Please fill in the form below to subscribe to our blog

3 Main Motivators Behind Malicious Insider Threats Have Shifted

December 22, 2023

Malicious Insiders Don’t All Want the Same Thing

 Cybercriminals and their tricks aren’t the only threat to a company’s systems and data. As organizations work to fortify their defenses against a wide array of persistent and emerging cyberthreats, they must pay attention to every threat vector, including the homegrown kind. The threat posed by employees, contractors or partners with access to sensitive information is a multifaceted challenge that every company has to face. Most insider threats come from well-meaning employees making mistakes or simple negligence. However, every company has to consider the fact that, at some point, they may have to contend with a malicious insider. Exploring how an employee becomes a malicious insider and the way the motivations of malicious insiders have shifted in the last few years can help companies gain a deeper understanding of malicious insider threats. 

How does an employee become a malicious insider? 

No one ever wants to believe that someone on their team would ever do more harm than good. But unfortunately, it’s not uncommon for employees to go rogue. While not every malicious insider incident ends in a data breach, reviewing research into the causes of data breaches can offer insight into the problem. According to Verizon’s Data Breach Investigations Report 2023, there are three primary reasons why an employee becomes a malicious insider. 

Money: About 89% of malicious insiders are motivated by money. Money-motivated employees may sell their credentials to an Initial Access Broker (IAB) or sell data on the dark web. This is a 19% increase in this category compared to 2022. The challenging global economy may be a contributing factor to that increase. 

Revenge: An estimated 13% of malicious insiders have revenge against their employer in mind when they act. Disgruntled employees might do destructive things, like deploy ransomware into their company’s systems. The damage can be catastrophic, especially if the vengeful employee has privileged access.  

Espionage: About 5% of malicious insiders are engaged in corporate espionage. They might disclose company secrets to a rival, provide cybercriminals insider knowledge about a company’s defenses or steal intellectual property. However, there has been a 20% drop for this motivator since 2022. 

In The Educator’s Guide to Cybersecurity, see the cyber threats that schools face & how to mitigate them. DOWNLOAD IT>>

Top concerns about malicious insiders and their actions 

Ponemon Institute’s Cost of Insider Threats Global Report highlighted the moves that malicious insiders are most likely to make. Data theft tops the list, whether exfiltrated via email or simply downloaded. An estimated 45% of employees download, save or send work-related files before they leave their job. This happens most frequently in the tech, financial services, business consulting and management sectors. Employees who have given notice that they’re leaving a company are major risks for stealing data like intellectual property – 70% of insider intellectual property thefts take place within 90 days of an employee’s resignation.

The top 5 malicious insider actions

74%Exfiltrating data via email
62%Scanning for unsecure open ports and network vulnerabilities
60%Accessing sensitive data without legitimate cause
53%Downloading large amounts of data
50%Utilizing unauthorized external storage devices

Source: Ponemon Institute Cost of Insider Threats Global Report

Learn more about growing supply chain risk for businesses and how to mitigate it in a fresh eBook. DOWNLOAD IT>>

How do malicious insiders make money? 

Money will forever be the biggest motivator for any criminal, and a malicious insider is no exception. Here are some of the ways that employee bad actors can profit from a company’s misfortune: 

Misusing their credentials: A malicious actor might use their (or someone else’s) credentials to access sensitive information or give someone access to systems and data who shouldn’t have it. In the Verizon Data Breach Investigation Report 2023, researchers determined that malicious insiders caused 406 data security incidents via privilege misuse, and 288 of them resulted in data disclosure. 

Selling their credentials: Money-motivated malicious insiders can make a tidy sum by selling their credentials on the dark web. While an average legitimate corporate network credential goes for between $2,000 to $4,000, selling a privileged credential is much more lucrative. Desirable privileged credentials can go for upwards of $120,000. 

Peddling data on the dark web: Data is currency on the dark web. Personal data reigns as the hottest type of data on the dark web followed by medical data in second place. Employees can also profit from selling proprietary data like formulas, research (especially medical research) and corporate secrets. An estimated 45% of employees download, save or send work-related files before they leave their job. 

Cybercrime-as-a-Service: Cybercrime is a $8 trillion industry and there are plenty of “jobs” available. Major cybercrime gangs hire specialists to take care of various aspects of their operations — like an employee with access to a company’s systems who can deploy ransomware. 


See the challenges companies face & how they’re overcoming them in our Kaseya Security Survey Report 2023 DOWNLOAD IT>>

Don’t ignore these warning signs of malicious activity 

While every malicious insider has unique motivations, some actions or behaviors should be viewed as red flags since they often point to the possibility of an employee carrying malicious intent. Employees who have recently been laid off, demoted or terminated are major risks to a company’s security. Over 90% of malicious insider incidents are preceded by employee termination or layoff. 

 Suspicious behaviors like these are also red flags that can indicate a malicious insider: 

  • Downloading or accessing large amounts of data 
  • Mishandling passwords 
  • Adding unauthorized privileges to their user account 
  • Sending proprietary information to their private email accounts 
  • Installing unauthorized software and applications 
  • Feeling like they are under unnecessary stress and feeling unappreciated 
  • Having serious financial problems 
  • Anger about being passed over for a promotion 
  • Isolating themselves or antisocial behavior 

an ominously dark image of a hacker in a blue grey hoodie with the face obscured.

Explore the nuts and bolts of ransomware and see how a business falls victim to an attack. GET EBOOK>>

Mitigate All Kinds of Risk Effectively with Kaseya’s Security Suite

Kaseya’s Security Suite has the tools that MSPs and IT professionals need to mitigate all types of cyber risk effectively and affordably, including insider risk. Our solutions integrate seamlessly and leverage automation and AI to make IT professionals’ lives easier.   

BullPhish ID — This effective, automated security awareness training and phishing simulation solution provides critical training that improves compliance, prevents employee mistakes and reduces a company’s risk of being hit by a cyberattack.      

Dark Web ID — Our award-winning dark web monitoring solution is the channel leader for a good reason: it provides the greatest amount of protection around with 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.     

Graphus — Automated email security is a cutting-edge solution that puts three layers of AI-powered protection between employees and phishing messages. It works equally well as a standalone email security solution or supercharges your Microsoft 365 and Google Workspace email security.    

Kaseya Managed SOC powered by RocketCyber — Our managed cybersecurity detection and response solution is backed by a world-class security operations center that detects malicious and suspicious activity across three critical attack vectors: endpoint, network and cloud.       

Datto EDR — Detect and respond to advanced threats with built-in continuous endpoint monitoring and behavioral analysis to deliver comprehensive endpoint defense (something that many cyber insurance companies require).       

Vonahi Penetration Testing — How sturdy are your cyber defenses? Find out with vPenTest, a SaaS platform that makes getting the best network penetration test easy and affordable for internal IT teams.    

Learn more about our security products, or better yet, take the next step and book a demo today! 

dark web threats

Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!