Skip to main content

Set a meeting with us at RSA Conference 2024

6-9 May 2024


Moscone Center

Meet With Us

Data Protection

Cybersecurity Breaches Caused by Insiders: Types, Consequences, and Ways to Prevent Them


Security incidents are often hard to detect and tend to go unnoticed for far too long. They’re also time-consuming to investigate, since gathering evidence and correlating facts may take months or even years. For instance, the graphic design website Canva became aware of the theft of user credentials for almost a million accounts only seven months after the actual incident. That’s why it’s better to put your effort into preventing incidents rather than handling their consequences.

The best way to avoid cybersecurity breaches is to learn about the most common types and examples of cybersecurity and constantly enhance the protection of your infrastructure against them. In this article, we explore the types and consequences of cybersecurity breaches and pay special attention to tricky insider threats. We also reveal how to respond to a data breach and suggest best practices to detect, mitigate, and prevent cybersecurity incidents caused by malicious and inadvertent insiders.

Cybersecurity breaches: definition, types, and consequences

A cybersecurity breach is a security incident that results in unauthorized access to an organization’s protected systems and data. It’s an early-stage violation that can lead to consequences like system damage and data loss.

The terms security breach and data breach are often used interchangeably because these events usually come hand in hand. A cybersecurity breach occurs first when an unauthorized party bypasses security measures to get inside the protected perimeter and gain access to company accounts, intellectual property, and personal information of customers and employees. A data breach is what happens next when the unauthorized party steals confidential information and compromises it.

Security breaches can happen to any organization and lead to the following consequences:

  • Data theft — Malicious actors can steal sensitive information, including private data of customers and employees and an organization’s intellectual property.
  • Financial losses — The cost of a data breach depends on multiple factors including a company’s location, the types of data stolen, and the size of the breach. The average total cost of a data breach is $1.24 million according to the IBM 2020 Cost of a Data Breach Report.
  • Reputational damage — Depending on the impact of a breach and its press coverage, a company may lose the loyalty of its customers, stakeholders, and partners.
  • Fines — Each industry is regulated by laws and standards that establish cybersecurity requirements. Failing to comply with data protection regulations may result in fines.

There are dozens of ways to breach an organization’s cybersecurity, including various malware attacks, phishing emails, and DoS, DDoS, and XSS attacks. However, cybersecurity incidents don’t only happen because of intruders from outside an organization.

There’s a lot of examples of internal data breaches. Malicious insiders can use their legitimate access rights to intentionally compromise sensitive data and harm a company. For instance, opportunistic attackers may spot vulnerabilities in a system and wait for a convenient moment to take advantage of them. Cybersecurity breaches and threats can also be caused by unintentional insiders due to human errors.

Insider Threat Protection Solution

Examples of recent cybersecurity breaches caused by insider threats

Security incidents caused by insiders happen every year to various entities, including large enterprises, small companies, and government organizations. Let’s take a look at five examples of cyber security incidents.


1. In 2018, a former Chicago Public Schools IT worker stole sensitive information of 70,000 employees, volunteers, and vendors. The stolen data included employee ID numbers, addresses, phone numbers, and criminal histories.

2. A former employee of the Desjardins Group, a Canadian financial services cooperative, shared the personal information of around 2.7 million people and 173,000 businesses.

3. It took almost five months for the DoorDash food delivery company to detect a data breach that affected 4.9 million customers, delivery workers, and merchants. Stolen data included email and delivery addresses, phone numbers, and hashed passwords. DoorDash claimed a third-party service provider caused the breach.

4. A third party caused another breach concerning data security in the banking industry that happened to Capital One in 2019. A former worker of Amazon Web Services, Capital One’s cloud hosting company, gained access to more than 100 million Capital One customer accounts and credit card applications. The stolen information included social security numbers, bank account numbers, names, addresses, and credit information.

5. Singaporean doctor Ler Teck Siang misused his privileged access to confidential information and shared screenshots of the Singaporean HIV Registry with US citizen Mikhy Farrera Brochez. As a result, a database with the names and addresses of 14,200 people was leaked in 2019.

From these and other employee data breach examples, it’s easy to conclude that internal breaches are often quite devastating and challenging to detect. And the more time you need to identify them, the more harm these breaches can cause. Not to mention such incidents usually lead to significant penalties for non-compliance with cybersecurity regulations.

Let’s take a closer look at insider threats, define their types, and explore ways to mitigate and prevent data breaches caused by insiders.

5 Real-life Cases When Employees Caused Data Breaches

The danger of insider threats

According to CERT, an insider threat is the potential for an individual who currently has or previously had authorized access to an organization’s assets to use this access, either maliciously or unintentionally, in a way that could negatively affect the organization.

Internal actors can harm an organization’s security on purpose (malicious insiders) or unintentionally by making miscellaneous errors (inadvertent insiders).

The Verizon 2020 Data Breach Investigations Report discovered that 30% of data breaches in 2019 involved internal actors. Such incidents happen across all industries. However, some are more often affected than others.

Malicious insiders pose the greatest threat to government, healthcare, financial, and educational institutions, since such institutions store valuable data that can be sold. The Cost of Insider Threats 2020 report by IBM says that the industries with the fastest-growing rates of insider threats from 2018 to 2019 were retail, with a 38% two-year increase, and financial services, with a 20% two-year increase.

How To Protect Patient Data

The negative impact of cybersecurity breaches includes financial losses that vary depending on the type of incident and the damage caused:


Besides the fact that insider threats are widespread, they’re also particularly challenging to deal with. There are three main factors that make insider threats dangerous:

1. Insider attacks are hard to detect

Any person with legitimate access to sensitive data and an organization’s infrastructure can be considered an insider once they take malicious actions. The scope of access to critical data determines the level of risk an employee poses. If employees have unlimited access to sensitive data, it’s very hard to distinguish potential security violations from their regular work routines. As a result, it can take months or even years to detect privilege misuse or data theft by departing employees or other insiders.

4 Cyber Security Insider Threat Indicators to Pay Attention To

2. Insider attacks are costly to remediate

Even if a data breach is detected right away, it can be quite expensive to remediate because of:

  • costs for notifying all affected parties
  • fines and penalties for non-compliance with security regulations
  • public relations fallout
  • costs for conducting investigations
  • legal expenses
  • investments in enhancing cybersecurity.

The longer a breach stays undetected, the higher these costs rise. If an attack is successful, a malicious actor usually stays in the system and keeps compromising data, which increases remediation costs.

3. Insider attacks are hard to investigate

The fact that insider attacks are so hard to detect contributes to the difficulty of investigation. Also, it may be easy for a tech-savvy insider with privileged access to cover up traces of their misuse. Even if perpetrators get caught, they can always deny any malicious intent and claim that what happened was an unintentional mistake.

12 Best Cybersecurity Practices in 2021

4 types of cybersecurity breaches caused by insiders and how to mitigate them

There are numerous scenarios for insider breaches, and it’s impossible to be prepared for everything. However, we can define types of incidents that occur frequently enough and affect companies across a wide enough range of industries to be considered more or less universal.

Let’s look at four types of insider-related incidents. By putting controls in place that cover these four cases, you’ll be able to secure your systems from the majority of insider threats regardless of your industry and the size of your company.


Portrait of Malicious Insiders: Types, Characteristics, and Indicators

1. Data misuse by privileged users

Privileged users are the most dangerous insiders since they have elevated access rights and more opportunities to leak data by mistake, misuse data, or steal sensitive information than anyone else within your company.

One of the most frequent results of an insider attack by privileged users is fraud via data misuse. Employees often look up clients’ personal information and then sell it, leverage it for personal gain, or use it for fraudulent transactions.

The best practices to prevent and mitigate data misuse by privileged users are limiting the number of privileged users, monitoring user actions, and controlling access to sensitive data.


Limit the number of privileged users

The fewer users have access to sensitive data, the easier it is to protect your company from insider attacks. Therefore, you should use the principle of least privilege to limit the number of privileges granted, providing users with the minimum level of access rights they require to perform their daily tasks.

Monitor user actions

It’s essential to be able to clearly see what privileged users do with your company’s sensitive data. User action monitoring software provides full video recordings of user activity, allowing you to see exactly what’s going on and act immediately when suspicious activity is detected.

Control access to sensitive data

Make sure to grant access to sensitive data and resources only to verified users. Consider implementing just-in-time privileged access management to minimize the chances for malicious insiders to compromise sensitive data. Conduct regular user access reviews to re-evaluate user roles, access rights, and privileges. Also, it’s always a good practice to establish an additional layer of login protection. For instance, you can benefit from secondary authentication to enhance user verification and identify users of shared accounts.

Privileged User Monitoring

2. Data leaks by third-party vendors

As do privileged users, subcontractors and third-party providers often have remote access to (and can misuse) company infrastructure and sensitive data.

Even if your third-party contractors are honest and reliable, there’s no way to control what’s happening on their end. So you can’t be sure that a subcontractor upholds high security standards.

Preventing insider attacks by subcontractors and third-party vendors is challenging but possible. Here are three steps to control third-party activity:


Evaluate the security of third-party vendors

Do your research before hiring third-party vendors. This should include conducting a complete overview of a vendor’s security controls and checking for relevant security certificates. Beyond that, put your expectations regarding cybersecurity into your contract with a third-party vendor. Formalizing security standards and procedures in a written agreement allows you to enforce them in the future.

Monitor third-party activity

It’s extremely important to know what subcontractors and third parties are doing with your company’s sensitive data, and the only way to reliably do this is to have full recordings of every session available when necessary.

Provide temporary access to sensitive resources

Another way to limit potential cybersecurity breaches by subcontractors is to limit their access to your infrastructure as much as possible. To this effect, you can use temporary access solutions such as one-time passwords to grant third parties access only when they need it. A system administrator can manually approve each connection, or you can set automatic approval for certain use cases.

Third-Party Vendor Monitoring

3. Industrial espionage

Industrial espionage is an illegal and unethical way of collecting corporate data (intellectual property, trade secrets, client information, financial data, or marketing secrets) and using it to gain a competitive or personal advantage.

Industrial espionage can be performed by malicious insiders or former workers. This is why it’s vital to keep an eye on employees who either have received notice of termination or have decided to quit on their own. Such employees often think they don’t have anything to lose and may want to take advantage of their final weeks in the office to misuse or compromise data.

The best practices to prevent industrial espionage and related cybersecurity breaches are:


  • revoking access rights and user credentials once employees stop working at your company
  • closely monitoring all actions of employees who are about to leave your organization
  • leveraging user monitoring software to gain clear insights into how terminated employees use their
  • access to sensitive data in the last couple of weeks in the office
  • deploying user and entity behavior analytics (UEBA) tools that can automatically detect suspicious activity and notify security officers or administrators.

Sometimes, employees can perform business espionage because of personal issues, conflicts with colleagues and executives, or burnout at work. Such issues can be spotted by HR managers during regular meetings or detected by UEBA tools.

How to Detect and Prevent Industrial Espionage

4. Inadvertent data leaks

Not all insider-related data breaches are caused by malicious perpetrators. Employees often make mistakes like interacting with phishing emails. There are many examples of human errors in computer security that eventually lead to data breaches.

Your best bet is to detect mistakes quickly and remediate them as soon as possible. Often, employees themselves don’t realize they’ve made mistakes. In this situation, traditional insider threat detection techniques can prove effective.

Here’s how to prevent inadvertent insider threats:


Detect phishing

Hackers use phishing emails to infect computers with malware, allowing them to easily access your infrastructure and sensitive data. Such emails are often used in tandem with social engineering to trick employees into revealing their credentials to a perpetrator. You can minimize the chances of such incidents succeeding by setting up spam filters and keeping all of your organization’s software up to date.

Create a strong cybersecurity policy

A cybersecurity policy enforces a formal set of rules that your employees should follow. A written policy reduces the number of mistakes due to misunderstandings and increases the effectiveness of security controls that are already in place.

Educate employees

Make sure your employees understand the importance of proper cybersecurity procedures. By teaching them why it’s necessary to follow all cybersecurity rules, you transform your employees into assets in your fight for data security. Cybersecurity awareness among employees will not only reduce mistakes but help you detect both malicious and inadvertent data breaches quicker.

Monitor user actions to detect leaks and simplify investigations

User activity monitoring is the best way to detect any data breaches that originate within your organization. Activity monitoring solutions can spot unusual activity and instantly warn security personnel. A session recording tool can also be employed to record user sessions in a tamper-proof format to let you investigate incidents and clearly show whether a security breach was caused by a malicious or inadvertent action.

User Activity Monitoring

Ekran System can help you mitigate insider threats

Ekran System is a full-cycle insider threat management platform that helps organizations efficiently monitor user activity, detect insider threats, immediately respond to suspicious activity, and gather valuable evidence for investigations.

By deploying Ekran System, you can leverage its numerous benefits to secure your data from malicious insiders:

  • Establish robust user activity monitoring and session recording to know who accesses critical data and what they do with it.
  • Easily manage access rights for each user or group of users.
  • Make sure only authorized users can access your sensitive data with multi-factor authentication and one-time passwords.
  • Receive real-time alerts each time abnormal activity is detected to prevent data breaches.
  • Closely monitor privileged users and third parties to ensure they don’t misuse their elevated access rights.
  • Gather all evidence in a tamper-proof format to speed up the investigation process if a cybersecurity incident happens.

Moreover, you can use Ekran System as your dedicated software for complying with requirements imposed by NIST 800-53, SWIFT CSP, HIPAA, GDPR, FISMA, and PCI DSS.

Mitigating Insider Threats: Plan Your Actions in Advance


Knowing the most common types and consequences of cybersecurity breaches caused by insiders is essential to understand the risks and establish robust cybersecurity within your organization. Insider threats shouldn’t be underestimated, since such incidents cause much harm if they aren’t immediately detected.

US-Based Defense Organization Enhances Insider Threat Protection with Ekran System [PDF]

With Ekran System, you can effectively deter, detect, and disrupt insider threats. Leverage the advanced monitoring functionality to keep an eye on all users who can access your organization’s data and prevent data breaches with customized alerts on abnormal user activity.

Want to try Ekran
System? Request access
to the online demo!

See why clients from 70+ countries already use Ekran System.



See how Ekran System can enhance your data protection from insider risks.