Cybersecurity vendor CrowdStrike recently acknowledged reports that it was the victim of an insider incident. When contacted for more information about the incident, a CrowdStrike spokesperson said:
“We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised, and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.”
While the vendor hasn’t released further details, media reports allege that the cyber extortion group ShinyHunters claimed it “agreed to pay the insider $25,000 to provide them with access to CrowdStrike’s network.” The article goes on to say that CrowdStrike detected the insider activity and shut down the insider’s network access.
Forrester covered the risk of insiders selling their access in our report, How Insiders Use The Dark Web To Sell Your Data. Organizations — especially those with valuable intellectual property or sensitive customer data to protect — should be aware that external threat actors may approach insiders for their access. Also note that insiders sometimes take pictures of sensitive information on their screens to circumvent data security controls.
Last year, human risk management (HRM) vendor KnowBe4 disclosed that a fake North Korean IT worker tried to infiltrate them. The vendor detected attempts by the fake worker to install malware on their company-issued laptop and stopped the activity. Much to its credit, KnowBe4 published a detailed blog post to educate the community about its experience and how to avoid falling victim to insider incidents.
Insider Incidents Are Responsible For Over 20% Of Data Breaches
Data from Forrester’s Security Survey, 2025, indicates that 22% of data breaches resulted from internal incidents — nearly half of those were malicious. Common data types compromised by insiders include authentication credentials, personally identifiable information, protected health information, employee communications, and IP.
The bottom line is that insider incidents (aka insider threat) can happen to any organization — even security vendors. If you’re not practicing insider risk management and monitoring insider behavior, these incidents may go undetected.
Prepare For Insider Incident Response
At Forrester’s 2025 Security & Risk Summit, Principal Analyst Jess Burn and I presented a session titled “Incident Response For Insider Threats.” In our session, we covered how insider incident response differs from traditional incident response. One major difference is the need to determine intent when investigating insider incidents — to figure out whether the insider is malicious or careless/negligent. Once intent is established, the next step is deciding the outcome for the insider. Possible outcomes include:
Educating the user. Use HRM tools to educate or nudge the insider to correct careless or negligent behavior.
Taking employment action. Depending on the organization’s policies and the nature of the incident, organizations may choose to take an action such as reducing the insider’s privileges, issuing a formal warning, reassigning the insider to another role, or terminating the insider.
Informing law enforcement. Malicious insiders may take actions that make it necessary to inform law enforcement and pursue criminal prosecution.
Manage Your Insider Risk
All organizations have insider risk, and all insiders (employees, contractors, partners, and vendors) represent a level of insider risk. Managing insider risk requires focus, documenting policies, and following defined processes. Follow steps laid out in Forrester’s Best Practices: Insider Risk Management report, such as:
Starting an insider risk management team. Insider risk management involves trusted insiders who have inside knowledge of your data and systems. Therefore, managing insider risk requires dedicated focus. Read Forrester’s The Insider Risk Management Team Charter report, or work with vendors like CrowdStrike, IXN Solutions, PwC, and Signpost Six to start your insider risk management function.
Embracing HRM. HRM can correlate the behavioral, identity, attack, and awareness telemetry collected from its various integrations to spot risks that a single tool can’t find. Many HRM tools include insider risk monitoring. These tools also have data protection and real-time intervention capabilities to stop employees from mishandling data. Look into offerings from CybSafe, KnowBe4, Living Security, and Mimecast.
Revamping your hiring processes for remote employees. Fake workers (such as the North Korean threat actor mentioned above) are opportunistic — any company can be a target. Work with your partners in HR to ensure that the hiring and onboarding of remote workers includes verification of location and legality. Additionally, be certain that your third-party staffing vendors and IT service partners use equally rigorous screening methods, as these organizations are common infiltration vectors.
Running a realistic insider incident scenario exercise or crisis simulation. Ransomware tabletop and crisis management exercises are important, but you should also be ready to flex your different insider response muscles at the technical and executive level. Run one insider incident tabletop scenario each year with the same stakeholders and work through the differences in roles, responsibilities, and communication needed to handle this specific and often sensitive situation. Work with IR service providers like CrowdStrike, Google’s Mandiant, Kroll, and Palo Alto Networks’ Unit 42 for advice about incident response and delivering tabletops or crisis simulations.
Let’s Connect
Forrester clients can schedule an inquiry or guidance session with us to do a deeper dive on insider risk, learn how to start their own insider risk management program, or discuss incident response best practices.
