IronSights

threat intelligence

Insider Threats: Managing the Cyber Risk Closest to Home

Insider threats — whether malicious, negligent, or compromised — account for a significant proportion of data breaches in Australian organisations. The controls that manage insider risk overlap heavily with those that protect against external attackers, because an attacker who has phished a staff member's credentials is, from the system's point of view, an insider.

By Ryan Balloot, Managing Director. 24 April 2025.

Insider threats are a category that businesses often prefer not to think about. The idea that a current or former employee, contractor, or business partner might deliberately misuse access to corporate data is uncomfortable. But insider incidents — whether intentional or negligent — are a consistent feature of the Australian breach landscape.

Three Types of Insider Threat

Malicious insiders deliberately exfiltrate data, sabotage systems, or hand access to external parties. Negligent insiders cause harm through poor judgement: forwarding sensitive files to personal email, falling for phishing, reusing weak passwords. Compromised insiders are staff whose accounts have been taken over by an external attacker; the account is an insider from the perspective of access, but it is externally controlled.

The Access Controls That Address All Three

Least privilege access, where staff can reach only the data and systems their role requires, limits the damage any single insider, negligent or malicious, can do. Privileged access management ensures that the accounts with the highest access are the most tightly controlled: separate admin accounts, multi-factor authentication, and time-limited elevation rather than standing rights. Access reviews, conducted at minimum annually and whenever staff change roles, prevent access accumulation over time, since the most common failure is a person who keeps every entitlement from each previous role.
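As an added illustration of what an access review actually checks (this is example code, not IronSights' tooling or any vendor's API), the script below compares each user's group memberships against a least-privilege baseline for their current role, flags anything outside it, and separately flags privileged accounts that have not signed in for more than 90 days. The role baseline, group names, users and sign-in dates are constructed for the example; in practice the memberships and last sign-in would be exported from your identity provider.

```python
from datetime import date

# Constructed directory export (not from any real tenant). In practice the group
# memberships and last sign-in would come from your identity provider's API.
ROLE_BASELINE = {                       # least-privilege baseline per job role (assumed)
    "sales_rep":     {"Sales-Readers", "CRM-Users"},
    "finance_admin": {"Finance-Admins", "ERP-Users"},
    "it_admin":      {"Global-Admins", "Helpdesk"},
}
PRIVILEGED_GROUPS = {"Global-Admins", "Finance-Admins"}   # assumed
REVIEW_DATE = date(2025, 4, 24)                           # date the review is run

USERS = [
    {"upn": "alice@example.com.au", "role": "sales_rep",
     "groups": {"Sales-Readers", "CRM-Users"}, "last_sign_in": "2025-04-20"},
    # Moved from finance to sales but kept Finance-Admins: access accumulation.
    {"upn": "bob@example.com.au", "role": "sales_rep",
     "groups": {"Sales-Readers", "CRM-Users", "Finance-Admins"}, "last_sign_in": "2025-04-21"},
    # Privileged account that has not signed in for months.
    {"upn": "svc-admin@example.com.au", "role": "it_admin",
     "groups": {"Global-Admins", "Helpdesk"}, "last_sign_in": "2024-12-01"},
    # Role with no baseline defined: everything is treated as excess so it gets reviewed.
    {"upn": "dan@example.com.au", "role": "contractor",
     "groups": {"CRM-Users"}, "last_sign_in": "2025-04-22"},
]


def review_access(users, baseline, privileged, today, dormant_days=90):
    """Return one finding per entitlement outside the role baseline and one per
    privileged account that has been dormant for longer than dormant_days."""
    findings = []
    for u in users:
        allowed = baseline.get(u["role"])
        if allowed is None:
            # No baseline means nobody has decided what this role should have.
            findings.append({"upn": u["upn"], "issue": "no_baseline", "role": u["role"]})
            allowed = set()
        for group in sorted(u["groups"] - allowed):
            findings.append({"upn": u["upn"], "issue": "excess_group", "group": group,
                             "severity": "high" if group in privileged else "medium"})
        idle = (today - date.fromisoformat(u["last_sign_in"])).days
        if u["groups"] & privileged and idle > dormant_days:
            findings.append({"upn": u["upn"], "issue": "dormant_privileged",
                             "idle_days": idle})
    return findings


if __name__ == "__main__":
    for finding in review_access(USERS, ROLE_BASELINE, PRIVILEGED_GROUPS, REVIEW_DATE):
        print(finding)
```

The baseline is the important part: without a written statement of what each role should have, a review degenerates into managers approving whatever a person currently holds, which is how access accumulates in the first place.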

Monitoring and Detection

Microsoft Purview (formerly Microsoft Information Protection and Compliance) includes Insider Risk Management capabilities that can identify patterns of unusual data access or exfiltration behaviour: staff downloading unusual volumes of files before resignation, accessing data outside their normal scope, or forwarding corporate emails to personal accounts. The resignation-based detections depend on HR supplying notice and termination dates to the platform, and all of them depend on audit logging being enabled for the workloads involved. These tools require configuration and a clear policy framework around how alerts are triaged and investigated; an alert nobody owns is no better than no alert.
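To make the three patterns concrete, here is an added example (not Purview's logic and not code from IronSights) that runs equivalent detections over a constructed set of audit records shaped loosely like Microsoft 365 Unified Audit Log entries: a download-volume spike measured against the user's own daily baseline and correlated with an HR notice date, a file access outside the user's normal site scope, and an inbox rule forwarding mail to a non-corporate domain. The users, sites, domains, notice date and events are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records, shaped loosely like Microsoft 365 Unified Audit Log
# entries (CreationDate, Operation, UserId plus operation-specific fields).
# Not real data; the domains, users, sites and dates are assumptions for the example.
CORPORATE_DOMAINS = {"example.com.au"}
NOTICE_DATES = {"bob@example.com.au": "2025-03-27"}        # resignation date from HR (assumed)
SCOPE = {"bob@example.com.au": {"/sites/Sales"}}           # sites this user normally works in

EVENTS = [
    # Baseline: one download a day for two weeks.
    *[{"CreationDate": f"2025-03-{d:02d}T10:00:00", "Operation": "FileDownloaded",
       "UserId": "bob@example.com.au", "SiteUrl": "/sites/Sales"} for d in range(3, 17)],
    # Spike: 40 downloads in one evening, a week before the notice date.
    *[{"CreationDate": f"2025-03-20T18:{i:02d}:00", "Operation": "FileDownloaded",
       "UserId": "bob@example.com.au", "SiteUrl": "/sites/Sales"} for i in range(40)],
    # Access outside the user's normal scope.
    {"CreationDate": "2025-03-21T09:15:00", "Operation": "FileAccessed",
     "UserId": "bob@example.com.au", "SiteUrl": "/sites/HR"},
    # Inbox rule forwarding to a personal mailbox.
    {"CreationDate": "2025-03-21T09:30:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com.au", "ForwardTo": "bob.home@gmail.com"},
    # Benign rule forwarding to a colleague.
    {"CreationDate": "2025-03-22T11:00:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com.au", "ForwardTo": "carol@example.com.au"},
]


def _day(event):
    return event["CreationDate"][:10]


def download_spikes(events, min_files=20, ratio=5.0, notice_dates=None):
    """Flag (user, day) pairs whose download count is both above an absolute floor
    and several times the user's own prior daily average; mark whether the day
    falls in the 30 days before a known notice date."""
    per_user_day = defaultdict(Counter)
    for e in events:
        if e["Operation"] == "FileDownloaded":
            per_user_day[e["UserId"]][_day(e)] += 1
    findings = []
    for user, days in per_user_day.items():
        for day in sorted(days):
            prior = [c for d, c in days.items() if d < day]
            baseline = sum(prior) / len(prior) if prior else 0.0
            count = days[day]
            if count >= min_files and count > ratio * max(baseline, 1.0):
                pre_notice = False
                if notice_dates and user in notice_dates:
                    delta = (date.fromisoformat(notice_dates[user]) - date.fromisoformat(day)).days
                    pre_notice = 0 <= delta <= 30
                findings.append({"user": user, "day": day, "count": count,
                                 "baseline": round(baseline, 1), "pre_notice": pre_notice})
    return findings


def external_forwarding(events, corporate_domains):
    """Flag inbox rules or mailbox settings that forward mail outside the tenant."""
    findings = []
    for e in events:
        if e["Operation"] in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            target = e.get("ForwardTo") or e.get("ForwardingSmtpAddress")
            if target and target.rsplit("@", 1)[-1].lower() not in corporate_domains:
                findings.append({"user": e["UserId"], "target": target, "day": _day(e)})
    return findings


def out_of_scope_access(events, scope):
    """Flag file access to sites outside the user's normal scope. The scope map is
    an assumption here; in practice derive it from department or group membership."""
    findings = []
    for e in events:
        if e["Operation"] in ("FileAccessed", "FileDownloaded") and e["UserId"] in scope:
            if e["SiteUrl"] not in scope[e["UserId"]]:
                findings.append({"user": e["UserId"], "site": e["SiteUrl"], "day": _day(e)})
    return findings


if __name__ == "__main__":
    for f in download_spikes(EVENTS, notice_dates=NOTICE_DATES):
        print("download spike:", f)
    for f in external_forwarding(EVENTS, CORPORATE_DOMAINS):
        print("external forwarding:", f)
    for f in out_of_scope_access(EVENTS, SCOPE):
        print("out-of-scope access:", f)
```

The spike check is deliberately relative to the individual's own history rather than a tenant-wide threshold: a designer who downloads 30 files every day is normal, while a sales rep who normally downloads one and suddenly pulls 40 the week before leaving is the case the article describes.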

Off-Boarding Procedures

The highest-risk insider threat scenario is an employee who has given notice, or been terminated, and still has access to corporate systems. Off-boarding procedures should include same-day revocation of system access, retrieval of corporate devices, and, for personally owned devices, a selective wipe of corporate data and removal from MDM management and corporate email. Revocation means disabling the account and revoking its active sessions and refresh tokens, not just changing the password: sessions and tokens issued before the change otherwise remain valid until they expire. Shared credentials, API keys and service accounts the person knew should be rotated as well, since disabling a user account does nothing to those.

Can we monitor staff activity on corporate systems?

With appropriate disclosure and policy frameworks, yes. Monitoring corporate systems for security purposes is lawful in Australia provided it is disclosed in employment contracts and IT policies. Monitoring should be proportionate, focused on security-relevant activity rather than general productivity, and governed by a written policy that staff have been made aware of.
