Jean Patrice Delia was an engineer at GE when he decided to steal company data and to use trade secrets, pricing information, marketing data, and other documents, funneling them to his business partner, to compete against GE. After an FBI investigation, Delia was arrested, sentenced to two years in prison, and ordered to pay $1.4 million in restitution. His business partner, Miguel Sernas, spent nearly a year in jail and was also ordered to pay $1.4 million.

A disgruntled Tesla employee exported significant amounts of company data and sent it to a third party outside the organization. Martin Tripp exported gigabytes of Tesla data, including confidential photos, video of company manufacturing systems, and financial data. He admitted installing code on fellow employees’ computers to continue stealing data even after he left the company. While Tripp claimed whistleblower status, he was ordered to pay Tesla $400,000.
While both cases led to legal action and the companies were able to recover some money, the damage was done and it took years to conclude the cases.
These are just a couple of examples of known data breaches due to insider threats.
Recent editions of Verizon’s Data Breach Investigations Report (DBIR) continue to show that the human element remains a dominant factor in security incidents, contributing to roughly 74–82% of breaches in recent years. Employees may unintentionally expose sensitive information, fall victim to phishing or social engineering, or misuse access credentials, while a smaller but significant share of incidents still involve intentional misuse by insiders.
In parallel, insider-related incidents—whether malicious or accidental—have steadily increased over the past several years, driven in part by expanded access to data and systems. These incidents continue to cost organizations millions in remediation, legal exposure, and reputational damage following the compromise of company, employee, or customer data.
With hybrid and remote work now firmly established in 2026, the risk landscape has grown more complex. Distributed work environments, broader device usage, and increased reliance on cloud services have made it harder to monitor and control data access. A large majority of IT and security leaders report heightened concern about insider risk in hybrid settings. It’s no longer just external attackers organizations must defend against—protecting data from internal exposure, whether accidental or intentional, is now equally critical.
Most Common Types of Insider Threats
Not all data leaks are breaches, and not all are the result of malicious acts. Most of the time, incidents happen because employees fail to follow security protocols or don’t take them seriously. By far, most data breaches occur because of human error.
Phishing and business email compromise, clicking on malicious links or attachments, and giving outsiders access to company login credentials are among the threats.
Other insider threats include:
Departing Employees
One study showed that a quarter of employees admitted they took data with them when leaving their company. While most take material they created, 25% also admitted they took data they did not create. The overwhelming majority of those surveyed said they didn’t see anything wrong with doing it even when companies had policies in place to prevent data theft.
Company Executives
Company executives generally have access to escalating levels of data and may not always play by the same rules as everyone else. Especially when IT leaders report to executives, it may be challenging to get C-suite execs to follow cybersecurity best practices.
Executives may also feel they have ownership of the information they create or use, and feel comfortable taking it with them or sharing it — even if they should know better.
Conscientious Objectors
Not everyone in the company may agree with decisions that are made. Employees may be unhappy about policies or actions and want to get the information out there. Depending on the actions, some may feel justified in sharing sensitive information with the public, media sources, or regulatory agencies.
Protecting Your Data from Insider Threats
Protecting your data from insider threats requires a proactive approach to data security. Employee training can help educate workers on security threats and company protocols for safe data handling.

Other strategies include:
Data Encryption
All sensitive data within your network should be encrypted. When data is in transit, such as email, it should be protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for safe transmission so that it cannot be read if intercepted.
Secure Email Gateway
A secure email gateway can filter email and block outside threats from accessing your network. The best systems will employ multiple strategies to protect your data from external threats, including:
- Anti-Spam
- Anti-Virus
- Anti-Spoofing
- Anti-Abuse
- Email Authentication
- Account Hijack Detection
- Blocklisting and Allowlisting
A secure email gateway can also protect your business from human error. The best systems will offer data leak prevention by also filtering outbound email. This flags and prevents the unauthorized transmission outside of your network of sensitive information such as credit card numbers, social security numbers, and other confidential company data identified by your security policies.
Using SecurityGateway™ for Email Servers or the cloud-hosted SecurityGateway service from MDaemon Technologies, for example, you can minimize data leakage by enabling preset rules or creating custom rules to filter specific types of data or terms that you identify. When such information is found, you can configure specific actions to take, such as encrypting the message or sending it to quarantine for administrator review.
Behavior Monitoring
When you uncover unusual employee activity, it should trigger further investigation. For example:
- An employee downloads large amounts of data.
- An employee accesses applications or data that are outside of their normal workload.
- An employee accesses your network at unusual times or unknown locations.
- An employee signs on to your network on their days off.
Creating security logs with alerts for unusual activity can help you detect warning signs of potential insider threats.
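The four warning signs listed above, as added example detection logic (not taken from any product on this page): each access event is compared with a per-user baseline, and downloads are summed per day so that several medium-sized transfers still trip the volume check. The event format, baselines, and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed events: (ISO timestamp, user, source country, resource, bytes downloaded)
EVENTS = [
    ("2026-03-02T10:15:00", "alice", "US", "crm", 40_000_000),
    ("2026-03-04T02:30:00", "alice", "US", "crm", 30_000_000),
    ("2026-03-05T09:30:00", "bob", "RO", "payroll", 900_000_000),
    ("2026-03-07T14:00:00", "bob", "US", "wiki", 5_000_000),
]
# Hypothetical per-user baselines; a real deployment derives these from history.
BASELINE = {
    "alice": {"hours": range(8, 19), "workdays": {0, 1, 2, 3, 4},
              "countries": {"US"}, "resources": {"crm"}, "daily_bytes": 200_000_000},
    "bob": {"hours": range(8, 19), "workdays": {0, 1, 2, 3, 4},
            "countries": {"US"}, "resources": {"wiki"}, "daily_bytes": 200_000_000},
}


def detect(events, baseline):
    """Return (timestamp, user, reasons) for each event that departs from baseline."""
    alerts = []
    daily = defaultdict(int)  # (user, date) -> bytes downloaded so far that day
    for ts, user, country, resource, nbytes in sorted(events):
        t, b, reasons = datetime.fromisoformat(ts), baseline[user], []
        if t.hour not in b["hours"]:
            reasons.append("unusual_time")
        if t.weekday() not in b["workdays"]:
            reasons.append("day_off")
        if country not in b["countries"]:
            reasons.append("unknown_location")
        if resource not in b["resources"]:
            reasons.append("outside_normal_workload")
        daily[user, t.date()] += nbytes
        if daily[user, t.date()] > b["daily_bytes"]:
            reasons.append("large_download")
        if reasons:
            alerts.append((ts, user, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

An alert here is a trigger for further investigation, as the text says, not a verdict: a single reason such as `unusual_time` is common for legitimate work, while several reasons on one event deserve priority.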
Managing Access Levels
Employing the Principle of Least Privilege is also an important security measure to prevent unauthorized access and distribution. This principle states that access should only be granted to those with a verified business reason. Any non-essential data or applications should be restricted from those without a reason unless they get prior authorization.
Employing a Zero Trust framework requires every user to be authenticated, authorized, and validated for security configurations before gaining access to data or applications. When deployed in the application or data layer, this helps segment the data to prevent lateral movement from threat actors inside the system.
Protecting Remote and Distributed Workers
Over the past several years, remote and hybrid work have become a permanent fixture of the modern workforce, with more employees than ever operating from distributed locations. By 2026, estimates suggest that roughly 28–30% of all professional jobs in North America are performed remotely at least part of the time, reflecting a sustained shift rather than a temporary trend. This evolution has significantly expanded the potential attack surface for organizations, increasing exposure to cyber threats across home networks, personal devices, and geographically dispersed endpoints.

People working remotely are often working on public or unsecured Wi-Fi, home routers, and shared devices. Besides educating remote workers about the additional exposure that comes from working outside the office, organizations should deploy a Secure Access Service Edge (SASE) and software-defined wide area networks (SD-WAN) to enforce security policies on all users, regardless of where they are working or accessing company resources.
For each session, SASE performs an ongoing assessment of risk and manages user sessions to enforce security policies based on:
- The identity of the person accessing resources
- The health and behavior of the device
- The sensitivity of the data being accessed
- Company security and compliance protocols
Mobile Device Management
Device loss and theft remain a persistent security risk in 2026, particularly as mobile and remote work continue to expand. Industry estimates indicate that millions of laptops and tens of millions of smartphones are lost or stolen each year in the U.S., with recovery rates still in the single digits. When company data is accessible from these devices—whether stored locally or accessed through remote connections—it significantly increases the risk of data exposure. Even without local storage, compromised devices can provide attackers with entry points into corporate systems, making strong endpoint security and access controls essential.
Mobile device management (MDM) software provides IT administrators with control to enforce security policies on mobile devices, segment and encrypt data, and wipe devices when they are lost or stolen. MDM can also manage what apps can be installed, allow and block site access, and enforce other password and security roles for individual devices, even on BYOD.
Mitigating Insider Theft
The Cybersecurity & Infrastructure Security Agency (CISA) recommends a four-step process to help mitigate insider theft:
- Define
- Detect and identify
- Assess
- Manage
Define
Organizations need to define what constitutes a threat and potential security flaw.
Companies should also periodically review their security and compliance policies along with an inventory of where and how their sensitive data is stored and accessed. Today’s networks have become complex, especially in companies with multiple locations that deploy hybrid or multi-cloud approaches. IT leaders need a detailed roadmap of where assets are deployed and how they are interconnected.
Detect and Identify
Successful insider threat programs use both human and technological resources to detect and identify vulnerabilities.
Assess
Besides threat prevention programs, companies should have an incident response team (IRT) and a strategic plan in place to quickly assess and respond when a security lapse is reported.
Manage
Threats must be managed and mitigated as quickly as possible to limit further damage and protect assets.
It Takes a Proactive Approach to Data Security
Managing insider threats requires a proactive approach, using best practices for network and data security, and active monitoring to detect and mitigate threats. For more information about securing your email from internal and external threats, contact the email security experts at MDaemon Technologies today.

