
Mitigating the Dangers of an Insider Threat

Adrien Gendre



The term “insider threat” in email security brings to mind malicious employees, but the truth is more complicated. According to Verizon’s 2020 Data Breach Investigations Report, 30 percent of data breaches were caused by internal actors in 2019. However, 22 percent of breaches were caused by errors and eight percent were caused by privilege misuse.

The Verizon report reveals that although the impact of an insider threat is real, malicious employees are only a small part of the problem. Ninety-four percent of breaches begin with email, where employees spend a significant amount of their workday. Employees are both vulnerable to the most common email attacks, from phishing to malware and ransomware, and capable of spreading those threats throughout the organization, whether accidentally or willfully.

How an employee becomes an insider threat

Rogue employees aside, there are a number of ways a good employee can inadvertently become an insider threat. Below are just a few examples:

Lack of training

Cybersecurity awareness training is on the rise, but many businesses have not made a significant or meaningful investment in their employees. Poorly trained or untrained employees are more apt to click on phishing links and attachments that can unleash credential theft, malware, and other threats across an organization.

Sharing malicious links and files

Employees who don’t recognize malicious emails can and do inadvertently share them with other employees. One of the most famous insider threat cases occurred during the 2016 US presidential election when a Hillary Clinton help desk admin forwarded a Google phishing email to the campaign’s chief of staff. The phishing email was a fake sign-in attempt alert from Google, warning Clinton’s chairman John Podesta to change his email password. He did, and the rest is history.

Failing to report known threats

Reporting email threats when they’re detected is one of the best ways to halt an attack before it spreads throughout an organization. Unfortunately, even users who are trained to spot phishing emails and other threats do not immediately report them. In fact, the rate of reporting goes down as time elapses between training sessions, and the rate of reporting phishing emails is only 17 percent.

Clicking on links and attachments

Forty-six percent of organizations reported that malware was delivered to their organization via email in 2019. Office documents were the most popular filetype used to deliver malware, and phishing was the top attack vector. Users who click on links and attachments have the potential to unleash malware, ransomware, and even additional insider attacks from hackers who compromise employee accounts via phishing and then carry out additional attacks from within the business’s applications, including Microsoft 365.

Insider threat protection

A secure email gateway (SEG) remains one of the most common solutions for email security, but SEGs have limitations when it comes to insider threats in the cloud. First, a SEG sits outside cloud-based email, including Microsoft 365. For this reason, many SEGs cannot scan intra-company email in transit because these messages never leave the tenant. Some vendors offer separate products for insider threat detection, but these aren’t an integrated component of the core email filter and result in additional cost and complexity for MSPs and their end clients.

For Microsoft 365 clients, an API-based solution that natively integrates with Microsoft is capable of scanning internal email in real time, the same way it does email coming from outside the tenant. Whether malicious or inadvertent, an email-based insider threat can be scanned for malicious attachments and links, and even suspicious behavior like the pretexting and social engineering found in spear phishing attacks.

Additionally, identity and access management (IAM) tools can monitor suspicious behavior both before and after an attack. For example, IAM tools, including MFA and Azure AD Identity Protection, can detect impossible travel logins, or login attempts that occur far from the employee’s location. This is often the first sign that an unauthorized login is being attempted, and notification arrives quickly.

In “Protecting Against Business Email Compromise Phishing,” Gartner notes that IAM tools are especially critical to protecting Microsoft 365, where account takeover is common. If a Microsoft 365 password is compromised, for example, MFA can reduce the potential of account takeover with methods like push notifications and one-time passwords.

Vade Secure for Microsoft 365 is natively integrated with Microsoft 365 via API, allowing for analysis of internal email traffic. Vade’s content filter protects 1 billion mailboxes worldwide, providing the threat intelligence and user feedback used to train our machine learning algorithms to detect and block phishing, malware, ransomware, and spear phishing.