The internal security threats that put your data at risk
This article is part of Spiceworks’ Recalibrating Risk Tolerance series investigating the contemporary landscape of cybersecurity risk.
Companies of all sizes routinely cite cybersecurity threats as a top concern, and for many, the greatest threats come from within. Those internal threats, which can manifest through human error, unclear policies, and other mundane factors, are compounded by changes in technology that create new and more complex internal security risks each year by expanding the attack surface and introducing new vulnerabilities.
Although today’s technology expands access to data and business insights, without the right skills and guardrails, it also increases internal security risks, explains Max Vetter, vice president of cyber at Immersive, a cyber resilience provider formerly known as Immersive Labs.

Factors impacting the growth in internal security risks
One of the biggest factors affecting internal security risks was the rapid and massive push toward remote work as a result of the COVID-19 pandemic, says Ven Auvaa, director of information security at Armor Point, a managed cybersecurity provider. Many organizations, out of necessity, rushed to add technologies for deploying remote workstations, which left huge security gaps, and in many cases businesses are still only beginning to see the effects of those changes.
“The risks have compounded, with the continued widespread adoption of cloud computing and proliferation of Internet of Things (IoT) devices,” Auvaa says. “Remote work and cloud computing means that sensitive company data is no longer confined within a secure, on-premises perimeter, and the huge number of IoT devices in homes offered by countless different vendors and manufacturers means that the attack surface to get to that sensitive data is much larger.”
Internal information security risks are often interconnected, and human error remains at the top of the list of causes, says Chase Doellinger, principal strategist and director at JumpCloud, which offers an information security identity and access management tool. “It’s a persistent challenge with misconfigured accounts, [and users] clicking phishing links or mishandling sensitive information.”
“Hybrid and multi-platform environments increase this complexity because consistent policy enforcement becomes more difficult,” Doellinger explains. “By contrast, organizations that fully unified their IT environment tend to achieve stronger security outcomes.”
The top information security risks
Sources interviewed for this article identified close to two dozen top internal security risks.
Privileged access mismanagement: The most critical internal risk remains excessive and poorly managed privileged access, says John Bruce, CISO at Quorum Cyber, a provider of managed security services. Employees often retain access rights long after job role changes, and organizations struggle with the principle of least privilege. Standing administrative privileges create persistent attack paths for both malicious insiders and compromised accounts.
Unmanaged SaaS sprawl: The typical organization now uses over 400 SaaS applications, many deployed without security review, Bruce explains. Employees create accounts, share data, and integrate systems without understanding the security implications. This creates data governance nightmares and numerous potential breach vectors.
Shadow IT and unsanctioned apps: Employees often bypass official tools, introducing unmanaged risks, explains Erez Tadmor, field CTO at security policy company Tufin. Shadow IT has grown from a minor concern to a major risk vector. Additionally, the complexity of modern tech stacks makes it increasingly difficult for organizations to maintain comprehensive visibility into their security posture.
Application programming interface security: This has emerged as a critical concern, as employees unknowingly create data exposure risks through legitimate business applications that over-share information across platforms.
Social engineering vulnerability: Despite training improvements, social engineering remains devastatingly effective, Bruce says. Business Email Compromise (BEC) attacks have become more sophisticated, with attackers leveraging publicly available information to create highly convincing impersonation attempts. The rise of “vishing” (voice phishing) and AI-generated content has made these attacks harder to detect.
Data handling and classification failures: Employees consistently struggle with proper data classification and handling. Sensitive information regularly ends up in unsecured locations, shared drives, personal devices, and unauthorized cloud storage. The challenge has intensified with remote work, where corporate data governance extends into personal home networks.
Phishing: Even with employee training, phishing is still a top security threat. The attacks are getting cleverer due to AI, and employees can be tricked into clicking on malicious links or sharing credentials, says Benjamin Luthy, program director of cybersecurity and adjunct professor at Champlain College Online. While phishing originates as an external threat, phishing fatigue is one of the most significant – yet often overlooked – internal risks because employees eventually drop their guard after repeated exposure.
Misuse of credentials: Whether due to an accident or blatant misuse, compromised credentials can be extremely damaging to an organization, Luthy explains. This could be anything from credentials captured by successful phishing attempts to administrative credentials left in secrets stores or deployment files for ease of use, or exposed by poorly configured systems.
Mobile device and Bring-Your-Own-Device (BYOD) risks: The proliferation of personal devices accessing corporate resources creates significant blind spots, Bruce says. Mobile device management (MDM) solutions often provide limited visibility, and employees frequently circumvent security controls for convenience. Lost or stolen devices containing corporate data remain a persistent threat.
Third-party integration vulnerabilities: Modern businesses rely heavily on vendor integrations and supply chain partnerships. Employees often grant excessive permissions to third-party applications and services without understanding the security implications. These trust relationships become attack vectors when vendors are compromised, Bruce explains.
Malicious insiders: This is one of the less common vectors, but insider threats can be difficult to detect and verify and can be more costly, Luthy explains. Employees or contractors with legitimate access can intentionally leak data, sabotage systems, or sell information. Defensive technology is helping, but the risk is very real, and it can be heightened by workforce turnover.
Infrastructure sprawl: The sheer diversity of on-premises, cloud and edge resources makes it difficult to enforce policies consistently, amplifying nearly all other risks.
Misconfigurations: Complex hybrid networks lead to policy drift and errors in access controls, creating exploitable gaps.
Lack of segmentation: Flat networks allow attackers who gain a foothold to move laterally within systems with little resistance.
Poor overall IT practices: Poor practices include storing sensitive data in the clear, a lack of multi-factor authentication, poor hygiene around patching and upgrading systems, and the lack of a strong vulnerability management program with clear policies on how to identify and respond to incidents, explains Clyde Williamson, senior product security architect at Protegrity, a provider of AI-driven data security.
Poor cyber hygiene: Weak passwords, a lack of multi-factor authentication, and unpatched systems are still responsible for a majority of breaches.
Complacency: Thinking “we’re covered” because tools are in place, without proving workforce readiness, is itself a risk for organizations.
Password reuse: This continues to be a problem, since many employees still favor convenience even when password managers are available, explains Jeff Greenbaum, CIO at software developer Input 1.
Data poisoning: Employees may inadvertently train AI systems on sensitive data, creating new exposure risks.
Model manipulation: Internal AI systems can become attack vectors if not properly secured, Bruce says. Most concerning is that employees often don’t recognize AI-generated threats, as the technology has surpassed human ability to detect sophisticated fakes without specialized tools.
Solutions can also come from within
The best practice for protecting against internal information security threats is promoting awareness and building a culture of cybersecurity within the organization. This goes beyond comprehensive information security awareness training, and extends into broader processes and procedures within the organization, Auvaa explains.
The fact that the biggest internal vulnerabilities are very simple and fixable is also good news, says Zbyněk Sopuch, CTO of Safetica, an intelligent data security solutions provider.
“People end up repeating mistakes because systems make the insecure paths faster,” Sopuch explains. “If the secure route is slower, by human nature, users will route around it. So the goal for organizations is to make the secure choice both the default and quickest.”