HomeOur Blog
Blog Posts

Redefining insider threat

Phil Venables

Phil Venables

Table of contents
Phil Venables

Phil Venables

This is the first post in a series of four exploring the state of insider risk today. Follow Above Security to make sure you don't miss the next installment.

As we move further into the agentic era, it's worth reconsidering how we define both insider risk and its subset, insider threat. Many organizations still approach these concepts using assumptions that no longer reflect how people, contractors, and increasingly AI agents actually operate.

Modern insider risk encompasses accidental data leakage, shadow AI, and overpermissioned people and AI agents alike. These risks evolve quickly and often in ways that traditional security models were never designed to address.

Threat is a subset of risk

Before we begin, it's worth establishing some common terminology. The distinction may seem pedantic, but it matters.

"Insider threat" and "insider risk" are often used interchangeably, but they describe different things.

Insider threat is the person or entity with the intent to do harm: malicious, coerced, or deliberately planted. Insider risk is the broader universe of ways insiders can create harm for the organization.

Most insider risk involves no malicious intent at all: the well-meaning employee who moves data into an unsanctioned tool to meet a deadline, the negligent mistake, or the undocumented workaround that gradually becomes standard practice. If your program only focuses on identifying threats, it ignores the much larger class of events where most incidents actually originate.

That doesn't diminish the importance of insider threats. If anything, distinguishing malicious behavior from negligent or misinformed behavior is becoming increasingly difficult.

Insiders are more than just employees

If your model of insider threat is limited to the disgruntled employee leaving with a customer database, you're working from an increasingly incomplete picture.

In this post, I'll focus on the human personas that fall outside the traditional model. AI agents deserve equal attention, but they warrant a discussion of their own in a future article.

The third-party insider

The Coinbase incident last year illustrates this well.

Contractors are often categorized as a third-party risk. In practice, it's often more accurate to think of them as an insider risk. This doesn't fit comfortably within the traditional model of insider threat: there may be no long arc of disgruntlement, no warning signs accumulating in an HR file. Instead, a trusted external party abuses legitimate access that was intentionally granted.

The distinction matters because the security problem is fundamentally the same. The individual has legitimate access to systems and data, and their actions occur from inside the organization's trust boundary.

The instant insider

Many insider incidents unfold gradually through a series of actions. Extortion, bribery, or blackmail can compress that timeline to almost nothing.

An employee who was trustworthy on Monday can become an active threat on Tuesday—not because they've become disgruntled, but because someone outside the organization made cooperation financially attractive or made refusing unbearably costly. When a criminal organization threatens an employee's family, that employee may do things that neither the organization nor the employee themselves would ever have predicted.

This is worth reflecting on because it challenges one of the most common assumptions about insider risk.

When I led security programs inside large organizations, senior leaders would sometimes tell me, "We trust our employees. They're not going to go bad."

Perhaps they're right. Perhaps every person you've hired is fundamentally honest.

That assumption breaks down once coercion enters the picture. Trust is not a control against blackmail. In that sense, every organization has people who could become targets—not because they're untrustworthy, but because they're human.

The fake insider

This scenario challenges the traditional model even further: the insider who was never a trusted employee in the first place.

Fake IT workers and individuals who join organizations specifically to gain insider access have moved from the realm of spy novels to documented, recurring reality. The familiar "trusted employee goes bad" narrative doesn't adequately describe this case because there was never trust to erode. The threat arrived on day one, complete with credentials and legitimate access that the organization itself provided.

Related: Building a modern insider risk program

Book a demo

Why the old mental model fails now

The malicious employee stereotype isn't wrong. It's simply incomplete.

The pace of modern operations only widens that gap. Criminal recruitment, coercion, infiltration, and abuse of legitimate access can all happen far more quickly than they once did. A single encrypted message may replace what previously unfolded over months.

That speed changes the assumptions behind many traditional insider risk programs. Static watchlists, periodic access reviews, or confidence built solely on tenure provide only snapshots of a problem that changes continuously.

The biggest risks rarely present themselves as obvious threats. They look like employees, contractors, trusted partners, and new hires because they are legitimate insiders operating with legitimate access.

Ultimately, insider risk is better understood as a property of the organization than as a characteristic of particular individuals.

Organizations need to understand intent continuously so that meaningful changes in behavior can be identified while there is still an opportunity to influence the outcome. That represents the shift from managing a list of suspects to managing insider risk as a living, dynamic property of the organization.

We'll spend the rest of this series exploring what that looks like in practice. Next week, we'll examine what organizations actually discover once they gain this level of visibility—and why the results are rarely what they expected.

Share

Contact us

You've made a great move.
We'll be in touch shortly

Close
Watch Now