
Accidental insider threats and four ways to prevent them

Most insider attacks to enterprises are accidental, not intentional. SANS Faculty Senior Fellow Eric Cole, Ph.D., explains why security awareness training isn't enough to stop these threats.

Insider threat is a term many people are familiar with. The problem is that when people hear this term, they immediately think of malicious, evil insiders that are deliberately causing harm to an organization.

While the "malicious" insider threat will always be a concern, many may be surprised to learn that it isn't the primary area of damage for most organizations today. The main point of compromise for many attacks today is the "accidental" insider.

The accidental insider is someone who honestly and earnestly believes he is doing his job well and presents no threat to his employer, but is tricked or manipulated into allowing someone to cause harm to the organization.

When looking at attacks today, most people think external attacks are the biggest problem for organizations and where they need to focus most of their energy. However, it is important to distinguish between the source of an attack and the cause of damage. While the source of most attacks is absolutely external, the cause of damage is often the accidental insider. Adversaries recognize that it is too hard to directly break into servers and compromise an organization externally. It is much easier to target an insider, trick that person into opening an attachment or clicking on a link through social engineering, and then leverage his system as a point of compromise.

What can an organization do to properly protect itself against insider threats? Most organizations believe greater security awareness is the answer to minimizing accidental insider attacks; this means ensuring employees better understand the dangers and exposures. While I am a big fan of awareness, organizations have to remember that no solution will solve every problem.

Awareness is good for basic attacks where there is something visibly wrong with the email or information received by the user. However, with advanced adversaries and more sophisticated phishing attacks, the information received looks identical to real communication, which is why it is so often successful. Awareness will not help in this case. The solution to these sophisticated attacks is to remove the vector of attack.

Accidental insiders are usually targeted through email attachments or embedded Web links that are used to cause harm and compromise a system. The following are four categories of actionable controls that enterprises can put in place to minimize the harm of unintentional insider attacks.

Control applications

Two of the most potentially harmful applications on computers today are Web browsers and email clients; they are typically the most common points of entry for malware. Steps can be taken to limit the capability of those applications, but doing so also affects legitimate functionality that is often required to conduct key business processes.

Therefore, one solution is to run dangerous applications in separate virtual machines. Every time the application is launched, it runs in an isolated VM. If the content it handles is malicious, any infection occurs only in the VM, and there is no harm to the host operating system. When the application is closed, the VM is closed and any harmful activity is contained with it. In this case, a system is only infected for a short period in a controlled environment and there is minimal long-term impact. Additionally, this solution has no impact on the user while significantly impacting the ability of the adversary to cause harm.

Filter bad content

In many cases, the activity that is used to compromise an insider typically revolves around executable attachments, macros in office documents and HTML embedded content. Most organizations do not need to allow this activity coming from the Internet. Therefore, in the spirit of least privilege, if the activity is not required, it should be blocked. Strategically blocking only a small subset of harmful activity can have a positive impact on minimizing the damage from an adversary.
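As an added example that is not part of the article and not any vendor's product, the following Python script shows what "block what is not required" looks like for the three vectors named above. It parses a mail message, classifies each attachment by content before looking at its name (so a renamed executable or a macro-carrying Office file is still caught) and blocks HTML bodies. The extension list, the zip members checked, the legacy-OLE assumption and the sample message are all constructed for this example.

```python
"""Least-privilege mail attachment filter.

Added example for this article, not the author's or any product's code. It blocks
the three vectors the article names (executable attachments, macro-enabled Office
documents and embedded HTML) and decides by file content where it can, so a renamed
executable is still caught. The extension list, zip member names checked and the
sample message are constructed for this example.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that run directly when opened (constructed list, not exhaustive).
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".ps1", ".js", ".vbs", ".hta", ".msi"}
# OOXML files are zip archives; a VBA project lives under one of these members.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
BLOCKED_KINDS = {"executable", "macro-document", "html"}


def classify(filename: str, data: bytes, content_type: str = "") -> str:
    """Return 'executable', 'macro-document', 'html' or 'other'.

    Content signatures are checked before the name, because the name is
    chosen by the sender.
    """
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    # Windows PE images start with the 'MZ' DOS stub whatever they are called.
    if data[:2] == b"MZ" or ext in EXEC_EXTENSIONS:
        return "executable"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(m in zf.namelist() for m in MACRO_MEMBERS):
                    return "macro-document"
        except zipfile.BadZipFile:
            pass
    # Legacy OLE2 (.doc/.xls) containers need a compound-file parser to find
    # macros; this example treats them as macro-capable, the conservative
    # least-privilege choice (an assumption of this example).
    if data[:8] == OLE2_MAGIC:
        return "macro-document"
    head = data.lstrip()[:14].lower()
    if (content_type == "text/html" or ext in {".html", ".htm"}
            or head.startswith((b"<!doctype html", b"<html"))):
        return "html"
    return "other"


def filter_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and map each attachment or HTML body
    to (kind, 'block' | 'allow')."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        ctype = part.get_content_type()
        if filename is None and ctype != "text/html":
            continue  # plain-text body: nothing to filter
        data = part.get_payload(decode=True) or b""
        kind = classify(filename or "", data, ctype)
        verdicts[filename or "<inline html body>"] = (
            kind, "block" if kind in BLOCKED_KINDS else "allow")
    return verdicts


def build_sample_message() -> bytes:
    """Constructed message exercising each branch of the policy."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached files.")
    msg.add_alternative("<html><body><a href='http://example.com/'>view invoice</a>"
                        "</body></html>", subtype="html")
    # Minimal .docm: a zip archive containing a VBA project member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    # A PE image given a harmless-looking name.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    msg.add_attachment(b"2015-04,1200.00\n", maintype="text", subtype="csv",
                       filename="totals.csv")
    return bytes(msg)


if __name__ == "__main__":
    for name, (kind, action) in filter_message(build_sample_message()).items():
        print(f"{action:5} {kind:15} {name}")
```

Run as a script, it prints one verdict per part: the HTML body, the macro document and the disguised executable are blocked, and the CSV is allowed. The point of ordering the checks this way is that a policy keyed only on extension is defeated by renaming; checking the MZ and PK signatures first costs nothing and closes that gap.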

Limit executable content

Blocking all files of a certain type, while effective, is not always feasible if the files are needed by a user. Therefore, an alternative is to sandbox or filter out certain activity while still allowing legitimate activity through. Effective technology exists that can take an attachment, perform analysis of the content, and even run it in a sandbox to examine the behavior; if it is malicious, it would be blocked, and if it is legitimate, it is allowed through. This gives organizations more flexibility in filtering out content, but limits the impact of stopping normal activity that is required to run the business.

Control executables

Compromising an accidental insider is usually done by tricking the user into running an executable that they believe is legitimate, but actually contains malicious content. By controlling and verifying executables through technology like application whitelisting, you can minimize the introduction of harmful content into a system.
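As an added example, not part of the article and not modelled on any specific whitelisting product, the following Python script shows the decision logic behind the control just described: default-deny, with a program allowed to run only if its SHA-256 is on an approved list or it sits in a directory end users cannot write to, and every decision logged so denials can be reviewed. All paths, hashes and file contents are constructed.

```python
"""Default-deny executable allowlist with an audit trail.

Added example for this article, not the author's or any product's code. It models
the application-whitelisting control the article recommends: a program runs only
if its SHA-256 is on the approved list, or it lives in a directory that end users
cannot write to. Every decision is logged so denials (a user tricked into running
something unknown) can be reviewed. Paths, hashes and file contents are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Set, Tuple


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class AllowlistPolicy:
    # Hashes of binaries approved by IT; the identity survives renaming or copying.
    allowed_hashes: Set[str]
    # Directories only administrators can write to. A path rule is only as strong
    # as the write permissions on that directory, so user-writable locations such
    # as Downloads or temp directories must never appear here.
    trusted_dirs: Tuple[str, ...] = ("/usr/bin", "/opt/corp/apps")
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, path: str, content: bytes, user: str) -> bool:
        """Return True if execution is permitted; record the decision either way."""
        digest = sha256_hex(content)
        if digest in self.allowed_hashes:
            allowed, rule = True, "hash"
        elif any(path.startswith(d.rstrip("/") + "/") for d in self.trusted_dirs):
            allowed, rule = True, "trusted-dir"
        else:
            allowed, rule = False, "default-deny"
        self.audit_log.append({"user": user, "path": path, "sha256": digest[:16],
                               "allowed": allowed, "rule": rule})
        return allowed

    def denials(self) -> List[dict]:
        """Denied executions: the events worth triaging after a phishing wave."""
        return [e for e in self.audit_log if not e["allowed"]]


def demo() -> AllowlistPolicy:
    """Run five constructed execution attempts through one policy."""
    approved_binary = b"MZ\x90\x00approved-corp-tool-v1"  # constructed content
    pol = AllowlistPolicy(allowed_hashes={sha256_hex(approved_binary)})
    # 1. The approved tool from its normal location: allowed by hash.
    pol.decide("/opt/corp/apps/tool", approved_binary, "alice")
    # 2. The same bytes copied to Downloads: still allowed, identity is the hash.
    pol.decide("/home/alice/Downloads/tool-copy", approved_binary, "alice")
    # 3. An unknown file that arrived as an attachment: denied.
    pol.decide("/home/alice/Downloads/invoice.pdf.exe", b"MZ\x90\x00unknown", "alice")
    # 4. The approved tool with one byte changed: hash no longer matches, denied.
    pol.decide("/home/alice/Downloads/tool", approved_binary[:-1] + b"2", "alice")
    # 5. An unlisted binary in an admin-only directory: allowed by the path rule.
    pol.decide("/usr/bin/grep", b"\x7fELF-grep", "alice")
    return pol


if __name__ == "__main__":
    for event in demo().audit_log:
        print("ALLOW" if event["allowed"] else "DENY ", event["rule"], event["path"])
```

Two properties are worth noticing in the output. A hash rule is independent of where the file lives, which is why case 2 is allowed and case 4 is not; a directory rule is only meaningful if users cannot write to that directory, which is why the trusted list excludes Downloads and temp paths. The audit log turns the control into a detection source as well: a burst of default-deny events from one user's Downloads folder is exactly the accidental-insider compromise the article describes, caught before it ran.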

It can't be emphasized enough that the most important part of understanding accidental insider threats is that non-malicious employees, partners and others with privileged access represent the greatest potential for harm, simply because of the ease with which the average person can be manipulated. The good news is that once an organization understands that the accidental insider is the greatest potential cause of insider-related damage, actionable steps can be taken to control and minimize the impact this risk has on an organization.

If there is an article that you would like written or a problem you are looking to solve, please contact Eric Cole at

About the author:
Eric Cole, Ph.D., is an industry-recognized security expert with more than 25 years of hands-on experience. He is the founder of and an executive leader at Secure Anchor Consulting, where he provides leading-edge cybersecurity consulting services and expert-witness work, and leads research and development initiatives to advance state-of-the-art information systems security. He was the lone inductee into the Infosecurity Europe Hall of Fame in 2014. He is actively involved with the SANS Technology Institute and is a SANS faculty senior fellow and course author who works with students, teaches, and develops and maintains courseware.

Next Steps

The SANS Institute says enterprises are overconfident in their ability to detect insider attacks and threats

Find out how the Dyre Wolf financial malware campaign is using social engineering to attack banks

This was last published in April 2015

Join the conversation

What steps is your organization taking to mitigate insider threats?
The accidental insider threat is definitely an issue. This year is the first time that my company has started trying to address that. We have had required webinars to boost awareness, as well as test phishing attempts. People who fell for the phishing attempts (and the rates were fairly high) had to attend additional training. 

I do agree that awareness can only do so much, because some communications can look identical to the real thing. I had never heard of running email and a browser in a temporary VM. It seems like that would be resource intensive. I wonder how much performance would suffer. Seems like a good idea in theory, though.

No matter how much training has been done, I still see users fall victim to phishing schemes. In a business environment they are getting more and more clever. If you get an email, say from a bank you deal with or a package delivery service, saying there was a problem, a user may open it without giving it a second thought. I tell them if you are not expecting anything or are unsure, open the full header and see where the actual mail is coming from, or call the IT department for verification. Most IT departments run a spam filter, but there are still many that slip through.

My company is taking all of these measures, and luckily we have not had any compromises to our systems. I do agree that awareness isn't enough, because I've seen a couple of very authentic-looking emails. Fortunately the user did forward the email to the IT department.

What a stupid, time-wasting, money-sucking problem. Knowledge is one of the few ways to hold it at bay. Would be nice if we could stop these attacks. We won't, but we can keep them from inflicting even more harm.

Since email is often the source, we teach employees proper email handling techniques....

* Think before you click.
* Never open a photograph you didn't request.
* If you didn't ask for the information, don't open it.
* Don't click on email links unless you know where they link.
* When in doubt, call the sender and ask.
* No, you didn't win a special award from ______ (fill in the blank).
* No, no Nigerian prince/lawyer/banker really loves you.
* Odds are good your bank isn't trying to reach you.
* Use the link you know for your bank or credit card.
* No, you don't have to confirm your bank password.

These rules can go on and on. And you can add your own; most of them are self-obvious. The smartest thing you can do is talk with your co-workers about the problem and share the information you get. When one person learns that an account was hacked, we all know it. That saves a lot of clean-up problems.

IT has a new policy. It's a pain for everyone, but stray viruses are virtually unknown.

To download information, pluck it out of the cloud off-site or pick up a clean thumb drive from IT. When you're ready to upload your work, bring that thumb drive back to IT, not to your computer. IT does the checking and uploading of files for you. No, you can't upload from off-site.

It's a major PITA and takes some getting used to. But we manage. And the system doesn't face threats.
One of the fundamental things I do with my work email is that I subscribe to nothing, and I unsubscribe any time I end up receiving any communications external to the company. Yes, I am a vendor's worst nightmare in that regard, but I have an alternate address for those interactions. Additionally, I try to make it a point to type in the base address of a URL first and then try to find the communication in the link, just to make sure I am not being phished (Firebug is nice for this as well). This is doubly true any time I am asked to look at something that has anything to do with transacting money or personal info.

We have positioned ourselves relatively strongly against external threats, but accidental insider threats have caused us more problems.

No matter how many precautions we take, it still happens. We have now blocked USB drives from auto-running applications. But we still get internal users forwarding questionable e-mails. We need to hold people accountable.

This is a great article on prevention. Though realistically, there isn't a reliable way of preventing all bad things and getting all employees to do the right thing 100% of the time. The 1, 2 punch on this would also be to add real-time detection of threats that have made their way inside the network before the attack cycle can be completed. I see deception for threat detection growing in popularity as organizations realize that prevention techniques alone are not enough.

I suppose if you eliminated removable media from PCs by using thin clients you may cut down on infections. That still leaves the biggest culprit, e-mails.