Insider profiles I. Typologies

Lately, enterprises have had to face a very specific type of risk that is increasingly harmful and dangerous for their survival and consists of the problems that can originate in their own IT systems.

In general terms, when we think of an attack, we usually envisage an external threat, a person alien to the enterprise who sneaks into the computer system to steal or sabotage information or the processes storing it. It is within this context that a word must be said about the infamous hackers.

But make no mistake; the threat can also come from within. Enterprises’ enemies can also be found on the inside, in the form of their own employees, known as insider hackers. These are individuals who have in their possession extensive knowledge about a company because they work or worked there and, for some reason, they cause cyberharm thanks to this knowledge or the position they hold in the enterprise.


With respect to the typologies of insiders, a general classification can be established that makes a distinction between those that are intentional and unintentional. Intentional insiders harm the enterprise in a premeditated way. They decide to attack it being fully aware of what they are going to do.

On the contrary, there are some insiders that are unintentional, who cause damage, but who do not do so voluntarily or consciously.

Within the unintentional category, a distinction can also be made between two types of insiders: the careless and the naive.

The careless insider

A careless insider is a negligent employee who creates a security breach involuntarily and who has no intention of obtaining an incentive or benefit from it. They are typically users who inadvertently misplace media storage devices or who leave data exposed or lose them accidentally.


Just because the breach is unintentional does not mean that these insiders do not inflict considerable, serious harm on the enterprise, as, in the end, the consequences it produces are the same as those that might be caused by a corporate espionage incident.

The naive insider

A naive insider passes privileged information or data on to persons or third parties who con or manipulate them in order to obtain this information. This context of deception is very similar to that used in the phishing phenomenon, through social engineering.

Sometimes these insiders are unaware that they are causing harm and even believe that they are acting for the good of the company when, for example, they disclose private details on answering an email that is very similar to their superior’s or a vendor’s, but when really the address is malicious. You would be surprised to know just how much confidential information can be obtained through politeness and small doses of deceit!

The insider profiles we describe below fall into the “malicious” category, which means that, unlike the types of employees we mentioned above, they are fully aware that their actions will jeopardize the company. Their motives can be found in one of the following four subcategories: the saboteur, the disloyal insider, the moonlighter and the mole.

The saboteur

Saboteurs are employees whose main goal is to harm the company, to cause as much damage as possible for purely personal reasons. They are employees who are disgruntled about their salaries, about the way they have been treated by their superiors, about a lack of promotion, etc.

Their interest does not lie in stealing information but in harming the company; their only incentive is the pleasure brought from wreaking revenge. Unlike unintentional insiders, these hide away, they are worried about being found out; hence, they act in a covert, clandestine way. If access to a certain type of information is blocked, they try elsewhere.

They are able to assess what types of information and actions cause as much damage as possible and these are the ones they choose. The extent of the damage also depends on the position they hold in the company, but it must be taken into account that the actions they opt for are always the most destructive.


On many occasions, the stolen information may be sent to competitors or even to the media, if by doing so they inflict harm. As they do not seek any economic gain, their intention is not to create competition among possible beneficiaries; hence, they disseminate the information widely among all the recipients they believe are going to use it in a way that is detrimental to the company.

Given that these types of employees are motivated by emotional issues, they do not stop until their thirst for revenge is quenched which, in corporate terms, represents a good deal of money in losses. If, moreover, we bear in mind that they do not want to be dismissed or identified, these types of insiders constitute a disease that gradually destroys the organism if it is not stopped in time.

The disloyal insider

Disloyal insiders plan to leaving the company in the short term and decide to reap some kind of benefit during this time, acting for their own personal gain to obtain as much information as possible from the company which they can subsequently profit from.

These types of attacks may range from stealing customers’ portfolios to misappropriating intellectual property. A priori they may not know the value of the information stolen and they may not even use the misappropriated data at a later date. This stolen information may sometimes be used to blackmail the company once they have quit or been fired or, on occasions, they may use the data in their new job.

The moonlighter

A moonlighter is a subtype of both of the above in which an employee who wants revenge or who is disloyal gets in contact with a potential buyer before stealing the information. In other words, it is an employee who has a clear, primary, economic goal.

This means that they do not select the data that do the most damage, but the information that is the easiest to sell at the highest price.

Sometimes their actions consist in finding the exact information sought by an external customer in order to pay off debts or to resolve a specific personal situation and, in this way, an originally loyal worker may become disloyal. Enterprises must realize that an employee’s loyalty is not a trait, in other words, a stable feature of their character, but it is a state, a temporary attitude that may change in certain circumstances.

The mole

A mole can be equated to the traditional kind of spy we are familiar with in films. In general terms, this insider does not act alone, but usually forms part of a group, state or competitor which infiltrates an alleged employee into an enterprise but whose sole mission, nevertheless, is to steal specific information.


This insider’s profile is usually completely false so they can disappear easily when the theft has occurred, concealing their true identity and personal background. This is the case of the most sophisticated and complex insider, who typically represents great danger and detriment for the company.

As can be seen, the fight against these types of insiders is not only the responsibility of a company’s security departments, but it also requires specific actions on the part of the HR department.

This does not mean that companies should mistrust their employees or that they should spy on or monitor their workers, but they do need to have measures in place that manage this potential risk.

Most employees never turn into insiders, in the same way as most companies never suffer a fire that razes their offices but, nevertheless, they invest in extinguishers and other fire protection systems.

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video



Posted by Tim Ayling

Tim Ayling is currently the Vice-President EMEA at buguroo. With over 20 years' experience in the cybersecurity and anti-fraud industry, Ayling began his career in technical support, and moved on to System Engineering. He began his leadership career when he established Entrust Inc. in Australia in 2003 and was made Vice-President Asia Pacific in 2006. Ayling has held numerous leadership roles in large cybersecurity vendors, including serving as the Global Head of Fraud Prevention Solutions at Kaspersky Labs, as EMEA Director of Fraud & Risk Intelligence at RSA Security, as well as spending time in the cyber-security practice of KPMG.

Did you like it? Share in your social communities

We recommend you...