Insider threats: Prevention vs. privacy — webinar recap

Introduction

Insider threats account for a significant portion of cybersecurity incidents, yet they remain one of the least understood and most challenging risks to mitigate. Whether caused by malicious intent or negligence, insider threats can have devastating consequences, especially when sensitive data is involved.

During the webinar, Georgi Petrov, Senior Executive in Infrastructure and Security at the Malta Gaming Authority (MGA), shared his insights on how the MGA manages insider threats while safeguarding trust within the organization. From Edward Snowden’s infamous whistleblowing to phishing attacks that exploit inattentiveness, the discussion emphasized the importance of proactive strategies that address both technical and human vulnerabilities.

At the end of the day, everybody is susceptible to data leaks. Every organization will face insider threats eventually — it’s not a matter of if, but when.
— Georgi Petrov

What are insider threats?

Insider threats refer to the risks posed by individuals within an organization, such as employees, contractors, or partners, who misuse their access to sensitive data or systems. These threats can be categorized into two types:

  • Malicious insiders: Individuals who intentionally harm the organization, such as stealing data or sabotaging systems.
  • Negligent insiders: Individuals who unintentionally compromise security, often due to ignorance or carelessness.

Georgi emphasized that insider threats often arise from poor system design, inadequate controls, or malicious intent. Addressing these vulnerabilities requires a combination of robust security frameworks and education.

You need to ensure that your insider threat program collects the right type of data — not everything. Focus on metadata, not sensitive content, and always ask: Why am I collecting this information? How does it help safeguard the organization?
— Georgi Petrov

Ethical dilemmas: Surveillance vs. privacy

One of the most debated topics during the webinar was whether insider threat monitoring programs merely serve as a facade for surveillance. Georgi argued that monitoring is not inherently invasive if implemented responsibly. The key is to collect only what is necessary — metadata rather than sensitive content — and to be transparent with employees.

For example: Instead of logging every keystroke or web browsing activity, organizations should focus on detecting risk-based behaviors, such as attempts to access unauthorized data or upload files to cloud storage.

Transparency and clear communication are vital. Employees need to understand that monitoring is designed to protect the organization, not to spy on them. This approach fosters trust while maintaining security.

We are not the big brother. We’re here to protect the organization’s cybersecurity posture, not to track employee activities unnecessarily.
— Georgi Petrov

Insiders vs. outsiders: Who poses a bigger risk?

When asked who poses a greater risk — trusted insiders or outsiders with limited access — Georgi provided a nuanced perspective:

  • Outsiders: Unpredictable and capable of exploiting vulnerabilities to escalate privileges, which makes them harder to control.
  • Insiders: More predictable and manageable through safeguards like role-based access controls and monitoring.

An outsider with minimal credentials can often pose a bigger risk because they’re unpredictable. They might escalate privileges or exploit vulnerabilities, which can be devastating for an organization.
— Georgi Petrov

Separating signals from noise

Monitoring tools generate vast amounts of data, making it challenging to distinguish genuine threats from irrelevant noise. Georgi stressed the importance of context in threat detection:

  • Noise: Routine activities, such as a finance employee downloading spreadsheets during end-of-quarter reporting.
  • Signal: Abnormal behaviors, such as an offboarding employee attempting to access and upload sensitive files to cloud storage.

The moment it becomes a signal is when you see abnormal activity — like accessing sensitive folders unrelated to their department or trying to exfiltrate data. That’s when you flip the switch and investigate.
— Georgi Petrov

Predictive vs. reactive threat detection

Should insider threat programs shift from reactive detection to predictive prevention? Georgi strongly advocated for predictive approaches that leverage AI and machine learning to identify subtle patterns that human analysts might miss.

For example: In a reactive system, an employee gradually exfiltrating files over weeks could evade detection. However, predictive tools can identify abnormal patterns and flag potential threats early.

Predictive prevention minimizes the damage caused by insider threats by allowing organizations to act before incidents escalate.
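As an added example (not code from the webinar, the MGA, or Passwork), the following Python sketch applies the two ideas above, risk-based scoring of metadata-only events to separate signal from noise, and a cumulative view that catches the gradual exfiltration a per-week threshold misses. The events, departments, offboarding list, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed metadata-only access events: (user, department, folder_owner, action, size_mb, week).
# Only metadata is recorded, never file contents, in line with the "metadata, not content" principle.
EVENTS = [
    ("alice", "finance", "finance", "download", 120, 12),   # end-of-quarter reporting: routine
    ("alice", "finance", "finance", "download", 90, 13),
    ("bob", "marketing", "hr", "download", 20, 13),          # folder unrelated to bob's department
    ("bob", "marketing", "hr", "cloud_upload", 20, 13),      # then uploaded to cloud storage
    ("carol", "legal", "legal", "cloud_upload", 8, 10),      # small uploads every week, weeks 10-13
    ("carol", "legal", "legal", "cloud_upload", 9, 11),
    ("carol", "legal", "legal", "cloud_upload", 8, 12),
    ("carol", "legal", "legal", "cloud_upload", 9, 13),
]
OFFBOARDING = {"bob"}  # assumption: an HR feed of users who have given notice

def risk_score(event, offboarding=OFFBOARDING):
    """Score one event by risk-relevant context; routine same-department downloads score 0 (noise)."""
    user, dept, folder_owner, action, _size, _week = event
    score = 0
    if folder_owner != dept:
        score += 2           # data outside the user's own department
    if action == "cloud_upload":
        score += 2           # a potential exfiltration channel
        if folder_owner != dept:
            score += 1       # cross-department data leaving the organization
    if user in offboarding:
        score += 3           # elevated risk during offboarding
    return score

def signals(events, threshold=4):
    """Events worth an analyst's attention; everything below the threshold stays as noise."""
    return [e for e in events if risk_score(e) >= threshold]

def slow_exfiltration(events, weekly_limit=50, cumulative_limit=30, min_weeks=3):
    """Flag users whose uploads never trip a single-week limit but add up across several weeks."""
    weekly = defaultdict(lambda: defaultdict(int))
    for user, _dept, _owner, action, size, week in events:
        if action == "cloud_upload":
            weekly[user][week] += size
    flagged = []
    for user, by_week in weekly.items():
        reactive_hit = any(v > weekly_limit for v in by_week.values())
        total = sum(by_week.values())
        if not reactive_hit and total > cumulative_limit and len(by_week) >= min_weeks:
            flagged.append((user, total, len(by_week)))
    return flagged
```

Run on the constructed events, `signals` returns only bob's two events and `slow_exfiltration` flags carol, whose 34 MB over four weeks never exceeded the per-week limit.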

Balancing trust and security

Continuous monitoring can create a culture of mistrust among employees. To strike a balance, Georgi recommended the following:

  • Transparency: Clearly communicate what is being monitored and why.
  • Risk-based monitoring: Focus on behaviors that indicate potential threats rather than conducting blanket surveillance.
  • Education: Regularly train employees on cybersecurity best practices to reduce negligence-based risks.

The main point: Trust and security are not mutually exclusive. By fostering a culture of transparency and education, organizations can build trust while maintaining robust defenses.

Trust, but verify. Build a culture of trust, educate your employees, and configure your monitoring tools to focus on risk-based behaviors — not constant surveillance.
— Georgi Petrov

Key takeaways

  • Collect meaningful data: Avoid over-monitoring and focus on metadata and risk-based behaviors.
  • Adopt predictive tools: Use AI to identify patterns and prevent threats before they occur.
  • Foster trust: Transparency and education are essential for balancing security with employee confidence.
  • Prepare for the inevitable: Insider threats are not a matter of "if" but "when". A multilayered approach ensures resilience.

Conclusion

Insider threats present a complex challenge for organizations, requiring them to navigate the fine line between prevention and privacy. As Georgi Petrov highlighted during the webinar, the key lies in building a culture of trust, implementing risk-based monitoring, and adopting predictive tools to stay ahead of threats.

At Passwork, we empower organizations with tools that enhance security without compromising trust. From managing passwords securely to fostering a culture of cybersecurity awareness, our solutions are designed to help you protect what matters most.

Ready to take your insider threat prevention to the next level? Explore Passwork today and see how we can help you safeguard your organization while maintaining employee trust.
