
Massive Pentagon data leak shines light on insider cybersecurity risks

Cybersecurity has long been focused on keeping the bad guys out. Organizations just like yours spend the majority of their security budgets on building (hopefully) impermeable rings that protect employees, clients, infrastructure, data, and other resources from an ever-worsening threat landscape. But what if we’re getting it wrong? What if the real threat is coming from the inside? The recent leak of classified Pentagon briefing documents – and the subsequent arrest of a National Guard airman suspected of stealing them – should be a reminder to us all that insider threats are every bit as worrisome as anything on the outside.


Massachusetts Air National Guard member Jack Teixeira, 21, was arrested last week for allegedly stealing the highly classified military documents and sharing them on a Discord gaming channel. The compromised data includes signals-based intelligence that could impact American information gathering efforts for years to come. In the ever-evolving pantheon of major cybersecurity events, this ranks among the most damaging.

What is especially troubling about this particular breach is the amount of time it took to be discovered. Military officials were unaware anything was amiss a full three months after the first set of documents was shared on Discord. This suggests existing checks and balances were not only unable to detect the initial breach, but were so pointed in the wrong direction that they weren’t tripped for months afterward.

The net result: a low-ranking airman responsible for providing IT support to military intelligence teams had the run of the place. He was only caught after complete strangers eventually recognized the seriousness and legitimacy of the compromised data and began raising alarms across other social media platforms.


The risk of insider-led exposure unfortunately isn’t limited to government agencies or to the military. Any organization in any sector faces similar headaches in determining which direction to look and where to deploy sufficient resources to detect anomalies and respond appropriately to them.

A report from Gurucul and Cybersecurity Insiders suggests over half of all organizations have experienced an insider threat within the past year – with a quarter of respondents saying they’ve experienced more than six attacks in the same period. Ponemon’s 2022 Cost of Insider Threats Global Report paints a similarly troubling picture:

  • Insider threats have increased over 44% in the past two years.
  • In that period, the cost of each incident has increased by one-third, to $15.38 million USD.
  • Organizations are taking longer to resolve them, with containment of insider threat incidents now taking 85 days, up from 77 days.
  • The longer it takes to contain, the greater the cost. Incidents that remained unresolved for 90 days or more ended up costing victim organizations $17.19 million.

Also eye-opening is precisely who is behind these incidents, and why they commit them. ObserveIT data suggests negligence is the root cause of two-thirds of insider threat-related incidents, while 55% of organizations say privileged users represent the greatest risk.

If there’s any good news in the data, it is that organizations are already beginning to recognize the insider threat. Less than 3% of respondents to the Gurucul/Cybersecurity Insiders survey say they aren’t concerned with insider risk. According to CISOs who participated in Code42’s Annual Data Exposure Report 2023, insider risk ranks as the most difficult to detect – and they’re starting to shift more resources in this direction.


There’s a wide gap between recognizing threats from insiders and implementing definitive protections against those threats. Fortunately, the risks can be mitigated by extending investments in a range of already-known cybersecurity best practices, including:

  1. Implement employee monitoring. Organizations can no longer afford to give employees, contractors, and other third-party resources unfettered access to systems after they’ve been onboarded. Instead, leverage employee monitoring platforms like SentryPC, ActivTrak, and Teramind to track employee activities and flag anomalous behaviors like outside-of-hours accesses and large file transfers.
  2. Deploy access controls. One login should never grant an individual unlimited access to all organizational systems. Segment employee and contractor accesses to ensure only those who legitimately need access to a given system ultimately receive it. Incorporate – and enforce – password policies, multi-factor authentication, and role-based access controls to reduce the potential for these kinds of breaches and mitigate the exposure in case they occur.
  3. Conduct background checks. While many organizations miss this simple step during the recruitment process, it’s never too late to retroactively investigate employee backgrounds. While this is particularly crucial for individuals with access to sensitive information and systems, it is important to apply similar oversight to all employees and contractors.
  4. Educate, educate, educate. A little awareness can go a long way, and employees across the organization form an important line of defence in identifying and reporting potential insider-related incidents. Ensure current technology and cybersecurity training incorporates insider threat detection and responses, as well.
  5. Know how you’d respond. Ensure all disaster recovery plans (DRPs), and business continuity plans (BCPs) include comprehensive incident response scenarios. Add insider threats to the list of potential scenarios and include real-world response training as part of regularly scheduled DRP/BCP evaluation. 
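
To make points 1 and 2 concrete, here is an added example (not code from the original post, nor from any of the monitoring products named above) of the kind of detection logic an employee monitoring platform or a home-grown SIEM rule applies to file-access audit logs. It flags the two anomalies the list calls out, outside-of-hours access and large file transfers, and layers a role-based access check on top so that a support account touching intelligence material is surfaced even during working hours. The log format, the working-hours window, the 500 MiB transfer threshold and the role-to-folder map are all assumptions chosen for the example; the log lines themselves are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable

# Constructed sample audit log lines (not from any real system).
# Format (assumed): ISO timestamp | user | role | action | resource | bytes transferred
SAMPLE_LOG = """\
2023-04-03T09:12:41 | alice | analyst | READ | reports/q1-summary.pdf | 204800
2023-04-03T23:47:05 | bob | it-support | READ | intel/briefing-2023-04.pdf | 1048576
2023-04-04T14:02:17 | carol | analyst | DOWNLOAD | archive/2022-full.zip | 734003200
2023-04-04T10:30:00 | bob | it-support | READ | tickets/INC-1042.txt | 4096
2023-04-05T02:15:33 | dave | contractor | DOWNLOAD | intel/sigint-weekly.pdf | 52428800
"""

# Assumed policy values; an organisation would tune these to its own baseline.
WORK_START = time(7, 0)
WORK_END = time(19, 0)
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # 500 MiB

# Assumed role-based access map: the top-level folders each role may touch.
# Anything not listed for a role is treated as out of scope for that role.
ROLE_ALLOWED_PREFIXES = {
    "analyst": ("reports/", "archive/", "intel/"),
    "it-support": ("tickets/",),
    "contractor": ("reports/",),
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    resource: str
    nbytes: int


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, resource, nbytes = [f.strip() for f in line.split("|")]
        events.append(Event(datetime.fromisoformat(ts), user, role, action, resource, int(nbytes)))
    return events


def outside_hours(ev: Event) -> bool:
    """True when the access falls outside the assumed working-hours window."""
    t = ev.ts.time()
    return t < WORK_START or t > WORK_END


def large_transfer(ev: Event) -> bool:
    """True for downloads at or above the assumed large-transfer threshold."""
    return ev.action == "DOWNLOAD" and ev.nbytes >= LARGE_TRANSFER_BYTES


def role_violation(ev: Event) -> bool:
    """True when the resource is outside the folders permitted for the user's role."""
    allowed = ROLE_ALLOWED_PREFIXES.get(ev.role, ())
    return not ev.resource.startswith(allowed)


def detect(events: Iterable[Event]) -> list[tuple[str, str, str]]:
    """Return (user, resource, reason) triples, one per triggered check per event."""
    alerts = []
    for ev in events:
        reasons = []
        if outside_hours(ev):
            reasons.append("outside-of-hours access")
        if large_transfer(ev):
            reasons.append("large file transfer")
        if role_violation(ev):
            reasons.append("resource outside role")
        for reason in reasons:
            alerts.append((ev.user, ev.resource, reason))
    return alerts


if __name__ == "__main__":
    for user, resource, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {reason}: {user} -> {resource}")
```

Run against the constructed log, the analyst reading a report at 09:12 and the support engineer reading a ticket at 10:30 raise nothing; the support account opening a briefing at 23:47 is flagged twice (outside hours and outside its role), the 700 MiB archive download is flagged as a large transfer, and the contractor pulling intelligence material at 02:15 is flagged on both the time-of-day and the role check. The value of stacking the role check on top of the behavioural ones is that it catches the "IT support with the run of the place" pattern regardless of when the access happens.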


There’s no single way to fully eliminate any and all cybersecurity risks associated with rogue employees and contractors. But by elevating the awareness of insider threats – and investments in recognizing and responding to them – organizations can significantly reduce the likelihood of generating global headlines for the wrong reason.

At STEP Software, we incorporate cybersecurity best practices into everything we do and build. We’re always here if you’d like to have a discussion on what your software environment needs to counter today’s – and tomorrow’s – insider threats.