Key Tactics to Assess and Mitigate Insider Threats

Schaumburg, Ill. (Aug. 30, 2021) - Recent Verizon research found a 47 percent increase in insider threats over the past two years. A new free resource from ISACA, A Holistic Approach to Mitigating Harm from Insider Threats, outlines a proactive approach for enterprises to implement to reduce and mitigate risks associated with insider threats.


Though many insider threats can seem ambiguous, the paper provides insight into how to approach them, and the potential losses that can result. The paper also outlines the various types of insider threats—like well-meaning employees, malicious employees, contractors, and vendors—as well as several ways that enterprises can mitigate insider threats, including:


  • Reduce data access by limiting individual permission to data. Need-to-know and the principle of least privilege (sometimes referred to as "need to do") should drive access to data, applications and systems. Scrutinizing initial access requests and regularly reviewing existing access reduces risk.
  • Consider the damage that phishing and ransomware cause, and act accordingly. Filtering email significantly reduces the number of phishing messages that reach an insider.
  • Introduce controls around the insider (technical, operational or physical), which lessen the opportunity for the insider to create loss of any type.
  • Apply human security engineering principles, which reduce the likelihood of users being in a position to initiate a loss.
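The first tactic above, least-privilege access combined with regular access reviews, is illustrated by the following script. It is an added example written for this page, not code from ISACA or from the paper; the role baseline, the grant records, the `review_grants` function and the 90-day staleness window are all constructed assumptions. It flags two things a reviewer looks for: permissions that fall outside the baseline for the holder's role, and permissions that have gone unused (or were never used) and are therefore candidates for removal.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration only (not from the ISACA paper).
# Baseline: the permissions each role is expected to hold ("need to do").
ROLE_BASELINE = {
    "analyst": {"crm:read", "reports:read"},
    "engineer": {"repo:read", "repo:write", "ci:run"},
}

# Constructed grant records: one row per (user, permission), with the date
# the permission was last exercised (None means never used since granted).
GRANTS = [
    {"user": "alice", "role": "analyst", "permission": "crm:read", "last_used": "2021-08-20"},
    {"user": "alice", "role": "analyst", "permission": "payroll:read", "last_used": "2021-02-01"},
    {"user": "bob", "role": "engineer", "permission": "repo:write", "last_used": "2021-08-29"},
    {"user": "bob", "role": "engineer", "permission": "prod:admin", "last_used": "2021-08-28"},
    {"user": "carol", "role": "analyst", "permission": "reports:read", "last_used": None},
]

# Review date assumed for the example (matches the press release date).
AS_OF = datetime(2021, 8, 30)


def review_grants(grants, baseline, as_of, stale_days=90):
    """Return a list of findings for grants that violate least privilege.

    A grant is flagged when the permission is not in the role's baseline,
    when it has never been used, or when it has not been used within
    `stale_days` of `as_of`. Each finding lists every reason that applies,
    so a reviewer can see whether a grant is both excessive and dormant.
    """
    cutoff = as_of - timedelta(days=stale_days)
    findings = []
    for grant in grants:
        reasons = []
        if grant["permission"] not in baseline.get(grant["role"], set()):
            reasons.append("outside role baseline")
        last_used = grant["last_used"]
        if last_used is None:
            reasons.append("never used")
        elif datetime.strptime(last_used, "%Y-%m-%d") < cutoff:
            reasons.append(f"unused for more than {stale_days} days")
        if reasons:
            findings.append({
                "user": grant["user"],
                "permission": grant["permission"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Print a short review report: each flagged grant and why it was flagged.
    for finding in review_grants(GRANTS, ROLE_BASELINE, AS_OF):
        print(f"{finding['user']:<6} {finding['permission']:<14} "
              f"{'; '.join(finding['reasons'])}")
```

Running it against the constructed data flags three of the five grants: alice's payroll access (outside the analyst baseline and dormant), bob's production admin right (outside the engineer baseline even though recently used), and carol's never-used reporting access. In practice the grant list would come from the identity provider or application audit logs, and the baseline from the role definitions the enterprise already maintains; the point of the exercise is that both "excessive" and "dormant" are separate signals and each alone is enough to warrant a second look.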


"Insider threats can be especially challenging for many enterprises to manage, as their sources can be unpredictable and unexpected," says Jonathan Brandt, ISACA Information Security Professional Practices Lead. "However, with a dedicated strategy and plan in place for identifying and monitoring these threats, teams can reduce their risk and be better prepared to take action if needed to lessen their losses."


A Holistic Approach to Mitigating Harm from Insider Threats is available as a free download at Visit for additional ISACA cybersecurity resources. For more information on IT risk, including ISACA's complimentary Risk IT Framework and Risk IT Practitioner Guide, visit



For more than 50 years, ISACA® has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.