An animated clock appears onscreen.

Organizations just like ours spend countless hours working to keep sensitive data out of the hands of cybercriminals.

An animation of a hand holding a smartphone appears.

But what happens when someone with legitimate access to this data knowingly, or unknowingly compromises it?

An animation of text messages appears.

The aftermath that follows may include, identity theft, lawsuits, monetary losses, and irreparable damage to our reputation.

An animation of a smartphone displaying exclamation points appears.

And, what is even more alarming is the fact that more than half of all data compromises are due to an "insider."

Several employees are standing shoulder to shoulder.

This threat from within, or "insider threat," generally occurs one of three ways.

An employee wearing a headset recieves a call.

An exploited insider is an unsuspecting employee or a business partner who is tricked into divulging sensitive data.

The employee is communicating with an animated caller.

To do this, cybercriminals will most often use a technique called social engineering.

Two animated characters take form to represent the employee and the caller.

Social engineering is a form of psychological manipulation, where the cybercriminal uses a person’s willingness to be helpful against them.

Multi-screen displays a telephone call, text, email, and a fax.

Social engineering attacks may occur over the telephone, SMS text messaging, email, fax, or any combination of these devices.

An employee is using a smartphone.

For example after careful planning and reconnaissance, a cybercriminal may contact an employee over the phone posing as a member of another department.

An animation of a company’s hieracrchy appears.

During the call, the cybercriminal may "name drop," "refer to policies," and use "company lingo" to sound like a trustworthy employee just looking to provide a service.

An employee is communicating with someone over the phone.

But as it turns out, this is just a ploy to get the employee to share the information they need to access sensitive data.

Three employees are rubbing their chins.

To avoid falling prey to attacks like these, you should maintain a healthy sense of skepticism of anyone requesting sensitive data.

An employee is answering a phone call.

As a best practice, you should always verify the identity of anyone who asks for information in person or over the phone.

An employee is falling asleep while using a laptop.

An employee who inadvertently exposes sensitive data is commonly referred to as a "careless insider." This is because in most cases, the exposure could have been avoided if better care had been taken to secure the data.

An animation of an employee and an email appears.

An example of inadvertent exposure is an employee who accidently sends an email with a document containing confidential data to the wrong person. An awkward or embarrassing mistake—maybe so.

An animation of files being eaten by a dinosaur-like character appears.

But if the document is acquired by cybercriminals, that data could be used to commit crime against the organization.

Icons representing data protection appear.

Preventing accidental data exposure such as this can be achieved by adhering to our data protection protocols and being committed to consistently protecting our information assets.

Closeup of a hand scanning an access card.

While careless and exploited insider threats yield unintentional data compromises, a malicious insider threat on the other hand, is an intentional compromise carried out by someone who has legitimate access to our systems.

An animated character throws a computer file in the trash.

A malicious insider seeks to alter, delete, or steal confidential data, and they may be motivated to commit these acts due to their own moral or political beliefs, for monetary gain, or revenge.

The animated character looks at a graphic representing motives.

Their desire to carry out malicious attacks may also be fueled by legal or financial problems, family difficulties, medical issues, failure to receive a promotion, or conflicts with coworkers.

Animated icons representing malicious insider tells appear.

A malicious insider may boast about being able to hack systems, blog or post negative comments about the organization, keep odd hours, or violate data security policies.

Surveillance employees are seated at a desk looking at monitors.

One of the best ways to prevent a malicious insider attack is to report data security violations and suspicious or inappropriate behavior immediately.

An employee is reporting suspicious activity to a manager.

Research suggests that malicious insider attacks are often spoiled by employees who saw something suspicious and reported it.

A group of employees are seated at a table having a meeting.

So remember, if you see something, say something.