What insider threat actually looks like
Hollywood version: rogue genius copying secrets in the dead of night. Reality: a stressed engineer emailing themselves project files because they want to work from home, then leaving for a competitor a month later. Most insider incidents are accidental or careless, not malicious.
Three categories of insider risk
1. Unintentional (most common)
The employee doesn't mean to cause harm. They:
- Paste customer data into a free AI tool to draft a response faster
- Email work files to their personal account "to keep working"
- Reuse a work password on a personal site that gets breached
- Forward a sensitive email to the wrong person because name autocomplete picked the wrong recipient
- Lose a laptop, leave a USB drive in a coffee shop, post a screenshot with sensitive details in the corner
This is the majority of "insider incidents." Often the employee is one of the company's best people, just trying to get something done.
2. Negligent (less common)
The employee knows the rule but doesn't follow it. Examples:
- Knowing the AI policy says no customer data, but pasting it anyway because the work is faster
- Knowing personal storage isn't allowed, but uploading anyway "just this once"
- Sharing credentials with a colleague "to save time"
- Tailgating someone through a badge gate
The difference from unintentional: there's awareness. The motivation isn't malice; it's friction or impatience.
3. Malicious (rare but real)
The employee intends to cause harm or steal value. Common scenarios:
- Departing for a competitor: copies customer lists, project files, or designs in their last weeks
- Disgruntled employee: retaliates after demotion, layoff, or conflict
- Financial motive: sells data, accesses information they shouldn't, commits fraud
- Coerced employee: blackmail, extortion, family pressure (rare but tracked)
This category gets the headlines but represents a small fraction of incidents.
Why this matters
If you treat every employee as a potential malicious insider, you create a toxic culture, miss the unintentional incidents (which are most of them), and probably don't catch the actually-malicious ones either.
The healthy approach: systemic guardrails that prevent unintentional incidents, clear policies + transparency to reduce negligent ones, and specific signal detection for the rare malicious cases.
Real cases for context
- Tesla, 2023 — Two former employees leaked personal data of 75,000+ people including current/former employees to a foreign media outlet. Investigation revealed planning over months.
- Twitter / X, 2022 — Whistleblower / former security chief disclosed sensitive internal practices. (Categories blur — whistleblower vs. insider threat is a legal and ethical conversation, not a security one.)
- Anthem, 2017 — A subcontractor employee emailed PHI of ~18,000 people to their personal email over several months.
- Most companies — Departing employee downloads files in their last two weeks. Boring, common, rarely makes the news.
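The "specific signal detection" called for above, applied to the boring departing-employee case in the last bullet, as an added example that is not part of the original page: compare each departing user's download volume in their notice window with their own volume in the equally long window just before it. The audit events, the HR feed mapping users to last working days, and the 14-day / 5x thresholds are all constructed assumptions.

```python
"""Flag departing users whose download volume in their notice period jumps
far above their own earlier baseline. All sample data below is constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed audit events: (user, day, bytes downloaded from the file share)
EVENTS = [
    # alice: steady volume, not departing, so never in scope
    ("alice", date(2024, 5, 2), 50_000_000),
    ("alice", date(2024, 5, 9), 60_000_000),
    ("alice", date(2024, 5, 23), 55_000_000),
    # bob: modest baseline, then heavy pulls after giving notice
    ("bob", date(2024, 5, 3), 20_000_000),
    ("bob", date(2024, 5, 10), 30_000_000),
    ("bob", date(2024, 5, 21), 900_000_000),
    ("bob", date(2024, 5, 28), 1_500_000_000),
    # carol: departing, but her volume stays flat (should not be flagged)
    ("carol", date(2024, 5, 6), 10_000_000),
    ("carol", date(2024, 5, 27), 12_000_000),
]

# Constructed HR feed: user -> last working day (assumed available to security)
DEPARTING = {"bob": date(2024, 5, 31), "carol": date(2024, 5, 31)}


def flag_departing_bulk_downloads(events, departing, notice_days=14, ratio=5.0):
    """Return {user: (baseline_bytes, notice_bytes)} for departing users whose
    downloads inside the notice window exceed `ratio` times what they pulled
    in the equally long window immediately before it."""
    totals = defaultdict(lambda: [0, 0])  # user -> [before_window, in_window]
    for user, day, nbytes in events:
        last_day = departing.get(user)
        if last_day is None:
            continue  # only departing users are in scope for this signal
        window_start = last_day - timedelta(days=notice_days)
        baseline_start = window_start - timedelta(days=notice_days)
        if window_start <= day <= last_day:
            totals[user][1] += nbytes
        elif baseline_start <= day < window_start:
            totals[user][0] += nbytes
    flagged = {}
    for user, (before, during) in totals.items():
        # max(before, 1) keeps a user with no baseline from dividing by zero
        # and still flags them if they download anything substantial.
        if during > ratio * max(before, 1):
            flagged[user] = (before, during)
    return flagged


if __name__ == "__main__":
    for user, (before, during) in flag_departing_bulk_downloads(EVENTS, DEPARTING).items():
        print(f"{user}: {before} bytes before notice, {during} bytes during notice")
```

Because the comparison is against the user's own history rather than a fleet-wide threshold, a quiet user who suddenly pulls gigabytes stands out while a habitually heavy downloader does not generate noise.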
Knowledge check
What is the most common category of insider incident?