Report reveals why employees pose the biggest threat to data security

The Insider Threat 2018 Report found that 90% of organisations surveyed felt vulnerable to insider attacks. The main causes included too many users with unnecessary access privileges (37%), the growing number of devices with access to sensitive information (36%) and the increasing complexity of information technology (35%).

What is an insider threat?

We usually associate insider threats with disgruntled employees who intend to harm their employer, but this is not always the case. Insider threats also include negligent employees who unintentionally compromise data, whether by falling victim to a phishing attack, inadvertently disclosing confidential information, or by other means.

Other key findings from the report

  • The insider threats organisations were most concerned about are accidental/unintentional insiders (51%) and malicious/deliberate insiders (47%).
  • The biggest enabler of accidental insider threats was phishing attempts (67%), followed by weak passwords (56%), unlocked devices (44%) and bad password-sharing practices (44%).
  • 53% admitted they had suffered an insider attack in the past year, and 27% said that insider attacks have increased in frequency.
  • 66% considered insider attacks (malicious or accidental) more likely than external attacks.
  • Lack of training and expertise (52%) was cited as the biggest barrier to improved insider threat management.
  • 82% have offered training to employees about how to reduce insider security risks, but 13% haven’t.

How can you prevent insider threats?

It’s important to remember that any organisation can be affected at any time. Internal threats should be addressed in the same way external attacks are. Here are some actions that you can take:

  • Implement deterrence, detection and monitoring measures.
  • Review employees’ access control levels regularly.
  • Train your staff on information security and cyber security best practices.
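The second action above, a regular review of access levels, is the one most directly aimed at the report's top cause (too many users with unnecessary privileges), and it is easy to make routine. The following is an added example, not code from the article or from IT Governance: a small access review that compares each account's entitlements against a per-role baseline and flags excess privileges, accounts that have not been used for a set period, and leavers whose accounts are still active. The role names, entitlement names, account data and the 90-day staleness threshold are all constructed assumptions for illustration.

```python
"""Periodic access review (added example; all data below is constructed).

Flags three things a reviewer typically wants to see:
  - entitlements beyond what the account's role needs ("excess:<name>")
  - accounts unused for longer than a threshold ("stale")
  - leavers whose account is still active ("leaver")
"""
from dataclasses import dataclass
from datetime import date

# Constructed role baseline: the entitlements each role legitimately needs.
# In practice this comes from the organisation's own role definitions.
ROLE_BASELINE = {
    "finance": {"erp-read", "erp-post"},
    "engineer": {"git", "ci"},
    "support": {"ticketing", "crm-read"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: frozenset
    last_login: date
    leaver: bool = False  # True once HR has recorded the person as having left


def review_access(accounts, today, stale_after_days=90):
    """Return {user: [findings]} for every account with at least one finding.

    Accounts with no findings are omitted so the result is an action list.
    """
    findings = {}
    for account in accounts:
        issues = []
        baseline = ROLE_BASELINE.get(account.role)
        if baseline is None:
            # An unknown role means nothing can be justified by it.
            issues.append("unknown-role")
            baseline = set()
        for excess in sorted(account.entitlements - baseline):
            issues.append(f"excess:{excess}")
        if account.leaver:
            issues.append("leaver")
        if (today - account.last_login).days > stale_after_days:
            issues.append("stale")
        if issues:
            findings[account.user] = issues
    return findings


def excess_privilege_ratio(accounts, today):
    """Fraction of accounts holding at least one entitlement beyond their role."""
    findings = review_access(accounts, today)
    over_privileged = sum(
        1 for issues in findings.values() if any(i.startswith("excess:") for i in issues)
    )
    return over_privileged / len(accounts) if accounts else 0.0


# Constructed sample data: four accounts as they might appear in a quarterly review.
REVIEW_DATE = date(2018, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "finance", frozenset({"erp-read", "erp-post"}), date(2018, 5, 30)),
    Account("bob", "engineer", frozenset({"git", "ci", "erp-post"}), date(2018, 5, 29)),
    Account("carol", "support", frozenset({"ticketing"}), date(2018, 1, 15)),
    Account("dave", "engineer", frozenset({"git"}), date(2018, 5, 20), leaver=True),
]

if __name__ == "__main__":
    for user, issues in review_access(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{user}: {', '.join(issues)}")
    print(f"over-privileged: {excess_privilege_ratio(SAMPLE_ACCOUNTS, REVIEW_DATE):.0%}")
```

Run as a script it prints one line per account needing attention (bob holds a finance entitlement his engineering role does not justify, carol has not logged in for 137 days, dave has left but still has an account) and the share of accounts with excess privileges. The useful part is the baseline: once each role's legitimate entitlements are written down, "too many users with unnecessary access" stops being a feeling and becomes a list that can be worked through each quarter.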

To provide your staff with consistent and flexible training that fits around their schedules and, more importantly, doesn’t break the bank, consider our e-learning courses.

Familiarise your employees with your internal policies on incident reporting and response, and introduce them to information security best practices to minimise preventable mistakes, with our Information Security Staff Awareness E-learning Course. Topics covered include inadequate passwords, phishing, portable devices and digital information security.

If phishing attacks are more of a concern, consider our Phishing Staff Awareness E-learning Course. We break down how phishing emails work, how to spot them, what you should do when you receive one and what happens when people fall victim.

Other e-learning courses include Phishing and Ransomware, Information Security and ISO 27001, and Misuse of Email Cc and Bcc.

Get in touch with our team to find out how we can help your organisation become more resilient.


  • Luke Irwin

    Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.