
21 Ways To Protect Your Network From Internal Threats

Summary: Real threats include employee sabotage, accidental data leaks, and disgruntled ex-workers. Learn how to prevent internal breaches and protect your data from friendly fire. 

There is a common perception that the leading cyber security threats to a business come from hooded hackers halfway around the world.

Those attacks get most of the attention, and the most elaborate of them tend to be aimed at larger targets than small to mid-sized businesses.

However, there is also a set of internal threats to be concerned with, in the form of employees and contractors. These are known as insider threats or insider risks.

Some of the threats are breaches and theft by insiders acting independently.

There are also hybrid threats. These are threats in which the external bad actor colludes with either an unsuspecting person or with a willing participant on the inside.

Unwilling Collusion

An example of unwilling collusion is when an employee pays a fraudulent invoice or unwittingly gives up credentials due to successful phishing or other social engineering attacks.

Willing Collusion

An example of willing collusion is when a ransomware gang entices an insider to install and launch ransomware on a server in exchange for a percentage of the heist.

How can you protect your business from an ever-growing variety of internal threats? We have assembled a detailed list.

While this list may seem overwhelming, it shows that internal network security’s convenience vs. protection balance has moved toward the risk mitigation end of the spectrum.

1. Adopt a Zero Trust stance

Zero Trust is a security concept. It means taking a stance of not trusting anything internal or external by default. Anything or anyone trying to connect to company systems must first be verified.

The approach can be described as “untrusted until proven trustworthy.”

Zero Trust is not a one-and-done proposition. Users and permissions must be monitored on an ongoing basis.

2. Enforce internal software and firmware patching compliance

Continually updating all internal software and firmware with the latest updates from vendors is essential for patching vulnerabilities.

The CVE list and the National Vulnerability Database (NVD) are the most comprehensive sources of information on current vulnerabilities. Narrower, regularly updated lists of the vulnerabilities that ransomware gangs actually use, such as CISA's Known Exploited Vulnerabilities catalog and the lists some researchers maintain on social media, tell you which patches to apply first.

An insider, or an outsider using an insider's credentials, can operate inside the network for a long time without being noticed, and every unpatched internal system is a place for them to gain a foothold or escalate. This is why keeping all internal systems up to date, not just the internet-facing ones, is critical.

Patch management software is important for automating as much of the software and firmware updating process as possible.

Check with your managed service provider about their patch management software solution.

3. Be aware of all software being used within your organization

If your IT team doesn’t know about all installed software and firmware on employees’ machines, they won’t know everything that needs to be patched.

A good internal security practice is knowing about all the software used across your network and consistently updating it.

This may require establishing an inventory of all endpoints and installed software.

Note: While patching should be at the top of your security task list, it is not a silver bullet, because of zero-day vulnerabilities. A zero-day attack exploits a flaw before the vendor has released a patch for it, so the other controls on this list still have to hold when patching cannot.

4. Replace end-of-life software

While it is possible to buy extended security updates for some software past its end of life (Windows 7's Extended Security Updates program, for example, which itself ended in January 2023), some software is so old that updates are simply not available.

One organization experienced a ransomware attack that succeeded in part because of a vulnerability in an 11-year-old installation of Adobe ColdFusion 9.
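The checks in items 2 to 4 come down to one question per installed package: is this version older than the first fixed version, or is the product end-of-life so that no fix will ever come? The script below is an added example, not the page's own code or any vendor's patch-management product: the product names, version numbers, hosts and the "fixed in" table are all constructed for illustration, and in practice the reference tables would be generated from the CVE/NVD feeds or a known-exploited list.

```python
"""Check a software inventory against versions with known-exploited flaws and
against end-of-life products. Added example, not the page's own code: every
product name, version and host below is constructed for illustration."""
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """'9.0.2' -> (9, 0, 2); '3-sp1' counts as 3. Assumes dotted numeric versions."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Constructed reference data (hypothetical products). In practice this would be
# generated from the CVE/NVD feeds or a known-exploited-vulnerabilities list.
FIXED_IN = {                       # product -> first version containing the fix
    "examplevpn-gateway": "4.3.1",
    "examplecms": "6.2.0",
}
END_OF_LIFE = {"legacy-appserver", "examplecms-5"}   # no patches will ever come


@dataclass
class Host:
    name: str
    software: dict                 # product -> installed version string


def assess(hosts):
    """Return (host, product, version, reason) for every finding."""
    findings = []
    for host in hosts:
        for product, version in host.software.items():
            if product in END_OF_LIFE:
                findings.append((host.name, product, version,
                                 "end-of-life, no updates available: replace"))
                continue
            fixed = FIXED_IN.get(product)
            if fixed and parse_version(version) < parse_version(fixed):
                findings.append((host.name, product, version,
                                 f"known-exploited flaw, fixed in {fixed}: patch"))
    return findings


def unpatched_hosts(hosts):
    """Sorted names of hosts with at least one finding."""
    return sorted({finding[0] for finding in assess(hosts)})


# Constructed inventory, the kind a patch-management agent would report.
INVENTORY = [
    Host("fw-edge-01", {"examplevpn-gateway": "4.2.9"}),
    Host("web-01", {"examplecms": "6.2.3"}),
    Host("intranet-01", {"examplecms-5": "5.4.0"}),
    Host("hr-app-01", {"legacy-appserver": "9.0.2", "examplecms": "6.1.0"}),
]

if __name__ == "__main__":
    for host, product, version, reason in assess(INVENTORY):
        print(f"{host}: {product} {version} -> {reason}")
```

The version comparison is deliberately simple (dotted integers); products with date-based or letter-suffixed versions need their own parser, which is one more reason an inventory that records the exact version string matters.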

5. Implement a company-wide password manager & policies

While using strong passwords is well-worn advice, it always bears repeating.

From an internal threat perspective, strong passwords are an essential layer of protection against Kerberoasting.

In a nutshell: any authenticated domain user can request a Kerberos service ticket for any account that has a Service Principal Name (SPN) registered, and part of that ticket is encrypted with a key derived from the service account's password. An attacker who has compromised any domain account, or an insider with an ordinary one, can collect those tickets and run offline cracking tools against them. A weak service account password falls in minutes; a long random one does not. The attack causes no lockouts or failed logons, so it is rarely noticed.

Strong passwords are facilitated across the board by a company-wide password manager, along with appropriate password policies. Service accounts in particular should have long, randomly generated passwords, or be converted to group Managed Service Accounts so that Windows rotates the password itself.
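Because Kerberoasting looks like normal ticket traffic, the signal is in volume and cipher choice: a single user account asking for RC4-encrypted service tickets for many different service accounts in a short window. The detection below is an added example written for this page, not the page's own code or any product's rule. It runs over constructed Windows event 4769 (service ticket requested) records in a simplified "timestamp key=value" form; the five-service threshold and five-minute window are assumed tuning values, and a domain that still has legacy RC4-only services will need an allow list.

```python
"""Flag Kerberoasting-style behaviour in Windows security event 4769 records
(service ticket requested). Added example, not the page's own code. The event
lines below are constructed; threshold and window are assumed tuning values."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType for RC4-HMAC, what roasting tools request
THRESHOLD = 5                  # distinct services in one window (assumed)
WINDOW = timedelta(minutes=5)  # (assumed)


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_roast_candidate(event: dict) -> bool:
    """A successful RC4 service-ticket request for a user (not machine) account."""
    service = event.get("ServiceName", "")
    return (event.get("EventID") == "4769"
            and event.get("Status") == "0x0"
            and event.get("TicketEncryptionType") == RC4_HMAC
            and not service.endswith("$")          # computer accounts: not roastable
            and service.lower() != "krbtgt")       # TGT renewals, not a service


def detect_kerberoast(lines, threshold=THRESHOLD, window=WINDOW):
    """One alert per requesting account that pulled RC4 tickets for at least
    `threshold` distinct services inside any `window`-long span."""
    requests = defaultdict(list)   # user -> [(ts, service, source ip)]
    for line in lines:
        event = parse_event(line)
        if is_roast_candidate(event):
            requests[event["TargetUserName"]].append(
                (event["ts"], event["ServiceName"], event.get("IpAddress", "?")))
    alerts = []
    for user, reqs in requests.items():
        reqs.sort()
        for i, (start, _, ip) in enumerate(reqs):
            services = {svc for ts, svc, _ in reqs[i:] if ts - start <= window}
            if len(services) >= threshold:
                alerts.append({"user": user, "source_ip": ip, "first_seen": start,
                               "services": sorted(services)})
                break              # one alert per account is enough
    return alerts


SAMPLE_EVENTS = [  # constructed; real 4769 records come from the domain controller's security log
    "2024-05-01T09:15:00Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.1.2.3 Status=0x0",
    "2024-05-01T09:15:04Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.1.2.3 Status=0x0",
    "2024-05-01T09:15:08Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.1.2.3 Status=0x0",
    "2024-05-01T09:15:11Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_report TicketEncryptionType=0x17 IpAddress=10.1.2.3 Status=0x0",
    "2024-05-01T09:15:15Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.1.2.3 Status=0x0",
    "2024-05-01T09:15:19Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_mail TicketEncryptionType=0x17 IpAddress=10.1.2.3 Status=0x0",
    "2024-05-01T09:15:22Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS-042$ TicketEncryptionType=0x17 IpAddress=10.1.2.3 Status=0x0",
    "2024-05-01T09:16:00Z EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.1.2.3 Status=0x0",
    "2024-05-01T09:40:00Z EventID=4769 TargetUserName=mwalsh@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.1.5.9 Status=0x0",
    "2024-05-01T09:41:30Z EventID=4769 TargetUserName=mwalsh@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=10.1.5.9 Status=0x0",
]

if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

In the sample, jdoe pulls RC4 tickets for six different service accounts in twenty seconds and is flagged; mwalsh's single RC4 request to a legacy service is not. The same rule needs event 4769 auditing enabled on the domain controllers ("Audit Kerberos Service Ticket Operations") before there is anything to read.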

6. Require the use of multi-factor authentication

When a password is an employee's only authentication factor and it is weak, an attacker can get into the account by guessing it in seconds or minutes.

A good internal security practice is to require multi-factor authentication wherever it is available. Multi-factor authentication requires an additional proof, such as a one-time code from an app or a hardware security key, beyond a username and password. Accounts that should require it include:

  • Email services
  • Cloud productivity software such as Office 365 and Google Workspace
  • Document storage such as Box and DropBox
  • Online banking services
  • Social media accounts like LinkedIn, Twitter & Facebook
  • CRM, ERP, and tax preparation software

The benefit is that if the password is compromised, the second factor still stands in the way. Not all second factors are equal: SMS codes and push approvals can be phished or worn down with repeated prompts, while FIDO2/WebAuthn security keys are bound to the real site and resist both.

7. Add a layer of email filtering

Both Microsoft Office 365 and Google Workspace have native email filtering that can warn users about suspicious messages.

However, some third-party products give more control over email filtering policies.

An email filtering application can catch suspicious emails that the provider's built-in filter missed, and can apply your own rules, such as flagging mail from lookalike domains or mail whose Reply-To address points somewhere other than the sender.

8. Implement better antivirus/EDR software

In some small businesses, antivirus coverage is catch-as-catch-can, with employees running whatever AV software they happen to have. Nobody verifies that it is reliable, current, or even switched on.

Centrally administered AV or Endpoint Detection and Response (EDR) software ensures that reliable and up-to-date software is installed on all endpoints, that nobody can quietly disable it, and that its alerts go somewhere a person is actually watching.

9. Provide Zero Trust remote network access

When members of a distributed workforce have remote access to the corporate network, zero-trust security should be applied.

Cloud-based remote access technologies such as Secure Access Service Edge (SASE), along with integrated software-defined perimeter (SDP) capabilities, enable organizations to implement Zero Trust network access more easily.

For example, you can deny administrators the ability to have administrative access from outside the internal network.

Hybrid workers can have more restrictive remote privileges compared to when they are in the office.

10. Give internal users access to the minimum needed resources

The Principle of Least Privilege (a.k.a. Least Privilege Security Model) states that each user’s account should only have the access privileges necessary for a person to do their job.

For example, some users may not be granted privileges for installing new desktop software.

The Principle of Least Privilege can also apply to database-backed software such as CRM and ERP. Users can be given access to only the records and fields they need.

Sensitive fields, such as those containing personal information or payment details, can be encrypted and made readable only to the users who need them. Passwords are the exception: they should be stored only as salted hashes and never be viewable by anyone, administrators included.

11. Give administrators the minimum privileges they need

The Principle of Least Privilege should also apply to internal administrators. Just because an admin can control several system settings does not mean they should be able to control them all. Role-based permissions can be applied to admins, just as they are to users, and day-to-day work such as email and browsing should happen under a separate non-admin account.

Administrative accounts usually carry the highest insider-threat risk. Microsoft provides tools to help with this, such as Windows LAPS for unique, automatically rotated local administrator passwords and its tiered administration model, which keeps domain admin credentials off ordinary workstations.

Removing unnecessary administrator rights limits attacks such as Pass-the-Hash, in which an attacker who gains local admin on one machine lifts the NTLM hashes cached there and reuses them to authenticate to other machines without ever knowing the passwords. Fewer admins, and no shared local admin password, means fewer hashes worth stealing.

12. Segment your network into subnets

Network segmentation involves creating a set of smaller networks within an organization rather than having a single, extensive network. The flow of traffic between networks can be tightly controlled.

This can be used to wall off departments from one another completely. For example, the engineering and the marketing departments may not need to access one another’s network applications or files.

In the "execute ransomware for hire" scenario described above, an employee willing to run ransomware may have no network path to the machine on which it needs to be executed, and ransomware that does run cannot spread past the segment boundary.
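Segmentation only limits an insider if the rules between segments default to deny and allow only named flows. The policy evaluator below is an added example, not the page's own code or a real firewall configuration: the subnets, segment names and allow rules are a constructed addressing plan, and intra-segment traffic is assumed to be unfiltered here (a host firewall would handle that). It shows, for the scenario above, that a marketing workstation cannot reach the engineering file share over SMB at all.

```python
"""Default-deny inter-segment policy with explicit allow rules. Added example,
not the page's own code; subnets, segment names and rules are constructed."""
from ipaddress import ip_address, ip_network

# Constructed segments (assumed addressing plan).
SEGMENTS = {
    "marketing":   ip_network("10.10.0.0/24"),
    "engineering": ip_network("10.20.0.0/24"),
    "servers":     ip_network("10.50.0.0/24"),
    "it-admin":    ip_network("10.90.0.0/24"),
}

# Allow rules: (source segment, destination segment, permitted destination ports).
# Anything not matched here is dropped. Note there is no rule between
# marketing and engineering in either direction.
ALLOW = [
    ("marketing",   "servers",     {443}),                 # web apps only
    ("engineering", "servers",     {443, 445, 22}),        # file shares and git over ssh
    ("it-admin",    "servers",     {22, 443, 445, 3389}),  # admin from the IT subnet only
    ("it-admin",    "marketing",   {3389}),                # remote support
    ("it-admin",    "engineering", {3389}),
]


def segment_of(ip: str):
    """Name of the segment containing ip, or None for an unknown address."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would the segment firewall pass this flow?"""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False                 # unknown address: default deny
    if src == dst:
        return True                  # intra-segment traffic is not filtered here (assumed)
    return any(s == src and d == dst and dst_port in ports for s, d, ports in ALLOW)


def reachable(src_ip: str):
    """Every (segment, port) a source can reach: the blast radius of that host."""
    src = segment_of(src_ip)
    return sorted((d, p) for s, d, ports in ALLOW if s == src for p in ports)


if __name__ == "__main__":
    for src, dst, port in (("10.10.0.15", "10.20.0.7", 445),
                           ("10.10.0.15", "10.50.0.20", 443),
                           ("10.90.0.2", "10.50.0.20", 3389)):
        print(src, "->", dst, port, "allowed" if is_allowed(src, dst, port) else "denied")
    print("marketing host can reach:", reachable("10.10.0.15"))
```

Running `reachable` for each workstation subnet is a quick way to audit a proposed design: if an ordinary user's segment can reach the server segment on 445 or 3389, the policy does not actually contain the scenario above.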

13. Immediately disable a departing employee’s accounts

Accounts belonging to an employee who no longer works for the company should be disabled (or deleted once any data retention needs are met) as soon as possible, their active sessions and tokens revoked, and any shared or service credentials the person knew rotated.

Employees who quit, are laid off or are fired often take internal data — intentionally or unintentionally.


Your IT services provider may be able to supply a formal offboarding template to ensure everything is locked down when an employee leaves the company.

14. Monitor high-risk employee activity

The computer-related behavior of soon-to-be-departing employees and other high-risk employees can be monitored.

There are applications that can add departing employees to a data exfiltration watch list and then monitor them for suspicious file transfers, such as bulk downloads, copies to USB media, or uploads to personal cloud storage and webmail.

“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.” – Dr. Larry Ponemon

15. Implement internal security awareness training

It’s important to conduct security awareness training for employees and contractors. Many Managed Security Service Providers (MSSPs) include this in their offering.

This partly involves training users to spot phishing and business email compromise (BEC) emails. Employees should be instructed to report any suspicious-looking message to IT (many mail clients have a report-phishing button) rather than reply to it or act on it.

Other forms of social engineering by hackers, including phone calls, text messages, and in-person visits, can cause an employee to give up their password to a third party. When this happens, email filters and strong passwords are irrelevant.

16. Use voice analytics to assess the risk level

Voice analytics company Clearspeed offers technology that screens prospective or current employees for risk.

A “yes” or “no” response to each of a set of questions can clear a prospective employee or flag them for additional screening.

If an incident has already occurred, the technology can flag a current employee for further investigation.

17. Set internal session timeouts

To protect your network against internal threats, sessions should time out after a period of inactivity.

This keeps Windows logons, remote desktop sessions, and web application sessions from staying open while users are away from their desks. A session left logged in for an extended period hands computer access, unintentionally or intentionally, to anyone who sits down at the machine and poses as that user. Two limits are needed: an idle timeout, and an absolute lifetime so that a session kept alive by periodic activity still ends.
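For the internal web applications you write or operate, the timeout policy has to be enforced server-side, because a client-side lock can be bypassed. The session store below is an added example, not the page's own code: it enforces both an idle timeout and an absolute lifetime, removes expired sessions the first time they are presented, and provides a revoke-all-for-user call for the offboarding step in item 13. The 15-minute and 8-hour values are assumed policy, and the current time is passed in rather than read from the clock so the behaviour can be checked.

```python
"""Server-side session store with an idle timeout and an absolute lifetime.
Added example, not the page's own code; timeout values are assumed policy."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)     # assumed policy
ABSOLUTE_LIFETIME = timedelta(hours=8)   # assumed policy


@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime


class SessionStore:
    def __init__(self, idle=IDLE_TIMEOUT, lifetime=ABSOLUTE_LIFETIME):
        self.idle, self.lifetime = idle, lifetime
        self._sessions = {}

    def create(self, user: str, now: datetime) -> str:
        sid = secrets.token_urlsafe(32)            # unguessable identifier
        self._sessions[sid] = Session(user, now, now)
        return sid

    def touch(self, sid: str, now: datetime):
        """Return the user if the session is live and refresh its idle clock;
        return None (and forget the session) once either limit is exceeded.
        Activity extends the idle window but never the absolute lifetime."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created > self.lifetime:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def revoke_user(self, user: str) -> int:
        """Kill every session of a user, e.g. on offboarding. Returns the count."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def live_count(self) -> int:
        return len(self._sessions)


# Fixed reference time so the scenario below is reproducible (constructed).
T0 = datetime(2024, 5, 1, 9, 0)


def at(minutes: int) -> datetime:
    """T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("jdoe", T0)
    print("after 10 min:", store.touch(sid, at(10)))   # still jdoe
    print("after 40 min idle:", store.touch(sid, at(40)))   # None: idle limit passed
```

The revoke call is what makes "immediately disable a departing employee's accounts" real for web applications: disabling the directory account stops new logins, but a session issued before the change keeps working until the store forgets it.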

18. Disable unnecessary services and protocols

SMBv1 is an old version of the Server Message Block protocol that Windows uses for file sharing on a local network. It has been replaced by SMBv2 and SMBv3 and should be disabled on every client and server.

However, some devices such as multifunction printers/scanners still require SMBv1, and as of 2019 a long list of SMBv1-dependent applications and devices existed. Find these before disabling the protocol, and isolate the ones that cannot be replaced.

If you run web servers, they may still accept TLS 1.0 and TLS 1.1 even though current versions of modern browsers have dropped those versions for security reasons.

Even if a few visitors use an old browser that supports nothing newer than TLS 1.1, you may well choose to disable TLS 1.0 and 1.1 anyway: the risk of keeping them enabled, with their known weaknesses, outweighs the cost of turning a handful of outdated clients away.

19. Restrict access to critical internal systems to only certain users

Access to the systems the business depends on, and above all administrative access to them, should be restricted to the specific users who need it, not granted to everyone in a broad group such as Domain Users.

Users with access to those networks or servers should be monitored closely for unusual activity, and the permissions each of them holds on each system should be reviewed regularly and managed centrally, usually with an identity or access management tool.

Internal threats are often overlooked, and internal activity, whether malware or a breach by a trusted user, is harder to detect than an attack from outside because it looks like ordinary use.

20. Keep up to date with internal security news, internal threat intelligence

To protect your internal networks from internal threats, keep up to date with security news and insider-threat intelligence.

Websites that focus on business security include:

Some headlines alone may draw needed attention to a newly discovered vulnerability or a creative new social engineering approach that employees should be aware of.

21. Conduct internal (and external) penetration tests

An internal pen test requires having or hiring a competent tester who can emulate an attacker who has already gained a foothold on your network, whether a malicious insider or an outsider using a phished account.

An experienced tester will map your internal network, then attempt password spraying against employee accounts, look for weak service account passwords and excessive privileges, and exploit any vulnerabilities found to get into servers and other devices. The resulting report tells you which of the controls above are actually working.


Internal threats are ever-present in many organizations — even in small businesses. Business owners, managers, and IT teams must be more vigilant than ever.

Adopting a zero-trust stance and employing the right blend of technology can help mitigate these threats.

Also, a regular Network Security Assessment will identify group policies that need to be tightened down, user access vulnerabilities, and other services that may present an attack vector.
