
- Sponsored
Three proactive strategies for defending against insider threats
When cybersecurity leaders think of insider threats, the image of a disgruntled employee stealing corporate secrets typically comes to mind. However, the reality is that the most significant risk often comes from well-meaning employees making simple, unintentional mistakes. Yet regardless of intent, security experts say, the damage can be just as severe, which compels organizations to adopt a proactive and technologically sophisticated defense to get ahead of the problem.
In a recent podcast produced for CyberScoop, Linda Michels, Cisco director of Security Service Edge, and David Gormley, Cisco’s security edge leader, discussed the scale of the insider threat challenge and outlined a modern framework for mitigating it. They argued that protecting the enterprise is less about policing every action and more about creating a secure environment that is both powerful and practically invisible to the end-user.
Michels began by reframing the core issue, pointing to data that shows most insider incidents are accidental.
“A recent cybersecurity insider report found that a stunning 83% of organizations experienced an insider threat incident in the last year. But what’s even more surprising is how many of these are unintentional,” Michels explained. “Some figures suggest that up to 80% of insider incidents stem from simple accidents or negligence… This completely reframes the problem. It’s not just about malicious actors; it’s about protecting well-meaning employees from making costly mistakes.”
To address this, Gormley and Michels detailed three key strategies organizations can implement.
1. Seamless access with a great user experience
The first line of defense, Gormley noted, is to remove the friction that often causes users to make mistakes or bypass security controls in the first place. When employees are frustrated by clunky logins, multiple VPN clients, or complex authentication steps, they are likelier to take shortcuts that create vulnerabilities.
“If users are frustrated or have complex processes to go through to access different applications, it leads to them making mistakes, which can lead to a breach; or they get frustrated and try to avoid security,” Gormley said. “So our goal here is to make security invisible but very effective.”
He explained that a modern approach, using a single unified agent, like the Cisco Secure Client, can authenticate a user and their device once and then intelligently route their traffic to the applications they need, whether on the internet, in the cloud, or on a private network. This is grounded in a zero-trust philosophy of “never trust, always verify,” but it’s executed without burdening the user.
2. Precise permission policies
Once a user has access, the next step is ensuring they can only see and interact with the data they are authorized to handle. This is achieved through precise permission policies built on two pillars: Data Loss Prevention (DLP) and a practical application of Zero Trust Network Access (ZTNA).
Michels highlighted the growing importance of DLP, especially with the rise of generative AI tools. “A strong DLP solution can prevent users from pasting sensitive information into a tool like ChatGPT,” she noted, adding that Cisco’s platform provides visibility into over 1,200 different generative AI applications to help organizations manage this risk.
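As an added illustration of the destination-scoped DLP check described above (example code written for this page, not Cisco's implementation; the domain list, detection patterns and sample text are constructed assumptions), here is a minimal inline inspection step in Python. It only inspects content bound for a configured set of generative AI hosts, validates candidate card numbers with a Luhn check to cut false positives, and masks matched values so the policy log never stores the secret it just caught:

```python
import re

# Constructed, hypothetical destination catalog: hosts treated as generative AI tools.
# A real SSE product ships its own (much larger) application catalog.
GENAI_DOMAINS = {"chatgpt.com", "chat.openai.com", "gemini.google.com"}

# Constructed detection patterns. The card pattern is deliberately loose and is
# tightened afterwards by the Luhn check rather than by the regex alone.
PATTERNS = {
    "credit_card": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings are safe to log."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "*" * len(value)


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (pattern_name, masked_match) for each sensitive item in text."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if name == "credit_card":
                digits = re.sub(r"[ -]", "", value)
                # Length 13-19 and a valid Luhn checksum, else treat as an order/ID number.
                if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
                    continue
            findings.append((name, mask(value)))
    return findings


def evaluate(destination_host: str, text: str) -> tuple[str, list[tuple[str, str]]]:
    """Decide 'allow' or 'block' for text the user is about to submit to destination_host.

    The content inspection only runs for hosts in GENAI_DOMAINS; other traffic is
    governed by other policies (not modelled here) and is allowed through untouched.
    """
    if destination_host.lower() not in GENAI_DOMAINS:
        return "allow", []
    findings = find_sensitive(text)
    return ("block" if findings else "allow"), findings


if __name__ == "__main__":
    # Constructed sample prompts; 4111 1111 1111 1111 and AKIAIOSFODNN7EXAMPLE are
    # well-known documentation test values, not real credentials.
    samples = [
        ("chatgpt.com", "Summarise this refund: card 4111 1111 1111 1111, amount 42.00"),
        ("chatgpt.com", "Where is order 1234 5678 9012 3456 in the pipeline?"),
        ("gemini.google.com", "Why does boto3 reject AKIAIOSFODNN7EXAMPLE?"),
        ("intranet.example.com", "card 4111 1111 1111 1111"),
    ]
    for host, prompt in samples:
        decision, found = evaluate(host, prompt)
        print(f"{host:22} {decision:5} {found}")
```

The second sample is the point of the Luhn step: a 16-digit order number looks like a card to the regex but fails the checksum, so the user is not blocked for a number that was never sensitive. The fourth sample shows that the rule is scoped to the generative AI catalog; whether the same card may travel to an internal host is a separate policy decision.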
While ZTNA is a major buzzword, Gormley cautioned against a rip-and-replace mentality. He advocated for a hybrid approach that recognizes that not all applications, especially legacy ones, are compatible with a pure zero trust model.
“The reality is that in a typical organization’s application portfolio, there’s a mix of different types of applications… trying to force them into a zero trust model can simply break them,” Gormley stated. “And so the practical solution is a hybrid one. You migrate the majority of your applications… But for that tricky 25-or-30% of those legacy apps… you need to still use a secure connection for remote access.”
3. Relentless defense powered by threat intelligence
The third and final strategy is the engine that drives a proactive defense: massive-scale threat intelligence. Rather than waiting for an attack to happen, this approach uses global data to anticipate and block threats before they reach the user. Michels described the immense scale of Cisco’s Talos threat intelligence group, which processes approximately 800 billion security events daily.
“By analyzing this immense volume of data, they can identify new malware, phishing campaigns and attack trends as they emerge,” Michels said. “And so it’s about moving from a reactive posture to a proactive one, building defenses for tomorrow’s attacks based on what we see across the globe today.”
For organizations feeling overwhelmed, Gormley recommended a tangible first step: consolidating security functions into a single, cloud-delivered platform known as a Security Service Edge (SSE). This approach simplifies management, reduces costs, and provides the integrated visibility needed to implement all three defensive strategies effectively. It turns a complex, multi-front battle against insider threats into a manageable and proactive security posture.
Listen to the whole podcast conversation on tackling insider threats on CyberScoop.
This article and the original podcast were sponsored by Cisco.