Gartner Blog Network


Threats Inside vs Insider Threat

by Anton Chuvakin  |  August 9, 2016  |  7 Comments

Here is a quick one on INSIDER THREAT. Deep down, we all know that nobody cares about the insider threat. Well, not literally “nobody”; few organizations do care about their insider threats [and, yes, those who genuinely care tend to care a whole lot, granted].

Now, many say they do care (a great example), but, frankly, I don’t think they spend money on it, hence their actions scream “WE DON’T CARE!” while their words whisper “eh…we …eh…care…maybe!” Off the cuff, we may get 50 malware calls for every 1 insider threat call, based on my purely unscientific impression of available data. Meanwhile, one may argue that insider threat is more about process than tools and so the spend is less visible, to which I say: try building a robust, mature process without spending lots of money – or time.

On the other hand, many organizations today are starting to care about the threats that are already inside (malware, attackers who hacked in, etc). Funnily, some security vendors market “insider threat solutions” to those people – thus creating hilarity (like “sandboxing to catch insider threat” or “top exploits used by insiders”…huh?)

To reduce this confusion, maybe we can think about this like so:

  • THREATS INSIDE – drive spending on UBA / UEBA, traffic analysis (NTA), SIEM, deception, lots of other tools, etc. A BIG DEAL!
  • INSIDER THREAT – drive almost no spending (as per our research, <10% of security budget). For a small number of organizations, this is a big deal too. For most others, this is a “meh!” issue.

While we are on the topic, check out our fun research on real insider threats! Also, I will be speaking on malicious insider threat next week at Gartner Catalyst.


Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Threats Inside vs Insider Threat


  1. Sriram Ramachandran says:

    “Insider Threat” already comes with an accepted definition (see https://en.wikipedia.org/wiki/Insider_threat).

    “Threats inside” is perhaps more open to interpretation. In a general sense, it can encompass: compromised users, negligent insiders and malicious insiders. The second category resonates strongly with enterprises.

  2. Bill Munroe says:

    My experiences marketing an insider threat product from my DLP days versus the UEBA product I market today completely align with your view, Anton. The interesting question is why? We know the insider steals data often – especially the leaving employee – and yet companies and even security pros seem uninterested. Is it:
    – I do not want to play “big brother”
    – It is too hard – HR, Legal, regulations
    or is it management – I trust my employees and turn a blind eye to the leaving employee problem?

  3. Matt says:

    @bill, it’s all those things perhaps. I don’t think insider threats are perceived as being something you solve with products, or as having the same reputation impacts. Take a look at the 2016 Verizon DBIR. In the trends section, it’s reported that 80%+ of breaches have external threat actors. Although there are other dimensions that matter, generally it seems natural to focus on the 80%.

  4. Matthew Gardiner says:

    We must have been separated at birth….Just finished a draft of my RSAC submission:

    Threats on the Inside or Insider Threats? – Techniques for Stopping Both

    Maybe Threats on the Inside are more prevalent, but Insider Threats are on average more damaging?

    • Oh wow. So happy to hear that [well, not that we got separated at birth, that is :-) – this sounds sad]. I am happy to hear that this is being explored that is.

      Thanks for a great comment!

  5. re: more damage from insider threat — this is “a widely held belief” but I really like to see proof… and by proof I don’t mean “a pokemon told me” :-)

  6. Andre Gironda says:

    No mention of the Unintentional Insider. You are working the (after-effect) symptoms, not the root problem.


