How to Recognize and Address Insider Threats

According to federal prosecutors with the U.S. Navy, veteran Johnathan Toebbe, alongside his wife Diana Toebbe, attempted to sell sensitive information regarding Virginia-class submarines. This wouldn’t be the first time an insider threat led to a potential leak of crucial military information, but the fact that it has happened in 2021 indicates that even in 2021, mitigating insider threats is still a vital issue. 

This news should be abundantly clear that insider threats are still a significant problem in modern cybersecurity. Here we’ll discuss what insider threats are and what you can do to reduce or mitigate the dangers of these threats for your organization. 

What Is an Insider Threat?

We tend to think of an insider threat as something that government agencies worry about. Secret documents, foreign agents and clandestine meetings are all part of this romanticized version of covert theft. 

But espionage is a real danger for many organizations. There is always the threat of insider breach in areas like federal systems or defense applications (as we’ve seen numerous times, including the most recent incident discussed above). But corporations and even mid-sized businesses can be victims of industrial or corporate espionage executed by an insider with access to resources others don’t have. 

Simply put, an insider threat is the threat of a security breach or the theft of data by someone inside your organization. Insider threats are particularly insidious because they are much harder to predict and counteract. Attacks by outside agents can be modeled and secured against, but it’s much more challenging to know if and when someone who works under you will suddenly decide to abuse their privileges for ill-gotten gain. 

That being said, there are two types of insider threats that you should consider as realistic scenarios for your business:

• Malicious Threats: These are threats that are what they are: attempts to steal information from you for purposes of profit or other gains.
• Accidental Threats: Accidents do happen, unfortunately, and in some rare cases it is possible that someone in your organization can unwittingly disclose information to others without intention to do so. 

In the case of the latter type of threat, the best you can do is shore up system security and employee training to avoid accidents before they occur. However, in the case of malicious threats, you must have followed security and compliance procedures to prevent the problem and mitigate damage should it occur. 

How Do I Recognize Insider Threats? 

The most significant challenge posed by insider threats is that they are unpredictable. Anyone can be a potential threat. That’s not to sound paranoid, but rather to highlight that in many cases, the individual posing a threat is usually a trusted employee or contractor. For example, Edward Snowden was a subcontractor working with the CIA and NSA with access to highly classified information on, among other networks, the DoD SIPRNet system. Chelsea (nee Bradley) Manning was a member of the U.S. Army with access to classified systems for years. 

This isn’t to say that recognizing threats is an impossible task, but instead that it takes a certain attention to detail to have any chance of success. Some of these details can include:

1. Sudden Changes in Behavior, including isolation, secretiveness or depression. Changes in behavior can also include changes in digital behaviors, such as attempts to access files outside the scope of work or long work hours at secure terminals. 
2. Challenges at Home, such as accruing debts, loss of property or family or other areas where money could be used as leverage for blackmail. 
3. Political Changes, such as sudden shifts into seemingly radical ideologies or fascination with foreign states. This kind of warning signal can also coincide with recent or repeated trips to the same foreign countries, or a sudden uptick in international travel. 

These details are broad, and in many cases, fall out of the scope of cybersecurity. And yet, they are some of the most important facets to understanding the potential for an insider threat. They call on you and your team to step out from behind the IT system and the computer monitor and look at the inner workings of your organization. While physical and administrative security are parts of most compliance frameworks, they cannot speak directly to the nuances of your team and any warning flags that may arise from them. 

Can I Prevent Insider Threats?

In short, not entirely. Like any security approach, insider threat prevention will always face challenges regarding how comprehensively you can protect information. This challenge is only compounded by the fact that you have to give some level of trust to employees and contractors above and beyond other stakeholders. 

That doesn’t leave you powerless, however. There are several steps you can take to help blunt these threats: 

• Perform Wide-Ranging Risk Assessment: Risk assessment isn’t simply about understanding technical security gaps. Skilled risk assessors can determine risks in every part of your organization. And, just because you’ve identified someone (or a position, or a department) as a risk doesn’t mean that they are a problem–it simply means that you should pay special attention to their situation. 
• Leverage Physical Security Measures: Keypads, locked data centers, monitored and secured workstations all go a long way towards protecting key assets. Although an insider most likely has some sort of access to anything they might steal, physical controls limit the pool of potential risks related to any resource while providing the system necessary to track who accesses what resources and when. 
• Extensive Logging and Monitoring: Speaking of tracking, audit trails and monitoring are critical for preventing and remediating insider threats. Your organization should have immutable logging capabilities and extensive reporting to help you understand who uses resources, when and for what purpose. These logs are a great resource for tracking potentially risky or telling behaviors before a breach occurs, and they provide forensics for remediation after the fact. 
• Use Advanced Identity Proofing: Modern IAM is evolving every day. While MFA and strong passwords can secure your system to some extent, they aren’t going to stand up to a long-planned insider attack. More advanced security like passwordless entry and compliant identity proofing can significantly limit overlaps in resource access. 
• Enforce Strict Role- or Attribute-Based Access Control (RBAC or ABAC): Your organization should have clear, strict and regularly reviewed policies on permissions, access controls, and roles. No person in your organization should have any access to information that doesn’t serve their job. RBAC and ABAC can give you granular access controls without sacrificing usability. 

Prepare Your Security and Compliance Infrastructure with Lazarus Alliance

Insider threats are a real, ever-present challenge for government agencies, public organizations and private businesses. Because they are so unique, however, they can be hard to prevent. 

With Lazarus Alliance, you can work with a security firm with decades of experience hardening IT systems, auditing for complex compliance requirements and helping organizations like yours prepare for the most challenging security threats, even those that come from the inside. 

Ready to Look Inward and Prevent Insider Threats?

Call Lazarus Alliance at 1-888-896-7580 or fill our this form to learn more on our penetration testing and red team services. 

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→