



When CISOs talk about cyberattacks, the conversation almost always focuses outward — nation-state actors, ransomware gangs, phishing campaigns launched from the other side of the world. But some of the most damaging breaches in recent years have had one thing in common: the attacker already had the keys. They sat at a desk. They had a badge. They knew which server held the payroll data, which database contained customer PII, and which accounts had Domain Admin rights.
Insider threats are not a niche problem. According to the 2025 Verizon Data Breach Investigations Report, insiders account for nearly 20% of all incidents globally — and the average cost of an insider-related breach consistently exceeds that of external attacks, largely because detection takes months rather than days. For Indian enterprises navigating a complex regulatory landscape under the Digital Personal Data Protection (DPDP) Act 2023 and CERT-In’s 6-hour mandatory reporting directive, an undetected insider breach is not just a security failure — it is a compliance catastrophe.
This guide is for Indian IT leaders and CISOs who want a clear, operational roadmap to detect, contain, and prevent insider threats — without turning your workplace into a surveillance state.
Not all insider threats look the same, and your response strategy must differ accordingly.
These are employees, contractors, or partners who intentionally misuse their access — to steal intellectual property, sabotage systems, exfiltrate customer data for a competitor, or sell credentials to external actors. Motivations include financial gain, grievance, or coercion by an outside threat actor. Privileged users (IT admins, finance leads, DevOps engineers) are disproportionately represented in this category.
The most common category. These are well-meaning employees who click on a phishing link, misconfigure a cloud storage bucket, forward a sensitive document to a personal email “just to work from home,” or reuse passwords across personal and corporate accounts. The damage is unintentional, but the impact on DPDP compliance — particularly around data breaches involving personal data — can be severe.
An external attacker has stolen valid credentials — through phishing, credential stuffing, dark web purchase, or malware — and is now operating inside your environment disguised as a trusted user. This category is particularly dangerous because the attacker behaves like a legitimate employee while conducting reconnaissance and exfiltration. Without behavioural analytics, standard perimeter tools see nothing wrong.
Perimeter firewalls, antivirus, and even next-generation firewalls are built to stop threats coming from outside. An insider — or an attacker using insider credentials — bypasses these controls almost entirely because, from the network’s perspective, they look legitimate.
The result is a detection gap that, on average, stretches to 194 days before an insider incident is identified (IBM Cost of a Data Breach 2024). In the context of CERT-In’s 6-hour reporting window, this is not just a security problem — it is a regulatory exposure of the highest order.
Indian enterprises handling personal data of Indian citizens are now operating under two overlapping regulatory frameworks that make insider threat management a legal imperative, not merely a security best practice.
Under the DPDP Act, Data Fiduciaries must implement “reasonable security safeguards” to prevent personal data breaches. An insider who exfiltrates a customer database — whether maliciously or negligently — constitutes a personal data breach that triggers mandatory notification to the Data Protection Board of India (DPBI) and to affected individuals. Penalties for non-compliance can reach ₹250 crore per breach. Demonstrating that you had no insider threat detection capability will not be a valid defence.
CERT-In’s 2022 directive requires reporting of 20 specific incident types within 6 hours of discovery — including “unauthorised access to IT systems/data,” “data breach/data leak,” and “attacks on critical information infrastructure.” An insider exfiltration event falls squarely within this scope. The challenge: you cannot report in 6 hours what you detected 194 days after the fact. Early detection is compliance.
Effective insider threat programmes are not about distrust — they are about visibility, and visibility requires a structured approach.
UEBA establishes a behavioural baseline for every user and device, then flags deviations that may indicate malicious or compromised activity. Examples of high-value signals:
UEBA is most powerful when integrated with your SIEM, directory services (Active Directory / Azure AD), endpoint agents, and network flow data — giving the analytics engine a complete picture of user activity across all vectors simultaneously.
While PAM was addressed in a previous post in the context of external attackers, it is equally critical for insider threat prevention. The principle is simple: no standing privileges, no shared admin accounts, no permanent access.
Even if an insider or compromised credential gains access, network segmentation limits the blast radius. With a Zero Trust architecture — enforced through a next-generation firewall like the Fortinet FortiGate — east-west traffic between segments is inspected and controlled just as rigorously as inbound internet traffic.
DLP controls prevent data from leaving the organisation through channels the insider controls — email, USB, cloud storage, collaboration tools, or web uploads.
Technologies generate alerts. It takes trained analysts in a Security Operations Centre to correlate those alerts into actionable intelligence. Insider threats rarely announce themselves with a single high-confidence alarm — they reveal themselves through a pattern of low-level signals over time. A 24/7 SOC with access to UEBA data, network logs, endpoint telemetry, and directory activity can connect dots that automated rules alone will miss.
“The most dangerous moment in an employee’s tenure is the period between receiving a resignation or termination notice and their final day.”
Here are the highest-risk insider threat scenarios specific to the Indian enterprise context:
Use this checklist to assess your organisation’s current posture:
Indian enterprises must navigate a careful balance. The DPDP Act applies to employee personal data as well as customer data — meaning that intrusive monitoring of personal devices or personal communications may itself constitute a violation. The key principles:
PJ Networks delivers the managed security capabilities that an effective insider threat programme demands — without requiring Indian enterprises to build and staff a full in-house security operations function.
Insider threats are not a people problem you can solve with HR policy alone, nor a technology problem you can solve with a single product. They require a programme — one that combines the right controls, continuous monitoring, and the human expertise to act on what those controls reveal.
If you want to assess your current insider threat readiness or discuss how PJ Networks can help you build a programme suited to your organisation’s size, sector, and risk profile, reach out to our team. The question is not whether you have insider risk — every organisation does. The question is whether you will detect it in time to matter.