In plain English
Not all threats come from outside. Insider threats include employees who steal data before resigning, contractors who exceed their authorised access, and well-meaning staff who accidentally expose sensitive data through misconfiguration or poor judgment. Microsoft Purview's Insider Risk Management module monitors for anomalous data access and exfiltration patterns.
Full definition
Most organisations spend their security budget facing outward. Firewalls, email filters, perimeter controls. The assumption is that danger comes from outside. But the accounts that can do the most damage already have keys to the door.
An insider threat is anyone with authorised access who causes harm, whether on purpose or by accident. A finance manager who emails a client list to a personal account before resigning. A contractor who accesses systems outside the scope of their engagement. An accounts payable officer who clicks a link and hands their credentials to an attacker. All of these are insider threats, even though only one intended harm.
monitors for behavioural signals that precede a data breach: bulk downloads in the days before a resignation, unusual access to files outside a user's normal working pattern, email forwarding to external addresses. The controls that reduce insider risk most are access governance and the principle of least privilege. If staff can only reach what they need for their current role, the blast radius of any single account stays contained. Under the Australian Privacy Act and the , a breach caused by an employee is still a breach the organisation is accountable for. The regulatory question of who took the data matters far less than the fact that left the building.
