The Increasing Impact of Insider Threats

Moderator Gehan Dabare started the discussion on insider threats by declaring, “There’s good and bad news: Everything is at risk, and everyone is a risk.” Security teams therefore need to treat insider threats as both unintended and intended. Most insider threats are individuals, many of whom are making an unintentional security mistake that exposes an enterprise to some form of cyber risk. Individuals who intentionally mean to cause harm are in the minority, but they should still be considered a malicious risk that everyone should attempt to identify and protect against.

To defend an organization, security teams need to put controls in place for the following: data loss prevention, access control, and the endpoint. For instance, data must be accounted for and protected with the necessary controls, such as PCI, to keep it secure and out of the hands of threats. From an access control perspective, security teams must reduce their enterprise’s threat surface by decreasing the number of people with local admin credentials and privileged access. Those who need privileged access to perform their roles should be equipped with a separate account specifically for accessing privileged information. As for endpoints, malware protection, email scanning, and anti-virus software are key defenses for keeping endpoints secure and legitimate, covering those users who unintentionally pose risk to the enterprise.

To deal with deliberate, malicious insider threats, the entire enterprise, not just IT, must be involved in crafting a security program, since teams and executives across the company bring a variety of knowledge and insight to the table to stop them.