Building an Insider Threat Program: Essential Resources
Insider threats are often downplayed, but they pose a significant risk to organizations because employees, contractors, and business partners routinely have access to sensitive systems and data. Unlike external cyber threats, insider threats originate from individuals with legitimate credentials, which makes them harder to detect and mitigate. These threats can be malicious—such as intellectual property theft or sabotage—or unintentional, stemming from negligence or human error. Recently there has been a surge in North Korean (DPRK) IT workers embedded within Western companies, deployed to generate millions of dollars in revenue for North Korea.
Regardless of intent, the consequences can be severe, including financial losses, reputational damage, and regulatory penalties.
Building a strong insider threat program requires a combination of security policies, monitoring tools, training, and an understanding of human behavior. To help security teams and business leaders develop an effective program, I’ve compiled a comprehensive list of resources. This includes industry-recognized certification programs, training courses, case studies of real-world insider incidents, and YouTube videos that break down key concepts. Whether you’re starting from scratch or refining an existing program, these resources will provide the knowledge and tools needed to safeguard your organization from insider threats.
Resources:
- LinkedIn Learning Courses
- Carnegie Mellon University Certifications
- CISA: Insider Threat Mitigation Resources and Tools
- YouTube
  - From Bank Heist to IT Worker
  - 5 Practices for Preventing & Responding to Insider Threat
  - Understanding The Insider Threat Video
  - How to Detect Insider Threats
  - Challenges of Detecting Insider Threats – Whiteboard Wednesday
  - Managing Insider Threats | SANS ICS Concepts
  - Insider Threats Packing Their Bags With Corporate Data
  - The Dark Side of Cybersecurity: Insider Threats Explained
  - 28| The Insider Threat w/ Shawnee Delaney
- Podcast

Notable Insider Threat Cases:
- Waymo (2017) – The theft happened after an engineer became unhappy with his position and began trying to recruit others on the project to branch off with him.
- Anthem (2017) – Anthem experienced a breach caused by a third-party vendor, LaunchPoint, in which an employee emailed protected health information (PHI) from their work device to their personal email address.
- Capital One (2019) – The woman who stole 100 million credit applications from Capital One was found guilty after bragging about the theft in underground forums.
- NSA (2017) – A former intelligence contractor spent more than four years in prison after pleading guilty under the Espionage Act to leaking classified information.
- Morgan Stanley (2014) – A financial adviser at Morgan Stanley’s wealth management division stole hundreds of thousands of client records (about 10% of customers), and some of that data – affecting 900 clients – later appeared on Pastebin as part of an attempt to sell the full dataset.
- Twitter (2015) – In an espionage case, two Twitter employees exploited their access to gather personal data on users critical of the Saudi government and passed the info to Saudi officials in exchange for cash and gifts.
- AT&T (2019) – From 2012–2017, a fraud ring bribed AT&T call center employees to illegitimately unlock ~1.9 million phones by abusing insider credentials and even installing malware and rogue Wi-Fi devices in AT&T’s network to remotely process unlock requests.
- Tesla (2018) – A disgruntled Tesla technician engaged in “extensive and damaging sabotage,” using false usernames to modify the Tesla Manufacturing Operating System and exporting large amounts of highly sensitive data to unknown third parties.
- Tesla (2023) – Two former Tesla employees misappropriated tens of thousands of internal documents and leaked personal data (names, contact info, etc.) of over 75,000 current and former employees to a foreign media outlet, an incident first uncovered when journalists alerted Tesla to the trove of confidential data.
- Desjardins (2019) – Canada’s Desjardins credit union disclosed that over a 26-month period a “malicious” employee had been exfiltrating data from internal systems, resulting in a breach of personal information for nearly 10 million members – one of the largest insider-caused breaches to date.
- General Electric (2020) – Two GE engineers spent years stealing thousands of files on proprietary turbine technology (even convincing an IT admin to give them extra access) and then started a competing company to undercut GE using the stolen tech, until GE uncovered the scheme and the FBI brought charges.
- Stradis Healthcare (2020) – Shortly after being fired, a VP at Stradis Healthcare used a secretly created backdoor account to remotely delete critical shipping records, sabotaging the delivery of PPE (personal protective equipment) to hospitals during the COVID-19 pandemic.
- Ubiquiti (2021) – A Ubiquiti Networks software developer abused his cloud administrator privileges to quietly steal gigabytes of confidential data from the company’s AWS/GitHub servers and later posed as an “anonymous hacker,” demanding ~50 Bitcoin in ransom; when the company refused, he leaked data and planted false media stories about the “breach” – until investigators traced the activity back to him.
- KnowBe4 (2024) – A software engineer hired for an internal IT AI team immediately became an insider threat by loading malware onto his workstation.
- Google (2024) – An ex-Google engineer was charged with stealing AI secrets for the Chinese government.
- FBI (2021) – Hanssen was an FBI agent for 25 years, but he was also a spy for the Soviet Union and the Russian Federation.