention</strong>: ITM provides visibility into the “who, what, when, and where” of user actions, with timeline views and screen captures to aid investigations. It can also block users from exfiltrating data across channels like USB, web uploads, cloud sync, and print.</li> <li><strong>Efficiency</strong>: ITM offers a centralized view to help security teams correlate alerts and manage investigations across endpoints, the web, cloud, and email. It includes workflows for better collaboration and exportable reports for HR, legal, and other stakeholders.</li> <li><strong>Rapid time to value</strong>: ITM is a scalable, cloud-native solution that can be deployed quickly with a lightweight endpoint agent, providing flexible monitoring of both everyday and high-risk users.</li> </ul> <p><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="2fe775d9-f38e-42df-bb63-7c231e61425b" href="/us/products/data-loss-prevention" title="Stop Data Loss"><strong>Proofpoint Enterprise Data Loss Prevention (DLP)</strong></a> integrates with ITM to provide comprehensive protection against data loss from negligent, compromised, and malicious users. It can identify sensitive data, detect exfiltration attempts, and automate regulatory compliance.</p> <p><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="abc81c1f-1a1f-447e-87b7-43bf6a8e0b1b" href="/us/products/mitigate-human-risk" title="Mitigate Human Risk"><strong>Proofpoint Security Awareness Training</strong></a> helps transform employees into effective data defenders by proactively identifying potentially risky users and changing their behavior to ensure compliance.</p> <p>To learn more about how to mitigate insider threats, <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="6bc75608-952f-4867-8cc7-9d004280fdee" href="/us/contact" title="Contact Us"><strong>contact Proofpoint</strong></a>.</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--text-onecol-centered paragraph--view-mode--full text-onecol-centered text-onecol-centered--large"> <div class="text-onecol-centered__body"> <p><strong>Are you ready to decrease your risk with advanced insider threat detection and prevention? Let us walk you through our Proofpoint Insider Threat Management and answer any questions you have about Insider Threats.</strong></p> </div> <div class="text-onecol-centered__link"> <a href=/us/resources/webinars/live-demo-people-centric-approach-insider-threat-management class="global-elements__cta-button" > <span>Request a Demo</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> </div> </div> <span data-smooth-scroll="true" class="anchor_link" id="toc-15"></span> <div class="paragraph paragraph--type--vertical-feature-list paragraph--view-mode--full vert-feats UNCONVERTED"> <div class="vert-feats__wrapper"> <h3>Insider Threats FAQs</h3> <h2></h2> <div class="vert-feats__items"> <div class="vert-feats__items-wrapper"> <div class="paragraph paragraph--type--vertical-feature-list-item paragraph--view-mode--default vert-feats__item"> <h4>How Many Potential Insider Threat Indicators Are There?</h4> <p>Any user with internal access to your data could be an insider threat. Vendors, contractors, and employees are all potential insider threats. Suspicious events from specific insider threat indicators include:</p> <ul> <li><strong>Recruitment</strong>: Employees and contractors can be convinced by outside attackers to send sensitive data to a third party.</li> <li><strong>Voluntary</strong>: Disgruntled and dissatisfied employees can voluntarily send or sell data to a third party without any coercion.</li> <li><strong>Unknowing</strong>: Due to <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="3d41a44d-bc21-401b-8912-4f84e4e683ce" href="/us/threat-reference/phishing" title="Phishing">phishing</a> or <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="4d1cd792-cfe7-4903-8091-18e49f4e61c3" href="/us/threat-reference/social-engineering" title="Social Engineering">social engineering</a>, an individual may disclose sensitive information to a third party.</li> </ul> </div> <div class="paragraph paragraph--type--vertical-feature-list-item paragraph--view-mode--default vert-feats__item"> <h4>What Advantages Do Insider Threats Have Over Others?</h4> <p>Because insiders have at least basic access to data, they have an advantage over an external threat that must bypass numerous <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="e3d8ca76-e45f-4756-962b-337673275a42" href="/us/threat-reference/firewall" title="Firewall">firewalls</a> and intrusion detection monitoring. The level of authorized access depends on the user’s permissions, so a high-privilege user has access to more sensitive information without the need to bypass security rules.</p> </div> <div class="paragraph paragraph--type--vertical-feature-list-item paragraph--view-mode--default vert-feats__item"> <h4>What Is Not Considered a Potential Insider Threat?</h4> <p>External threats are definitely a concern for corporations, but insider threats require a unique strategy that focuses on users with access, rather than users bypassing authorization. Attacks that originate from outsiders with no relationship or basic access to data are not considered insider threats. Note that insiders can help external threats gain access to data either purposely or unintentionally.</p> </div> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <div class="paragraph paragraph--type--text-columns paragraph--view-mode--full text-cols"> <div class="block-text-cols__cols block-text-cols__cols-1"> <div class="paragraph paragraph--type--text-column paragraph--view-mode--default block-text-cols__cols__item"> <div class="block-text-cols__body"> <p>[1] Verizon. “<a href="https://enterprise.verizon.com/resources/reports/dbir/" rel=" noopener" target="_blank">Data Breach Investigations Report</a>”<br> [2] SANS. “<a href="https://www.sans.org/reading-room/whitepapers/threats/insider-threats-fast-directed-response-37447" rel=" noopener" target="_blank">Insider Threats and the Need for Fast and Directed Response</a>”<br> [3] CSO Magazine. “<a href="https://www.trendmicro.com/en_us/ciso/21/h/cybercrime-today-and-the-future.html" rel=" noopener" target="_blank">U.S. State of Cybercrime Report</a>”</p> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__sm"> </div> </div> </div> <div class="paragraph paragraph--type--resources paragraph--view-mode--full resources-block"> <div class="resources-block__wrapper"> <div class="resources-block__inner-wrapper"> <div class="resources-block__heading-wrapper"> <h3 class="resources-block__heading"> Related Resources </h3> </div> <div class="resources-block__resources"> <div about="/us/resources/e-books/an-overview-of-insider-threat-management" class="node--type--resource-item node--view-mode--teaser-v3 resource-teaser-v3"> <a class="resource-teaser-v3__url" href="/us/resources/e-books/an-overview-of-insider-threat-management"> <div class="resource-teaser-v3__image" data-type="ebook"></div> <h3 class="resource-teaser-v3__type">E-book</h3> <h4 class="resource-teaser-v3__title"> An Overview of Insider Threat Management </h4> </a> </div> <div about="/us/resources/e-books/a-guide-to-setting-up-your-insider-threat-management-program" class="node--type--resource-item node--view-mode--teaser-v3 resource-teaser-v3"> <a class="resource-teaser-v3__url" href="/us/resources/e-books/a-guide-to-setting-up-your-insider-threat-management-program"> <div class="resource-teaser-v3__image" data-type="ebook"></div> <h3 class="resource-teaser-v3__type">E-book</h3> <h4 class="resource-teaser-v3__title"> A Guide to Setting Up Your Insider Threat Management Program </h4> </a> </div> <div about="/us/blog/insider-threat-management/thoughts-new-forrester-report-best-practices-mitigating-insider" class="node--type--blog-post node--view-mode--teaser-v3 blog-teaser-v3 resource-teaser-v3 UNCONVERTED"> <a class="blog-teaser-v3__url" href="/us/blog/insider-threat-management/thoughts-new-forrester-report-best-practices-mitigating-insider"> <div class="blog-teaser-v3__image"></div> <h3 class="blog-teaser-v3__type">Blog</h3> <h4 class="blog-teaser-v3__title"> <span>Thoughts on New Forrester Report: “Best Practices: Mitigating Insider Threats”</span> </h4> </a> </div> <div about="/us/resources/analyst-reports/gartner-market-guide-insider-risk-management" class="node--type--resource-item node--view-mode--teaser-v3 resource-teaser-v3"> <a class="resource-teaser-v3__url" href="/us/resources/analyst-reports/gartner-market-guide-insider-risk-management"> <div class="resource-teaser-v3__image" data-type="analyst-report"></div> <h3 class="resource-teaser-v3__type">Analyst Report</h3> <h4 class="resource-teaser-v3__title"> Proofpoint Recognized in 2023 Gartner® Market Guide for Insider Risk Management Solutions </h4> </a> </div> </div> <div class="resources-block__link-wrapper"> <a class="resources-block__link" href="/us/resources"> See more resources </a> </div> </div> </div> </div> <div class="subscribe-block blog-subscribe" data-animate="true"> <div class="subscribe-block__inner blog-subscribe__inner"> <div class="subscribe-block__copy"> <h3 class="subscribe-block__heading"> Subscribe to the Proofpoint Blog </h3> </div> <div class="subscribe-block__form"> <div class="mk-form"> <div class="mk-form__form-container"> <script type="IN/Form2" data-data-form="mktoForm_19277" data-field-firstname="FirstName" data-field-lastname="LastName" data-field-email="Email" data-field-company="Company" data-field-title="Title" data-field-state="State" data-field-country="Country" ></script> <form id="mktoForm_19277" data-mkto-id="19277" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label="" data-lang-code="us" data-validate-email="1" class="mk-form__form marketo-form-block__form" ></form> </div> </div> </div> </div> </div> <div class="paragraph paragraph--type--space paragraph--view-mode--full space"> <div class="space__wrapper"> <div class="space__item space__xl"> </div> </div> </div> <div class="paragraph paragraph--type--cta-banner paragraph--view-mode--full cta-banner cta-banner--bg" data-background-image="/sites/default/files/styles/webp_conversion/public/cta-banner/cta-bkgd.jpg.webp?itok=lGrCI_5c"> <div class="cta-banner__wrapper"> <h2 class="cta-banner__heading"> Ready to Give Proofpoint a Try? </h2> <p class="cta-banner__body">Start with a free Proofpoint trial.</p> <div class="cta-banner__buttons"> <a href=/us/free-trial-request class="global-elements__cta-button--white" target="" > <span>Get Protected</span> <div class="global-elements__cta-button--arrow-wrapper"></div> </a> </div> </div> </div> </div> <div class="glossary__content-pager"> <div class="content-pager"> <div class="content-pager__items-wrapper"> <div class="content-pager__items"> <div class="content-pager__item content-pager__item--prev"> <a href="/us/threat-reference/information-seeking-scams" hreflang="en">Previous Glossary</a> </div> <div class="content-pager__item content-pager__item--next"> <a href="/us/threat-reference/integrated-cloud-email-security" hreflang="en">Next Glossary</a> </div> </div> </div> </div> </div> </article> </div> </div> </div> </section> </main> </div> <div class="footer-v3" data-animate="true"> <div class="footer-v3__inner"> <nav class="footer-v3__nav"> <div class="footer-v3__nav-wrapper"> <div class="footer-v3__nav-heading">Products</div> <ul class="footer-v3__nav-collapsible"> <li><a href="/us/products/protect-people">Protect People</a></li> <li><a href="/us/products/defend-data">Defend Data</a></li> <li><a href="/us/products/mitigate-human-risk">Mitigate Human Risk</a></li> <li><a href="/us/products/premium-services">Premium Services</a></li> </ul> </div> <div class="footer-v3__nav-wrapper"> <div class="footer-v3__nav-heading">Get Support</div> <ul class="footer-v3__nav-collapsible"> <li><a href="https://proofpoint.my.site.com/community/s/" target="_blank">Product Support Login</a></li> <li><a href="/us/support-services">Support Services</a></li> <li><a href="https://ipcheck.proofpoint.com" target="_blank">IP Address Blocked?</a></li> </ul> </div> <div class="footer-v3__nav-wrapper"> <div class="footer-v3__nav-heading">Connect with Us</div> <ul class="footer-v3__nav-collapsible"> <li><a href="tel:+1-408-517-4710" class="icon-phone-ppoint">+1-408-517-4710</a></li> <li><a href="/us/events">Attend an Event</a></li> <li><a href="/us/contact">Contact Us</a></li> <li><a href="/us/free-demo-request">Free Demo Request</a></li> </ul> </div> <div class="footer-v3__nav-wrapper"> <div class="footer-v3__nav-heading">More</div> <ul class="footer-v3__nav-collapsible"> <li><a href="/us/company/about">About Proofpoint</a></li> <li><a href="/us/why-proofpoint">Why Proofpoint</a></li> <li><a href="/us/company/careers">Careers</a></li> <li><a href="/us/leadership-team">Leadership Team</a></li> <li><a href="/us/newsroom">News Center</a></li> <li><a href="/us/legal/trust">Privacy and Trust</a></li> </ul> </div> </nav> <div class="footer-v3__bottom-wrap"> <section class="footer-v3__bottom"> <div class="footer-v3__logo"> <a href="/us" class="footer-v3__logo-link"> <div class="footer-v3__logo-image"></div> </a> <div class="footer-v3__bottom-copyright-info">&copy; 2024. All rights reserved. </div> </div> <div class="footer-v3__bottom-copyright"> <a class="footer-v3__bottom-copyright-info" href="/us/legal/license">Terms and conditions</a> <a class="footer-v3__bottom-copyright-info" href="/us/legal/privacy-policy">Privacy Policy</a> <a class="footer-v3__bottom-copyright-info" href="/us/sitemap">Sitemap</a> </div> <ul class="footer-v3__bottom-social-menu"> <li> <a href="http://www.facebook.com/proofpoint" class="icon-facebook" target="_blank"></a> </li> <li> <a href="http://www.twitter.com/proofpoint" class="icon-twitter" target="_blank"></a> </li> <li> <a href="https://www.linkedin.com/company/proofpoint" class="icon-linkedin" target="_blank"></a> </li> <li> <a href="https://www.youtube.com/channel/UCIvtJgsrUzFo90NKeiVozhQ" class="icon-youtube-play" target="_blank"></a> </li> <li> <a href="https://www.instagram.com/proofpoint" class="icon-instagram" target="_blank"></a> </li> </ul> </section> </div> </div> </div> </div> <script type="text/javascript">document.write(unescape("%3Cscript src='//munchkin.marketo.net/munchkin.js' type='text/javascript'%3E%3C/script%3E")); </script> <script>Munchkin.init('309-RHV-619');</script><div class="element-invisible" style="clear:both;"><!-- Google Code for Remarketing Tag --> <!-------------------------------------------------- Remarketing tags may not be associated with personally identifiable information or placed on pages related to sensitive categories. See more information and instructions on how to setup the tag on: http://google.com/ads/remarketingsetup ---------------------------------------------------> <script type="text/javascript"> /* <![CDATA[ */ var google_conversion_id = 950296937; var google_custom_params = window.google_tag_params; var google_remarketing_only = true; /* ]]> */ </script> <script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"> </script> <noscript> <div style="display:inline;"> <img height="1" width="1" style="border-style:none;" alt="" src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/950296937/?value=0&amp;guid=ON&amp;script=0"/> </div> </noscript></div> </div> <div id="flyout-container"></div> <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","pathPrefix":"us\/","currentPath":"node\/107141","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"ajaxPageState":{"libraries":"eJxlkVFuAyEMRC8Ugqr-9DaVYR0WhbWRbaLm9vVGVcKmf_DG4PG4g0AR6KvGRUaHdu5Pch7UR2pVV1xOjq3mhjE1Lsdb0JE0S004cUFYsowt6QtmJkOy0KGgzFiml9kgJCCaKy7MhhJunxMSxGBSofl3hO2llMbJKTbcvJkeBFWQeyBepoaFuTQMFz4Ur-7fWxLcjqxSmYHwn9mDOUHlIRlDNdz-Yw0eW76-BO2QJ0fPPN_rDH8sZG5jI32jTOhCyD4yyryvG-4HD-SCYEMw-ELt1Pt3_fii2IDK8HWEBQ2zsezKBnJF47gNyuu10s4UQfIah9Wm-91WjzcaJIKUHqE8GXNLICe9q08fEyj-AmTx7Ko","theme":"particle","theme_token":null},"ajaxTrustedUrl":[],"vwo":{"id":767242,"timeout_library":2500,"timeout_setting":2000,"usejquery":"false","testnull":null},"pp_i18n":{"language":"us"},"instantsearch":{"indexName":"content","path":"us\/search"},"user":{"uid":0,"permissionsHash":"26dd96d39e445e838e5f0382a0a4240ea0629de7ad59c3778594246405e2ccf5"}}</script> <script src="/sites/default/files/js/js_8CW70isSIT32kS0YKfqio8Q45sLJZNysYeCQqB4dtLQ.js?scope=footer&amp;delta=0&amp;language=en&amp;theme=particle&amp;include=eJx1UVtqxDAMvNBqTelPb7PIjpKYOJKR5KV7-zqlNE6hf9ZoxDxc6yO_fXAoyEvDhWAip-Sit1ofO-pGLmFvnNYt84EZoaY1NM_FjtlX2im4SImoN3uZ0x4iGt0qqudUKCRRGqgYGWPMvJyMRWQpBLOw24nOIk4Kz_eBWMQM9QUs00WBndih9gR6wivhdNGJ2pGkbY_fMrgo1tXCpK1iuZ_IvXFtsWRbaRpUHCEi8yjRDUUsQKVHu5i3imlwGIssYC1a0hwH_BeCzkjbuVAyaZrI_ltA7k1fBc7J6dMhSWk7D56edDy63ZnQmxL0hP7nSJj6HaSehnRMPysRuOZ-XpGpjDWr_BRz-ayj_g4xPr8A3EDsqg"></script> <script src="https://geoip-js.com/js/apis/geoip2/v2.1/geoip2.js"></script> <script src="/sites/default/files/js/js_DA7GHFg6Iz1O22c58zPl-nNTEwx5y7RuyKjesK1mXJI.js?scope=footer&amp;delta=2&amp;language=en&amp;theme=particle&amp;include=eJx1UVtqxDAMvNBqTelPb7PIjpKYOJKR5KV7-zqlNE6hf9ZoxDxc6yO_fXAoyEvDhWAip-Sit1ofO-pGLmFvnNYt84EZoaY1NM_FjtlX2im4SImoN3uZ0x4iGt0qqudUKCRRGqgYGWPMvJyMRWQpBLOw24nOIk4Kz_eBWMQM9QUs00WBndih9gR6wivhdNGJ2pGkbY_fMrgo1tXCpK1iuZ_IvXFtsWRbaRpUHCEi8yjRDUUsQKVHu5i3imlwGIssYC1a0hwH_BeCzkjbuVAyaZrI_ltA7k1fBc7J6dMhSWk7D56edDy63ZnQmxL0hP7nSJj6HaSehnRMPysRuOZ-XpGpjDWr_BRz-ayj_g4xPr8A3EDsqg"></script> <script src="//munchkin.marketo.net/munchkin.js"></script> <script src="/sites/default/files/js/js_Q_hAq3KoriT4uxdUnA3XDouviRgbwswFyj5MCBnzVHU.js?scope=footer&amp;delta=4&amp;language=en&amp;theme=particle&amp;include=eJx1UVtqxDAMvNBqTelPb7PIjpKYOJKR5KV7-zqlNE6hf9ZoxDxc6yO_fXAoyEvDhWAip-Sit1ofO-pGLmFvnNYt84EZoaY1NM_FjtlX2im4SImoN3uZ0x4iGt0qqudUKCRRGqgYGWPMvJyMRWQpBLOw24nOIk4Kz_eBWMQM9QUs00WBndih9gR6wivhdNGJ2pGkbY_fMrgo1tXCpK1iuZ_IvXFtsWRbaRpUHCEi8yjRDUUsQKVHu5i3imlwGIssYC1a0hwH_BeCzkjbuVAyaZrI_ltA7k1fBc7J6dMhSWk7D56edDy63ZnQmxL0hP7nSJj6HaSehnRMPysRuOZ-XpGpjDWr_BRz-ayj_g4xPr8A3EDsqg"></script> <script src="/themes/custom/proofpoint/apps/drupal/../../dist/app-drupal/assets/js/app.js?q=_dtj1XYObGo&amp;v=1"></script> <script src="/sites/default/files/js/js_2LYNA9Zu5KE51oXU7U2qX9zbS5cCqO7wzxelxAEWhjk.js?scope=footer&amp;delta=6&amp;language=en&amp;theme=particle&amp;include=eJx1UVtqxDAMvNBqTelPb7PIjpKYOJKR5KV7-zqlNE6hf9ZoxDxc6yO_fXAoyEvDhWAip-Sit1ofO-pGLmFvnNYt84EZoaY1NM_FjtlX2im4SImoN3uZ0x4iGt0qqudUKCRRGqgYGWPMvJyMRWQpBLOw24nOIk4Kz_eBWMQM9QUs00WBndih9gR6wivhdNGJ2pGkbY_fMrgo1tXCpK1iuZ_IvXFtsWRbaRpUHCEi8yjRDUUsQKVHu5i3imlwGIssYC1a0hwH_BeCzkjbuVAyaZrI_ltA7k1fBc7J6dMhSWk7D56edDy63ZnQmxL0hP7nSJj6HaSehnRMPysRuOZ-XpGpjDWr_BRz-ayj_g4xPr8A3EDsqg"></script> <script src="//app-abj.marketo.com/js/forms2/js/forms2.min.js"></script> </body> </html>