Building an effective insider risk management program

A joint report from PwC and Microsoft

New opportunities bring new risks

The digitization of the business ecosystem has generated new opportunities for growth and transformation of organizations across industries. This digital revolution has also introduced new risks to business operations as cybersecurity threats evolve and proliferate.

While organizations have long prioritized external cybersecurity risks, many are now considering the risks posed by trusted insiders due to the potentially greater damage they can cause. Consequently, organizations are beginning to recognize the importance of establishing controls to combat insider risks.

The most common insider risks include espionage, fraud, loss of sensitive business assets, sabotage and physical violence.

Impact of insider incidents

Several high-profile incidents attributed to insiders have contributed to increased awareness. Recent examples include theft of sensitive data from a leading technology company and sabotage of an automotive manufacturer’s operations. Regardless of industry, the impacts of insider incidents are potentially devastating—and financially steep. The average cost of insider incidents has climbed to $8.76 million, according to a study by the Ponemon Institute.*

Overall, cybersecurity has evolved from an information technology (IT)-centric function to an organization-wide risk management issue. While insider risk management is evolving in a similar way, current market adoption strategies emphasize use of additional tools and technologies to address insider risks without including the underlying principles of risk management.

$8.76 million

The average cost of insider incidents across industries*


of organizations over time have experienced insider incidents, and frequency has increased**

* The Ponemon Institute, “2018 Cost of Insider Threats: Global Organizations,” April 2018.
** Crowd Research Partners, “Insider Threat 2018 Report,” 2018.

Insider Threats Impacting your Business

Insiders perpetrate five different types of malicious activities that will impact your business. On average, insider attacks cost more than external breaches because the insider already knows the environment and the location of critical assets, or "crown jewels".

Five different types of malicious activities

Sabotage

Deliberate destruction, damage, or obstruction, especially for political or military advantage. Example: An insider deletes backups and wipes the production database before leaving the company.

Fraud

Wrongful or criminal deception intended to result in financial or personal gain. Example: An insider exfiltrates a key database and sensitive data elements are sold.

Espionage (state-sponsored and corporate)

The practice of spying or of using spies, typically by governments, to obtain political and military information. Example: A foreign adversary uses an insider to gain access to information for the purpose of blackmail or economic advantage, or the insider provides a five-year business strategy to a competitor company.

Theft of sensitive data

The act of stealing information stored on computers, servers, or other devices with the intent to compromise privacy or obtain confidential information. Example: An insider with access to intellectual property data steals critical patents, trade secrets, R&D data, etc.

Workplace violence

Workplace violence is any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behavior that occurs at the work site. It ranges from threats and verbal abuse to physical assaults and even homicide. It can affect and involve employees, clients, customers and visitors.

Our enterprise-wide approach to managing insider threat

We consider the following five elements critical to an insider threat management program:


Establishes the constitution of the program and ensures consistency with organizational culture, sets guidelines for consistent application, and creates structure for acting on ambiguous information.


Sets tone and direction, helping the program be consistently understood, implemented, and used across the organization.

Threat & risk analysis

Enables risk-based prioritization and decision making to balance threat reality against critical business assets.

Training & awareness

Enables executive vision and intent to permeate the organization and create a corporate culture attuned to risk and anomalous behavior.


Integrates sophisticated tools and enriched data to create a technical intelligence platform that fuses sources, links threats and risks, curates historical records and ongoing cases, and supports risk-based decision making.

An enterprise-wide risk management challenge

Insider risk management programs often focus exclusively on implementing tools and technology without incorporating the necessary organizational, risk management, and cultural considerations. Without using those considerations to fine-tune the collection, the tools are not able to discern between relevant and non-relevant data, essentially searching for the needle in the proverbial haystack. Technology plays an important role, but is just one component of an effective program.

Culture should be considered when defining the program scope and goals. The program should protect the organization, people, and critical assets without being perceived as an overbearing authority or impeding the organization’s goals and operations.

Contact us

John Boles

Principal, Cybersecurity and Privacy, PwC US

Sloane Menkes

Principal, Cybersecurity & Privacy, PwC US

Matt Gregson

Director, Cybersecurity & Privacy, PwC US