It's Here

Real-world advice on tackling
insider threats by those who are
leading the charge


Featured Security Executives



Insider threats are not new, so what has changed about them in the 2020s? That is the question we set out to answer with this book. Written by some of the leading security and product executives, the Red Book of Insider Threats is a biannual publication that will bring you the latest thinking in this space.

In the Summer 2020 edition, we feature 15 great leaders.

Some of the ideas and thought processes they share in the following pages will help define how you deal with insider threats. Many security professionals we spoke with are in the process of defining a formal insider threat program for their business. Included with the Red Book is a free “Insider Threats Checklist” that will help you assess your readiness to deal with these risks.

Ani Chaudhuri

Cofounder & CEO, Dasera



Where do insider threats arise from? How exactly does one define who’s inside and who’s outside?

The primary sources of insider threats are well known – employees, contractors, partners. In short, anyone who has access to your sensitive data or company networks is an insider. Even if you give temporary access to a third party such as a vendor or consultant, they become insiders too. In some cases, companies also consider ex-employees or recently departed employees as insiders.

Several industry reports also suggest that a malicious outsider who steals the credentials of an insider should be considered an insider as well.

This raises the question – when does an external attack convert into an “insider” threat? And what insider threat defenses do you deploy when the attacker has already gained access?

So, to get started, do you have a list of your insiders? Without an exhaustive definition for insiders, it is going to be impossible to build an effective defense against insider threats and breaches.

Frequency of 4,716 incidents for three insider profiles


Source: 2020 Cost of Insider Threats Global Report – Ponemon Institute, sponsored by ObserveIT & IBM

Insider Threats - The Unusual Suspects

Insiders needn’t only mean your employees. A truly robust insider threat program will account for many edge cases or scenarios.



Employees who are in their notice period or have just left need some extra attention. They may use their still-valid credentials to copy files to personal drives, or to delete or exfiltrate sensitive data, especially if they left on poor terms.



Contractors can have long-term or temporary access to company networks or databases. In such situations, the contractors’ employees need to be considered as much an insider as those on your own payroll.



Most data breaches take months to detect. So if a malicious outsider steals employee credentials, they are likely to have access to your network for a long time. Their intent needs to be understood differently from that of a genuine inside agent.



There are many situations that can cause an employee to be upset with peers, managers, or the company. They can act out in different ways too, e.g. simply deleting data instead of stealing or misusing it.

Mark Weatherford

Chief Strategy Officer and Board Member

National Cybersecurity Center

Prepare now to navigate through a complicated mix of federal, state, and industry regulations and laws when dealing with consumer data.

Julie Tsai

Head of InfoSec


We can’t protect what we don’t know. Flag & correlate for simple indicators of what shouldn’t be happening.


Why are there more insider threats today than just a few years ago? How are our insiders changing?

Industry reports suggest that the average number of incidents involving insiders has steadily increased over the last 4 years. Insider threats of all kinds have increased, irrespective of what they stem from – negligence, malicious intent, or credential theft. The steady increase can be attributed to increased vulnerabilities, greater transparency or federal regulations, or simply to an erosion of human values.

Sixty percent of organizations, one report suggests, had more than 30 insider-driven incidents per year. As more of our data and applications run on cloud software and teams become globally distributed and remote, these incidents will become more frequent.

On any given day, security teams perceive insider threats as significantly less dangerous compared to external hackers. However, the days of relying merely on training and trust to deal with insiders are far gone. In our research for this book, all the CISOs and security executives that were interviewed said insider threats were going to become more critical and top of mind for them in this new decade.

All types of insider threats are steadily increasing


Source: 2020 Cost of Insider Threats Global Report – Ponemon Institute, sponsored by ObserveIT & IBM

Insider Threat - Let's Paint A Picture

These are employees you hired for a reason — partners that you trust to run your business. And they are trustworthy, for the most part. But humans are human. We make mistakes. We can be careless. Sometimes, we will let curiosity get the better of us. In our worst moments, we can also be petty, greedy and even vindictive. When insiders handle data, insider breaches happen. Since insiders are human and insiders are everywhere, insider breaches are everywhere as well.


Lauren’s new on the job and wanted to impress her boss with her analytical skills. She downloaded thousands of customers’ PII on her laptop to build the report. And then lost the laptop in a coffee shop.



Britney Spears just checked into your hospital. Tom hears about it from a friend in another department. He looks up the details in the patient records database and leaks the news to a tabloid for a quick buck.


Jason works for a retail company. He is upset over a breakup. He wonders if his ex is already over him and is dating other people. He decides to check her recent purchases to determine how her lifestyle has changed.


Anand Ramanathan

VP of Products and Marketing (Enterprise)


Reprioritize threat information to ensure you’re seeing relevant insider threat metrics as well.

Sujeet Bambawale



Trust is atomic. Privileges to perform a trusted action are granted to the minimally viable constituent of the system that will dispose that action.


How much does it cost a business to recover from an insider-driven data breach?

The cost of insider breaches is increasing. As per the 2020 Ponemon Report, the average breach today costs 1.4 times what it used to in 2018 and almost 3 times the cost in 2016. The increase in frequency and costs is a double whammy for any security team.

Look at how this cost breaks down. Apart from technology (which has long-term detection and remediation benefits), almost all other cost categories, accounting for 79% of the cost, are disruptive in nature – they upset our well-laid business plans and hurt business continuity.

This cost does not include the opportunity cost of lost business. In today's day and age, breaches receive significant media exposure and result in a strong erosion of consumer trust. When your brand reputation suffers, it is tough to estimate how it impacts your growth as a business.

Percentage cost of insider incidents by standard categories (n=204)


Source: 2020 Cost of Insider Threats Global Report – Ponemon Institute, sponsored by ObserveIT & IBM


$11.5m is a lot of money. For an early, venture-backed startup, it may mean an existential threat. In many cases, we also see courts and regulatory authorities consider the company’s revenue and size in determining the value of the settlement or fines. Here are some factors that impact the average cost of your breaches.


For companies that have more than 25,000 employees, the average cost of a breach jumps from $11M to $17-18M. For companies smaller than 5,000 employees, the same number is in the range of $7-8M. Bigger companies also have more insiders with access to sensitive data, which increases their exposure to risk.


The average credential theft incident costs almost 1.8 times more than the average negligent insider incident. However, businesses have traditionally trained their security focus on the 'evil outsider' and relied on trust and training to deal with insiders. As a result, businesses face many more insider-related breaches. This makes the annualized cost of insider breaches almost 3 times that of breaches caused by credential thieves.

Amol Kulkarni

Chief Product Officer


We must build monitoring and remediation capabilities that add no friction to the teams that leverage data and files for their work.

Andy Kim


Allstate Insurance

Understand incompatible duties - Long-term staff have deep institutional knowledge, which makes them powerful but also puts them under high risk.


How do businesses monitor potential risks? And how do they proactively protect themselves from breaches?

The most used method to prevent insider threats continues to be user training and awareness, with 55% of companies saying they use these methods. And yet, if you read articles on the top breaches this year, every one of them was either directly or indirectly perpetrated by a negligent, careless or malicious insider.

Companies are clearly waking up to the fact that training and trust alone cannot work when dealing with humans. We are prone to making mistakes. Lapses in judgement happen all the time. As a result, companies have increased their investment in technologies like DLP and UBA systems that help them prevent data from leaving the premises or understand employee behaviors better.

Leveraging data is now a key competitive differentiator. This means giving more insiders access to sensitive information. Consequently, it also means more risk. Are companies technically ready to deal with the future of data use in the organization? It is important to estimate how it impacts your growth as a business.

Tools and activities that reduce insider threats

User Training & Awareness
Data Loss Prevention (DLP)
User Behavior Analytics (UBA)
Employee Monitoring & Surveillance
Security Incident & Event Management (SIEM)
Incident Response Management (IRM)
Strict Third-Party Vetting Procedures
Threat Intelligence Sharing
Privileged Access Management (PAM)
Network Traffic Intelligence

Source: 2020 Cost of Insider Threats Global Report – Ponemon Institute, sponsored by ObserveIT & IBM

Data Has Three States - Are All Protected?

Data in transit

When data moves from one system to another, e.g. batch updates or backups.

Data at rest

When data resides in a database or in a file and isn't being moved or used.

These two states are well-protected, because our focus till now has been on keeping outsiders out. The established security disciplines all address them:

Application Security
Cloud Security
Endpoint Security
Infrastructure Security
Identity & Access
Network Security
Data Loss Prevention
Web Security

Data in use

When data is being used or manipulated by a system or a person.

Point to Ponder

How Do We Protect Data In Use?

Sameer Khera


NortonLifeLock

Monitor behaviors such as downloads, unnecessary data access, files being sent to personal accounts, social media activity, etc.

Hemanta Swain



Identify the company’s most valuable assets. Then, perform a risk assessment to assess the risk of data loss or breaches due to insiders.

Marc Ariano

Head of Cybersecurity


Security and threats are consistently evolving. You need to continuously tweak your program.


What do sellers, advisors and consultants for security teams have to say about insider threats?

Siddharth Bohra

Chief Business Officer
Head of Digital & Analytics

L&T Infotech

Businesses need to make security a mainstream conversation and not an afterthought.


Here's an easy checklist to test your insider threat preparedness, based on the input provided by the executives featured in this book.

Insider Threats Checklist By Red Book Authors