Insider Threats and GRC: When the Danger Comes from Within

• by Anthony Orjally
• Advent IM Blog

by Ellie Hurst ASYi, Commerical Director

Insider threats are the workplace equivalent of your cat suddenly deciding to attack your laptop while you’re on an important video call. 🐾 Predictable? Rarely. Disruptive? Always. Whether accidental or deliberate, insider threats can cause chaos in ways external hackers can only dream of.

In the realm of Governance, Risk, and Compliance (GRC), addressing insider risks is critical—but often overlooked. Many businesses focus their energy on external threats like phishing and ransomware, only to be blindsided by a problem originating from their own team.

So, let’s explore insider threats, why they happen, and how to mitigate them—sprinkled with practical examples and just a touch of humour to keep things light (because no one wants to imagine someone from HR going rogue!).

What is an Insider Threat?

An insider threat is any security risk that comes from within the organisation—whether it’s an employee, contractor, or partner. These threats are generally divided into three categories:

1. Malicious Insiders: Individuals who intentionally misuse their access to harm the organisation (e.g., selling data or sabotaging systems).
2. Careless Insiders: Employees who unintentionally compromise security (e.g., clicking on phishing links or losing devices).
3. Compromised Insiders: Staff whose accounts are taken over by external actors.

A recent 2023 report from Ponemon Institute found that insider threats have increased by 44% in the last two years, with the average cost of an insider incident reaching a staggering £11.5 million per year.

Sobering, right? Let’s break down how to tackle this.

Top Priorities for Mitigating Insider Threats

1. Access Control: Who Gets to See What?

Think of sensitive data like a tin of tuna. You wouldn’t leave it unattended in a room full of cats, and the same logic applies here.

• Role-Based Access: Employees should only have access to the information necessary for their role.
• Example: Finance doesn’t need access to IT’s server configurations, just like the marketing team doesn’t need payroll data.
• Centralised Permission Management: Use systems that allow you to define, track, and adjust permissions across teams.

2. Training: Make Security Relatable

Let’s face it: most employees don’t wake up thinking about cybersecurity. That’s why training needs to be engaging, practical, and (dare we say it) fun.

• Interactive Sessions: Use games or quizzes to teach employees about phishing scams, password hygiene, and suspicious activity.
• Example: Run a “Spot the Phish” competition and offer prizes for employees who correctly identify mock phishing emails. This is much nicer than making them feel bad and humiliated by being caught in a traditional phishing exercise.

Humour can go a long way here. Explain that a bad password (“password123”) is like leaving your front door open with a sign saying, “Free snacks inside.” Or, if it were me, “Free Cats inside.”

3. Monitoring: Quietly Keep an Eye Out

Nobody wants to feel like they’re working in a Big Brother environment, but subtle monitoring is essential.

• Data Monitoring Systems: Implement tools that flag risky behaviours, such as unusual data transfers, large file downloads, or access to sensitive files outside normal working hours.
• Example: An employee emailing sensitive documents to a personal address might trigger an alert for further investigation.

Remember, monitoring should always comply with privacy regulations like GDPR—so no snooping on employees’ personal emails! If you need help on how to appropriately monitor employees in a respectful way, we have a video that can help you or you can always get in touch… click here for video.

4. Incident Response Plan: Prepare for the “What If”

Even the best systems can fail, just like a locked treat cupboard sometimes fails to keep out a determined cat. You need a clear plan for when things go wrong.

• Immediate Actions: Disable access for employees leaving the company.
• Forensic Analysis: Assign responsibilities for investigating incidents and recovering data.
• Example: If an employee suddenly resigns and starts deleting files, a rapid response can limit damage and ensure continuity.

Test your incident response plan regularly—after all, you wouldn’t wait until a fire to test your extinguisher.

5. Build a Culture of Trust and Accountability

Insider threat mitigation isn’t about turning your office into a high-stakes spy thriller. The goal is to create an environment where employees understand risks, feel accountable, and are encouraged to report concerns.

• Encourage Openness: Make it easy for employees to report suspicious behaviour without fear of retaliation.
• Example: Recognise employees who flag potential risks—rewarding proactive behaviour can prevent incidents.

Why It Matters

According to a 2023 Verizon Data Breach Investigations Report, 22% of security incidents involve insider threats. While the majority are accidental, the consequences can still be devastating—think data breaches, regulatory fines, and reputational damage.

Insider threat mitigation is about balance: protecting your organisation while empowering employees. With the right mix of access control, training, monitoring, and preparation, you can reduce risks without creating a culture of paranoia.

Insider threats may seem unpredictable, but with a solid GRC framework in place, you’ll be prepared for whatever comes your way—whether it’s a rogue employee or an overly curious cat. 🐾

What steps has your organisation taken to mitigate insider threats? Let’s share insights.

#InsiderThreats #GRC #RiskManagement #Cybersecurity #GovernanceDoneRight