Skip to main content


How to Identify and Mitigate Insider Threats

Executive Resource
Weaver's downloadable tool can help your organization address insider threats & identify and mitigate financial crimes, intellectual property theft & cyber attacks.
August 9, 2023

What Is an Insider Threat and Why Should You Care?

External threats like ransomware may get a lot of publicity, but the biggest risks to your organization could actually come from inside. An employee, contractor or business partner with authorized access to your data may present a more significant threat to the organization’s assets, intellectual property or operations than any external perpetrator. Worse, because these insiders may have your trust, their activities may escape detection for months or even years.

Individuals with access to sensitive information and knowledge of the corresponding processes may intentionally or accidentally cause harm to the organization’s data, systems or reputation. These are just a few of the risks your organization could face:

Financial loss including financial crimes, theft of intellectual property or loss of revenue due to system downtime.

Reputational damage if sensitive information or customer data is leaked or compromised.

Regulatory noncompliance, which may involve steep fines or legal penalties, from failing to adequately protect personally identifiable information (PII) or protected health information (PHI)

Steps to Protect Your Organization

Fortunately, there are steps you can take to protect your organization. A comprehensive, holistic insider threat mitigation program will provide the tools to help you identify, monitor and mitigate insider threats.

Indicators exist that can raise red flags and help you identify insider threats: indicators such as behaviorial changes, evidence of financial pressures, attempts to bypass established controls, unethical activities, and accessing buildings or applications outside normal business hours, to name a few.

You can combine these indicators with systematic controls to deter financial crimes, attacks and security breaches from people within your organization. Recommended preventive actions include implementing proper corporate governance, establishing robust internal controls, monitoring critical metrics, training employees and establishing incident response plans that include inquiries or internal investigations, if warranted.

Types of Insider Threats

This overview offers a starting point to help your organization identify and mitigate insider threats. Effective management of these risks first requires analyzing the specific risks your teams face, identifying potential gaps and tailoring a program to the threats most relevant to your organization. Insider threats can take several forms:

Identify and Mitigate Insider Threats

1) Financial Crimes and Theft of Intellectual Property

When speaking of insider threats, a financial crime is the unauthorized or illicit use of an organization’s money or other property with the intent to improperly benefit from it. Examples include identity theft, money laundering, forgery, tax evasion, bribery, embezzlement and fraud.

Theft of intellectual property refers to the appropriation through illegal means of an organization’s ideas, inventions, trade secrets, customer lists, secret recipes, proprietary methods or proprietary products. Such crimes can be more damaging than financial theft due to the potential high value of these assets stored in electronic data files. This information is readily available to an insider with the proper level of access.

2) IT and Cyber Threats

These threats can include theft of information or anything related to technology, computers or a broad range of electronic devices, especially those that are readily accessible by personnel with the proper access rights. They include any kind of malicious activity that attempts to collect, disrupt, deny, degrade or destroy information system resources or the data itself. Threats can be perpetrated with techniques such as viruses, data breaches, malware, unpatched software vulnerabilities or ransomware. (Ransomware is a form of malware designed to encrypt files on a device, rendering systems and files unusable. Malicious actors then demand ransom in exchange for decryption.)

3) Violence

Violence includes any threatening behavior in the workplace that creates a hostile environment. It could start with threats followed by a physical attack intended to damage an organization’s infrastructure, equipment, buildings, inventory or other resources, and could also involve physical harm to other employees or visitors.

4) Espionage

Not just a problem for governments, espionage involves spying on a competitor, organization, foreign government or person to covertly or illicitly obtain confidential information, trade secrets or proprietary information for financial, military, political or strategic advantage. The targets of espionage often include offices of governments or organizations with access to valuable information such as scientific, technical, economic or engineering methods or techniques. Espionage could also involve private entities with similar information that could be monetized or leveraged by competitors or other entities.

5) Sabotage

Sabotage includes actions perpetrated by insiders to damage an organization’s physical infrastructure, contaminate spaces or cause an equipment failure. Such actions could result in delayed product roll-outs, expensive repairs, lawsuits from affected parties or reputational damage.

Manage Insider Threats with a Risk Management Framework and Culture of Compliance

The COSO Framework as a Starting Point

The Treadway Commission’s Committee of Sponsoring Organizations (COSO) created a framework for designing and managing internal controls. Organizations can take advantage of the COSO framework to design and implement internal controls that suit your evolving operations, technologies and risks.

While the COSO framework is a good starting point to identify, mitigate and monitor some of the risks associated with insider threats, it cannot replace a robust corporate compliance program designed specifically to address financial crimes, theft of intellectual property and cybersecurity attacks.

Recent DOJ Guidance on Corporate Compliance and Risk Assessments

Consider using the 2023 guidance from the U.S. Department of Justice (DOJ) on corporate compliance, which places risk assessments in the spotlight. The DOJ asks three overarching essential questions:

Is the compliance program well designed? Risk assessments are key to answering this first question.

Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?

Does the corporation’s compliance program work in practice?

In summary, you need to have a sound framework in place and a robust corporate compliance program tailored specifically to the risks that matter most to your organization. Review your compliance program and update it on a recurring basis to ensure it addresses evolving risks.

Examples of General Mitigation Activities

Identifying and mitigating insider threats require a comprehensive approach that involves multiple controls and strategies. These are some examples of activities you could implement to reduce the risk of improper activities committed by insiders:

Employee Screening: Conduct background checks — including criminal history checks, credit checks, employment history checks, and analysis of social media — before hiring new employees and regularly after they are employed. Such checks can help identify past or current behavior that could indicate a potential risk such as financial pressures, evidence of conflicts or anger over the workplace, and personal issues. Consider running background checks at least once a year for employees with access to sensitive information (financial data, personally identifiable information, trade secrets, etc.). The checks should be performed in consultation with qualified legal counsel to ensure compliance with applicable laws and regulations.

Segregation of Duties: By separating duties, you make it harder for an employee to commit fraud or other damaging acts. While proper segregation of duties is more difficult to accomplish in smaller organizations, there are ways to accomplish the goal, such as additional supervision or sign-offs.

Regular Monitoring: Implement a system of regular monitoring and evaluation of your internal controls and surveillance procedures to ensure they are effective at mitigating evolving threats Monitoring helps detect anomalies or inconsistencies that may indicate financial crimes or other potential threats. The appropriate frequency of the evaluations of your internal controls should be determined based on your facts and circumstances.

Security Measures: Install security measures such as access controls, alarms and surveillance cameras to protect physical assets and sensitive information.

Code of Conduct: Establish a code of conduct that outlines the expected behavior of employees and the consequences of violations. Make sure all employees are aware of the code of conduct and understand it. Taking proper disciplinary actions against employees regardless of level or seniority and “tone at the top” (i.e., leaders who do not tolerate dishonesty or poor ethics) are examples of critical elements in the code of conduct.

Training and Awareness: Provide regular training to employees on fraud prevention, cybersecurity and other topics such as preventing a hostile work environment. Consider providing training and support resources to treat anger management, depression and other mental health issues. Training and ongoing communications will help ensure that employees are aware of the risks and the supports available to them.

Reporting Mechanisms: Establish a system for employees to report suspicious activity, such as a fraud hotline or whistleblower program. Provide appropriate protections to whistleblowers. This will increase the probability that issues are identified and addressed promptly.

By implementing these activities, organizations can reduce the risk of financial crimes and other insider threats, while also promoting a culture of integrity and accountability.

Indicators of Financial Crimes and Theft of Intellectual Property

A robust insider threat mitigation program, as recommended by CISA, requires a combined effort on several fronts, including improvements to physical security, training and monitoring of employees’ activities (particularly of those with access to highly sensitive information).

This holistic approach is consistent with the overall COSO principles and the DOJ Guidance on Corporate Compliance; all three programs are based on a principle that risk management works best as a comprehensive, organization-wide program, rather than spotty, isolated efforts.

The following red flags are examples of behaviors or events that could be associated with financial crimes and theft of intellectual property. The list below shows common indicators; however, you should consider any risks or circumstances unique to your organization. We also provide examples of threat indicators at the overall organizational level.

Examples of Red Flags Indicating Pressures to Commit Financial Crimes



Examples of Red Flags for Theft of Intellectual Property

Examples of General Organizational Threat Indicators  

Indicators of IT and Cybersecurity Attacks

Following are some ideas for monitoring insider activity and detecting IT and cybersecurity attacks. Specialized software tools can store data sets such as access logs, user permissions, network activity, etc., for subsequent analysis to detect behaviors indicative of insider threats. The best cybersecurity approach combines automated software with human oversight and evaluation.

Examples of activities to identify high-risk indicators of IT and cyber security attacks include:

Metrics to Monitor

As your internal threats mitigation program evolves, consider implementing technology and repeatable processes to track the identification and the disposition of activity (focusing on individuals with access to sensitive data) related to the following metrics:

Data Source Frequency of Reporting Metric
Remote access logs Exception Basis High-risk patterns in network activity such as access from locations where the organization does not conduct business or authentication failures
Background check data Exception Basis Red flags in pre-employment screening data
External storage device exceptions Exception Basis Trend report and specific exceptions granted to connected external storage devices, including the rationale of the business need
Building access Exception Basis Employees’ or contractors’ access to the building outside business hours, holidays or other unexpected times
E-mail communications Weekly Volume and matches with high-risk behavior keywords
File downloads Weekly File downloads to detect high frequency or high volume of data
Intranet traffic Weekly High-risk behavior such as high level of internet use or traffic
Activity logs Weekly Anomalous activity in proprietary business applications or platforms
Database activity logs from critical applications Weekly Results of scanning of logs from critical applications (e.g., HR, Accounting, Sales)
Disciplinary actions Monthly Statistics of disciplinary actions or policy violations; determine if there is a pattern to the nature of the complaints
Employee performance evaluations Monthly Employee performance reports (e.g., poor performance, unethical activities, hostile behavior)
Travel expenses and travel records Monthly Summary stats by employee (e.g., travel records, travel locations, expense reimbursements, number of rejected expense reimbursements)
Printing and scanning activity Monthly Trend analysis highlighting spikes in volume of printing and scanning by individual employees or contractors


You can either build dashboards in-house or look for existing commercial software designed to track insider threats activity.

Identify and Mitigate Insider Threats Conclusion


Preventing financial crimes, theft of intellectual property, cybersecurity attacks and other IT threats requires a comprehensive approach using multiple controls and strategies. This overview and the downloadable tool explained below are just a starting point.

An effective strategy to identify and mitigate risk requires a holistic analysis of the current environment to determine potential weaknesses, then updating your policies and procedures to close any gaps. This process should be repeated regularly to ensure your organization is prepared to address constantly changing threats.

Several sources of information are publicly available to expand on the information provided herein. A few of these sources are:

A Tool to Help You Identify and Mitigate Insider Threats

Weaver has provided a downloadable tool to help you begin addressing insider threats. This Excel template will help you identify and mitigate threats such as:

The first tab, “Insider Threat Matrix,” provides a list of insider threat indicators and examples of activities to mitigate the threat.

Detailed descriptions of each “Organizational Level Activity” are provided in Tab 2, and explanations of the recommended data analytics techniques in Tab 3. You can use these activities and data analytics techniques to improve your processes, mitigate threats and close gaps.


New call-to-action